
67 points xlmnxp | 4 comments

tptacek No.45668433
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 >>45668974 >>45669023 >>45672079 >>45672470 >>45673304 >>45676649
slightwinder No.45669023
Every door you close is one less someone can break.

Every complex service running is a door someone can potentially break. Even with the most secure and battle-tested service, you never know where someone fucked up and introduced an exploit or backdoor. It has happened too often not to be a concern. The XZ Utils backdoor, for example, was just last year.

> Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

If there is no harm, who cares...

replies(1): >>45669312
1. mdhb No.45669312
Just to be super clear.. using this in place of something like WireGuard is absolutely not an improvement. It’s actively worse in the majority of scenarios assuming you can manage to secure your keys.
replies(2): >>45669572 >>45671802
2. slightwinder No.45669572
Yes, of course, this should just be an optional gadget for a setup which is already as safe as possible for the situation. After all, once the port has been opened, your setup is also open to attack. The knocker's purpose is to reduce the timeframe during which your system is accessible to attackers.
3. tptacek No.45671802
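Added example, not code from the thread or from any real knock daemon: a small Python state machine that models the behaviour slightwinder describes, a per-source knock sequence that opens a protected port for a bounded window and then closes it again. The knock sequence (7000, 8000, 9000), the timeouts, and the source addresses in the demo are all constructed for illustration.

```python
# Minimal port-knocking model: each source must hit a secret sequence of
# ports, in order, within a time budget; on success the protected port is
# "open" for that source for a fixed window and then closes by itself.
# Constructed example; numbers below are hypothetical.

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence
SEQUENCE_TIMEOUT = 5.0                 # max seconds between two knocks
OPEN_WINDOW = 10.0                     # seconds the port stays open after success


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE,
                 seq_timeout=SEQUENCE_TIMEOUT, open_window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.seq_timeout = seq_timeout
        self.open_window = open_window
        self._progress = {}   # src_ip -> (index of next expected knock, time of last knock)
        self._opened = {}     # src_ip -> time at which the open window expires

    def observe(self, src_ip, dst_port, now):
        """Feed one inbound SYN (source, destination port, timestamp).
        Returns True exactly when this packet completes the sequence."""
        idx, last = self._progress.get(src_ip, (0, now))
        if idx > 0 and now - last > self.seq_timeout:
            idx = 0                      # partial sequence went stale: start over
        if dst_port == self.sequence[idx]:
            idx += 1                     # correct knock, advance
        else:
            idx = 0                      # wrong port resets the sequence
        if idx == len(self.sequence):
            self._progress.pop(src_ip, None)
            self._opened[src_ip] = now + self.open_window
            return True
        self._progress[src_ip] = (idx, now)
        return False

    def is_open(self, src_ip, now):
        """Whether src_ip may currently reach the protected port."""
        expiry = self._opened.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._opened[src_ip]     # window elapsed: close again
            return False
        return True


def run_demo():
    """Three constructed traffic patterns; returns what each one achieves."""
    d = KnockDaemon()
    results = {}

    # 1. A legitimate client knocks 7000, 8000, 9000 one second apart.
    for port, t in zip(KNOCK_SEQUENCE, (0.0, 1.0, 2.0)):
        opened = d.observe("203.0.113.5", port, t)
    results["opened_after_sequence"] = opened            # True
    results["open_at_t5"] = d.is_open("203.0.113.5", 5.0)   # inside window
    results["open_at_t13"] = d.is_open("203.0.113.5", 13.0) # 2 + 10 = 12 has passed

    # 2. A scanner hits the same ports but in the wrong order: never opens.
    for port, t in ((8000, 0.5), (7000, 1.0), (9000, 1.5)):
        d.observe("198.51.100.9", port, t)
    results["scanner_open"] = d.is_open("198.51.100.9", 2.0)

    # 3. Correct order but the last knock arrives 19 s late: sequence expired.
    d.observe("192.0.2.7", 7000, 0.0)
    d.observe("192.0.2.7", 8000, 1.0)
    results["slow_knock_opened"] = d.observe("192.0.2.7", 9000, 20.0)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The model shows the one property the knocker actually provides: the port is reachable only between a completed sequence and the expiry of `OPEN_WINDOW`, and only for the source that knocked. It also makes the limits visible: the sequence is the whole secret, so anyone who can observe the three SYNs (or who sweeps ports in ascending order) completes it too, which is why the discussion keeps contrasting plain knocking with authenticated single-packet schemes and with WireGuard.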
Just to clarify: it's actively worse in every scenario. It's engineering malpractice.
replies(1): >>45679265
4. DaSHacka No.45679265
I somehow doubt that it is quite truly worse in every single scenario, and that there is not one single scenario in which port knocking may be better utilized than WireGuard.

I also find it hard to believe it is engineering malpractice to use one technology over another.

What happens if there is a vulnerability in WireGuard? Or if WireGuard traffic is not allowed in or out of a network due to a policy or security restriction?