(github.com)

67 points xlmnxp | 1 comments | 22 Oct 25 08:37 UTC | HN request time: 0.271s | source

Show context

tptacek ◴[22 Oct 25 13:01 UTC] No.45668433[source]▶

I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 #>>45668974 #>>45669023 #>>45672079 #>>45672470 #>>45673304 #>>45676649 #

hatradiowigwam ◴[22 Oct 25 13:38 UTC] No.45668974[source]▶

>>45668433 #

Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.

replies(2): >>45669348 #>>45669979 #

tptacek ◴[22 Oct 25 14:49 UTC] No.45669979[source]▶

>>45668974 #

No, fail2ban is cargo cult security, and if you actually "need" it, you've misconfigured your system. Don't allow password authentication.

replies(3): >>45670325 #>>45673312 #>>45673525 #

1. ◴[22 Oct 25 15:09 UTC] No.45670325[source]▶

>>45669979 #

↑

Knocker, a knock based access control system for your homelab