I'm with Jeremy here. All the production systems I manage run SSH on a weird
port that's usually not scanned by script kiddies' tools. That removes a lot
of jitter from our logs. On the other hand, there are not that many machines
that are accessible from the net by SSH.

The corporate security policy states, on the other hand, that remote
connections are only allowed over VPN. And that's the case for most
organizations out there. I would think it's kinda historical, as in the
telnet days, DES encryption was much better ;)

The only reason I'd see people use VPN + SSH is to use 2 different
encryption schemes, to make it twice as hard to get hacked. Having worked in
financial institutions in the past, I can assure you that's common practice.
They even bring up VPN tunnels on top of their LAN extensions, because they
cannot assume their carrier won't snoop on their traffic.

On Thu, Nov 26, 2009 at 10:47 AM, Jeremy <[email protected]> wrote:

> Stephane Bakhos wrote:
> >>> It's exciting to see so many people interested in using Linux more and
> >>> more.  I am often asked about setting up a "small server" for web,
> >>>
> >> Nice write up Jimmy, one other thing I do is to set the SSH listening
> >> port to be something non-standard. It is really just obscuring the fact
> >> SSH is there, but it stops all those logged intrusion attempts, and if
> >> you put the port up high, the server looks completely closed to incoming
> >> traffic on many port scans.
> >>
> >
> > Why not use a VPN like openvpn / gvpe / pptp?
> > You can just have sshd listen only to connections on the vpn.
> >
> > And if you really need to have sshd on a public ip from time to time, you
> > can use port knocking.
> What would a VPN give me that SSH does not? I mean I can even do SOCKS
> proxying over SSH. It would hide SSH, but it would expose a port for VPN.
>
> I find obscuring the SSH port is pretty much the same as port knocking
> (but less bother, plus I can access it from devices able to SSH but not
> to port knock), very few will bother finding it, and if they do, they
> can't brute force it for passwords anyways.
>
> Anyways, maybe someone could explain the merits of double encrypting as
> Stephane suggests. I suppose it could have helped with the debian ssh
> keygen debacle (but weren't VPN keys gen'd using same algo?).
>
> Jeremy
>
> PS: You can alias your ssh command to include the -p19092 (for example),
> same for SCP.
>
>
> _______________________________________________
> mlug mailing list
> [email protected]
> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>
-- 
:(){ :|:& };:
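The setup the thread circles around (sshd reachable only on the VPN side, on a non-standard port, keys only, and the client carrying the port in its config rather than a shell alias), written out as an added example. This is not configuration from either poster; the VPN address 10.8.0.1, the host alias `prodbox`, the user and key names are assumed values, and the port 19092 is borrowed from Jeremy's PS.

```text
# /etc/ssh/sshd_config (server side; 10.8.0.1 is an assumed VPN address)

# Weak: default port on every interface, password logins accepted,
# so every scanner sees the service and can start guessing.
#Port 22
#ListenAddress 0.0.0.0
#PasswordAuthentication yes

# Hardened: non-standard port, bound only to the VPN interface,
# public keys only, so finding the port still yields nothing to brute force.
Port 19092
ListenAddress 10.8.0.1
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
MaxAuthTries 3
# VERBOSE records the key fingerprint of each accepted login,
# which keeps the now much quieter auth log attributable.
LogLevel VERBOSE

# ~/.ssh/config (client side) - a Host stanza instead of a shell alias,
# so ssh, scp and sftp all pick up the port and the VPN address.
Host prodbox
    HostName 10.8.0.1
    Port 19092
    User admin
    IdentityFile ~/.ssh/id_prodbox
    IdentitiesOnly yes
```

After editing the server file, `sshd -t` checks the syntax before a restart; on the client, `ssh prodbox` and `scp file prodbox:` then need no `-p`/`-P` at all.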