Port forwarding 443 but keep it stealth
-
Hello,
not sure if this is the right category for my question. I have a OpenVPN server running which is listening to port 1194. Additionally I set up another server, listening on tpc 443.
Nmap shows me that this port is open. Is it somehow possible to keep the port stealth but still forward the data stream? How would I do that?
Thanks.
-
Not possible. If it's open for traffic, it's open for port scans.
-
@JKnott
Thank you for your reply.
If the port can't be stealth while it is forwarded what else can I do to increase it's security?
-
@baumkuchen said in Port forwarding 443 but keep it stealth:
@JKnott
Thank you for your reply.
If the port can't be stealth while it is forwarded what else can I do to increase it's security?If all the connections come from known addresses, you could filter on that.
-
At some point you're going to have to trust your authentication methods. JKnott's suggestion is good. However, if you don't know the source IP addresses but know for a fact that all your traffic will come from the US, you could use a geoblocker like pfBlocker to block access from all other countries except the US.
Ultimately, you can't hide a 'public' service but you can limit it to a subset of 'public'.
-
Thank you guys for the clarification.
I'll try to understand port forwarding and the possible security elements on top of it much better, unfortunately I don't get the basics yet. I had the idea that a forwarded port could block incoming traffic but hand over authorized packages to the listening OpenVPN server, so that the OpenVPN server only responds if the authorization has got successful in the first place. If I understand you right, this is not an option.
I authorize with a SSL/TSL + User Auth, but I don't like the fact that this is the only method to protect my data to keep them safe. Is it an option to pass incoming traffic based on MAC adresses or other unique indicators?
-
@baumkuchen said in Port forwarding 443 but keep it stealth:
Is it possible to block incoming traffic based on MAC adresses or other unique indicators?
No, the only MAC address pfSense will see is that of the next upstream router. MACs are valid only on the local network and are discarded by routers, which then add the MAC of the exit interface. Read up on the protocol stack and encapsulation to understand why this is. Basically, the IP packet is encapsulated in an Ethernet frame only for the transport to the next device. The Ethernet frame goes no further, but the IP packet can be forwarded by routers and encapsulated in a frame for the next hop.
-
other unique indicators?
Other then already mentioned, use tls-crypt...
