"Number of unauthorized access attempts: Zero."
by sundialsvcs from LinuxQuestions.org on (#5H54T)
Most people depend on ssh to provide a necessary "back door" into the various systems that they are responsible for. However, often within a matter of minutes, they find that their server logs are pounded with "unauthorized access attempt" messages that are coming from literally everywhere on earth. Somehow, they discovered that your IP-address existed, and that you were running sshd on it. They promptly began firing torpedoes. And, they will never stop.
There is, however, "a better way," and that "better way" is OpenVPN, using digital certificates and tls-auth. You pre-supply each authorized accessor ... such as yourself ... with a pair of digital credentials that can never be "hacked." You place this as an outer perimeter through which everyone must pass to reach anything "juicier." Then, you make it ... invisible!
(Necessarily, the remainder of this post is an introduction ... to ideas expounded upon by a legion of Internet posts.)
OpenVPN acts as "a secure TCP/IP router, implemented in software." It acts as a gateway to your "internal" network, including your sshd server. All of these services expose themselves only to the internal network - none to the outside world. Therefore, to reach any of it, you must "pass through the gateway door." However, it now becomes ... a secret(!!) door. If you are authorized to enter it, you pass right through. If not, you cannot discover(!!) that it even exists.
Unlike sshd, OpenVPN uses the "udp" layer of networking to communicate - so, there are no ("tcp/ip" ...) sockets to detect. "Port scans" fail because: there are no ports. Your opponent is forced to "shoot datagrams into the dark," and it literally cannot discover that your OpenVPN server is even present, unless that server responds. And, this is where tls-auth comes in.
tls-auth installs an "outside the portcullis, and beyond the drawbridge" layer of defenses. Unless the supplicant can demonstrate that it possesses the (separate ...) "tls-auth digital certificate," the server won't even answer, which means that an intruder can never discover that "the secret door" exists, let alone attempt to enter it.
In this way, the "number of unauthorized access attempts" instantly drops to zero. They don't bother your sshd server simply because they can never get that far, because the server exposes itself only to the internal network, not to the public internet.
Digital certificates, available only to those who managed to pass the drawbridge and the portcullis, are the next equally-impenetrable line of defense. "Either you possess a [unique ...] cryptographic key, which has not been individually revoked, or you do not."
Only if you successfully "establish the tunnel" in this way do you ever get the chance to use the ssh command ... or anything else. (Likewise, perhaps, to "connect to some internal website.")
So ... here is a strategy that is simultaneously impenetrable and(!) convenient. Authorized users, possessing both keys, pass swiftly through the drawbridge and the portcullis without realizing that it is even there. Meanwhile, the legions of automated attackers pass it by - also never realizing that it is there.
... and your "security log" is deserted.
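As an added, concrete illustration of the arrangement the post describes (this is editor-supplied example configuration, not anything from sundialsvcs' post), here is a minimal OpenVPN server config, the matching client profile, and the sshd drop-in that keeps ssh reachable only through the tunnel. The hostname vpn.example.com, the client name "alice", the 10.8.0.0/24 tunnel network, and the file paths are all assumptions; the PKI files (ca.crt, server.crt, server.key, dh.pem, crl.pem, alice.crt, alice.key) are assumed to have been produced with easy-rsa or equivalent, and ta.key with `openvpn --genkey --secret ta.key`. The same ta.key must be copied to every client out of band; the `0`/`1` argument to `tls-auth` is the key direction and must differ between server and clients.

```conf
# ---- /etc/openvpn/server/server.conf (assumed path) ----
port 1194
proto udp
dev tun

# PKI: CA, server certificate and key, DH parameters, and the
# revocation list so that an individual client key can be revoked.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem

# tls-auth: every control-channel packet must carry an HMAC made with
# the pre-shared ta.key. A datagram without a valid HMAC is dropped
# before any reply is sent, which is what makes the port look dead.
# Key direction 0 on the server, 1 on clients.
tls-auth ta.key 0
# On OpenVPN 2.4+ the single line "tls-crypt ta.key" (no direction
# argument, same line on both sides) can replace tls-auth and also
# encrypts the control channel.

# Only accept client certificates that were issued as client certs,
# so a server certificate cannot be replayed as a client.
remote-cert-tls client
tls-version-min 1.2

# Tunnel network handed to clients; the server takes 10.8.0.1.
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
# Drop privileges after startup ("group nobody" on RHEL-style systems).
user nobody
group nogroup
verb 3

# ---- alice.ovpn, the client profile (assumed name) ----
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
ca ca.crt
cert alice.crt
key alice.key
# Refuse to talk to anything that does not present a server certificate.
remote-cert-tls server
tls-version-min 1.2
# Same pre-shared key as the server, opposite direction.
tls-auth ta.key 1
persist-key
persist-tun
verb 3

# ---- /etc/ssh/sshd_config.d/vpn-only.conf (OpenSSH 8.2+ drop-in) ----
# Bind sshd to the tunnel address only; a ListenAddress line replaces
# the default of listening on every interface, so port 22 is no longer
# reachable from the public side at all.
ListenAddress 10.8.0.1
```

A practical check after deploying this: from an outside host, `nmap -sU -p 1194 vpn.example.com` reports the port as `open|filtered`, which is exactly what it reports for a UDP port with nothing behind it, because the server never answers a probe that lacks the tls-auth HMAC. Also confirm with `ss -lntu` on the server that sshd now listens only on 10.8.0.1:22. One caveat: if ta.key leaks, only the "invisibility" layer is lost; the client certificate and the CRL still gate the tunnel, so keep the CRL current and re-issue ta.key when a client device is lost.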