duboisj has quit [Remote host closed the connection]
klltkr has quit [Ping timeout: 260 seconds]
maxdevjs has quit [Ping timeout: 240 seconds]
<qyliss>
pie_: interesting
<qyliss>
I don't know anything about it really
<qyliss>
certainly not enough to comment on it
<MichaelRaskin>
On a system with a public IP, port knocking is a way to clean up your SSH log to get rid of all the password brute force entries
<MichaelRaskin>
I guess nowadays too many small servers have HTTPS (which is a horribly large surface), so maybe something like firewall hole punching with TOTP over a very plain HTTP form would not create much extra exposure (but avoid the need for special-case client-side tooling)
cole-h has quit [Quit: Goodbye]
duboisj has joined #spectrum
<pie_>
I don't usually have particularly good reasons for this stuff; my heuristic reasoning was just wanting to decrease surface area and recon-able information
<pie_>
MichaelRaskin: ^, but yeah, in practice 99% of the time I would probably VPN everything and put the VPN port behind this
<pie_>
I naively see two major criticism possibilities, which are somewhat addressed on the mailing list: 1) the single-packet authorization works but is weak, 2) "there is no threat model where this is actually useful" - which feels right, but not quite?
<pie_>
For 2), you may protect against active probes. Passive stuff doesn't work, but I guess if you are behind infrastructure a government isn't passively watching for the purposes of Tor node identification, I guess that's something
<MichaelRaskin>
If you do keep track of your logs, removing weak drive-bys _is_ an improvement!
<MichaelRaskin>
But yeah, if you want to put _nothing_ publicly, port-knocking (maybe three-port knocking with TOTP? 300 ports, 3 blocks each serving two digits of TOTP) for the VPN port might make sense.
<MichaelRaskin>
(To clean the logs)
xantoz has quit [Read error: Connection reset by peer]
<pie_>
Someone told me to forget about this knocking crap and up the priority on wg
<pie_>
*on learning about wg
<MichaelRaskin>
I thought the idea of knocking is that the listening side refuses to receive any information before at least a mild authentication?
<pie_>
Also I've never heard a good thing about IPsec so I've been avoiding looking into it, but on second thought IPsec is below TCP and UDP so... it's probably better than port knocking variants anyway?
<MichaelRaskin>
Well, in a sense, port knocking does almost no processing of attacker controlled input that the kernel is not doing anyway
<pie_>
Well, there's hiding and also the no-0day-pls. wg is a small enough surface for that I guess?
<pie_>
But yeah, I think you could still get it somewhat lower with single-packet authentication
<MichaelRaskin>
Is there such a thing as small-surface cryptography that is also going to be kept up to date?
<pie_>
userspace firewall fuckery seems rickety to me :I
<MichaelRaskin>
Well, if it doesn't react correctly, everything stays locked…
<pie_>
yeah.
duboisj has quit [Remote host closed the connection]
maxdevjs has joined #spectrum
jb551 has quit [Remote host closed the connection]
jb551 has joined #spectrum
jb551 is now known as jb55
cole-h has joined #spectrum
duboisj has joined #spectrum
duboisj has quit [Remote host closed the connection]