
67 points xlmnxp | 5 comments
Halan ◴[] No.45667049[source]
IP-based exclusion should not be considered a security measure, not even for a low-risk environment like a home lab.
replies(1): >>45667093 #
password4321 ◴[] No.45667093[source]
> IP-based exclusion should not be considered a security measure

Apologies in advance if I'm missing something obvious here, but are you saying an IP allow list is not a standard security practice? If so I'd appreciate further explanation.

replies(1): >>45667470 #
1. abujazar ◴[] No.45667470[source]
It's useful when the client always has its own static IP that _doesn't change_ between sessions. In this case, where the public-facing IP may be shared by thousands of users, it provides no real security. All you'd have to do to gain access would be getting the client IP and finding some way of getting on the same network. Which in many cases could be as easy as subscribing to the same cell network or other ISP, or connecting to the guest Wi-Fi network of an office building.
replies(1): >>45667717 #
2. password4321 ◴[] No.45667717[source]
Thanks for filling in the details. I agree that an IP allow list works best for users who are alone on an IP that doesn't change often, which is the case for a majority of home internet users but not when they're away from home.
replies(1): >>45668699 #
3. yccs27 ◴[] No.45668699[source]
Unfortunately there's an increasing number of home internet connections behind CGNAT, as IPv4 addresses run out (and IPv6 doesn't gain momentum, heaven knows why).
replies(2): >>45669294 #>>45672929 #
4. abujazar ◴[] No.45669294{3}[source]
I guess it's partially because ISPs are perfectly happy selling crippled internet connectivity as the base service and charging hefty premiums for "luxuries" like static IPs. It has also become common to only offer static IPs to business customers.
5. ianburrell ◴[] No.45672929{3}[source]
IPv4 addresses have run out, everything has been allocated, and they are now being traded.

IPv6 is slowly growing in popularity. Google stats are close to 50%. If your ISP has IPv6, you might be accessing Hacker News with IPv6 since they added support recently.