by peterwwillis 4638 days ago
If you're concerned enough to set up an SSH bastion host, do the right thing and set up a VPN. Not only is it a completely separate application (vs two SSH daemons which might both be exploited by a single 0day), it gives you fine-grained control over what users get access to what parts of the network, it doesn't magically grant a user shell, and ultimately allows for tunneling any network service without fumbling with SSH tunneling.

IMO, if your aim is to provide a clandestine entry point to your network, port knocking is amazingly effective. Your host can be completely silent on the internet and seemingly be offline but still provide network services. Keep a honeypot online on the same network and most attackers will be busy for weeks/months.
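
The port-knocking idea above, as an added example that is not part of the original thread: the authorisation logic a knock daemon runs over firewall DROP-chain log lines, requiring the knocks in order and within a time window (the log lines, ports, window and the year assumed for the syslog timestamps are all constructed for the example; actually opening the port to the source is a separate firewall action not shown here).

```python
import re
from datetime import datetime, timedelta

# Knock sequence a client must hit, in order, before the hidden service is opened to it.
# Constructed values for this example; a deployment picks its own.
KNOCK_SEQUENCE = (7000, 8000, 9000)
WINDOW = timedelta(seconds=10)
ASSUMED_YEAR = "2024"   # syslog lines carry no year; assumed for parsing only

# Constructed iptables-style LOG lines from the DROP chain (all knocks are dropped packets).
SAMPLE_LOG = """\
Jan  5 10:00:01 gw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=7000
Jan  5 10:00:02 gw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=8000
Jan  5 10:00:03 gw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=9000
Jan  5 10:00:04 gw kernel: KNOCK IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP DPT=7000
Jan  5 10:00:05 gw kernel: KNOCK IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP DPT=9000
Jan  5 10:00:06 gw kernel: KNOCK IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP DPT=8000
Jan  5 10:00:07 gw kernel: KNOCK IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP DPT=7000
Jan  5 10:00:30 gw kernel: KNOCK IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP DPT=8000
Jan  5 10:00:31 gw kernel: KNOCK IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP DPT=9000
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")

def parse(line):
    """Return (timestamp, source address, destination port) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(ASSUMED_YEAR + " " + m.group(1), "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))

def authorised_sources(log_text):
    """Return the set of sources that completed KNOCK_SEQUENCE in order within WINDOW."""
    state = {}          # src -> (index of next expected knock, time of first knock)
    opened = set()
    for line in log_text.splitlines():
        parsed = parse(line)
        if not parsed:
            continue
        ts, src, port = parsed
        idx, started = state.get(src, (0, ts))
        if idx > 0 and ts - started > WINDOW:
            idx = 0                     # too slow: partial sequence expired
        if port != KNOCK_SEQUENCE[idx]:
            idx = 0                     # wrong port: start over (this hit may itself be knock 1)
        if port == KNOCK_SEQUENCE[idx]:
            if idx == 0:
                started = ts
            idx += 1
        if idx == len(KNOCK_SEQUENCE):
            opened.add(src)             # full sequence seen: this source may be let in
            idx = 0
        state[src] = (idx, started)
    return opened
```

In the sample, only 203.0.113.5 qualifies: 192.0.2.9 knocks out of order and 198.51.100.77 exceeds the window between its first and second knock.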

1 comments

A VPN is also a fine answer. I'm marginally more worried about the code quality of something like openvpn than I am about openssh at this point, but six of one.

I think the "clandestine entry point" stuff is mostly a psychological benefit.

And it reduces junk in the log.