zlacker

1. heavys+(OP) 2026-01-12 06:40:12
Someone would need your 256-bit key to do anything to an exposed Wireguard port.
replies(1): >>eqvino+Mf
2. eqvino+Mf 2026-01-12 09:00:39
>>heavys+(OP)
In theory.

In the same theory, someone would need your EC SSH key to do anything with an exposed SSH port.

Practice is a separate question.

replies(2): >>bjt123+RI >>JasonA+UJ
3. bjt123+RI 2026-01-12 12:43:42
>>eqvino+Mf
SSH is TCP though and the outside world can initiate a handshake, the point being that wireguard silently discards unauthenticated traffic - there's no way they can know the port is open for listening.
replies(1): >>eqvino+9J3
4. JasonA+UJ 2026-01-12 12:51:12
>>eqvino+Mf
Not even remotely comparable.

Wireguard is explicitly designed to not allow unauthenticated users to do anything, whereas SSH is explicitly designed to allow unauthenticated users to do a whole lot of things.

replies(1): >>eqvino+fJ3
5. eqvino+9J3 2026-01-13 10:24:35
>>bjt123+RI
Uh, you know you can scan UDP ports just fine, right? Hosts reply with an ICMP destination unreachable / port unreachable (3/3 in IPv4, 1/4 in IPv6) if the port is closed. Discarding packets won't send that ICMP error.

It's slow to scan due to ICMP rate limiting, but you can parallelize.

(Sure, you can disable / firewall drop that ICMP error… but then you can do the same thing with TCP RSTs.)

replies(1): >>apstls+vf6
6. eqvino+fJ3 2026-01-13 10:25:19
>>JasonA+UJ
> SSH is explicitly designed to allow unauthenticated users to do a whole lot of things

I'm sorry, what?

7. apstls+vf6 2026-01-13 22:03:04
>>eqvino+9J3
That's why you discard ICMP errors.
replies(1): >>eqvino+hc7
8. eqvino+hc7 2026-01-14 05:09:16
>>apstls+vf6
If anything, that's why you discard ICMP port unreachable, which I assume you meant.

If you're blanket dropping all ICMP errors, you're breaking PMTUD. There's a special place reserved in hell for that.

(And if you're firewalling your ICMP, why aren't you firewalling TCP?)
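
Added illustration of the point made in comments 5, 7 and 8 (not from any poster in the thread): an nftables ruleset that makes closed UDP ports indistinguishable from the WireGuard port to a scanner by dropping the probes at the input hook, so the kernel never generates ICMP port-unreachable for them, while the ICMP errors PMTUD depends on (IPv4 "fragmentation needed", ICMPv6 "packet too big") still flow in both directions. The blanket ICMP drop that comment 8 warns against is shown commented out next to the narrower port-unreachable rule. The WireGuard port (51820, the upstream default) and the loopback/interface names are assumptions, not taken from the thread.

```nft
#!/usr/sbin/nft -f
# Example ruleset, written for this thread. Assumed: WireGuard listens on UDP 51820.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The WireGuard port itself: wg silently discards anything that is not a
        # valid handshake from a configured peer, so accepting it leaks nothing.
        udp dport 51820 accept

        # Every other UDP (and TCP) port is dropped here, before the socket layer,
        # so the kernel never emits ICMP port-unreachable (3/3, or 1/4 for IPv6)
        # and never sends a TCP RST. A closed port now looks exactly like the
        # WireGuard port to a scanner, with no need to filter ICMP on the way out.

        # ICMP that must still be accepted, otherwise PMTUD (and IPv6 neighbour
        # discovery) breaks: inbound destination-unreachable carries "frag-needed",
        # and ICMPv6 packet-too-big is how IPv6 PMTUD works at all.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # WRONG (what comment 8 warns against): dropping all outbound ICMP errors
        # also drops "fragmentation needed" (3/4) and "packet too big", so peers
        # behind a smaller MTU never learn to shrink their packets.
        #   icmp type destination-unreachable drop
        #   icmpv6 type destination-unreachable drop

        # If you additionally want a belt-and-braces rule at the output hook,
        # match only the port-unreachable code; frag-needed and packet-too-big
        # are different codes/types and still leave the host.
        icmp type destination-unreachable icmp code port-unreachable drop
        icmpv6 type destination-unreachable icmpv6 code port-unreachable drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. The input-chain drop is what actually does the work; the output-chain rules only matter for ports you deliberately left reachable. Either way, the outbound filter is scoped to the single ICMP code that reveals closed UDP ports, not to the whole destination-unreachable type, which is the distinction comment 8 draws.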
