Re: defense-in-depth possible for sshd?




On 01/12/2012 10:31 AM, Tilman Schmidt wrote:
> Am 10.01.2012 19:05, schrieb Johnny Hughes:
> > Limit access to the sshd port from only authorized places ... and
> > the authorized places can be an openvpn type connection if you
> > always need access from different IPs.  If you have a laptop, put
> > an openvpn client on it and take it with you if you need access
> > from dynamic places. Connect the openvpn to the endpoint someplace
> > and then use that to connect to the sshd on the server via the
> > vpn.
>
> I'm not convinced that would actually improve security.
> What that does is replace the risk of intrusion via an sshd
> exploit by the risk of intrusion via an OpenVPN exploit.
> But it also adds a layer of complexity, and complexity is
> the enemy of security. So the risk of an exploitable hole
> in OpenVPN would have to be provably so much lower than in
> SSH that the difference outweighs the increase of risk
> through added complexity. I don't know of any data to
> support that claim.

Not at all ... you first have to crack the OpenVPN system to gain access
to the ssh port at all (that did not get you into the machine, it got
you an IP address that then allows you to TRY to access the machine) ...
THEN ... you still have to do all the things you need to do to the
openssl port to break into it.  Without OpenVPN, you only need to do the
second step and can totally skip the first.  It would therefore make an
actual machine breach exponentially harder.

>
> > Wide open sshd ports on the Internet are dangerous.
>
> That's a very bold statement. I guess its truth depends on
> your definition of "wide open". In fact I'd maintain that
> an open ssh port is less dangerous than most other open
> ports. (http, smtp, imap, to name a few)

No, it's not.  They need to use one of the other ports you mentioned to
gain access to a method to grab your shadow file.  Then after they gain
access to your shadow file, they figure out the root (or another user's)
password based on the hash ... then IF you have your ssh port
unrestricted they use what they gained to login to your machine and take
it over.

None of that can happen if you have restricted access to your openssh
port ...  they might find a password, but then they have no ability to
login to the machine.  If you have some kind of access restrictions to
the ssh port AND also do not allow password logins, but also require
keys (with a pass-phrase) to login ... then you have again made it
exponentially harder to hack into.



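As an added illustration (not code from this thread or from the CentOS project), the following script audits an sshd_config for the layers the reply describes: sshd bound only to the VPN address, password logins off, and key logins on. The config path and VPN address (10.8.0.1) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config against the
# layers described above: sshd reachable only on the VPN address, password
# logins off, key logins on. Path and VPN address are assumptions.
# Usage: audit_sshd_config /etc/ssh/sshd_config 10.8.0.1   (exit status = failures)

# Effective value of a keyword: sshd honours the FIRST occurrence (later
# duplicates are ignored) and lines inside a "Match" block are conditional,
# so both are skipped here. Commented-out lines never match.
sshd_opt() { # $1=config file  $2=keyword (case-insensitive)  $3=default
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match"                           { inmatch = 1 }
        !inmatch && !done && tolower($1) == tolower(key) { print $2; done = 1 }
        END { if (!done) print def }' "$1"
}

# Every ListenAddress must be the VPN address; no ListenAddress at all means
# sshd binds every interface, which is the "wide open" case.
listens_only_on() { # $1=config file  $2=vpn address
    awk -v vpn="$2" '
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == "listenaddress" { n++; if ($2 != vpn) bad++ }
        END { exit (n == 0 || bad > 0) }' "$1"
}

audit_sshd_config() { # $1=config file  $2=vpn address; returns failure count
    fails=0
    check() { # $1=description  $2=actual  $3=expected
        if [ "$2" = "$3" ]; then echo "ok   $1 ($2)"
        else echo "FAIL $1 (is $2, want $3)"; fails=$((fails + 1)); fi
    }
    check "sshd listens only on VPN address $2" \
        "$(listens_only_on "$1" "$2" && echo yes || echo no)" yes
    check "PasswordAuthentication off" "$(sshd_opt "$1" PasswordAuthentication yes)" no
    # With UsePAM, keyboard-interactive auth can still prompt for a password,
    # so this second password path must be off too (older keyword name shown).
    check "ChallengeResponseAuthentication off" \
        "$(sshd_opt "$1" ChallengeResponseAuthentication yes)" no
    check "PubkeyAuthentication on" "$(sshd_opt "$1" PubkeyAuthentication yes)" yes
    return "$fails"
}
```

Restricting the port with a firewall rule instead of ListenAddress is an equally valid form of the first layer; the script only checks the sshd side.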

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
