[CentOS] defense-in-depth possible for sshd?

Johnny Hughes johnny at centos.org
Fri Jan 13 01:25:01 UTC 2012


On 01/12/2012 10:31 AM, Tilman Schmidt wrote:
> Am 10.01.2012 19:05, schrieb Johnny Hughes:
> > Limit access to the sshd port from only authorized places ... and
> > the authorized places can be an openvpn type connection if you
> > always need access from different IPs.  If you have a laptop, put
> > an openvpn client on it and take it with you if you need access
> > from dynamic places. Connect the openvpn to the endpoint someplace
> > and then use that to connect to the sshd on the server via the
> > vpn.
>
> I'm not convinced that would actually improve security.
> What that does is replace the risk of intrusion via an sshd
> exploit by the risk of intrusion via an OpenVPN exploit.
> But it also adds a layer of complexity, and complexity is
> the enemy of security. So the risk of an exploitable hole
> in OpenVPN would have to be provably so much lower than in
> SSH that the difference outweighs the increase of risk
> through added complexity. I don't know of any data to
> support that claim.

Not at all ... you first have to crack the OpenVPN system to gain access
to the ssh port at all (that did not get you into the machine, it got
you an IP address that then allows you to TRY to access the machine) ...
THEN ... you still have to do all the things you need to do to the
openssl port to break into it.  Without OpenVPN, you only need to do the
second step and can totally skip the first.  It would therefore make an
actual machine breach exponentially harder.

>
> > Wide open sshd ports on the Internet are dangerous.
>
> That's a very bold statement. I guess its truth depends on
> your definition of "wide open". In fact I'd maintain that
> an open ssh port is less dangerous than most other open
> ports. (http, smtp, imap, to name a few)

No, it's not.  They need to use one of the other ports you mentioned to
gain access to a method to grab your shadow file.  Then after they gain
access to your shadow file, they figure out the root (or another user's)
password based on the hash ... then IF you have your ssh port
unrestricted they use what they gained to login to your machine and take
it over.

None of that can happen if you have restricted access to your openssh
port ...  they might find a password, but then they have no ability to
login to the machine.  If you have some kind of access restrictions to
the ssh port AND also do not allow password logins, but also require
keys (with a pass-phrase) to login ... then you have again made it
exponentially harder to hack into.
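The sshd-side half of what the reply describes (no password logins, keys required, the daemon reachable only on the VPN address) can be checked mechanically. The script below is an added example, not code from the thread or from the CentOS project: a POSIX sh/awk audit of an sshd_config text that flags each directive still permitting the attack path the reply lays out. Both config texts are constructed for the demonstration, and 10.8.0.1 is a made-up VPN address; the function reads config text, so `audit_sshd "$(cat /etc/ssh/sshd_config)"` runs it against a real file.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# hardening the reply describes (no password logins, keys required, sshd
# bound to the VPN address). Both configs are constructed; 10.8.0.1 is a
# made-up VPN address.

# Constructed "before": password logins accepted, root allowed, listens everywhere.
WEAK_CONFIG='Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes'

# Constructed "after": keys only, root locked out, bound to the VPN interface.
HARDENED_CONFIG='Port 22
ListenAddress 10.8.0.1
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no'

# sshd_setting CONFIG_TEXT KEYWORD
# Print the effective global value of KEYWORD. Follows sshd's rules closely
# enough for an audit: keywords are case-insensitive, blank and comment lines
# are skipped, the first occurrence wins, and everything after the first
# Match block is conditional, so parsing stops there.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }'
}

# audit_sshd CONFIG_TEXT
# Print one line per weak setting; exit 0 when clean, 1 when anything was found.
audit_sshd() {
    cfg=$1
    findings=0

    # Compiled-in default is yes, so an absent directive is a finding too.
    pw=$(sshd_setting "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" != no ]; then
        echo "PasswordAuthentication=${pw:-unset}: password logins accepted"
        findings=$((findings + 1))
    fi

    # keyboard-interactive (via PAM) is a second password path; default is yes.
    cr=$(sshd_setting "$cfg" ChallengeResponseAuthentication)
    if [ "${cr:-yes}" != no ]; then
        echo "ChallengeResponseAuthentication=${cr:-unset}: keyboard-interactive password prompts still possible"
        findings=$((findings + 1))
    fi

    # Keys must stay enabled or nobody can log in once passwords are off.
    pk=$(sshd_setting "$cfg" PubkeyAuthentication)
    if [ "${pk:-yes}" != yes ]; then
        echo "PubkeyAuthentication=$pk: key-based login disabled"
        findings=$((findings + 1))
    fi

    # A cracked root hash (the scenario in the reply) is useless if root cannot
    # log in over ssh at all. Older OpenSSH defaults to yes, newer releases to
    # prohibit-password; neither is "no", so absent is a finding.
    pr=$(sshd_setting "$cfg" PermitRootLogin)
    if [ "${pr:-yes}" != no ]; then
        echo "PermitRootLogin=${pr:-unset}: direct root login permitted"
        findings=$((findings + 1))
    fi

    # Absent or wildcard ListenAddress means the port answers on every
    # interface; a host firewall rule is the other way to restrict it.
    la=$(sshd_setting "$cfg" ListenAddress)
    case ${la:-0.0.0.0} in
        0.0.0.0|::|0.0.0.0:*)
            echo "ListenAddress=${la:-unset}: sshd listens on all interfaces"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

echo "--- weak config ---";     audit_sshd "$WEAK_CONFIG" || :
echo "--- hardened config ---"; audit_sshd "$HARDENED_CONFIG" && echo "no findings"
```

The checks stop at the first `Match` block on purpose: directives below it apply only to the matched users or addresses, and a `Match Address 10.8.0.0/24` block re-enabling passwords for VPN clients is a policy decision the global audit should not silently fold in.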


