Not entirely true! There are ways to scan IPv6 space efficiently without brute force that are in RFCs
Comment on Wireguard over IPv6
Oha@lemmy.ohaa.xyz 1 week ago
You are pretty much as safe as it gets as long as you update that container. IP/port scanning basically isn't a thing in IPv6 land as you'd have to scan the entire /64, which amounts to 18,446,744,073,709,551,616 addresses.
Archer@lemmy.world 1 week ago
cmnybo@discuss.tchncs.de 1 week ago
Just make sure you’re not using an EUI64 address. That significantly narrows down the number of addresses per subnet to scan. The bots found one of my computers that was using one. It took them 3 years to find it though.
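Added example, not posted by any of the commenters above: a small Python script that shows why an EUI-64 address is so much easier to find. It derives the modified EUI-64 interface identifier from a MAC address the way SLAAC does (RFC 4291, Appendix A: insert 0xFFFE in the middle, flip the universal/local bit), builds the resulting address in a /64, and checks whether a given address carries that telltale 0xFFFE marker. The MAC and prefix (2001:db8::/64 is the documentation range) are constructed values, not a real host.

```python
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC into the 24-bit OUI and the 24-bit
    NIC part, insert 0xFFFE between them, then flip the universal/local
    (U/L) bit, which is bit 1 of the first octet.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the SLAAC address a host with this MAC would take in a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing assumes a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def looks_like_eui64(addr: str) -> bool:
    """True if the interface identifier has 0xFFFE in octets 3-4, the
    signature of a MAC-derived address. A random (privacy) IID hits this
    by chance with probability 2**-16, so treat it as a strong hint."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if it is not one."""
    if not looks_like_eui64(addr):
        return None
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    iid[0] ^= 0x02  # undo the U/L bit flip
    mac = iid[:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def guesses_per_prefix(eui64: bool, oui_known: bool = True) -> int:
    """Addresses an attacker has to try inside one /64.

    Random IIDs: 2**64. EUI-64 with a guessed vendor OUI: only the 24-bit
    NIC part varies. EUI-64 with unknown OUI: 48 bits on paper, far fewer
    in practice since only some thousands of OUIs are assigned.
    """
    if not eui64:
        return 2 ** 64
    return 2 ** 24 if oui_known else 2 ** 48


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed example MAC, not a real device
    a = eui64_address("2001:db8::/64", mac)
    print(a, looks_like_eui64(str(a)), mac_from_eui64(str(a)))
    print(guesses_per_prefix(eui64=False), guesses_per_prefix(eui64=True))
```

Run `looks_like_eui64` against the output of `ip -6 addr` on your own hosts; if it flags an address, the host is using a MAC-derived identifier and an attacker who guesses the NIC vendor only needs about 16 million tries per /64 instead of 2^64. Enabling RFC 4941 privacy extensions or RFC 7217 stable-privacy addresses removes the marker.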
filister@lemmy.world 1 week ago
Thanks to both of you, my thoughts exactly, but I also wanted to hear an outside perspective as I am not so well versed in IPv6. But it sounds reassuring. Should I also consider exposing some HTTP/S services for media over IPv6 relatively safe, as long as I have MFA etc.?
jores@infosec.exchange 1 week ago
@filister You should keep in mind that every "normal" HTTPS certificate is recorded publicly (certificate transparency, see e.g. crt.sh). If you do expose services, you most likely won't get security by obscurity. You might be able to keep your services a bit more hidden when you expose them with IPv6 only, but not when you use a Let's Encrypt certificate with a proper DNS entry.
filister@lemmy.world 1 week ago
True, maybe the best way then is to expose them only within your Wireguard network.
cmnybo@discuss.tchncs.de 1 week ago
Yes, that’s fine as long as whatever you’re hosting is designed to be safely used on the internet. Just keep it up to date and only expose the stuff you need to. I would suggest setting up fail2ban to block IPs that repeatedly fail to log in though. Depending on what you’re hosting, you may need bot protection, but if all they can see is a login page, they shouldn’t be too much of an issue.
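Added example, not posted by any of the commenters and not fail2ban's own code: a Python sketch of the "block IPs that repeatedly fail to log in" logic from the comment above, run over a few constructed sshd log lines, with the one IPv6-specific twist a practitioner should think about. An attacker on IPv6 usually controls a whole /64 and can rotate source addresses inside it for free, so counting failures per exact address never reaches the threshold; the example therefore counts per /64 for IPv6 and per /32 for IPv4. The log lines, hostnames and addresses are constructed (documentation ranges), and the `maxretry` name is borrowed from the fail2ban setting as an assumption about what you would configure.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample sshd log lines (not real logs). Three failures come
# from three different addresses in the same IPv6 /64, plus two from one
# IPv4 address and one successful login that must not be counted.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1234]: Failed password for root from 2001:db8:1:2:3:4:5:6 port 51234 ssh2
Jan 10 10:00:03 host sshd[1235]: Failed password for invalid user admin from 2001:db8:1:2:aaaa:bbbb:cccc:dddd port 51235 ssh2
Jan 10 10:00:05 host sshd[1236]: Failed password for root from 2001:db8:1:2::9 port 51236 ssh2
Jan 10 10:00:07 host sshd[1237]: Accepted publickey for alice from 2001:db8:ffff::1 port 40000 ssh2
Jan 10 10:00:09 host sshd[1238]: Failed password for root from 203.0.113.7 port 41000 ssh2
Jan 10 10:00:11 host sshd[1239]: Failed password for root from 203.0.113.7 port 41001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)


def ban_key(ip: str, v6_prefixlen: int = 64) -> str:
    """Map a source address to the unit that gets counted and banned.

    IPv4: the single host (/32). IPv6: the covering /64 (assumption: one
    tenant per /64, which is the common allocation), so address hopping
    inside the prefix does not reset the counter.
    """
    addr = ipaddress.ip_address(ip)
    plen = v6_prefixlen if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def count_failures(log_text: str, per_address: bool = False) -> Dict[str, int]:
    """Count failed logins per ban unit, or per exact address for comparison."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        counts[ip if per_address else ban_key(ip)] += 1
    return dict(counts)


def offenders(log_text: str, maxretry: int = 3, per_address: bool = False) -> List[str]:
    """Sources at or above the retry threshold, i.e. what would get banned."""
    return sorted(k for k, n in count_failures(log_text, per_address).items() if n >= maxretry)


if __name__ == "__main__":
    print("per address:", offenders(SAMPLE_LOG, per_address=True))  # nothing reaches 3
    print("per /64:    ", offenders(SAMPLE_LOG))                    # the IPv6 /64 does
```

With the sample input the per-address count never bans anyone, while the per-/64 count bans `2001:db8:1:2::/64` after the third attempt. Whatever tool you use, check how it aggregates IPv6 sources before trusting it to stop a slow brute force against the login page.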