Another basic thing that I would always do to secure a computer is to conceal it. You can very easily do this with OpenVPN using the tls-auth feature. The only thing that's facing the outside world, except possibly HTTP(S), is an OpenVPN that is silently listening on some UDP port-number. All other services such as SSH are listening only to the addresses exposed by OpenVPN: they are firewalled away from any contact to/from the outside world. There are tens of thousands of possible port-numbers to choose from.
With tls-auth, you must show that you possess a one-of-a-kind digital certificate before OpenVPN will even respond to your connection request. If you don't, it silently drops the packet, thus giving the "sniffer" no indication whatsoever that there is anything there. (The UDP protocol has no concept of "sockets," and therefore no detectable "open ports.")
Then, access is obtained only through a second, 4096-bit, one-of-a-kind digital certificate that is issued individually to each authorized user. (That certificate may or may not be password-protected [encrypted ...].)
When you present your first badge, the gatekeeper pays attention to you. If you possess a certificate that has not been revoked, you pass through the gantlet quickly and easily. And if you don't, then there's nothing you can do.
"Number of unauthorized SSH connection attempts?" Zero.
"Number of ports found in a port scan (other than maybe HTTP(S))?" Zero.
Quote:
You are standing outside a smooth, featureless, stone wall which cannot be climbed.
> read the entire dictionary out loud.
You've got a lot of time on your hands, don't you? ...
Done. Nothing happens.
An authorized user bearing a curious piece of paper steps up to the wall somewhere nearby, and after just a moment's pause passes right through it.
> Examine wall where the authorized user stood.
I can't find it. There is apparently nothing there.
> Walk through wall.
I apparently value my nose more than you do ...
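As an added example of the setup the post describes (not code from the original post or its author): the server-side OpenVPN directives, the sshd bind address and an nftables ruleset that leaves only the VPN's UDP port reachable from outside, plus a small check that a config actually has the UDP-plus-tls-auth shape. The port 41194, the tun0 interface, the 10.8.0.0/24 subnet and the file names ta.key and crl.pem are assumptions.

```shell
#!/bin/sh
# Assumed values (not from the post): any unused UDP port, the tunnel
# interface, the VPN subnet and the server's in-tunnel address.
VPN_PORT="${VPN_PORT:-41194}"
VPN_IF=tun0
VPN_NET=10.8.0.0/24
VPN_ADDR=10.8.0.1

# Server-side OpenVPN directives for the silent UDP listener.
openvpn_server_conf() {
  cat <<EOF
port $VPN_PORT
proto udp
dev $VPN_IF
server 10.8.0.0 255.255.255.0
# Pre-shared HMAC key (ta.key, assumed file name): packets that do not
# carry a valid HMAC are dropped before the server sends any reply.
tls-auth ta.key 0
# Client certificates are checked against the CRL, so revoked users are refused.
crl-verify crl.pem
verb 3
EOF
}

# sshd_config fragment: SSH listens only on the address inside the tunnel.
sshd_listen_conf() {
  printf 'ListenAddress %s\n' "$VPN_ADDR"
}

# nftables ruleset: default drop; only the OpenVPN UDP port is reachable
# from outside, and SSH is accepted solely on the tunnel from VPN clients.
firewall_rules() {
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    udp dport $VPN_PORT accept
    iifname "$VPN_IF" ip saddr $VPN_NET tcp dport 22 accept
    # Optional, as the post allows: tcp dport { 80, 443 } accept
  }
}
EOF
}

# Returns 0 only when a config file is a UDP listener protected by tls-auth.
check_conf() {
  grep -q '^proto udp$' "$1" && grep -q '^tls-auth ' "$1"
}
```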