[CentOS] defense-in-depth possible for sshd?

Thu Jan 12 17:11:53 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Thu, Jan 12, 2012 at 10:31 AM, Tilman Schmidt
<t.schmidt at phoenixsoftware.de> wrote:
>
> I'm not convinced that would actually improve security.
> What that does is replace the risk of intrusion via an sshd
> exploit by the risk of intrusion via an OpenVPN exploit.

Yes, but only to someone with inside information.  You can't really
hide an ssh server from a port scan, but openvpn on UDP will not
respond to packets that aren't signed with the right key.   You can't
tell it from a firewall that drops packets at that address/port.  And,
if you do get the openvpn connection you only get network access - you
still have to find a host on the other side and break into its ssh
before you can do anything.

> But it also adds a layer of complexity, and complexity is
> the enemy of security. So the risk of an exploitable hole
> in OpenVPN would have to be provably so much lower than in
> SSH that the difference outweighs the increase of risk
> through added complexity. I don't know of any data to
> support that claim.

Since you have to (a) find the connection, and (b) still break ssh,
it seems logically more secure.  Or are you thinking of the probability
of a flaw in openvpn giving you arbitrary command access?  I suppose
you can't rule that out, but it is not as complicated as ssh so
probably less to go wrong.

>> Wide open sshd ports on the Internet are dangerous.
>
> That's a very bold statement. I guess its truth depends on
> your definition of "wide open". In fact I'd maintain that
> an open ssh port is less dangerous than most other open
> ports. (http, smtp, imap, to name a few)

You are pretty much guaranteed to get hacking attempts both by
password guessing and vulnerability probes on all of those
ports/services.

-- 
   Les Mikesell
     lesmikesell at gmail.com
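The layout Les describes above (OpenVPN on UDP with an HMAC key so unsigned probes get no answer, and sshd reachable only over the tunnel), as an added example that is not part of the thread and not OpenVPN's or OpenSSH's own code. The file names, the 10.8.0.0/24 tunnel subnet and the sshd listen address are assumptions for illustration; the two check functions only inspect config text and do not talk to either daemon.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal OpenVPN + sshd layout that
# matches the post's description, plus two checks that confirm the properties
# it relies on. File names, addresses and the 10.8.0.0/24 tunnel subnet are
# assumptions for illustration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed OpenVPN server config. `tls-auth ta.key 0` makes the daemon
# drop any UDP packet that lacks a valid HMAC, so an unsigned probe gets no
# reply at all and the port looks like a firewall DROP rule.
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
EOF

# Constructed sshd_config: sshd only listens on the tunnel address, so even a
# working VPN connection still leaves ssh to break, as the post argues.
cat > "$WORK/sshd_config" <<'EOF'
ListenAddress 10.8.0.1
PasswordAuthentication no
PermitRootLogin no
EOF

# A deliberately weak pair for comparison: TCP without an HMAC key (the port
# answers a scanner), and sshd listening on every interface.
cat > "$WORK/server-weak.conf" <<'EOF'
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
EOF
cat > "$WORK/sshd_config-weak" <<'EOF'
ListenAddress 0.0.0.0
EOF

# Succeeds only if the OpenVPN config uses UDP and an HMAC key
# (tls-auth or tls-crypt); without both, the port answers probes.
openvpn_is_stealthy() {
    grep -Eq '^[[:space:]]*proto[[:space:]]+udp' "$1" || return 1
    grep -Eq '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]+' "$1" || return 1
}

# Succeeds only if at least one ListenAddress is set and every one of them
# lies inside the given tunnel prefix (e.g. 10.8.0.).
sshd_bound_to_vpn() {
    cfg=$1; prefix=$2
    addrs=$(awk 'tolower($1)=="listenaddress" {print $2}' "$cfg")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case $a in
            "$prefix"*) ;;
            *) return 1 ;;
        esac
    done
}

# Stand-alone run: report whether each pair matches the layered layout.
for pair in "server.conf sshd_config" "server-weak.conf sshd_config-weak"; do
    set -- $pair
    if openvpn_is_stealthy "$WORK/$1" && sshd_bound_to_vpn "$WORK/$2" 10.8.0.; then
        echo "$1 + $2: matches the layered layout"
    else
        echo "$1 + $2: does NOT match"
    fi
done
```

On a real host you would point the two functions at /etc/openvpn/server.conf and /etc/ssh/sshd_config and still confirm with a packet capture from outside that UDP 1194 stays silent to unsigned traffic; the text check catches a config regression, not a running daemon started with different options.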