
67 points xlmnxp | 7 comments
1. mano78 ◴[] No.45666742[source]
I implemented something similar as a caddy module, then I realized that if I was connected to a public wifi network I was actually authorizing the whole bunch of people that were connected to it with me. How do you avoid this, or is it just not important?
replies(5): >>45666786 #>>45666828 #>>45667520 #>>45667566 #>>45676716 #
2. ◴[] No.45666786[source]
3. OJFord ◴[] No.45666828[source]
It shouldn't be your only layer of security, and then it's not important. Think of it as replacing explicit IP black/whitelisting - you still want a login wall or something, but now you restrict access to guess logins or otherwise obtain access through app vulnerabilities etc.
4. teddyh ◴[] No.45667520[source]
It’s the third option: Port knocking is stupid.

<https://news.ycombinator.com/item?id=39898061>

replies(1): >>45668241 #
5. TuxPowered ◴[] No.45667566[source]
> How do you avoid this

IPv6 of course.

> or is it just not important

Port knocking is not a security feature anyway.

6. symbogra ◴[] No.45668241[source]
I implemented port knocking a couple of decades ago as a teenager and it was stupid then too.
7. fariszr ◴[] No.45676716[source]
It's a compromise. It's not as secure as using a VPN, but it's way more convenient, since only one device has to have a knocker client on it without needing any sort of VPN.

The likelihood of someone on the same network as you noticing your service and trying to hack it before the TTL expires again is IMO quite low.

This is without taking into account that the services themselves have their own security and login processes; getting a port open doesn't mean the service is hacked.
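Both the shared-address problem mano78 raises (everyone behind the same wifi NAT leaves with one public IP) and the TTL window fariszr describes can be seen in a small model of a knock daemon. This is an added example, not code from the thread or from any port-knocking tool; the knock sequence, addresses and TTL are constructed values.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed example sequence
OPEN_TTL_SECONDS = 30                 # how long one good knock keeps the port open


@dataclass
class KnockDaemon:
    """Minimal model of a knock daemon that allow-lists *source IPs*.

    progress: source IP -> how many knocks of the sequence arrived in order.
    allowed:  source IP -> time at which its open window expires.
    """
    sequence: tuple = KNOCK_SEQUENCE
    ttl: float = OPEN_TTL_SECONDS
    progress: dict = field(default_factory=dict)
    allowed: dict = field(default_factory=dict)

    def knock(self, src_ip: str, port: int, now: float) -> None:
        expected = self.sequence[self.progress.get(src_ip, 0)]
        if port != expected:
            self.progress[src_ip] = 0  # wrong port: the sequence restarts
            return
        self.progress[src_ip] = self.progress.get(src_ip, 0) + 1
        if self.progress[src_ip] == len(self.sequence):
            self.allowed[src_ip] = now + self.ttl  # whole IP is now open
            self.progress[src_ip] = 0

    def is_allowed(self, src_ip: str, now: float) -> bool:
        expiry = self.allowed.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.allowed[src_ip]  # TTL ran out, window closes again
            return False
        return True


def shared_nat_demo() -> dict:
    """Laptop A and laptop B sit on the same public wifi; only A knocks."""
    d = KnockDaemon()
    nat_ip = "203.0.113.5"        # constructed: the wifi's one public address
    other_ip = "198.51.100.7"     # constructed: a client on a different network
    t0 = 1000.0
    for i, port in enumerate(d.sequence):  # laptop A sends the sequence
        d.knock(nat_ip, port, t0 + i)
    return {
        "laptop_b_admitted": d.is_allowed(nat_ip, t0 + 3),   # never knocked
        "other_network_admitted": d.is_allowed(other_ip, t0 + 3),
        "after_ttl": d.is_allowed(nat_ip, t0 + 3 + OPEN_TTL_SECONDS),
    }
```

The daemon cannot tell laptop B from laptop A because both present the NAT address, so the allow-list entry covers the whole network until the TTL expires; the service behind the port still has to do its own authentication.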