Some services run really good behind a reverse proxy on 443, but some others can really become an hassle… And sometimes just opening other ports would be easier than to try configuring everything to work through 443.

An example that comes to my mind is SSH, yeah you can use SSLH to forward requests coming from 443 to 22, but it’s so much easier to just leave 22 open…

Now, for SSH, if you have certificate authentication or a strong password, I think you can feel quite safe, but what about other random ports? What risks I’m exposing my server to if I open some of them when needed for a service? Is the effort of trying to pass everything through 443/80 worth it?

  • sfjvvssss@lemmy.worldEnglish
    0·
    4 months ago

    Does this method use a cryptographically secure secret which is transmitted encrypted? If not, it is obscurity. If yes, just use normal secure authentication if your goal is security. If you want to get volume down and maybe reduce your risk, feel free to use such things but you should not apply the security label to it.

    • ganymede@lemmy.mlEnglish
      0·
      4 months ago

      would you classify out of band whitelisting by IP (or other session characteristic[s]) as having no security merit whatsoever?

      would you classify it as purely a decision regarding network congestion & optimisation?

      you’re ofc free to define these things however you wish, but in a form which is helpful to OP’s question i’m not sure i follow you.

      • sfjvvssss@lemmy.worldEnglish
        0·
        4 months ago

        I just wanted to make clear that port knocking is obscurity and maintaining and configuring your still public facing services in a secure manner is essential. There are best practices which I did not define and are applicable here.

        If you whitelist your IP that of course helps but I am not sure what that has to do with port knocking. Whitelisting an IP after it knocked right, that would be obscurity. Whitelisting an IP after it authenticated through a secure connection with secure credentials? Why not just use VPN?

        I am also not directly commenting on OPs question, as I try to tackle missconceptions in the comments.

        • ganymede@lemmy.mlEnglish
          0·
          4 months ago

          if you can’t work out what knocking might have to do with whitelisting then i’m not sure what you hoped to contribute towards reducing misconceptions in the conversation

          • sfjvvssss@lemmy.worldEnglish
            0·
            4 months ago

            You wrote:

            there’s certainly plenty of implementations which i wouldn’t class as obscurity.

            without specifying further. How am I supposed to work out what you mean? I did a guess in my last answer and you seem not to care about a discussion on the topic but instead now question me. I