On Mon, Oct 26, 2009 at 23:54, David Suhendrik <david at pnyet.web.id> wrote:

> Need more secure only allow access ssh from intranet or by VPN.
> CMIIW

Not a bad suggestion. It's somewhat more heavyweight and restrictive, but if you're paranoid enough to worry about 0-day OpenSSH server exploits, this could help you sleep better at night.

This is an interesting judgement to consider. Personally, I don't generally consider the extra VPN layer to be a default requirement. Most VPN clients require admin-level privs, and some kind of pre-connection setup process (install client software, distribute certs/keys, etc.), either of which could prevent legit users from connecting in certain common circumstances, like an Internet cafe or a borrowed machine.

I think it's good to ask yourself whether the risks really justify the loss of functionality: If your current security concern is dictionary bots, I don't think you'd need to bother with a VPN, because the bot attacks aren't usually probing for unpatched exploits, they're just guessing common login creds.

(Actually, I could be wrong about that last one--if anyone has profiled SSH bot traffic recently, I'd be interested in knowing how much of it [if any] is exploits vs. login guessing.)

-Ryan
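The kind of profiling Ryan asks about, and the intranet/VPN split David proposes, can both be checked against an sshd auth log. The script below is an added example, written for this page and not code from either poster or from OpenSSH: it parses constructed sshd syslog lines (sample data, not real traffic), counts failed and accepted logins per source address, flags sources that look like login guessing (attempts against non-existent users, several distinct usernames, or many failures), and marks whether each source falls inside an assumed set of trusted networks. The trusted ranges (10.0.0.0/8 and 192.168.0.0/16) and the guessing thresholds are assumptions chosen for the example, not values from the thread.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample sshd auth log lines (syslog format); not real traffic.
SAMPLE_AUTH_LOG = """\
Oct 27 02:11:03 host sshd[4121]: Invalid user admin from 203.0.113.45
Oct 27 02:11:05 host sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51212 ssh2
Oct 27 02:11:09 host sshd[4125]: Failed password for root from 203.0.113.45 port 51220 ssh2
Oct 27 02:11:12 host sshd[4129]: Failed password for invalid user oracle from 203.0.113.45 port 51231 ssh2
Oct 27 02:12:40 host sshd[4140]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Oct 27 02:13:01 host sshd[4150]: Accepted publickey for ryan from 10.8.0.12 port 55012 ssh2
Oct 27 02:14:22 host sshd[4160]: Failed password for ryan from 10.8.0.12 port 55030 ssh2
Oct 27 02:14:30 host sshd[4160]: Accepted password for ryan from 10.8.0.12 port 55030 ssh2
"""

# Assumption: interactive logins are expected only from the intranet
# (10.0.0.0/8, which also covers an assumed VPN pool) and 192.168.0.0/16.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# "invalid user" is sshd's marker for a username that does not exist locally;
# the optional group captures it so guesses against nonexistent accounts count.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def is_trusted(addr, trusted_nets=TRUSTED_NETS):
    """True if the source address lies inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted_nets)


def profile(log_text, trusted_nets=TRUSTED_NETS):
    """Summarise sshd authentication events per source address.

    The 'guessing' flag is a heuristic chosen for this example: any attempt
    against a nonexistent user, two or more distinct usernames from one
    source, or five or more failures.
    """
    stats = defaultdict(lambda: {"failed": 0, "invalid_user": 0,
                                 "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, user, src = m.group(1), m.group(2), m.group(3)
            s = stats[src]
            s["failed"] += 1
            s["users"].add(user)
            if invalid:
                s["invalid_user"] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            _method, user, src = m.groups()
            s = stats[src]
            s["accepted"] += 1
            s["users"].add(user)

    summary = {}
    for src, s in stats.items():
        guessing = (s["invalid_user"] > 0
                    or len(s["users"]) >= 2
                    or s["failed"] >= 5)
        summary[src] = {
            "failed": s["failed"],
            "invalid_user": s["invalid_user"],
            "accepted": s["accepted"],
            "distinct_users": len(s["users"]),
            "trusted": is_trusted(src, trusted_nets),
            "guessing": guessing,
        }
    return summary


def untrusted_guessers(summary):
    """Sources outside the trusted networks that look like login guessing."""
    return sorted(src for src, s in summary.items()
                  if s["guessing"] and not s["trusted"])


if __name__ == "__main__":
    result = profile(SAMPLE_AUTH_LOG)
    for src, s in sorted(result.items()):
        print(src, s)
    print("untrusted guessers:", untrusted_guessers(result))
```

Run against a real /var/log/auth.log (or journalctl -u ssh output) the same parser gives a rough answer to Ryan's question: sources with many failures spread across nonexistent usernames are credential guessing, while exploit attempts would show up elsewhere (protocol errors, crashes, or successful logins from untrusted sources with no preceding password failures). The "trusted" column is also what an intranet-or-VPN-only rule would enforce; the script only reports, it does not block.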