What do y'all think about port-knocking? Is it any good?
13 comments
Yeah, it's not the same level of isolation, for sure. What do you do for remote access? Tailscale? VPN? I'm thinking in regards to home stuff. I'll have to find a way to combine #Yunohost with #Tailscale, because Yuno wants to have open ports on the internet, and I think that's loopy, even for home.

@RL_Dane @jsbilsbrough Tailscale is fun, I haven't deployed it personally but have played around on it a bit. I'm also not a fan of port knocking and tend to VPN when away from home. I'm ancient so I've typically used OpenVPN but I rarely use it anymore anyway, since nowadays if I'm leaving home I don't need to bring my homelab with me. :)

Doesn't the VPN itself need an open port, though? Is that safer than SSH? I was thinking of using Tailscale because (to my understanding) it doesn't need an open port. Man, I really wish I had switched to NetSec in 2003. My networking knowledge is really rough. 😅

@RL_Dane @jsbilsbrough "safer" is relative to the threat, of course. In my typical case, OpenVPN is handled itself by my firewall appliance. While it opens a port it also knows what bad traffic to scan for, without me telling it what to do. Again, I'm not a security researcher, but I tend to trust pfSense/OPNsense/etc more than myself when it comes to opening a port and watching for baddies. And nowadays I don't even do that, because I just don't need it badly enough anymore.

@RL_Dane @jsbilsbrough I should also mention that I typically remote from a static IP provided by my wireless carrier. So, in my case, the firewall knew where I'd be coming from and I could block most of the internet from getting in.

@tripplehelix it's usually an option for business accounts. I've had them numerous times in the past connected with hotspot appliances. Not currently using one since I don't have as much of a need anymore.

@vkc @RL_Dane @jsbilsbrough I like the ability to see my local cameras when away, Tailscale makes that simple.

@RL_Dane @vkc @crossed seems like a potentially bad idea, plus it appears it relies on the local firewall, not a network-level one?
https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/
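One comment above describes the approach of letting the firewall know the admin's fixed source address and dropping everything else, as an alternative to port knocking. The script below is an added example, not code from anyone in this thread: it generates an nftables ruleset that only admits SSH and a UDP VPN port from a single allowlisted IPv4 address (the `203.0.113.10` address is a documentation-range placeholder, and the port numbers and chain layout are assumptions). It validates the address before emitting rules, because an unchecked argument to a firewall generator is a classic source of silently wrong policy.

```shell
#!/bin/sh
# Added example (not from the thread): source-IP allowlisting with nftables.
# gen_ruleset prints a ruleset to stdout; apply it with:
#   gen_ruleset 203.0.113.10 | nft -f -
# The address, ports and chain names are assumptions for illustration.

# valid_ipv4: return 0 only for a dotted quad with each octet in 0-255.
valid_ipv4() {
  ip=$1
  case $ip in
    ""|.*|*.|*[!0-9.]*) return 1 ;;   # empty, leading/trailing dot, non-digit
  esac
  oldifs=$IFS; IFS=.
  set -- $ip                          # split on dots into $1..$n
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] || return 1       # catches "1..2.3"
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# gen_ruleset ADMIN_IP [SSH_PORT] [VPN_PORT]
# Default-deny input chain: loopback and established traffic pass, ICMP
# echo is rate-limited, SSH (with a new-connection rate limit) and the
# VPN port are accepted only from ADMIN_IP, everything else is counted
# and dropped. Refuses to emit anything for a malformed address.
gen_ruleset() {
  admin_ip=$1
  ssh_port=${2:-22}
  vpn_port=${3:-51820}
  valid_ipv4 "$admin_ip" || {
    echo "gen_ruleset: refusing to generate rules for bad address: $admin_ip" >&2
    return 1
  }
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request limit rate 5/second accept
    ip saddr $admin_ip tcp dport $ssh_port ct state new limit rate 6/minute accept
    ip saddr $admin_ip udp dport $vpn_port accept
    counter drop
  }
}
EOF
}
```

The ruleset is IPv4-only and assumes the admin address never changes; if the carrier reassigns it, the owner is locked out just like anyone else, which is the trade-off the comment above accepts. The `counter drop` line makes the rejected traffic visible in `nft list ruleset`, so a spike there is the first thing to look at when checking who is probing the host.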