In the past two weeks I set up a new VPS, and I run a small experiment. I share the results for those who are curious.
Consider that this is a backup server only, meaning that there is no outgoing traffic unless a backup is actually to be recovered, or as we will see, because of sshd.
I initially left the standard "port 22 open to the world" for 4-5 days, I then moved sshd to a different port (still open to the whole world), and finally I closed everything and turned on tailscale. You find a visualization of the resulting egress traffic in the image. Different colors are different areas of the world. Ignore the orange spikes which were my own ssh connections to set up stuff.
Main points:
-
there were about 10 Mb of egress per day due just to sshd answering to scanners. Not to mention the cluttering of access logs.
-
moving to a non standard port is reasonably sufficient to avoid traffic and log cluttering even without IP restrictions
-
Tailscale causes a bit of traffic, negligible of course, but continuous.
I have wireguard for other purposes but I also have ssh open on a different port. I don't much understand the argument of exchanging ssh for wireguard. In the end, we're just trading an attack vector for another.
My ssh only allows connections from my user. If I'm using password auth, I also request a 2FA.
Tail scale is also a good idea but I don't like having my control plane under someone else's control.
There is quite a significant difference. An ssh server - even when running on a non-default port - is easily detectable by scanning for it. With a properly configured Wireguard setup this is not the case. As someone scanning from the outside, it is impossible to tell if there is Wireguard listening or not, since it simply won't send any reply to you if you don't have the correct key. Since it uses UDP it isn't even possible to tell if there is any service running on a given UDP port.
The reason a VPN is better to expose than SSH, is the feedback.
If someone tries connecting to your SSH with the wrong key or password, they get a nice and clear permission denied. They now know that you have SSH, and which version. Which might allow them to find a vulnerability.
If someone connects to your wireguard with the wrong key, they get zero response. Exactly as if the port had not been open in the first place. They have no additional information, and they don't even know that the port was even open.
Try running your public IP through shodan.io, and see what ports and services are discovered.
So just run headscale then.
Or nebula
If someone finds a 0day in your SSH server and goes on drive-by attacking the whole internet you're toast.
Already moving off port 22 reduces much of the risk, essentially reducing the attack surface for drive-by attacks to zero while still being susceptible to targeted attacks -- that is, still susceptible to attackers bothering to scan the whole range. Anything that makes you unscannable (VPN, portknockd, doesn't matter) mitigates that. Even state-level actors would have to be quite determined to get through that one.
Yes it's security through obscurity. Yes it's a good idea: There's a difference between hiding your unlocked front door and hiding your military-grade front door lock, one of them is silly the other isn't.