1 yr. ago • 83%

Any feedback from port knockers ?

en.m.wikipedia.org Port knocking - Wikipedia

To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?

33 comments

In your SSH config, you should disallow root login and password authentication.

It is more secure than these tommyknockers :-) but you can do that additionally, if you feel like it.

23
- Why disallow root login? I always need root when I connect, and stealing the password by aliasing sudo/doas is trivial. It seems to me it would just make life harder for no benefit.
  
  -6
  
  Because then:
  
  you also need to know the correct username
  
  audits and logging shows which user used sudo to gain root access
  
  31
  
  Why disallow root login?
  
  It is very easy to throw a dictionary at your port 22. It happens every few minutes. And they all try it with the username=root unless they know something better.
  
  7
  
  they need to guess a username i assume
  
  2
just use tailscale

12
Other then the slowly increasing log file (if you use fail2ban for example), it will take thousands of years to actually hack you through this method as long as root auth is disabled and authentication is only via SSH keys, I wouldn’t worry about it.

It is possible to tighten the security of a machine to the point it is no longer usable. It is important to secure our devices but we cannot forget about convenience, so the trick is to tighten it but also make it so you don’t have to jump through a number of hoops till you get to your destination.

I for example, wouldn’t use your method because it would make it difficult to use some services I host from my phone.

Port knockers for the most part aren’t worrying. In an ideal situation, the only ports that should be open are 22, 80, 443 and using a reverse proxy to mask headers. (Poor configuration for example, go to Shodan and type bitwarden in the search bar and see how many people expose their instances to the world carelessly without an SSL cert) and the occasional UDP for game servers/media servers.

8
I would only expose a VPN and use that to access the other services.

8
- Why? There's no downside to ssh, if anything it's easier to set up.
  
  8
  
  A VPN would give you access to a network, but not necessarily the devices on that network. It adds another layer of security as the user not only has to have SSH credentials/keys, but they also have to have the same for the VPN. SSH and VPNs would really be used in conjunction with each other.
  
  It's onion security.
  
  3
  
  If you only want to provide ssh access to one host, sure. If you want to provide other services, on multiple hosts, then you're either making it a jump box or a proxy, while a VPN would provide direct access (or at least as defined in the firewall and routing rules).
  
  1
Have you met my friend Tailscale?

6

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
SSH	Secure Shell for remote terminal access
SSL	Secure Sockets Layer, for transparent encryption
UDP	User Datagram Protocol, for real-time communications
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)

[Thread #128 for this sub, first seen 10th Sep 2023, 16:25] [FAQ] [Full list] [Contact] [Source code]

I used to SSH into my server and proxy out from there. Then I learned how shit of a solution that is for daily use and set up a vpn like a normal person.

4
Instead of ssh I use wireguard directly. It's a simple protocol based on public/private keys with great performance and security.

Wireguard is stateless and establishes connections really quickly on demand. This means the battery isn't impacted even though it's always on, since the VPN doesn't have to maintain a constant connection. At least that's the case if your routing only a specific subnet (e.g. 192.168.1.0/24 and not all traffic through it 0.0.0.0/0).

1
Sounds like security through obscurity to me.

Highly susceptible to replay and man in the middle attacks.

If you're gonna combine that with another authentication method (and you should), then I see little advantage over just going with the other auth method.

1
- Sure? It certainly detracts bots that now don't discover the SSH port anymore. Against a targeted attack it's less useful, but that is a very hard problem in any case. If someone is out to get you specifically, it will be a tough battle.
  
  3
  
  If you're worried about bots just use a non-standard port and move on. I did that on my own VPS just to cut down on log chatter and I get absolutely zero ssh attack attempts after the change.
  
  1
  
  Bots do not matter. They try just common know exploits. If your root password is not root you are fine.
  
  0
- Highly susceptible to replay and man in the middle attacks.
  
  fwknop isn't susceptible to either.
  
  1
I use a vps running openvps. Then i only allow ssh access from my vpn ip address.

1
What kind of port knocking just going to ports in sequence? Or someone wrote one that looks for a key signed and is supposedly not replayable.

1

You've viewed 33 comments.