On Wed, Mar 26, 2025 at 05:21:53AM +0800, jeremy ardley wrote:
>
> On 25/3/25 23:22, Jan Claeys wrote:
> > On Mon, 2025-03-24 at 12:39 +0800, jeremy ardley wrote:
> > > I should mention that having an internet facing ssh service is
> > > usually a very bad idea. The 'better' approach is to have only a VPN
> > > exposed and use heavy security on that. Once the VPN link is
> > > established you can ssh through the VPN to internal systems.
> > Why do you think SSH is less secure than any other VPN ?
> >
>
> One reason to choose VPN over ssh is that many ISPs block incoming ports
> including ssh, telnet, RDP, smtp, and smb ports.
>
> The more extreme ones block outgoing connections on most of those
> ports as well.
I was once sitting at a $(DAYJOB) where they blocked everything but 443 (and 80). I tunneled ssh over socat (with TLS, so that the handshake didn't look suspect, in case their firewall sniffed that). Bonus: I got to see whether they did MITM, since I made my own server and client certs.

Bigcorps are like that. It was not that the firewall department didn't want to talk to me. It was that they bought a "product" without really understanding how it works.

Cheers
-- 
t
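The tunnel described in the message above, written out as an added example (it is not code from the thread or from either poster): sshd stays on localhost, socat terminates mutually authenticated TLS on port 443 in front of it, and the client uses a matching socat invocation as an ssh ProxyCommand. The host name `vps.example.net`, the `tunnel-pki` directory, the client CN `laptop`, the 825-day validity and the assumption that sshd listens on 127.0.0.1:22 are all illustrative choices, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the thread): ssh wrapped in TLS on port 443 with
# socat and a private CA, so that both ends authenticate each other.
# Host name, port, directory, CN values and validity period are assumptions.
set -eu

PKI_DIR="${PKI_DIR:-$PWD/tunnel-pki}"         # assumed location of CA and certs
TUNNEL_PORT="${TUNNEL_PORT:-443}"             # the one port the firewall lets through
SERVER_NAME="${SERVER_NAME:-vps.example.net}" # assumed: a host you control outside

# Issue a private CA plus one server and one client certificate.
# Nothing chains to a public CA on purpose: a TLS-intercepting middlebox can
# only present a cert from its own CA, which neither end trusts.
gen_pki() {
  mkdir -p "$PKI_DIR"
  (
    cd "$PKI_DIR"
    openssl req -x509 -newkey rsa:3072 -nodes -days 825 \
      -subj "/CN=tunnel-ca" -keyout ca.key -out ca.pem
    for role in server client; do
      if [ "$role" = server ]; then cn="$SERVER_NAME"; else cn="laptop"; fi
      openssl req -newkey rsa:3072 -nodes -subj "/CN=$cn" \
        -keyout "$role.key" -out "$role.csr"
      openssl x509 -req -in "$role.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -days 825 -out "$role.pem"
    done
    chmod 600 ./*.key
  )
}

# Server side: terminate TLS on the tunnel port, require a client cert signed
# by our CA (verify=1 + cafile), and hand the plaintext stream to local sshd.
# Port scanners hitting 443 never get an SSH banner: no client cert, no stream.
server_socat_cmd() {
  printf 'socat OPENSSL-LISTEN:%s,reuseaddr,fork,cert=%s/server.pem,key=%s/server.key,cafile=%s/ca.pem,verify=1 TCP:127.0.0.1:22\n' \
    "$TUNNEL_PORT" "$PKI_DIR" "$PKI_DIR" "$PKI_DIR"
}

# Client side, used as an ssh ProxyCommand: present our client cert and accept
# the server only if its cert chains to our CA and carries the expected name.
# If the corporate firewall intercepts TLS, this handshake fails with a
# certificate verify error before ssh sends a byte: that failure is the
# MITM detector the poster mentions.
client_proxy_cmd() {
  printf 'socat STDIO OPENSSL:%s:%s,cert=%s/client.pem,key=%s/client.key,cafile=%s/ca.pem,verify=1,openssl-commonname=%s\n' \
    "$SERVER_NAME" "$TUNNEL_PORT" "$PKI_DIR" "$PKI_DIR" "$PKI_DIR" "$SERVER_NAME"
}

# An ~/.ssh/config stanza so that "ssh via443" uses the tunnel transparently.
# ssh's own host-key verification still runs inside the TLS stream.
ssh_config_stanza() {
  printf 'Host via443\n    HostName %s\n    ProxyCommand %s\n' \
    "$SERVER_NAME" "$(client_proxy_cmd)"
}

case "${1:-}" in
  pki)    gen_pki ;;
  server) server_socat_cmd ;;
  client) client_proxy_cmd ;;
  config) ssh_config_stanza ;;
  *)      echo "usage: $0 {pki|server|client|config}" ;;
esac
```

Run `pki` once, copy `ca.pem` plus `server.pem`/`server.key` to the outside host and `ca.pem` plus `client.pem`/`client.key` to the laptop, start the `server` command there (under an unprivileged account; socat only needs to bind 443) and append the `config` output to `~/.ssh/config`. Two properties matter for the firewall case: the wire looks like an ordinary TLS handshake to 443, and because both certificates are pinned to a CA nobody else holds, an interception box can neither impersonate the server to the client nor complete a handshake with the server, so interception shows up as a hard verify failure rather than as silently decrypted traffic.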