On 01/12/2012 10:31 AM, Tilman Schmidt wrote:
> On 10.01.2012 19:05, Johnny Hughes wrote:
> > Limit access to the sshd port from only authorized places ... and
> > the authorized places can be an openvpn type connection if you
> > always need access from different IPs. If you have a laptop, put
> > an openvpn client on it and take it with you if you need access
> > from dynamic places. Connect the openvpn to the endpoint someplace
> > and then use that to connect to the sshd on the server via the
> > vpn.
>
> I'm not convinced that would actually improve security.
> What that does is replace the risk of intrusion via an sshd
> exploit by the risk of intrusion via an OpenVPN exploit.
> But it also adds a layer of complexity, and complexity is
> the enemy of security. So the risk of an exploitable hole
> in OpenVPN would have to be provably so much lower than in
> SSH that the difference outweighs the increase of risk
> through added complexity. I don't know of any data to
> support that claim.

Not at all ... you first have to crack the OpenVPN system to gain access to
the ssh port at all (that did not get you into the machine, it got you an IP
address that then allows you to TRY to access the machine) ... THEN ... you
still have to do all the things you need to do to the openssl port to break
into it. Without OpenVPN, you only need to do the second step and can totally
skip the first. It would therefore make an actual machine breach
exponentially harder.

> > Wide open sshd ports on the Internet are dangerous.
>
> That's a very bold statement. I guess its truth depends on
> your definition of "wide open". In fact I'd maintain that
> an open ssh port is less dangerous than most other open
> ports. (http, smtp, imap, to name a few)

No, it's not. They need to use one of the other ports you mentioned to gain
access to a method to grab your shadow file. Then after they gain access to
your shadow file, they figure out the root (or another user's) password based
on the hash ... then IF you have your ssh port unrestricted they use what they
gained to login to your machine and take it over.

None of that can happen if you have restricted access to your openssh port
... they might find a password, but then they have no ability to login to the
machine.

If you have some kind of access restrictions to the ssh port AND also do not
allow password logins, but also require keys (with a pass-phrase) to login
... then you have again made it exponentially harder to hack into.
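The two controls argued for in this message (sshd reachable only from the VPN, and no password logins so a recovered hash is useless by itself) can be checked mechanically. The script below is an added example, not code from the thread or from CentOS: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored) and flags a config that still accepts passwords or listens on every interface. Both config files and the 10.8.0.1 tunnel address are constructed for the example; `sshd_directive` and `check_sshd_config` are the script's own helper names.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the controls
# discussed above. Sample configs and the VPN address 10.8.0.1 are constructed.

# Print the effective value of one directive. sshd honours the FIRST
# occurrence of a keyword, so only that one is printed; comment lines skipped.
sshd_directive() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# Audit one config file. Prints an OK/WEAK line per check and returns 0 only
# when every check passes, so it can gate a deploy or feed a cron alert.
check_sshd_config() {
    f=$1
    rc=0

    pw=$(sshd_directive PasswordAuthentication "$f")
    if [ "${pw:-yes}" = "no" ]; then            # sshd default is yes
        echo "OK:   password logins disabled"
    else
        echo "WEAK: PasswordAuthentication=${pw:-yes} (unset defaults to yes)"
        rc=1
    fi

    pk=$(sshd_directive PubkeyAuthentication "$f")
    if [ "${pk:-yes}" = "yes" ]; then           # sshd default is yes
        echo "OK:   public-key authentication enabled"
    else
        echo "WEAK: PubkeyAuthentication=$pk"
        rc=1
    fi

    la=$(sshd_directive ListenAddress "$f")
    case "${la:-0.0.0.0}" in
        0.0.0.0*|::*|\[::\]*)
            echo "WEAK: sshd bound to all interfaces (ListenAddress=${la:-unset})"
            rc=1 ;;
        *)
            echo "OK:   sshd bound to $la only" ;;
    esac
    return $rc
}

# Two constructed configs: a stock-looking one, and a hardened one that only
# listens on the (assumed) OpenVPN tunnel address and refuses passwords.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# stock-looking sshd_config: nothing limits who may try a password
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
cat >"$HARD_CFG" <<'EOF'
ListenAddress 10.8.0.1
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
EOF

echo "== weak =="
check_sshd_config "$WEAK_CFG" || echo "-> weak config fails the audit"
echo "== hardened =="
check_sshd_config "$HARD_CFG" && echo "-> hardened config passes"
```

Binding `ListenAddress` to the tunnel address is one way to express "only reachable via the VPN"; a packet filter rule that only accepts port 22 from the tunnel interface achieves the same and is not something this script inspects.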