[CentOS] defense-in-depth possible for sshd?

Bennett Haselton bennett at peacefire.org
Fri Jan 13 02:56:04 UTC 2012


On 1/12/2012 5:25 PM, Johnny Hughes wrote:
> On 01/12/2012 10:31 AM, Tilman Schmidt wrote:
>> Am 10.01.2012 19:05, schrieb Johnny Hughes:
>>> Limit access to the sshd port from only authorized places ... and
>>> the authorized places can be an openvpn type connection if you
>>> always need access from difference IPs.  If you have a laptop, put
>>> an openvpn client on it and take it with you if you need access
>>> from dynamic places. Connect the openvpn to the endpoint someplace
>>> and then use  that to connect to the sshd on the server via the
>>> vpn.
>> I'm not convinced that would actually improve security.
>> What that does is replace the risk of intrusion via an sshd
>> exploit by the risk of intrusion via an OpenVPN exploit.
>> But it also adds a layer of complexity, and complexity is
>> the enemy of security. So the risk of an exploitable hole
>> in OpenVPN would have to be provably so much lower than in
>> SSH that the difference outweighs the increase of risk
>> through added complexity. I don't know of any data to
>> support that claim.
> Not at all ... you first have to crack the OpenVPN system to gain access
> to the ssh port at all (that did not get you into the machine, it got
> you an IP address that then allows you to TRY to access the machine) ...

I think Tilman is saying that rather than "cracking" OpenVPN in the 
sense of tricking it into allowing you access, you could find an exploit in 
OpenVPN where simply sending the right packets to the OpenVPN server 
would allow you to execute arbitrary code as root on the server, the 
same way as an attacker might try to do to the sshd server.

Or is there a reason that an exploit against OpenVPN would be less 
powerful than an exploit against sshd?

This came up earlier, and you said that OpenVPN has had far fewer such 
exploits logged against it than sshd.  In that case it really would be 
more secure, but not because it provides an extra "layer", but rather 
simply because exploits against it are more rare.
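A defensive check in the spirit of Johnny's suggestion (sshd reachable only over the VPN), added here as an example that is not part of this thread or of any project's code: it parses `ss -tlnp`-style output and reports sshd sockets bound to anything other than the VPN subnet. The sample output, the process names and the 10.8.0.0/24 VPN subnet are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ss -tlnp` output (illustrative only, not captured
# from a real host). 10.8.0.1 is assumed to be the server's tun0 address.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    10.8.0.1:22         0.0.0.0:*         users:(("sshd",pid=812,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=5))
LISTEN 0      128    0.0.0.0:1194        0.0.0.0:*         users:(("openvpn",pid=640,fd=6))
"""

# Pulls the process name out of the users:(("name",pid=...,fd=...)) column.
PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return (address, port, process) tuples for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # skips the header and blank lines
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.strip("[]")           # "[::]" -> "::"
        match = PROC_RE.search(line)
        proc = match.group(1) if match else "?"
        listeners.append((addr, int(port), proc))
    return listeners


def ssh_exposure(ss_output, vpn_cidr, ssh_port=22):
    """List sshd listening addresses reachable from outside the VPN subnet.

    A socket is exposed if it is bound to the unspecified address
    (0.0.0.0 or ::) or to a concrete address that is not inside vpn_cidr.
    """
    vpn_net = ipaddress.ip_network(vpn_cidr, strict=False)
    exposed = []
    for addr, port, proc in parse_listeners(ss_output):
        if port != ssh_port or proc != "sshd":
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified or ip not in vpn_net:
            exposed.append(addr)
    return exposed


if __name__ == "__main__":
    # Only the 10.8.0.1 socket is confined to the VPN; the wildcard binds are not.
    print(ssh_exposure(SAMPLE_SS_OUTPUT, "10.8.0.0/24"))   # ['0.0.0.0', '::']
```

The same check can be fed live output with `ss -tlnp` piped into the script; an empty result means sshd is bound only to the VPN address, which is the state the firewall rules should also enforce.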
