this post was submitted on 18 May 2024
19 points (100.0% liked)

linux4noobs

1338 readers
1 users here now

linux4noobs


Noob Friendly, Expert Enabling

Whether you're a seasoned pro or the noobiest of noobs, you've found the right place for Linux support and information. With a dedication to supporting free and open source software, this community aims to ensure Linux fits your needs and works for you. From troubleshooting to tutorials, practical tips, news and more, all aspects of Linux are warmly welcomed. Join a community of like-minded enthusiasts and professionals driving Linux's ongoing evolution.


Seeking Support?

Community Rules

founded 1 year ago
MODERATORS
 

Hello I am wondering if there is increased network/packet security by connecting to a server over ssh through a VPN hosted by that same server as opposed to without first tunneling by VPN. I imagine with or without tunneling through a VPN there would be latency/speed differences too?

top 19 comments
sorted by: hot top controversial new old
[–] sxan@midwest.social 8 points 6 months ago (2 children)

Yes.

Using a VPN for all your traffic obscures your usage and hinders surveillance by your internet provider. If you ssh directly to your server, that's one extra bit of information (that you're ssh'ing into the server) your internet provider has about you. Whether this is significant or useful to the provider is questionable, but the short answer is "yes, it provides more security." That said, AI is probably being already used to do pattern analysis on traffic, and they might still be able to tell you're making an ssh connection, unless you're also constantly streaming through the VPN, too.

I'm going to get heat for this, but running a bitcoin wallet on your home computer - whether or not you actually have any coins or are mining - is a great way to generate a variable amount of constant traffic to an endpoint. Hosting a public IPFS, web site, torrent seeds, or Freenet node are also good ways, although some of those require opening ports to inbound connections and could invite attacks.

[–] Ponziani@sh.itjust.works 6 points 6 months ago

Thank you for this excellent answer

[–] refalo@programming.dev 2 points 5 months ago* (last edited 5 months ago) (1 children)

and hinders surveillance by your internet provider

Yes, but it also shifts all that surveillance capability directly to your vpn provider, of whom many are thought/known to be compromised or otherwise mishandle your data. I would argue VPN providers may even be more appropriately situated/equipped to analyze/hand over your data more easily than your local ISP.

Also, SSH does have some obscure design "issues" that might be applicable depending on your threat model, for example one can check if a user has a certain key on the remote end, if you care about that. There's probably more.

[–] sxan@midwest.social 1 points 5 months ago

It's true there's a trust shift; you have to trust someone, even if you're self- hosting your endpoint (unless you also own the hardware the endpoint is running on). The difference is that I can vet my VPN provider, look at third party reviews, and some even get audits... whereas it's been proven that Comcast and Verizon are inserting trackers into your packet data and selling the results.

Can you elaborate a little on why you think a VPN provider is better equipped to analyze or hand over data? On what basis?

[–] ziviz@lemmy.sdf.org 3 points 6 months ago (1 children)

VPN latency depends on tech used. OpenVPN is kinda slow and wireguard quite fast in my experience. That said, both work fine and I can't tell the speed difference unless I actually use a ton of data (streaming 4k hd videos, or transferring gigs of files or something). Regular ssh, I can't tell a difference.

[–] Ponziani@sh.itjust.works 1 points 5 months ago
[–] orcrist@lemm.ee 1 points 6 months ago (1 children)

Whenever we have a discussion about security, it's generally useful for us to talk about the types of attacks that we are trying to mitigate. What are some examples that you would be concerned about?

If your VPN is reasonably responsive, you probably won't notice a change in the latency. VPNs tend to have maximum top speeds, and if you were doing SFTP, there's a reasonable chance you would find that limit very quickly.

[–] Ponziani@sh.itjust.works 1 points 5 months ago

I am aware that opening / forwarding ports are attack vectors and they become unavoidable though if i need the vpn and ssh capability, however, in theory the ssh port could be closed/not forwarded if traffic/connection was tunneled through the VPN. Those are my thoughts

[–] harry315@feddit.de 1 points 6 months ago (1 children)

afaik accessing your SSH over Wireguard while making SSH only listen on local can help mitigate DOS attacks, as Wireguard, opposed to many other protocols, is silent by default, meaning an attacker won't see if you have a Server listening for incoming connections or if they are screaming into the void

[–] Ponziani@sh.itjust.works 2 points 5 months ago (1 children)

But wouldn't the port being open alert anyone who looks for that? Network security is not my specialty but I believe I have read that people can ping/scan ip addresses easily and quickly to determine if any ports are open / forwarded, so if Wireguard was used or any VPN software, they could pick up on that as an attack vector?

[–] towerful@programming.dev 3 points 5 months ago (1 children)

Wireguard uses UDP.
Wireguard also strives to be "silent" for bad traffic/connection attempts. I've tried a cursory look to find more information on it, but nothing that explains it simply.

Either way it doesn't turn up on port scans.

[–] Ponziani@sh.itjust.works 2 points 5 months ago (1 children)

But the router must forward the port to allow the VPN to be utilized , meaning that port being forwarded can be scanned/detected i thought?

[–] damium@programming.dev 3 points 5 months ago

It depends on how the router responds to other non-forwarded ports. For UDP an open port with no response is the same as a dropped packet. A scanner will only know if the device sends an ICMP response back to indicate that it is closed.

[–] lurch@sh.itjust.works 1 points 6 months ago (1 children)

It's likely more secure, but VPN increases attack vectors if one of your systems is compromised.

[–] Ponziani@sh.itjust.works 4 points 6 months ago (1 children)

Both require opening a port but theoretically ssh going through the vpn would mean port 22 does not need to be open/forwarded right, as opposed to both port 22 and whichever for the VPN open?

[–] lurch@sh.itjust.works 3 points 6 months ago (1 children)

The SSH port can be set to just accept connections from within the VPN.

However, what I meant is: VPN does allow for more than SSH. Let's assume something like you allowed your girlfriends phone to use your wifi, but she uses an app with a Chinese backdoor. The Chinese hacked your network printer which is available to all using the wifi. Your linux CUPS printing service talks to the printer and gets infected with a worm, but being linux it's confined within the things the cups user can access.

At that point the attacker/worm has no access to your personal files yet, except for what you print. Nor does the attacker/worm know about your server.

Now when you use just SSH it will likely stay that way.

If you use VPN though, it will allow the worm/attacker to find out about the existence of the server and send network traffic to your server. Hopefully, that doesn't get them far, but it's an additional attack vector they get.

[–] Ponziani@sh.itjust.works 2 points 5 months ago (1 children)

This is the first that I have heard about setting the SSH port to only accept connections from the VPN, is there a term or something I can search about this online? Or is this basically just allowing port 22 open on a device and not forwarding the port on the router as when a different device tunnels into the same network through the VPN it can already talk to the first device?

[–] lurch@sh.itjust.works 1 points 5 months ago* (last edited 5 months ago) (1 children)

You would either configure the Linux firewall of the router or server to drop everything on the SSH port not from the VPN IP/interface or change the ListenAdress in /etc/ssh/sshd , but be careful: Don't lock yourself out!

[–] Ponziani@sh.itjust.works 1 points 5 months ago

Thank you for the info! This is very helpful to me.