Are you talking a VPN running on the same box as the service? UDP VPN would help as another mentioned, but doesn’t really add isolation.

If your vpn box is standalone, then getting root is bad but just step one. They have to own the VPN to be able to even do more recon then try SSH.

Defense in depth. They didn’t immediately get server root and application access in one step. Now they have to connect to a patched, cert only, etc SSH server. Just looking for it could trip into some honeypot. They had to find the VPN host as well which wasn’t the same as the box they were targeting. That would shut down 99% of the automated/script kiddie shit finding the main service then scanning that IP.

You can’t argue that one step to own the system is more secure than two separate pieces of updated software on separate boxes.

https://nvd.nist.gov/vuln/detail/cve-2024-6409 RCE as root without authentication via Open SSH. If they’ve got a connection, that’s more than nothing and sometimes it’s enough.

I went down a rabbit hole on this one. I think the age may be irrelevant, or only correlated with children. At least Kidman and Holmes left him over Scientology. They were trying to avoid having their kids indoctrinated. That worked for Holmes, backfired on Kidman. It might have worked for Holmes because it backfired on Kidman. https://www.mercurynews.com/2024/06/28/after-tom-cruise-once-denied-abandoning-suri-she-seems-to-get-the-last-word/