[lug] keeping up with attacks

Stephen Kraus ub3ratl4sf00 at gmail.com
Sat May 4 11:07:42 MDT 2019


Caveat: Everything is vulnerable with time. No safe is uncrackable. But the
more layers the better, and the more time it gives you to notice and
respond to an incident.

Forgot: moving SSH to a non-standard port and using keypairs, and deny root
from ssh is acceptable in my book.

On Sat, May 4, 2019, 12:59 PM Stephen Kraus <ub3ratl4sf00 at gmail.com> wrote:

> The major difference is that, by trying to crack an OpenVPN box, you need
> to guess username, password AND the certificate used. You can get a strong
> externally generated RSA key generated too if you are really paranoid.
>
> SSH: No fail2ban? Just keep guessing till you win. No cert guessing or
> sniffing needed. Public key eliminates some of that, but it's still not good
> practice to expose SSH.
>
> On Sat, May 4, 2019, 12:38 PM Rob Nagler <nagler at bivio.biz> wrote:
>
>> On Sat, May 4, 2019 at 10:15 AM Stephen Kraus wrote:
>> > Why is your SSH public facing anyways? OpenVPN is free, set it up and
>> deny any SSH from external IPs. Best practice is to always use VPN or a
>> Jump Box to access SSH.
>>
>> I will fail my network security certification for saying this: OpenSSH is
>> more secure than OpenVPN.
>>
>> They both use the same encryption software so that's a wash. The
>> difference is that OpenSSH is older and much more widely installed.
>> Therefore, I trust it more than OpenVPN.
>>
>> Bastion hosts (your jump boxes) encourage chewy centers.
>>
>> Rob
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
>
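Added example, not code from anyone in this thread: a small Python audit of an sshd_config against the advice at the top of this message (non-standard port, key pairs only, root login denied). It assumes OpenSSH's documented defaults and its first-value-wins rule for repeated keywords; the sample configs are constructed.

```python
# sshd takes the first value seen for each keyword and keys are case-insensitive;
# the defaults below follow sshd_config(5) (assumed, not taken from the thread).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Effective global settings: first match wins, stop at the first Match block."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything after Match is conditional, not a global setting
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings

def audit(text):
    """Findings against the thread's advice; an empty list means it complies."""
    s = parse_sshd_config(text)
    findings = []
    if s["port"] == "22":
        findings.append("Port: still the default 22")
    if s["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin: should be 'no'")
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication: should be 'no' (keys only)")
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication: should be 'yes'")
    return findings

SAMPLE_WEAK = "#Port 2222\nPermitRootLogin yes\nPasswordAuthentication yes\n"  # constructed
SAMPLE_HARDENED = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
                   "PubkeyAuthentication yes\nMatch User backup\n"
                   "    PasswordAuthentication yes\n")  # constructed; Match is ignored
if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg) or "OK")
```

Note that the commented-out `#Port 2222` in the weak sample is reported as a finding, since sshd still listens on 22.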