
You're just trading sshd bugs for VPN bugs, in that case. Which are more likely? From what I know, I think I'll put my lot in with sshd. Perhaps I'm not well informed, though.

Also, sshd + fwknop (port knocking) is a very secure combo, IMO.



With openvpn (which is just ssl) you can simply not respond when someone presents a bad key.

openssh always responds (unless I've missed a recent feature), thus exposing which port it's listening on and that you sent a bad key.

The silent failure is preferable for this application.

Port knocking gives you a roughly equivalent layer.


And both these things you never do in production because it takes little effort to establish there must be a port open, whereas the cumulative time you'll spend tracking down whether it's a network issue or bad/wrong keys is just not worth it.

Not to mention: nobody's going to be brute-forcing properly generated keys remotely. And if they're not properly generated, you have much bigger problems.


openvpn, which is just ssl, was vulnerable to heartbleed.

Like the GP said - you're trading VPN bugs for SSH bugs - and experience shows that betting on SSH is generally wiser.

If you only need TCP/DNS and not a full-blown VPN, a program called sshuttle uses ssh+python to provide excellent seamless poor man's VPN. It's not perfect - e.g., you lose the ip src address on the forwarded connections - but it works amazingly well, much better than e.g. openvpn and most other vpn products I've used.


PubkeyAuthentication and disabling password logins help a lot too. I've also been using deny_hosts a lot over the last couple of years as an extra layer.
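The sshd_config settings the comment above refers to, worked through as an added example (not code from the thread or from OpenSSH itself): a constructed sample config with password and root logins still enabled is audited, rewritten to key-only authentication, and audited again. Directive names are the real OpenSSH ones; the sample values and the two helper functions are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample sshd_config fragment (not taken from any real host) that
# still allows password-style logins and direct root login.
SAMPLE_CONFIG='Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
'

# audit_sshd_config: print "WEAK <Directive>" for every directive whose value
# allows a password login path or root login; prints nothing when clean.
audit_sshd_config() {
    printf '%s' "$1" | awk '
        tolower($1)=="passwordauthentication" && tolower($2)!="no" { print "WEAK PasswordAuthentication" }
        tolower($1)=="challengeresponseauthentication" && tolower($2)!="no" { print "WEAK ChallengeResponseAuthentication" }
        tolower($1)=="permitrootlogin" && tolower($2)!="no" && tolower($2)!="prohibit-password" { print "WEAK PermitRootLogin" }
        tolower($1)=="pubkeyauthentication" && tolower($2)!="yes" { print "WEAK PubkeyAuthentication" }
    '
}

# harden_sshd_config: rewrite the fragment so only public-key authentication is
# accepted and root can log in with a key only; directives missing from the
# input are appended so the result does not fall back to sshd defaults.
harden_sshd_config() {
    printf '%s' "$1" | awk '
        BEGIN { pw=0; cr=0; pk=0; root=0 }
        tolower($1)=="passwordauthentication"          { print "PasswordAuthentication no"; pw=1; next }
        tolower($1)=="challengeresponseauthentication" { print "ChallengeResponseAuthentication no"; cr=1; next }
        tolower($1)=="pubkeyauthentication"            { print "PubkeyAuthentication yes"; pk=1; next }
        tolower($1)=="permitrootlogin"                 { print "PermitRootLogin prohibit-password"; root=1; next }
        { print }
        END {
            if (!pw)   print "PasswordAuthentication no"
            if (!cr)   print "ChallengeResponseAuthentication no"
            if (!pk)   print "PubkeyAuthentication yes"
            if (!root) print "PermitRootLogin prohibit-password"
        }
    '
}

# Usage: show the findings, harden, then confirm nothing is flagged.
echo "--- findings on sample config ---"
audit_sshd_config "$SAMPLE_CONFIG"
HARDENED=$(harden_sshd_config "$SAMPLE_CONFIG")
echo "--- hardened config ---"
printf '%s\n' "$HARDENED"
echo "--- findings on hardened config (expected: none) ---"
audit_sshd_config "$HARDENED"
```

The hardened output is what you would drop into `/etc/ssh/sshd_config` before running `sshd -t` and reloading; the audit function is the kind of check that belongs in a config-management test so the password path cannot quietly come back.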


That solution is secure, but I used the word "smarter" to describe the use of a VPN intentionally. You are introducing nonstandard practices (everybody knows what a VPN is and everybody's already able to deal with them) with nonstandard behavior (ever tried to debug fwknop? because I have) and creating an obscure way for your stuff to fail (and it will, at 3AM, and you will not be able to Google your way out of it).

And you're also manually creating SSH tunnels to do anything else inside that network, so you've got that going for you, too.

It's 2015. A VPN is the settled method for accessing sensitive services inside a private network. Doing otherwise may create great nerd cred but doesn't make you do your job better.


Why not just do away with port knocking and use keys?


sshd would still be authenticated. It's defense in depth.


