On Wed, 4 Jan 2023, Jeffrey Walton wrote:
> The preauth scheme does not hide the service like your TOTP scheme. However, it looks like both schemes achieve the same thing - they both avoid the costly key exchange. Avoiding the key exchange is a big win since those public key operations are so costly.
My scheme doesn't remove the need for any auth. What it does do is limit the noise in the logs. Given that the DNS query won't come from the same address as the intended connection, you have to open the service to everything temporarily.

I was getting anything from thousands to hundreds of thousands of login attempts per day on a service that didn't accept passwords. I now have an aggressive firewall policy that blocks any IP that sends three SYNs that don't get an ACK in an hour (with a couple of ports that will remove a ban where external connections are expected). Roughly 300 IPs got added yesterday and 30 managed to remove themselves. (Incoming connections are totally blocked from China, Russia and a handful of other countries, along with some netblocks that I've manually added.)

My quick grep of the firewall logs suggests that I'm seeing 10x as many attempts to connect to telnet than I am to ssh, so I guess ssh is finally becoming secured from password guessing and people are giving up on trying (except possibly targeted attacks on servers that accept passwords).

I'm also, as far as possible, moving to IPv6. That also cuts down on the noise a lot. So hiding services just isn't as valuable to me now as it was four years ago. I'm still generating 40MB of firewall logs a day that get backed up though.
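The "three unanswered SYNs in an hour" ban rule from the message, worked through as detection logic over iptables-style LOG lines. This is an added example, not the poster's configuration or code; it assumes that the firewall logs both the client's SYN and its handshake ACK (so the two can be paired by source address and port pair), a 10-second grace period before a SYN counts as unanswered, port 25 as the hypothetical "expected external connection" port that lifts a ban, and a constructed sample log rather than real traffic. It also counts SYNs per destination port, which is the telnet-versus-ssh grep the message describes.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")   # syslog timestamp prefix
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH"}            # bare flag tokens iptables emits
SWEEP_TIME = datetime(2023, 1, 4, 10, 35)                  # assumed evaluation time for the sample


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    spt: int
    dpt: int
    flags: frozenset


def parse_log_line(line, year=2023):
    """Parse one iptables LOG line into a Packet; None for non-TCP or unparseable lines."""
    m = TS_RE.match(line)
    if not m:
        return None
    kv, flags = {}, set()
    for tok in line.split():
        if "=" in tok:                           # KEY=VALUE fields: SRC=, SPT=, DPT=, PROTO=, ...
            k, _, v = tok.partition("=")
            kv[k] = v
        elif tok in TCP_FLAGS:
            flags.add(tok)
    if kv.get("PROTO") != "TCP" or not {"SRC", "SPT", "DPT"} <= kv.keys():
        return None
    ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
    return Packet(ts, kv["SRC"], int(kv["SPT"]), int(kv["DPT"]), frozenset(flags))


class SynBanPolicy:
    """Ban a source once `threshold` of its SYNs inside `window` have gone unanswered."""

    def __init__(self, threshold=3, window=timedelta(hours=1),
                 grace=timedelta(seconds=10), unban_ports=frozenset({25})):
        self.threshold, self.window, self.grace, self.unban_ports = threshold, window, grace, unban_ports
        self.pending = defaultdict(dict)   # src -> {(spt, dpt): time of SYN still awaiting its ACK}
        self.banned = {}                   # src -> time the ban was applied
        self.history = []                  # (time, src, "ban" | "unban") for auditing

    def observe(self, pkt):
        key = (pkt.spt, pkt.dpt)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.pending[pkt.src][key] = pkt.ts
        elif "ACK" in pkt.flags:
            self.pending[pkt.src].pop(key, None)          # handshake completed: not a strike
            if pkt.dpt in self.unban_ports and pkt.src in self.banned:
                del self.banned[pkt.src]                   # expected external connection lifts the ban
                self.pending[pkt.src].clear()
                self.history.append((pkt.ts, pkt.src, "unban"))
        self._evaluate(pkt.src, pkt.ts)

    def sweep(self, now):
        """Re-evaluate every source at `now`; catches scanners that sent their SYNs and went quiet."""
        for src in list(self.pending):
            self._evaluate(src, now)
        return set(self.banned)

    def _evaluate(self, src, now):
        # Forget SYNs older than the window, then count those old enough to be called unanswered.
        self.pending[src] = {k: t for k, t in self.pending[src].items() if now - t < self.window}
        strikes = sum(1 for t in self.pending[src].values() if now - t >= self.grace)
        if strikes >= self.threshold and src not in self.banned:
            self.banned[src] = now
            self.history.append((now, src, "ban"))


def syn_counts_by_port(packets):
    """Connection attempts (SYN-only packets) per destination port, e.g. telnet (23) vs ssh (22)."""
    return Counter(p.dpt for p in packets if "SYN" in p.flags and "ACK" not in p.flags)


def _line(ts, src, spt, dpt, flag):   # builds a constructed iptables LOG line (not real traffic)
    return (f"{ts} gw kernel: [ 100.000] FW-IN: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 "
            f"SRC={src} DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP "
            f"SPT={spt} DPT={dpt} WINDOW=29200 RES=0x00 {flag} URGP=0")


SAMPLE_LOG = [
    # 198.51.100.7: three SYNs, none answered -> banned at the sweep
    _line("Jan  4 10:00:01", "198.51.100.7", 40001, 23, "SYN"),
    _line("Jan  4 10:00:02", "198.51.100.7", 40002, 22, "SYN"),
    _line("Jan  4 10:00:03", "198.51.100.7", 40003, 2323, "SYN"),
    # 203.0.113.9: three completed handshakes -> never banned
    _line("Jan  4 10:00:05", "203.0.113.9", 51000, 22, "SYN"), _line("Jan  4 10:00:05", "203.0.113.9", 51000, 22, "ACK"),
    _line("Jan  4 10:05:00", "203.0.113.9", 51001, 443, "SYN"), _line("Jan  4 10:05:00", "203.0.113.9", 51001, 443, "ACK"),
    _line("Jan  4 10:10:00", "203.0.113.9", 51002, 22, "SYN"), _line("Jan  4 10:10:00", "203.0.113.9", 51002, 22, "ACK"),
    # 192.0.2.44: three unanswered SYNs, then a real connection to port 25 lifts the ban
    _line("Jan  4 10:20:00", "192.0.2.44", 33000, 22, "SYN"),
    _line("Jan  4 10:20:01", "192.0.2.44", 33001, 22, "SYN"),
    _line("Jan  4 10:20:02", "192.0.2.44", 33002, 22, "SYN"),
    _line("Jan  4 10:30:00", "192.0.2.44", 33003, 25, "SYN"), _line("Jan  4 10:30:00", "192.0.2.44", 33003, 25, "ACK"),
    # 198.51.100.200: two strikes at 09:00 age out of the window before the third at 10:30 -> not banned
    _line("Jan  4 09:00:00", "198.51.100.200", 20000, 23, "SYN"),
    _line("Jan  4 09:00:01", "198.51.100.200", 20001, 23, "SYN"),
    _line("Jan  4 10:30:00", "198.51.100.200", 20002, 23, "SYN"),
]


def run_policy(lines, now=SWEEP_TIME, **kw):
    """Feed log lines through the policy and sweep at `now`; returns (packets, policy, banned set)."""
    policy = SynBanPolicy(**kw)
    packets = [p for p in map(parse_log_line, lines) if p]
    for p in packets:
        policy.observe(p)
    return packets, policy, policy.sweep(now)


if __name__ == "__main__":
    packets, policy, banned = run_policy(SAMPLE_LOG)
    print("banned:", sorted(banned), "history:", policy.history)
    print("SYNs by port:", dict(syn_counts_by_port(packets)))
```

The grace period is what keeps a legitimate client that opens several connections in quick succession from tripping the rule before its ACKs are seen, and the sweep is needed because a scanner that fires its SYNs and goes silent never generates the packet that would otherwise trigger the evaluation. In a real deployment the same policy would normally live in the firewall itself (for example nftables sets with timeouts, or a fail2ban-style watcher) rather than in a log post-processor.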