qyliss changed the topic of #spectrum to: A compartmentalized operating system | https://spectrum-os.org/ | Logs: https://logs.spectrum-os.org/spectrum/
duboisj has joined #spectrum
klltkr has joined #spectrum
<pie_> I dunno what y'all think about port knocking but I'm disappointed this doesn't seem to have gotten anywhere https://en.wikipedia.org/wiki/TCP_Stealth https://wiki.parabola.nu/Knock https://wiki.parabola.nu/Grsecurity%2BKnock https://lwn.net/Articles/576452/
duboisj_ has joined #spectrum
duboisj has quit [Ping timeout: 260 seconds]
duboisj_ has quit [Remote host closed the connection]
leah2 has joined #spectrum
duboisj has joined #spectrum
cole-h has joined #spectrum
puck has quit [Quit: nya]
puck has joined #spectrum
duboisj has quit [Remote host closed the connection]
klltkr has quit [Ping timeout: 260 seconds]
maxdevjs has quit [Ping timeout: 240 seconds]
<qyliss> pie_: interesting
<qyliss> I don't know anything about it really
<qyliss> certainly not enough to comment on it
<MichaelRaskin> On a system with a public IP, port knocking is a way to clean up your SSH log to get rid of all the password brute force entries
<MichaelRaskin> I guess nowadays too many small servers have HTTPS (which is a horribly large surface), so maybe something like firewall hole punching with TOTP over a very plain HTTP form would not create much extra exposure (but avoid the need for special-case client-side tooling)
cole-h has quit [Quit: Goodbye]
duboisj has joined #spectrum
<pie_> I don't usually have particularly good reasons for this stuff, my heuristic reasoning was just wanting to decrease surface area and recon-able information
<pie_> MichaelRaskin: ^ , but yeah in practice 99% of the time I would probably VPN everything and put the VPN port behind this
<pie_> I naively see two major criticism possibilities, which are somewhat addressed on the mailing list: 1) the single-packet authorization works but is weak; 2) "there is no threat model where this is actually useful", which feels right, but not quite?
<pie_> for 2) you may protect against active probes. passive stuff doesn't work, but I guess if you are behind infrastructure a government isn't passively watching for the purposes of Tor node identification, I guess that's something
<MichaelRaskin> If you do keep track of your logs, removing weak drive-bys _is_ an improvement!
<MichaelRaskin> But yeah, if you want to put _nothing_ publicly, port-knocking (maybe three-port knocking with TOTP? 300 ports, 3 blocks each serving two digits of TOTP) for the VPN port might make sense.
<MichaelRaskin> (To clean the logs)
xantoz has quit [Read error: Connection reset by peer]
xantoz has joined #spectrum
<nyanotech> there's also this incredibly cursed thing https://blog.benjojo.co.uk/post/ssh-port-fluxing-with-totp
<pie_> so I didn't know wg is UDP
<pie_> someone told me to forget about this knocking crap and up the priority on wg
<pie_> *on learning about wg
<MichaelRaskin> I thought the idea of knocking is that the listening side refuses to receive any information before at least a mild authentication?
<pie_> also I've never heard a good thing about IPsec so I've been avoiding looking into it, but on second thought IPsec is below TCP and UDP so... it's probably better than port knocking variants anyway?
<MichaelRaskin> Well, in a sense, port knocking does almost no processing of attacker controlled input that the kernel is not doing anyway
<pie_> well, there's hiding and also the no-0day-pls. wg is a small enough surface for that I guess?
<pie_> but yeah I think you could still get it somewhat lower with single-packet authentication
<MichaelRaskin> Is there such a thing as small-surface cryptography that is also going to be kept up to date?
<pie_> userspace firewall fuckery seems rickety to me :I
<MichaelRaskin> Well, if it doesn't react correctly, everything stays locked…
<pie_> yeah.
duboisj has quit [Remote host closed the connection]
maxdevjs has joined #spectrum
jb551 has quit [Remote host closed the connection]
jb551 has joined #spectrum
jb551 is now known as jb55
cole-h has joined #spectrum
duboisj has joined #spectrum
duboisj has quit [Remote host closed the connection]
cole-h has quit [Quit: Goodbye]
cation21 has quit [Quit: Leaving]
cation21 has joined #spectrum
duboisj has joined #spectrum
MilkManzJourDadd has joined #spectrum