[clug] [OT] IP range of a domain?

Michael Cohen scudette at gmail.com
Thu Jan 21 02:39:32 MST 2010


Robert,
  Can you explain to me the difference between running ssh to openvpn
from a security or usability point of view? the OP wanted to block all
IP addresses from ssh connections except a few selected ones
presumably in order to limit the possibility of malicious attacks
against the SSH service from the internet at large. If you are going
to use openvpn then you would presumably also need to limit openvpn
connections from all IP addresses except a few in order to limit the
possibility of an attack against the openvpn service. From a security
point of view there is no advantage to using openvpn over ssh - both
are encrypted protocols (OpenSSH is possibly a lot more mature).

Also in my experience openvpn has rather poor security against DoS
attacks. Since the default protocol is done over UDP if an attacker
uses an openvpn client to connect with an incorrect certificate with
source IP spoofed as if the packet is sent from the correct end point,
it seems that the server will drop the entire incoming connection and
desync the VPN, disconnecting the proper connection. I came across this
with misconfigured clients, but it can easily be done maliciously.

SSH is a VPN protocol in itself and is probably a lot more mature than
openvpn. From a usability perspective the extra complexity of routing
IP when SSH is all that's required does not make it easier to use
openvpn.

Michael.

On Thu, Jan 21, 2010 at 5:24 PM, Robert Brockway
<robert at timetraveller.org> wrote:
> On Thu, 21 Jan 2010, Carlo Hamalainen wrote:
>
>> I want to drop all incoming ssh connections to my server apart from a
>> few IP addresses plus my current home ADSL. When I had Internode I was
>
> Have you considered running a VPN between your server and your home DSL?
> This sidesteps the entire problem.   You can access your server over your
> VPN link and don't have to worry about allowing a dynamically assigned
> address through the firewall.  OpenVPN would accept connections from any
> address but it can use a key pair for authentication.
>
> If you do then OpenVPN is a good choice.
>
> Other options you may like to consider:
>
> * Blocking password access for ssh and using key auth only.
>
> * Enabling 'fail2ban' to block brute force attacks against sshd on the
> server, if you are using password auth.
>
> Cheers,
>
> Rob
>
> --
> Email: robert at timetraveller.org
> IRC: Solver
> Web: http://www.practicalsysadmin.com
> I tried to change the world but they had a no-return policy
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
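Rob's second suggestion, banning addresses that brute-force sshd, is what fail2ban does by reading the auth log. The script below is an added example written for this page, not code from the thread or from the fail2ban project: it applies the same idea (count failed logins per source address inside a sliding window, exempt a small allowlist of trusted addresses the way fail2ban's ignoreip does) to a few constructed syslog-style sshd lines. The log format, the trusted address, and the threshold and window values are assumptions chosen for the example; the default-looking numbers are fail2ban's documented maxretry and findtime defaults, but the detector itself is independent of fail2ban.

```python
"""Fail2ban-style brute-force detector over constructed sshd log lines.

Added example for this mailing-list thread, not code from the thread or from
fail2ban. It counts "Failed password" events per source address inside a
sliding time window and reports addresses that cross the threshold, skipping
a small allowlist of trusted addresses (the equivalent of fail2ban's ignoreip).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed classic syslog-style sshd failure line:
# "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] NAME from ADDR port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

TRUSTED = {"203.0.113.10"}  # constructed allowlist: never banned (like fail2ban ignoreip)
MAXRETRY = 5                # failures allowed inside the window (fail2ban default maxretry)
FINDTIME = 600              # window length in seconds (fail2ban default findtime)

# Constructed sample log: a slow scanner, a fast brute-forcer, and a trusted
# host that mistypes its password a few times. Syslog lines carry no year.
SAMPLE_LOG = """\
Jan 21 02:00:01 server sshd[1001]: Failed password for root from 192.0.2.5 port 40001 ssh2
Jan 21 02:00:05 server sshd[1002]: Failed password for root from 192.0.2.5 port 40002 ssh2
Jan 21 02:10:00 server sshd[1003]: Accepted publickey for carlo from 203.0.113.10 port 50000 ssh2
Jan 21 02:30:00 server sshd[1004]: Failed password for invalid user admin from 192.0.2.5 port 40003 ssh2
Jan 21 02:30:10 server sshd[1005]: Failed password for invalid user admin from 192.0.2.5 port 40004 ssh2
Jan 21 02:30:20 server sshd[1006]: Failed password for invalid user admin from 192.0.2.5 port 40005 ssh2
Jan 21 02:31:00 server sshd[1007]: Failed password for root from 198.51.100.7 port 41000 ssh2
Jan 21 02:31:01 server sshd[1008]: Failed password for root from 198.51.100.7 port 41001 ssh2
Jan 21 02:31:02 server sshd[1009]: Failed password for invalid user oracle from 198.51.100.7 port 41002 ssh2
Jan 21 02:31:03 server sshd[1010]: Failed password for invalid user test from 198.51.100.7 port 41003 ssh2
Jan 21 02:31:04 server sshd[1011]: Failed password for root from 198.51.100.7 port 41004 ssh2
Jan 21 02:31:05 server sshd[1012]: Failed password for root from 198.51.100.7 port 41005 ssh2
Jan 21 02:32:00 server sshd[1013]: Failed password for carlo from 203.0.113.10 port 50001 ssh2
Jan 21 02:32:03 server sshd[1014]: Failed password for carlo from 203.0.113.10 port 50002 ssh2
Jan 21 02:32:06 server sshd[1015]: Failed password for carlo from 203.0.113.10 port 50003 ssh2
Jan 21 02:32:09 server sshd[1016]: Failed password for carlo from 203.0.113.10 port 50004 ssh2
Jan 21 02:32:12 server sshd[1017]: Failed password for carlo from 203.0.113.10 port 50005 ssh2
"""


def parse_failure(line, year=2010):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # Syslog omits the year, so the caller supplies it (assumed 2010 here).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def find_offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME, trusted=TRUSTED):
    """Return {ip: time_of_ban} for addresses reaching maxretry failures within findtime seconds."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        ts, ip = parsed
        if ip in trusted or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        # Slide the window: drop failures older than findtime seconds.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

Run on the constructed log, only 198.51.100.7 is reported: 192.0.2.5 never has five failures inside a ten-minute window, and the trusted address is exempt no matter how often it fails. In production the ban decision would feed a firewall rule rather than a print statement, and a trusted allowlist should stay short for the reason Michael gives above: any address on it is back to relying on sshd's own authentication, so key-only auth matters more, not less.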

