Jan Claeys (HE12025-03-25):
> Jeremy insinuated that, not me, by saying that having SSH listening
> publicly is a bad idea, and that “a VPN” listening publicly is somehow
> safer.
First of all, I want to say that I hope this will not turn into one of those discussions where you try to gotcha everybody using every little detail; they turn boring very fast.

Second, I hope the context we are all thinking of is an ssh server and a VPN configured in a common way. A situation where the ssh server gives shell access to an account with possibly valuable data and possibly sudo privileges, not a situation where the ssh server somehow was configured to only be able to execute /usr/games/fortune. A situation where the VPN gives access to an internal network where sensitive services are listening but not where they are entirely open free-for-all.

That said, you seem to be missing a few key elements in your reasoning.

One of those points is that the consequences of a breach on ssh are orders of magnitude more severe than the consequences of a breach in the VPN. As a consequence, protecting ssh by having it inside the VPN only is a good idea even if the VPN is less secure than ssh.

Another of those points is that handshakes on VPN are usually much more lightweight than handshakes on ssh: less negotiation of ciphers, less logging. That means even if both ssh and the VPN are secure, it is better, in terms of CPU load, bandwidth burned and disk space consumed by logs, to have the failed attacks stop at the VPN than at ssh.

A third of those points is that ssh servers on the usual port are routinely subject to attempts, all the time. VPNs, not so much. So again, in terms of CPU, bandwidth, logs, hiding ssh behind the VPN will give benefits.

I grant you, most of those benefits can be obtained by just having ssh on an unusual port.

> As OpenSSH can be used as a VPN (if you want), a statement like that
> makes very little sense, unless SSH would be somehow less secure than
> all the other VPN solutions.

The performance of using ssh as a VPN rather than a proxy is very bad due to the piling up of TCP timeouts and retries. So although it is technically possible to use ssh as a VPN, nobody serious would call it a VPN, just as nobody serious would call FFmpeg a binary file manipulation tool, even though it is technically possible to read and write arbitrary parts of binary files with it.

Regards,

--
Nicolas George
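The recommendation above is to have sshd reachable only from inside the VPN. As an added example (not code from the thread), here is a small check that reads an sshd_config and reports every ListenAddress that is not confined to the VPN subnet; the sample config, the 10.8.0.0/24 VPN subnet and the interface address 10.8.0.1 are constructed for the example.

```python
import ipaddress
from typing import List

# Constructed sample sshd_config: one ListenAddress on the VPN interface
# and one wildcard that (wrongly) exposes sshd on every address.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed example)
Port 22
ListenAddress 10.8.0.1:22
ListenAddress 0.0.0.0
PasswordAuthentication no
"""


def parse_listen_addresses(config_text: str) -> List[str]:
    """Return the address part of every ListenAddress directive.

    Accepts "host", "host:port" and "[v6addr]:port"; comments are ignored.
    """
    addrs = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "listenaddress":
            continue
        value = parts[1].strip()
        if value.startswith("["):            # [2001:db8::1]:22
            value = value[1:value.index("]")]
        elif value.count(":") == 1:          # 10.8.0.1:22
            value = value.split(":", 1)[0]
        addrs.append(value)
    return addrs


def exposed_listeners(config_text: str, vpn_net: str) -> List[str]:
    """Return ListenAddress values that are not inside the VPN subnet.

    With no ListenAddress at all, sshd listens on every address, which
    is reported as the wildcard "0.0.0.0". Wildcards, addresses outside
    the subnet and unparsable hostnames are all flagged.
    """
    net = ipaddress.ip_network(vpn_net, strict=False)
    addrs = parse_listen_addresses(config_text) or ["0.0.0.0"]
    bad = []
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:                   # hostname: cannot verify it
            bad.append(addr)
            continue
        if ip.is_unspecified or ip not in net:
            bad.append(addr)
    return bad
```

Run it against the real file (for example, `exposed_listeners(open("/etc/ssh/sshd_config").read(), "10.8.0.0/24")`) and an empty list means every listener sits on the VPN side; pair it with a firewall rule on the public interface, since ListenAddress alone does not block traffic.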