
67 points | xlmnxp | 1 comment

TZubiri No.45666900
Port knocking is a very hacky technique that was used:

1- In the 90s, where security was whatever

2- In modern days as a way to keep your logs squeaky clean (although you get 99% there with custom ports)

3- As a cute warm-up exercise that you code yourself with what's available in your system (iptables? a couple of Python scripts communicating with each other?)

It's not a security mechanism, and downloading external dependencies or code (especially if vibecoded) is a net loss (by a huge margin).

It's also a waste of time to overengineer for the reasons noted above; I've seen supposedly encrypted port knocking implementations. It feels as if someone had a security checklist and then a checklist for that checklist.

replies(1): >>45667078 #
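The "code it yourself" variant mentioned above amounts to a small state machine: watch SYNs arriving at closed ports, track each source's progress through a secret port sequence, and open the real service port for that source once the sequence completes in order within a time window. The following is an added example written for this page, not code from the thread or from any port-knocking project. The knock sequence, the window, the open duration, the protected port (2222) and the packet tuples are all constructed assumptions; firewall actions are recorded in a list instead of being passed to iptables or nft, and a real daemon would feed `handle_packet` from a packet capture or a firewall log rather than from a hard-coded list.

```python
"""Minimal port-knock state machine (added example, not from the original thread).

Events are (src_ip, dst_port, timestamp) tuples such as a packet filter would
deliver for SYNs to closed ports. A source that hits the sequence in order
within WINDOW_SECONDS gets the protected port "opened" for OPEN_SECONDS.
All numbers below are assumed values chosen for the example.
"""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence (example only)
WINDOW_SECONDS = 5.0                 # whole sequence must arrive within this
OPEN_SECONDS = 30.0                  # how long the protected port stays open
PROTECTED_PORT = 2222                # assumed sshd port hidden behind the knock


@dataclass
class Progress:
    index: int = 0        # how many knocks of the sequence have matched
    started: float = 0.0  # timestamp of the first matching knock


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS,
                 open_for=OPEN_SECONDS, protected_port=PROTECTED_PORT):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.protected_port = protected_port
        self.progress = {}  # src_ip -> Progress
        self.opened = {}    # src_ip -> expiry timestamp
        self.rules = []     # what would be handed to the firewall, in order

    def handle_packet(self, src_ip, dst_port, now):
        """Feed one SYN to a closed port. Returns True if it completes the sequence."""
        p = self.progress.get(src_ip)
        # A stalled sequence is discarded once the window has elapsed.
        if p is not None and now - p.started > self.window:
            p = None
        expected = self.sequence[p.index if p else 0]
        if dst_port != expected:
            # Wrong port. A sequential scanner hits this on the port after the
            # first knock and never progresses. If the stray knock is the first
            # port of the sequence, treat it as a fresh start rather than noise.
            if dst_port == self.sequence[0]:
                self.progress[src_ip] = Progress(index=1, started=now)
            else:
                self.progress.pop(src_ip, None)
            return False
        if p is None:
            p = Progress(index=0, started=now)
        p.index += 1
        self.progress[src_ip] = p
        if p.index == len(self.sequence):
            del self.progress[src_ip]
            self.opened[src_ip] = now + self.open_for
            self.rules.append(("open", src_ip, self.protected_port))
            return True
        return False

    def is_open(self, src_ip, now):
        """Whether src_ip may currently reach the protected port; expires stale opens."""
        expiry = self.opened.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.opened[src_ip]
            self.rules.append(("close", src_ip, self.protected_port))
            return False
        return True


if __name__ == "__main__":
    d = KnockDaemon()
    # Constructed events: a legitimate knock followed by a sequential scan.
    for ip, port, t in [("203.0.113.5", 7000, 100.0), ("203.0.113.5", 8000, 101.0),
                        ("203.0.113.5", 9000, 102.0), ("198.51.100.9", 7000, 103.0),
                        ("198.51.100.9", 7001, 103.1), ("198.51.100.9", 8000, 103.2)]:
        d.handle_packet(ip, port, t)
    print("knocker open:", d.is_open("203.0.113.5", 110.0))
    print("scanner open:", d.is_open("198.51.100.9", 110.0))
    print("firewall actions:", d.rules)
```

Two properties of the design are worth noticing. Ordering plus the window is what defeats a sequential scanner: it reaches the first knock port, then the next port it probes is not the expected one and its progress is discarded. On the other hand the sequence travels in the clear, so anyone who can observe the path can replay it; the mechanism filters untargeted scanners, it does not authenticate anyone, which is why both sides of the thread treat it as something other than a primary control.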
imiric No.45667078
There's nothing "hacky" about port knocking. It was never meant to be a complete security solution—nothing is.

But it works very well as an additional layer of security. Sec nerds often scoff at "security through obscurity", but it is a very valid strategy. Running sshd on a random high port is not inherently more secure, but it avoids the vast majority of dumb scanners that spam port 22, which is why all my systems do that. Camouflage is underrated, yet wildly effective. You can see how well it works in nature.

In any case, this is not a port knocking solution anyway, as I mentioned in another comment.

replies(1): >>45671790 #
frumplestlatz No.45671790
It’s really, really not a valid strategy for anything. Just put your services behind WireGuard.