[lug] keeping up with attacks

Stephen Kraus ub3ratl4sf00 at gmail.com
Sat May 4 10:59:25 MDT 2019


The major difference is that, by trying to crack an OpenVPN box, you need to
guess username, password AND the certificate used. You can get a strong
externally generated RSA key generated too if you are really paranoid.

SSH: No fail2ban? Just keep guessing till you win. No cert guessing or
sniffing needed. Public key eliminates some of that, but it's still not good
practice to expose SSH.

On Sat, May 4, 2019, 12:38 PM Rob Nagler <nagler at bivio.biz> wrote:

> On Sat, May 4, 2019 at 10:15 AM Stephen Kraus wrote:
> > Why is your SSH public facing anyways? OpenVPN is free, set it up and
> > deny any SSH from external IPs. Best practice is to always use VPN or a
> > Jump Box to access SSH.
>
> I will fail my network security certification for saying this: OpenSSH is
> more secure than OpenVPN.
>
> They both use the same software encryption software so that's a wash. The
> difference is that OpenSSH is older and much more widely installed.
> Therefore, I trust it more than OpenVPN.
>
> Bastion hosts (your jump boxes) encourage chewy centers.
>
> Rob
>

