I set up SSHD to listen on a wireguard interface rather than listening on all interfaces. This makes SSHD only accessible to wireguard peers rather than the entire internet.

A nice aspect of wireguard is that it's "stealth", meaning that it does not respond to unauthenticated connections at all, so there is no way to probe and scan for wireguard listeners at all.

I think setting up daemons behind wireguard offers a lot of security. SSHD is probably fine to expose, but something like an IRC bouncer for example really benefits from being protected I think.

I use ZNC over wireguard for this reason! It also allows using ZNC securely without the need to set up TLS certs, which IME is actually harder than setting up wireguard!
> A nice aspect of wireguard is that it's "stealth", meaning that it does not respond to unauthenticated connections at all, so there is no way to probe and scan for wireguard listeners at all.

I did not know this. That’s really cool.

Is it done over a stateless protocol like UDP, or is a TCP connection opened first? I.e. is it impossible to see if there’s even a server there at all, or is it first revealed that there’s a server accepting a TCP connection?


OpenVPN has had an option for such behavior (over UDP obviously) for a while. The option is called tls-auth; it requires you to go through and generate an additional key which has to exist on all clients and the server. Last I remember, even if you scan the server, it is completely quiet unless the right signature is received as well for each frame.


It's over UDP; you can't probe for wireguard AFAIK.


Depends on your firewall; lots of setups give you an ICMP port unreachable in response to probing closed UDP ports, so you can often tell a wireguard host if the default port doesn't (in practice).
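Pulling together chlorion's setup at the top of the thread (sshd bound only to the WireGuard interface) and the firewall caveat in the comment just above, here is an added example. It is not code from any commenter, nor from the WireGuard or OpenSSH projects. It assumes a hypothetical server whose WireGuard interface is wg0 at 10.8.0.1/24 and that WireGuard uses its default UDP port 51820; ListenAddress, `sshd -t`, the systemd drop-in, the net.ipv4.ip_nonlocal_bind sysctl and the nftables syntax are real OpenSSH, systemd and Linux facilities. The listener tables at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: put sshd behind WireGuard and
# verify the result. Assumed (hypothetical) addressing: the server's
# WireGuard interface is wg0 with 10.8.0.1/24; peers reach sshd at 10.8.0.1:22.
#
# 1. /etc/ssh/sshd_config: bind only the WireGuard address instead of 0.0.0.0.
#        ListenAddress 10.8.0.1
#    Validate with `sshd -t` before restarting, and keep the old session open.
#
# 2. sshd must start after wg0 exists, otherwise bind() fails and sshd exits.
#    A systemd drop-in (/etc/systemd/system/ssh.service.d/after-wg.conf):
#        [Unit]
#        After=wg-quick@wg0.service
#        Requires=wg-quick@wg0.service
#    (or set the sysctl net.ipv4.ip_nonlocal_bind=1 so the bind succeeds early).
#
# 3. Silence for closed UDP ports, per the firewall caveat above: a default
#    drop policy means probes of closed ports get no ICMP port-unreachable,
#    while a reject rule, or no firewall at all, does answer them. nftables:
#        table inet filter {
#            chain input {
#                type filter hook input priority 0; policy drop;
#                ct state established,related accept
#                iif lo accept
#                udp dport 51820 accept               # WireGuard itself
#                iifname "wg0" tcp dport 22 accept    # sshd, only via the tunnel
#            }
#        }
#
# 4. Verification helper: given the output of `ss -Hltn` (column 4 is the
#    local address:port), return 0 only when every port-22 listener is bound
#    to the allowed address.
sshd_bound_only_to() {
    allowed="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v ok="$allowed" '
        {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == 22 && addr != ok) bad = 1
        }
        END { exit bad + 0 }'
}

# Constructed sample listings (not real captures): the stock configuration
# (sshd on 0.0.0.0 and [::]) and the configuration after step 1.
BEFORE_LISTING='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'
AFTER_LISTING='LISTEN 0 128 10.8.0.1:22 0.0.0.0:*'

# Usage on a live host:  sshd_bound_only_to 10.8.0.1 "$(ss -Hltn)"
if sshd_bound_only_to 10.8.0.1 "$AFTER_LISTING"; then
    echo "sshd listens only on the WireGuard address"
fi
```

The ordering in step 2 is the part people trip over: with a plain `ListenAddress 10.8.0.1` and no drop-in, a reboot where sshd comes up before wg0 leaves you with no sshd at all rather than an exposed one, which is the safe failure but still a lockout. Running the check in step 4 against `ss -Hltn` after every restart catches both mistakes: a stray `0.0.0.0:22` or `[::]:22` line means the old listener is still there.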


This is why I come to HN - brilliant ideas that I should have thought of before, but didn't!

I just changed my server, and uninstalled the - now truly useless - fail2ban. I use SSH keys of course, but without fail2ban my server's logs were constantly flooded with hacking attempts.

No longer - wireguard for the win. Thank you, chlorion!


maybe telnet over wireguard ? :)


That just sounds like SSH with extra steps


... except that SSH isn't "stealth".


Ah, I see what you mean now
