[clug] [OT] IP range of a domain?
Robert Brockway
robert at timetraveller.org
Thu Jan 21 06:54:55 MST 2010
On Thu, 21 Jan 2010, Michael Cohen wrote:
> Robert,
> Can you explain to me the difference between running ssh to openvpn
> from a security or usability point of view? the OP wanted to block all
> IP addresses from ssh connections except a few selected ones
> presumably in order to limit the possibility of malicious attacks
> against the SSH service from the internet at large. If you are going
> to use openvpn then you would presumably also need to limit openvpn
> connections from all ip addresses except a few in order to limit the
> possibility of an attack against the openvpn service. From a security
Quite right :) I considered going in to this issue explicitly in my
original post.
To use the ssh or openvpn server from a client with a dynamically assigned
IP, the firewall must accept connections from at least a subset of the
Internet. If you know the address range of the ISP then you could limit
access to that, but the allowed range may still be quite large, and could
change without notice.
> point of view there is no advantage for using openvpn over ssh - both
> are encrypted protocols (OpenSSH is possibly a lot more mature).
If ssh is configured to only use key auth then yes I would agree they are
equivalent from a security POV.
> Also in my experience openvpn has rather poor security against DoS
> attacks. Since the default protocol is done over UDP if an attacker
> uses an openvpn client to connect with an incorrect certificate with
> source IP spoofed as if the packet is sent from the correct end point,
> it seems that the server will drop the entire incoming connection and
> desync the VPN disconnecting the proper connection. I came across this
> with misconfigured clients, but it can easily be done maliciously.
That's interesting. I've run many OpenVPN servers since about 2004 and
have never seen this problem.
> SSH is a VPN protocol in itself and is probably a lot more mature than
SSH can indeed be run as a VPN but it has one significant problem - it
uses TCP. I compared OpenVPN using TCP & UDP and for some types of
connections the difference is massive. Or as a friend in Brisbane put it,
"TCP over TCP is a bad idea".
It's also worth noting that SSH over VPN is a relatively recent addition,
so while SSH is mature the VPN code may not be.
I have used SSH as a VPN when I've wanted a quick and dirty setup to test
something.
Cheers,
Rob
--
Email: robert at timetraveller.org
IRC: Solver
Web: http://www.practicalsysadmin.com
I tried to change the world but they had a no-return policy
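The two points Rob agrees with above (whichever service is exposed needs the same source-address restriction, and ssh is only on a par with OpenVPN when it is key-only) as a small Python audit script. This is an added example, not code from the thread or from either project; the ISP ranges, the sample sshd_config text and the port numbers it uses are constructed, and the "missing directive means enabled" defaults are a conservative assumption for an audit, not a statement about any particular OpenSSH release.

```python
"""Restrict ssh and OpenVPN to a set of source ranges and check that sshd
is key-only.  Added example; all inputs below are constructed."""
import ipaddress
import re

SSH_PORT = 22          # tcp
OPENVPN_PORT = 1194    # udp, OpenVPN's default

# Hypothetical ISP ranges the roaming client might come from (constructed).
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/22"]


def parse_ranges(cidrs):
    """Turn CIDR strings into network objects, merging adjacent/overlapping ones."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(src_ip, cidrs=ALLOWED_RANGES):
    """Would a packet from src_ip pass the allow list?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in parse_ranges(cidrs))


def firewall_rules(cidrs=ALLOWED_RANGES):
    """iptables rules allowing both services only from the ranges and dropping
    the rest.  Both get the same treatment: exposing either one to the whole
    Internet is exactly what the original poster wanted to avoid."""
    rules = []
    for net in parse_ranges(cidrs):
        rules.append(f"-A INPUT -p tcp --dport {SSH_PORT} -s {net} -j ACCEPT")
        rules.append(f"-A INPUT -p udp --dport {OPENVPN_PORT} -s {net} -j ACCEPT")
    rules.append(f"-A INPUT -p tcp --dport {SSH_PORT} -j DROP")
    rules.append(f"-A INPUT -p udp --dport {OPENVPN_PORT} -j DROP")
    return rules


# What "key auth only" means for sshd_config.  Values are compared lower-cased.
KEY_ONLY = {
    "pubkeyauthentication": ("yes",),
    "passwordauthentication": ("no",),
    "challengeresponseauthentication": ("no",),
    "permitrootlogin": ("no", "prohibit-password", "without-password"),
}
# Assumption for the audit: a directive that is absent counts as enabled.
DEFAULTS = {k: "yes" for k in KEY_ONLY}


def sshd_effective(config_text):
    """Effective global directives: first occurrence wins, '#' starts a comment,
    'Key value' and 'Key=value' are both accepted.  Parsing stops at the first
    Match block, whose settings are conditional and must be reviewed by hand."""
    eff = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.+)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "kbdinteractiveauthentication":   # newer spelling of the same knob
            key = "challengeresponseauthentication"
        eff.setdefault(key, val)
    return eff


def key_only_failures(config_text):
    """List of (directive, effective value) that break the key-only requirement."""
    eff = sshd_effective(config_text)
    failures = []
    for key, wanted in KEY_ONLY.items():
        got = eff.get(key, DEFAULTS[key]).lower()
        if got not in wanted:
            failures.append((key, got))
    return failures


# Constructed sample configs.
GOOD_SSHD_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no   # keys only
ChallengeResponseAuthentication no
PermitRootLogin no
"""
BAD_SSHD_CONFIG = """
Port 22
PermitRootLogin=yes
"""

if __name__ == "__main__":
    print("\n".join(firewall_rules()))
    print("good config failures:", key_only_failures(GOOD_SSHD_CONFIG))
    print("bad config failures:", key_only_failures(BAD_SSHD_CONFIG))
```

The firewall half only helps while the ISP range stays accurate; when it changes without notice the roaming client is locked out, which is the trade-off Rob describes above. The sshd check deliberately treats a missing directive as enabled, so a config that relies on compiled-in defaults is reported rather than silently trusted.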