Some services run really good behind a reverse proxy on 443, but some others can really become an hassle… And sometimes just opening other ports would be easier than to try configuring everything to work through 443.
An example that comes to my mind is SSH, yeah you can use SSLH to forward requests coming from 443 to 22, but it’s so much easier to just leave 22 open…
Now, for SSH, if you have certificate authentication or a strong password, I think you can feel quite safe, but what about other random ports? What risks I’m exposing my server to if I open some of them when needed for a service? Is the effort of trying to pass everything through 443/80 worth it?
It’s not so much about the ports, its about what you’re running that’s accessible to the public.
If you have a single website on 443 and SSH on 22 (or a non-standard port like 6543) you’re generally considered safe. This is 2 services and someone would need to attack one of the two to get in.
If you have a VPN on 4567 and everything behind the VPN then someone would need to hack the VPN to get in.
If you have 100 different things behind 443 then someone just needs to find a hole in one to get in.
Generally ssh, nginx, a VPN are all safe and they should be on their own ports.
Sorry to nitpick but I feel like beimg precise here is important. Nginx is a project, ssh a protocol and VPN an overlay network, so more of a concept. All 3 can be run somewhere on the spectrum between quite secure and super insecure. Also safe and secure are two different things, I guess you meant secure so no big deal.
Exposing SSH is not recommended, it’s a hot attack target. Expose a VPN and use that to SSH in.
Or use port-knocking for SSH.
While this helps getting volume down it just adds a layer of obscurity and the service behind should still be treated and maintained as if it was fully public-facing.
I think people get too defensive about security by obscurity not being security. It’s still better for things to be obscure, it’s just not sufficient. A hidden lock to open a door is marginally better than a lock on the door. A hidden button to open a door isn’t secure though, of course.
But at the same time, I fully understand why it’s stressed so much. People tend to make analogies in their mind to the physical world. The digital world is so different though. An example I use often is you can’t jiggle every doorknob in the world to see if it’s unlocked, but it’s (relatively) easy to check every IPv4 address for an open port to some database with default credentials.
Security through obscurity is hammered into newbies as being bad because it’s often a “quicker and easier” solution and we don’t want anyone thinking they could just do that and be done with it.
You have to learn the proper way to do it; obscurity only buys you time. Maybe.
while the most bare bones knocking implementation may be classed as obscurity, there’s certainly plenty of implementations which i wouldn’t class as obscurity.
Does this method use a cryptographically secure secret which is transmitted encrypted? If not, it is obscurity. If yes, just use normal secure authentication if your goal is security. If you want to get volume down and maybe reduce your risk, feel free to use such things but you should not apply the security label to it.
would you classify out of band whitelisting by IP (or other session characteristic[s]) as having no security merit whatsoever?
would you classify it as purely a decision regarding network congestion & optimisation?
you’re ofc free to define these things however you wish, but in a form which is helpful to OP’s question i’m not sure i follow you.
I just wanted to make clear that port knocking is obscurity and maintaining and configuring your still public facing services in a secure manner is essential. There are best practices which I did not define and are applicable here.
If you whitelist your IP that of course helps but I am not sure what that has to do with port knocking. Whitelisting an IP after it knocked right, that would be obscurity. Whitelisting an IP after it authenticated through a secure connection with secure credentials? Why not just use VPN?
I am also not directly commenting on OPs question, as I try to tackle missconceptions in the comments.
if you can’t work out what knocking might have to do with whitelisting then i’m not sure what you hoped to contribute towards reducing misconceptions in the conversation
Everything you expose is fine until somebody finds a zero day.
Everything these days is being built from a ton of publically maintained packages. All it takes is for one of those packages to fall into the wrong hands and get updated which happens all the time.
If you’re going to expose web yourself, use anubus and fail2ban
Put everything that doesn’t absolutely need to be public open behind a VPN.
Keep all of your software updated, constant vigilance.