[CentOS] defense-in-depth possible for sshd?

Les Mikesell lesmikesell at gmail.com
Thu Jan 12 17:11:53 UTC 2012

On Thu, Jan 12, 2012 at 10:31 AM, Tilman Schmidt
<t.schmidt at phoenixsoftware.de> wrote:
> I'm not convinced that would actually improve security.
> What that does is replace the risk of intrusion via an sshd
> exploit by the risk of intrusion via an OpenVPN exploit.

Yes, but only to someone with inside information.  You can't really
hide an ssh server from a port scan, but openvpn on UDP will not
respond to packets that aren't signed with the right key.   You can't
tell it from a firewall that drops packets at that address/port.  And,
if you do get the openvpn connection you only get network access - you
still have to find a host on the other side and break into its ssh
before you can do anything.

> But it also adds a layer of complexity, and complexity is
> the enemy of security. So the risk of an exploitable hole
> in OpenVPN would have to be provably so much lower than in
> SSH that the difference outweighs the increase of risk
> through added complexity. I don't know of any data to
> support that claim.

Since you have to (a) find the connection,  and (b) still break ssh,
it seems logically more secure.  Or are you thinking of the probability
of a flaw in openvpn giving you arbitrary command access?  I suppose
you can't rule that out, but it is not as complicated as ssh so
probably less to go wrong.

>> Wide open sshd ports on the Internet are dangerous.
> That's a very bold statement. I guess its truth depends on
> your definition of "wide open". In fact I'd maintain that
> an open ssh port is less dangerous than most other open
> ports. (http, smtp, imap, to name a few)

You are pretty much guaranteed to get hacking attempts both by
password guessing and vulnerability probes on all of those.

   Les Mikesell
     lesmikesell at gmail.com
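The behaviour Les describes above, a UDP listener that answers only packets carrying a valid HMAC and stays silent otherwise (OpenVPN's tls-auth option), modelled as an added example that is not part of the thread; the packet layout, the demo key and the reply value are constructed stand-ins, not OpenVPN's real wire format.

```python
import hashlib
import hmac

# Simplified model of OpenVPN tls-auth: each control packet carries an HMAC-SHA1 tag
# over a packet id plus payload, keyed with a pre-shared key. The server replies only
# when the tag verifies, so a scanner without the key sees exactly what it would see
# from a firewall DROP rule: nothing. (Constructed layout, not the real OpenVPN format.)
TAG_LEN = 20                  # HMAC-SHA1 digest length
DEMO_KEY = bytes(range(64))   # constructed demo key; a real deployment uses a random 'ta.key'


def sign_packet(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Client side: prepend HMAC(key, packet_id || payload) to the packet."""
    body = packet_id.to_bytes(4, "big") + payload
    return hmac.new(key, body, hashlib.sha1).digest() + body


class HmacGatedServer:
    """Server side: verify the tag before doing anything else; drop silently on failure."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_id = 0   # crude replay protection: packet ids must strictly increase

    def handle(self, datagram: bytes):
        """Return the reply to send, or None to drop the datagram without any response."""
        if len(datagram) < TAG_LEN + 4:
            return None                        # malformed or unsigned probe: silent drop
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return None                        # wrong key or tampered packet: silent drop
        packet_id = int.from_bytes(body[:4], "big")
        if packet_id <= self.highest_id:
            return None                        # replayed packet: silent drop
        self.highest_id = packet_id
        return b"HARD_RESET_SERVER_V2"         # stand-in for the handshake reply


if __name__ == "__main__":
    server = HmacGatedServer(DEMO_KEY)
    print(server.handle(b"\x00" * 40))                          # None: unauthenticated scan
    print(server.handle(sign_packet(DEMO_KEY, 1, b"hello")))    # reply: key holder
```

Only a peer holding the key ever provokes a reply, which is why the port is indistinguishable from a closed one to a port scan, whereas an sshd must send its banner to every TCP client that connects.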
