duboisj has quit [Remote host closed the connection]
klltkr has quit [Ping timeout: 260 seconds]
maxdevjs has quit [Ping timeout: 240 seconds]
I don't know anything about it really
certainly not enough to comment on it
On a system with a public IP, port knocking is a way to clean up your SSH log to get rid of all the password brute force entries
I guess nowadays too many small servers have HTTPS (which is a horribly large surface), so maybe something like firewall hole punching with TOTP over a very plain HTTP form would not create much extra exposure (but avoid the need of special case client side tooling)
cole-h has quit [Quit: Goodbye]
duboisj has joined #spectrum
I don't usually have particularly good reasons for this stuff, my heuristic reasoning was just wanting to decrease surface area and recon-able information
MichaelRaskin: ^ , but yeah in practice 99% of the time I would probably VPN everything and put the VPN port behind this
I naively see two major criticism possibilities, which are somewhat addressed on the mailing list: 1) the single-packet authorization works but is weak 2) "there is no threat model where this is actually useful" - which feels right, but not quite?
for 2) you may protect against active probes. passive stuff doesn't work, but I guess if you are behind infrastructure a government isn't passively watching for the purposes of tor node identification, I guess that's something
If you do keep track of your logs, removing weak drive-bys _is_ an improvement!
But yeah, if you want to put _nothing_ publicly, port-knocking (maybe three-port knocking with TOTP? 300 ports, 3 blocks each serving two digits of TOTP) for the VPN port might make sense.
(To clean the logs)
xantoz has quit [Read error: Connection reset by peer]