Re: OpenSSH 3.4p1 Trouble on SCO 5.0.5 -- use a VPN instead?
On Wed, 26 Mar 2008, Bill Campbell wrote:

On Wed, Mar 26, 2008, jd wrote:


On Wed, 26 Mar 2008, Nico Kadel-Garcia wrote:

On 25 Mar, 09:12, Rob <r...@xxxxxxxxxxx> wrote:

Steve,

what about using tcp_wrappers to perform a "route delete" on the offending IP?

If memory serves, there was a port of tcp_wrappers for SCO OS5, TLS076a,
on the FTP site:

ftp://ftp.sco.com/pub/TLS/tls076a.tcp_wrappers.tar.Z

Hope this helps!

If our faithful here only needs SSH access from a small set of well-
maintained sites, that might work well. However, if he has clients who
use NAT on their ISP networks (such as AOL, which uses 10.* internal
addresses), then tcp_wrappers will block the NAT and everything
behind the NAT server.

We use tcp_wrappers extensively, and absolutely require it when
allowing username/password authentication via SSH. Normally we
only permit authentication via authorized_keys, with good
passphrases, with tcp_wrappers not restricting sshd access (it's used
for many other services).

Then perhaps a VPN (such as OpenVPN) is a more appropriate solution for
remote access, instead of SSH (although SSH can be used over the VPN).

OpenVPN is great -- unless one has high packet loss as it
normally runs with UDP.

It can run over TCP, but I am not sure why you would want to do this. If you get dropped packets when running TCP over TCP, which layer requests that the packets should be re-sent? What happens if both TCP layers request a re-send?

Any VPN is not going to work well with a high packet loss, but then SSH probably won't work well either.

I found a discussion on the web and the consensus seemed to be that the only case where using TCP for the transport layer would be sensible is when tunnelling a UDP protocol that requires a reliable connection (e.g. tunnelling NFS using its default UDP protocol).
http://www.google.com/search?q=%22Terrible+performance+issues%22+openvpn+udp+tcp&hl=en&safe=off&client=mozilla&rls=org.mozilla:en-US:unofficial&filter=0
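The tcp_wrappers suggestion and the NAT caveat raised in the thread can be checked before touching a production box. The script below is an added example written for this page, not code from the thread or from the tcp_wrappers distribution: it dry-runs the documented hosts.allow / hosts.deny matching order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted) against constructed sample files. The file contents, the RFC 5737 addresses and the daemon name `sshd` are assumptions for illustration; the real `tcpdmatch` utility shipped with tcp_wrappers is what you would run against the live files on the SCO box. Hostname patterns, KNOWN/UNKNOWN/PARANOID and the full option language are not modelled.

```python
"""Dry-run tcp_wrappers access decisions (constructed example, not tcpd).

Models: ALL, exact IPv4 address, trailing-dot prefix (192.0.2.),
net/mask (198.51.100.0/255.255.255.0) and the EXCEPT operator, in the
same hosts.allow-then-hosts.deny order tcpd uses.
"""
import ipaddress

# Constructed sample files; addresses are documentation ranges, not real sites.
HOSTS_ALLOW = """\
# the two well-maintained sites get in directly
sshd : 192.0.2.10 192.0.2.11
# the office network, except one shared lab machine
sshd : 198.51.100.0/255.255.255.0 EXCEPT 198.51.100.77
"""
HOSTS_DENY = """\
# everything else is refused; %a expands to the client address, %d to the daemon
# (assumes a libwrap built with PROCESS_OPTIONS, so 'spawn' is understood)
sshd : ALL : spawn (/usr/bin/logger -p auth.notice "%d refused %a") &
"""


def _parse(text):
    """Return (daemon_tokens, client_tokens, trailing_field) per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        daemons = fields[0].split()
        clients = fields[1].split() if len(fields) > 1 else []
        trailing = fields[2] if len(fields) > 2 else None
        rules.append((daemons, clients, trailing))
    return rules


def _match_daemon(token, daemon):
    return token == "ALL" or token == daemon


def _match_client(token, addr):
    if token == "ALL":
        return True
    if "/" in token:  # net/mask form; ipaddress accepts a dotted netmask
        return addr in ipaddress.ip_network(token, strict=False)
    if token.endswith("."):  # trailing-dot prefix, e.g. 192.0.2.
        return str(addr).startswith(token)
    return str(addr) == token


def _match_list(tokens, value, match):
    """'a b EXCEPT c d' matches when the left side does and the right does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(tokens[:i], value, match)
                and not _match_list(tokens[i + 1:], value, match))
    return any(match(t, value) for t in tokens)


def expand(command, daemon, addr):
    """Expand the %a and %d sequences tcpd substitutes into a shell command."""
    return command.replace("%a", str(addr)).replace("%d", daemon)


def decide(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return ("allow"|"deny", expanded trailing command or None)."""
    addr = ipaddress.ip_address(client)
    for daemons, clients, cmd in _parse(allow_text):
        if _match_list(daemons, daemon, _match_daemon) and \
           _match_list(clients, addr, _match_client):
            return "allow", (expand(cmd, daemon, addr) if cmd else None)
    for daemons, clients, cmd in _parse(deny_text):
        if _match_list(daemons, daemon, _match_daemon) and \
           _match_list(clients, addr, _match_client):
            return "deny", (expand(cmd, daemon, addr) if cmd else None)
    return "allow", None  # no rule in either file: tcpd grants access


if __name__ == "__main__":
    # 203.0.113.9 stands in for an ISP NAT gateway: every user behind it
    # arrives from this one address, so one deny takes out all of them.
    for ip in ("192.0.2.10", "198.51.100.5", "198.51.100.77", "203.0.113.9"):
        print(ip, *decide("sshd", ip))
```

Running it shows the two listed sites and the office network getting in, the excepted lab machine and the NAT gateway being refused, and the logger command that `spawn` would run with the address filled in. The same mechanism would run Rob's "route delete" instead of `logger`, and the model makes the caveat from the thread concrete: whatever the spawned command does to 203.0.113.9, it does to every client behind that NAT. Note too that tcp_wrappers only decides after the TCP connection is accepted, so it gates sshd itself, not the rest of the host.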
