On 16/02/18 22:35, Mark Williams wrote:

>> VPN servers are considerably more effort to implement and maintain
>> properly, but well worth it if you can.
>
> I'm curious, would you suggest a VPN or tunnelling desktop traffic over SSH as a
> more secure method to gain 'local' GUI access remotely? It's obviously possible to
> do a lot via SSH but in the instance of wanting a desktop experience remotely, do
> you think one creates a greater attack surface than the other?

VPN vs SSH usually comes down to other factors to be honest - either properly set up should be easily "secure enough" and do whatever you need it to. SSH more often than not is the flexible swiss army knife of remote access but normally reserved for the highly technical (devs and admins basically - you wouldn't let a normal user near SSH would you?!) whereas VPNs are basically required for normal staff and non-technical types.

As for attack surface, hmm, I'm really not sure... I'd like to say a single port SSHD instance seems like it has a smaller footprint and probably far fewer lines of code to go wrong compared to a VPN, and I *think* historically VPNs have had a lot more flaws in them as compared to SSH but it's not like I've bothered to actually look up figures or anything. Also I'm only really considering OpenVPN vs OpenSSH, and there are a lot of crappy VPN products out there.

Ultimately SSH vs VPN - especially as SSH can actually provide VPN-like transit as one of its countless 'special tricks' - normally ends up being an architectural decision. Does the client want/need to do the secure connection at Layer 2 or Layer 3?

> Do you think there's ever a case to use port knocking? I view it as a further
> layer through which bad actors must pass, before gaining access to the desired
> services. Not obscurity per se but a way of helping to mitigate bugs which
> invariably exist in most services by increasing the complexity involved in gaining
> unauthorised access to them in the first instance.

I do see what you mean to be fair - technically it is by definition still security through obscurity of course but I get your point. Especially if you're going into it with the full knowledge that it's not truly increasing security but can have an otherwise useful effect then who am I to say it has no value at all?

I have also experimented with it a bit myself over the years before losing interest a long time ago - mostly as a "get out of jail free" card when fiddling with remote access servers on a remote link where you're always worried you're going to lock yourself out after an SSH restart or something. It didn't work very well for that either, and it makes my iptables output look like hell.

> I changed the default SSH port for years before realising it was a stupid idea,
> not least because of this:
> https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

Oh hey, we've all been there - port X is getting battered on the load balancer/VPN concentrator/firewalls/whatever... We'll just move the port and remap all of our services! We're geniuses! Everything is solved! Who needs stupid RFCs and standardised service/port numbers! Hooray!

[one hour later]

Waaah, why does nothing work properly anymore?! Why is sendmail on port 12345? Why is SSH bound to 4 different unprivileged ports?! You're all fired!

The reason we've all stopped doing that is because it was really, really dumb for a lot of reasons. I bet you still come across people even now that *still* recommend it though!

Cheers

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq