zlacker

[parent] [thread] 6 comments
1. eqvino+(OP)[view] [source] 2026-01-12 09:00:39
In theory.

In the same theory, someone would need your EC SSH key to do anything with an exposed SSH port.

Practice is a separate question.

replies(2): >>bjt123+5t >>JasonA+8u
2. bjt123+5t[view] [source] 2026-01-12 12:43:42
>>eqvino+(OP)
SSH is TCP though and the outside world can initiate a handshake, the point being that WireGuard silently discards unauthenticated traffic - there's no way they can know the port is open for listening.
replies(1): >>eqvino+nt3
3. JasonA+8u[view] [source] 2026-01-12 12:51:12
>>eqvino+(OP)
Not even remotely comparable.

WireGuard is explicitly designed to not allow unauthenticated users to do anything, whereas SSH is explicitly designed to allow unauthenticated users to do a whole lot of things.

replies(1): >>eqvino+tt3
4. eqvino+nt3[view] [source] [discussion] 2026-01-13 10:24:35
>>bjt123+5t
Uh, you know you can scan UDP ports just fine, right? Hosts reply with an ICMP destination unreachable / port unreachable (3/3 in IPv4, 1/4 in IPv6) if the port is closed. Discarding packets won't send that ICMP error.

It's slow to scan due to ICMP rate limiting, but you can parallelize.

(Sure, you can disable / firewall drop that ICMP error… but then you can do the same thing with TCP RSTs.)

replies(1): >>apstls+JZ5
5. eqvino+tt3[view] [source] [discussion] 2026-01-13 10:25:19
>>JasonA+8u
> SSH is explicitly designed to allow unauthenticated users to do a whole lot of things

I'm sorry, what?

6. apstls+JZ5[view] [source] [discussion] 2026-01-13 22:03:04
>>eqvino+nt3
That's why you discard ICMP errors.
replies(1): >>eqvino+vW6
7. eqvino+vW6[view] [source] [discussion] 2026-01-14 05:09:16
>>apstls+JZ5
If anything, that's why you discard ICMP port unreachable, which I assume you meant.

If you're blanket dropping all ICMP errors, you're breaking PMTUD. There's a special place reserved in hell for that.

(And if you're firewalling your ICMP, why aren't you firewalling TCP?)
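One way to act on comment 6 (suppress the port-unreachable reply) while respecting comment 7's PMTUD caveat, as an added nftables example that is not from the thread; the table and chain names are assumptions, and the rules sit in the host's own output chain:

```nft
# Added example, not from the thread. Drops only the ICMP "port unreachable"
# errors that reveal closed UDP ports, instead of blanket-dropping ICMP,
# so Path MTU Discovery keeps working. Table/chain names are assumptions.
table inet filter {
    chain output {
        type filter hook output priority filter; policy accept;

        # PMTUD depends on these two messages: never drop them.
        icmp type destination-unreachable icmp code frag-needed accept
        icmpv6 type packet-too-big accept

        # Suppress only the port-unreachable reply (ICMPv4 type 3 code 3,
        # ICMPv6 type 1 code 4) so a closed UDP port looks like a dropped one.
        icmp type destination-unreachable icmp code port-unreachable drop
        icmpv6 type destination-unreachable icmpv6 code port-unreachable drop
    }
}
```

As comment 7 points out, this does nothing for TCP: a closed TCP port still answers with an RST unless that is filtered as well.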
