Hello,
On Mon, Apr 15, 2024 at 04:56:12PM +0100, Chris Smith via BitFolk Users wrote:
> On 15 Apr 2024, at 16:34, Andy Smith via BitFolk Users
> <users(a)mailman.bitfolk.com> wrote:
> > What makes sshd different is that it's run almost everywhere (hugely
> > attractive target) and it's often exposed to the whole Internet
> > (hugely attractive target) and a lot of it runs as root.
> But despite that I expect it is still run in as many places as
> whatever web server you will use to implement your alternative
> solution.
I think it's fairly unlikely that there would be as many
installations of haproxy as there are of OpenSSH, since there are
several big-name reverse proxies and web servers while there is
really only OpenSSH used at scale. Outside of Windows and OpenBSD I
would expect almost every web and proxy server to also run OpenSSH.
> You may argue that your web server doesn’t run as root,
> but if you intend it to perform this intended service then a
> portion of it will have to, so you’re back at square one.
I don't agree as what we're actually talking about here is a
collection of things: bits of the Panel site to manage the list of
net blocks in the customer database; something else to adjust the
firewall rules on the hypervisors. That's all very disaggregated and
limited in how they speak to each other; such communication is
mostly only internal; the bits that aren't internal are only
touched by authenticated users; and so on.
It doesn't seem like an easy or attractive target for anyone to
spend a lot of effort on.
I get that you aren't a fan of the idea though. Your point about
GitHub being a service that relies upon world-accessible SSH is well
taken and it may be a situation like that.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting