Comment

Comment on Another good reason not to open port 22

I have wireguard for other purposes but I also have ssh open on a different port. I don’t much understand the argument of exchanging ssh for wireguard. In the end, we’re just trading an attack vector for another.

My ssh only allows connections from my user. If I’m using password auth, I also request a 2FA.

Tail scale is also a good idea but I don’t like having my control plane under someone else’s control.

source

Sort:hotnew top

486@kbin.social ⁨1⁩ ⁨year⁩ ago
There is quite a significant difference. An ssh server - even when running on a non-default port - is easily detectable by scanning for it. With a properly configured Wireguard setup this is not the case. As someone scanning from the outside, it is impossible to tell if there is Wireguard listening or not, since it simply won't send any reply to you if you don't have the correct key. Since it uses UDP it isn't even possible to tell if there is any service running on a given UDP port.

source
FrederikNJS@lemm.ee ⁨1⁩ ⁨year⁩ ago
The reason a VPN is better to expose than SSH, is the feedback.

If someone tries connecting to your SSH with the wrong key or password, they get a nice and clear permission denied. They now know that you have SSH, and which version. Which might allow them to find a vulnerability.

If someone connects to your wireguard with the wrong key, they get zero response. Exactly as if the port had not been open in the first place. They have no additional information, and they don’t even know that the port was even open.

Try running your public IP through shodan.io, and see what ports and services are discovered.

source
axum@kbin.social ⁨1⁩ ⁨year⁩ ago
So just run headscale then.

source
- Cyberflunk@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Or nebula
  
  source
barsoap@lemm.ee ⁨1⁩ ⁨year⁩ ago
If someone finds a 0day in your SSH server and goes on drive-by attacking the whole internet you’re toast.

Already moving off port 22 reduces much of the risk, essentially reducing the attack surface for drive-by attacks to zero while still being susceptible to targeted attacks – that is, still susceptible to attackers bothering to scan the whole range. Anything that makes you unscannable (VPN, portknockd, doesn’t matter) mitigates that. Even state-level actors would have to be quite determined to get through that one.

Yes it’s security through obscurity. Yes it’s a good idea: There’s a difference between hiding your unlocked front door and hiding your military-grade front door lock, one of them is silly the other isn’t.

source