On 1/12/2012 5:25 PM, Johnny Hughes wrote:
> On 01/12/2012 10:31 AM, Tilman Schmidt wrote:
>> On 10.01.2012 19:05, Johnny Hughes wrote:
>>> Limit access to the sshd port from only authorized places ... and
>>> the authorized places can be an openvpn type connection if you
>>> always need access from different IPs. If you have a laptop, put
>>> an openvpn client on it and take it with you if you need access
>>> from dynamic places. Connect the openvpn to the endpoint someplace
>>> and then use that to connect to the sshd on the server via the
>>> vpn.
>>
>> I'm not convinced that would actually improve security.
>> What that does is replace the risk of intrusion via an sshd
>> exploit by the risk of intrusion via an OpenVPN exploit.
>> But it also adds a layer of complexity, and complexity is
>> the enemy of security. So the risk of an exploitable hole
>> in OpenVPN would have to be provably so much lower than in
>> SSH that the difference outweighs the increase of risk
>> through added complexity. I don't know of any data to
>> support that claim.
>
> Not at all ... you first have to crack the OpenVPN system to gain access
> to the ssh port at all (that did not get you into the machine, it got
> you an IP address that then allows you to TRY to access the machine) ...

I think Tilman is saying that rather than "cracking" OpenVPN in the sense of tricking it into allowing you access, you could find an exploit in OpenVPN where simply sending the right packets to the OpenVPN server would allow you to execute arbitrary code as root on the server, the same way as an attacker might try to do to the sshd server.

Or is there a reason that an exploit against OpenVPN would be less powerful than an exploit against sshd?

This came up earlier, and you said that OpenVPN has had far fewer such exploits logged against it than sshd. In that case it really would be more secure, but not because it provides an extra "layer", but rather simply because exploits against it are more rare.
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
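The setup Johnny describes (sshd reachable only from clients that are already inside the OpenVPN tunnel) is usually implemented with a host firewall plus an sshd bind address. The script below is an added example, not code from the thread or from CentOS; the tunnel interface `tun0`, the client subnet `10.8.0.0/24` and the server's tunnel address `10.8.0.1` are assumed values that match OpenVPN's common defaults. It emits the rules rather than applying them unless asked, so the result can be reviewed first.

```shell
#!/bin/sh
# Added example: restrict sshd to connections arriving over the OpenVPN tunnel.
# Interface, subnet and tunnel address are assumptions, adjust for your server.
VPN_IF="${VPN_IF:-tun0}"            # assumed OpenVPN tunnel interface
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # assumed OpenVPN client subnet
VPN_ADDR="${VPN_ADDR:-10.8.0.1}"    # assumed server address inside the tunnel
SSH_PORT="${SSH_PORT:-22}"

# iptables rules, one command per line: accept new SSH sessions only when they
# arrive on the tunnel interface from the tunnel subnet, drop every other attempt.
# Nothing is executed here, so the rule set can be inspected before applying.
ssh_rules() {
    printf '%s\n' \
      "iptables -A INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP"
}

# sshd_config fragment: bind sshd only to the tunnel address, so even if the
# firewall rules are flushed the daemon is not listening on the public address.
sshd_listen_lines() {
    printf '%s\n' \
      "ListenAddress $VPN_ADDR" \
      "Port $SSH_PORT"
}

# Sanity check before applying: a typo in VPN_IF would otherwise lock out every
# remote admin, since the DROP rule still applies. Returns 0 when exactly one
# ACCEPT rule references the tunnel interface.
rules_are_sane() {
    [ "$(ssh_rules | grep -c -- "-i $VPN_IF .*-j ACCEPT")" -eq 1 ]
}

# Apply the rules for real (requires root); refuses to run if the check fails.
apply_ssh_rules() {
    rules_are_sane || { echo "refusing to apply: no ACCEPT rule for $VPN_IF" >&2; return 1; }
    ssh_rules | while IFS= read -r cmd; do $cmd; done
}

if [ "${1:-}" = "--apply" ]; then
    apply_ssh_rules
else
    echo "# firewall rules:"; ssh_rules
    echo "# sshd_config fragment:"; sshd_listen_lines
fi
```

Two practical points follow from this layout. The sshd bind address and the firewall rule are independent controls, so a mistake in one does not by itself expose the port. And because every SSH session now depends on the tunnel being up, out-of-band console access (or a separate management path) is needed for the case where OpenVPN itself is down.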