On Thu, Jan 12, 2012 at 10:31 AM, Tilman Schmidt <t.schmidt at phoenixsoftware.de> wrote:
>
> I'm not convinced that would actually improve security.
> What that does is replace the risk of intrusion via an sshd
> exploit by the risk of intrusion via an OpenVPN exploit.

Yes, but only to someone with inside information. You can't really hide an ssh server from a port scan, but openvpn on UDP will not respond to packets that aren't signed with the right key. You can't tell it from a firewall that drops packets at that address/port. And, if you do get the openvpn connection you only get network access - you still have to find a host on the other side and break into its ssh before you can do anything.

> But it also adds a layer of complexity, and complexity is
> the enemy of security. So the risk of an exploitable hole
> in OpenVPN would have to be provably so much lower than in
> SSH that the difference outweighs the increase of risk
> through added complexity. I don't know of any data to
> support that claim.

Since you have to (a) find the connection, and (b) still break ssh, it seems logically more secure. Or are you thinking of the probability of a flaw in openvpn giving you arbitrary command access? I suppose you can't rule that out, but it is not as complicated as ssh so probably less to go wrong.

>> Wide open sshd ports on the Internet are dangerous.
>
> That's a very bold statement. I guess its truth depends on
> your definition of "wide open". In fact I'd maintain that
> an open ssh port is less dangerous than most other open
> ports. (http, smtp, imap, to name a few)

You are pretty much guaranteed to get hacking attempts both by password guessing and vulnerability probes on all of those ports/services.

-- 
Les Mikesell
lesmikesell at gmail.com
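The property Les relies on above (an OpenVPN UDP port with a pre-shared HMAC key answers only packets carrying a valid MAC, so an unkeyed scanner sees the same thing as a firewall drop) can be modelled in a few lines. This is an added illustration written for this thread, not OpenVPN's code: the packet layout, the SHA1 choice, the `Gate` class and the `seal` helper are all constructed for the example, and the reply string stands in for the real handshake message.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed model of an OpenVPN-style "tls-auth" gate (not OpenVPN's own code):
# each control datagram carries an HMAC over its body computed with a pre-shared
# key, plus an increasing packet id. Anything that fails the MAC, is too short, or
# replays an old id is dropped with no reply, so a scanner without the key cannot
# distinguish the service from a firewall that silently drops packets.

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes; SHA1 chosen for the model


def seal(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Client side: build a datagram laid out as HMAC || packet_id (4 bytes) || payload."""
    body = struct.pack("!I", packet_id) + payload
    mac = hmac.new(key, body, hashlib.sha1).digest()
    return mac + body


class Gate:
    """Server side: authenticate before doing anything observable."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_id = 0    # highest packet id accepted so far (window of 1)
        self.accepted = 0   # accepted-datagram counter, for inspection

    def handle(self, datagram: bytes) -> Optional[bytes]:
        """Return a reply for an authentic datagram, or None (silent drop)."""
        if len(datagram) < MAC_LEN + 4:
            return None     # runt or random probe: drop, no response
        mac, body = datagram[:MAC_LEN], datagram[MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):
            return None     # wrong key or forged packet: drop, no response
        packet_id = struct.unpack("!I", body[:4])[0]
        if packet_id <= self.last_id:
            return None     # replayed or stale packet: drop, no response
        self.last_id = packet_id
        self.accepted += 1
        return b"HARD_RESET_SERVER"  # stand-in for the real handshake reply
```

Only datagrams that pass the MAC and replay checks ever produce a reply, which is why a port scan cannot reveal the service while a plain sshd still hands every connection its version banner.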