[clug] [OT] IP range of a domain?

Robert Brockway robert at timetraveller.org
Thu Jan 21 06:54:55 MST 2010


On Thu, 21 Jan 2010, Michael Cohen wrote:

> Robert,
> Can you explain to me the difference between running ssh and openvpn
> from a security or usability point of view? The OP wanted to block all
> IP addresses from ssh connections except a few selected ones
> presumably in order to limit the possibility of malicious attacks
> against the SSH service from the internet at large. If you are going
> to use openvpn then you would presumably also need to limit openvpn
> connections from all IP addresses except a few in order to limit the
> possibility of an attack against the openvpn service. From a security

Quite right :)   I considered going into this issue explicitly in my 
original post.

To use the ssh or openvpn server from a client with a dynamically assigned 
IP, the firewall must accept connections from at least a subset of the 
Internet.  If you know the address range of the ISP then you could limit 
access to that but the allowed range may still be quite large, and could 
change without notice.

> point of view there is no advantage for using openvpn over ssh - both
> are encrypted protocols (OpenSSH is possibly a lot more mature).

If ssh is configured to only use key auth then yes I would agree they are 
equivalent from a security POV.

> Also in my experience openvpn has rather poor security against DoS
> attacks. Since the default protocol is done over UDP if an attacker
> uses an openvpn client to connect with an incorrect certificate with
> source IP spoofed as if the packet is sent from the correct end point,
> it seems that the server will drop the entire incoming connection and
> desync the VPN disconnecting the proper connection. I came across this
> with misconfigured clients, but it can easily be done maliciously.

That's interesting.  I've run many OpenVPN servers since about 2004 and 
have never seen this problem.

> SSH is a VPN protocol in itself and is probably a lot more mature than

SSH can indeed be run as a VPN but it has one significant problem - it 
uses TCP.  I compared OpenVPN using TCP & UDP and for some types of 
connections the difference is massive.  Or as a friend in Brisbane put it 
"TCP over TCP is a bad idea".

It's also worth noting that SSH over VPN is a relatively recent addition, 
so while SSH is mature the VPN code may not be.

I have used SSH as a VPN when I've wanted a quick and dirty setup to test 
something.

Cheers,

Rob

-- 
Email: robert at timetraveller.org
IRC: Solver
Web: http://www.practicalsysadmin.com
I tried to change the world but they had a no-return policy
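As an added illustration of the two points discussed above (limiting sshd to an ISP's address range, and accepting only key auth), this is example code written for this page, not code from the original message or from OpenSSH. The address ranges and the sshd_config fragments are constructed samples, not real ISP allocations or a real host's configuration.

```python
import ipaddress

# Constructed sample: ISP ranges the admin decided to allow (documentation
# prefixes, not real allocations).
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/22"]

# Constructed sshd_config fragments: one with key-only auth, one where the
# "no" is only in a comment, so the OpenSSH default (password auth on) applies.
CONFIG_KEY_ONLY = """
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""
CONFIG_COMMENTED = """
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Map lowercase keyword -> value for the active (non-comment) lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts[key.lower()] = value.strip()
    return opts


def key_only_auth(text):
    """True when password and challenge-response auth are both off and
    public-key auth is on; unset keywords take OpenSSH's defaults."""
    o = parse_sshd_config(text)
    return (o.get("passwordauthentication", "yes") == "no"
            and o.get("challengeresponseauthentication", "yes") == "no"
            and o.get("pubkeyauthentication", "yes") == "yes")


def exposure(allowed):
    """How many source addresses the allow-list still admits."""
    return sum(ipaddress.ip_network(r).num_addresses for r in allowed)


def is_allowed(addr, allowed):
    """Would a connection from addr pass the source filter?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r) for r in allowed)
```

`exposure` makes the point in the reply concrete: even a short allow-list of ISP ranges admits far more than "a few selected" addresses.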

