You wrote:

there’s certainly plenty of implementations which i wouldn’t class as obscurity.

without specifying further. How am I supposed to work out what you mean? I did a guess in my last answer and you seem not to care about a discussion on the topic but instead now question me. I

I just wanted to make clear that port knocking is obscurity and maintaining and configuring your still public facing services in a secure manner is essential. There are best practices which I did not define and are applicable here.

If you whitelist your IP that of course helps but I am not sure what that has to do with port knocking. Whitelisting an IP after it knocked right, that would be obscurity. Whitelisting an IP after it authenticated through a secure connection with secure credentials? Why not just use VPN?

I am also not directly commenting on OPs question, as I try to tackle missconceptions in the comments.

Does this method use a cryptographically secure secret which is transmitted encrypted? If not, it is obscurity. If yes, just use normal secure authentication if your goal is security. If you want to get volume down and maybe reduce your risk, feel free to use such things but you should not apply the security label to it.

A WAF won’t magically solve your problems and free you from your attack surface. To be effective it needs contect of the application and a lot of tuning. Your public facing services should be treated, configured and maintained as such. I am not sure if you include a WAF in the stuff that won’t stop exploitation of vulns, but it definitely belongs there. Yes, it can decrease volume and make exploitation a bit harder but that’s it usually. Also don’t just include proprietary third party stuff and hope it solves your problems.

While this helps getting volume down it just adds a layer of obscurity and the service behind should still be treated and maintained as if it was fully public-facing.

Sorry to nitpick but I feel like beimg precise here is important. Nginx is a project, ssh a protocol and VPN an overlay network, so more of a concept. All 3 can be run somewhere on the spectrum between quite secure and super insecure. Also safe and secure are two different things, I guess you meant secure so no big deal.

In this thread something I see a lot on lemmy is happening. Maybe someone can give me a hint on how that happens. The post itself is 90% upvotes, while the comment section is really anti-Brave (for good reasons). Do most upvotes come from people scrolling through without looking at the comment section and those with an opinion on the topic dive into it?

Last time i checked so called LLM detectors were completely useless.