Some services run really good behind a reverse proxy on 443, but some others can really become an hassle… And sometimes just opening other ports would be easier than to try configuring everything to work through 443.
An example that comes to my mind is SSH, yeah you can use SSLH to forward requests coming from 443 to 22, but it’s so much easier to just leave 22 open…
Now, for SSH, if you have certificate authentication or a strong password, I think you can feel quite safe, but what about other random ports? What risks I’m exposing my server to if I open some of them when needed for a service? Is the effort of trying to pass everything through 443/80 worth it?
if you can’t work out what knocking might have to do with whitelisting then i’m not sure what you hoped to contribute towards reducing misconceptions in the conversation
You wrote:
without specifying further. How am I supposed to work out what you mean? I did a guess in my last answer and you seem not to care about a discussion on the topic but instead now question me. I
ok fair enough, sorry i may have misinterpreted what you meant.
it sounds like your argument is that if the attacker doesn’t know the service is running then the assertion that this reduces the risk profile is classified as an obscurity control - this argument is correct under these conditions.
however, certain knocking configurations are not obscurity, because their purpose & value does not depend on the hope that the attacker is unaware of the service’s existence but rather to reduce the attacker’s window of access to the service with a type of out of band whitelisting. by limiting the attacker’s access to the service you are reducing the attack surface.
you can imagine it like a stack call trace, the deeper into the trace you go, every single instruction represents the attack surface getting larger and larger. the earlier in the trace you limit access to the attacker, you are by definition reducing the attack surface.
in case i’ve misinterpreted what you meant. susceptibility to a replay attack does not mean something isn’t a security measure. it means it’s a security measure with a vulnerability. ofc replay attacks in knocking is a well known problem addressed long ago.
perhaps the other source of miscommunication is for us to remember that security is about layers, because no single layer is ever going to be perfect.