←back to thread

Knocker, a knock based access control system for your homelab

(github.com)
67 points xlmnxp | 10 comments | 22 Oct 25 08:37 UTC | HN request time: 0.001s | source | bottom
Show context
tptacek ◴[22 Oct 25 13:01 UTC] No.45668433[source]
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 #>>45668974 #>>45669023 #>>45672079 #>>45672470 #>>45673304 #>>45676649 #
hatradiowigwam ◴[22 Oct 25 13:38 UTC] No.45668974[source]
Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.
replies(2): >>45669348 #>>45669979 #
mdhb ◴[22 Oct 25 14:03 UTC] No.45669348[source]
I’m not super familiar with the intricacies of fail2ban and don’t currently understand why op made that claim but would very much like to know more because he is talking about a topic he is highly regarded for and I respect that. I just don’t have the context.
replies(2): >>45670625 #>>45671161 #
Joel_Mckay ◴[22 Oct 25 15:28 UTC] No.45670625[source]
Port-knocking mainly mitigates slow distributed-brute-force login attacks, and works best when ports are interleaved with several tripwire black-hole and knock-port-close firewall rules.

Use-cases:

1. helps auto-ban hosts doing port-scans or using online vulnerability scanners

2. helps reduce further ingress for a few minutes as the hostile sees the site is "down". Generally, try to waste as much of a problem users time as possible, as it changes the economics of breaking networked systems.

3. the firewall rule-trigger delay means hostiles have a harder time guessing which action triggered a IP ban. If every login attempt costs 3 days, folks would have to be pretty committed to breaking into a simple website.

4. keeps failed login log noise to a minimum, so spotting actual problems is easier

5. Easier to forensically analyze the remote packet stream when doing a packet dump tap, as only the key user traffic is present

6. buys time to patch vulnerable code when zero day exploits hits other hosts exposed services

7. most administrative ssh password-less key traffic should be tunneled over SSL web services, and thus attackers have a greater challenge figuring out if dynamic service-switching is even active

People that say it isn't a "security policy" are somewhat correct, but are also naive when it comes to the reality of dealing with nuisance web traffic.

Fail2ban is slightly different in that it is for setting up tripwires for failed email logins, and known web-vulnerability scanners etc. Then whispering that IP ban period to the firewall (must override the default config.)

Finally, if the IP address for some application login session changes more than 5 times an hour, one should also whisper a ban to the firewalls. These IP ban rules are often automatically shared between groups to reduce forum spam, VoIP attacks, and problem users. Popular cloud-based VPN/proxies/Tor-exit-nodes run out of unique IPs faster than most assume.

Have a nice day, =3

replies(3): >>45671078 #>>45671584 #>>45671674 #
frumplestlatz ◴[22 Oct 25 16:28 UTC] No.45671584[source]
This is a metric ton of completely pointless theater.

Your services should simply be unreachable over anything but wireguard (or another secure VPN option).

replies(2): >>45672039 #>>45672104 #
Joel_Mckay ◴[22 Oct 25 17:02 UTC] No.45672039[source]
Depends on the use-case, IPsec is often not supported by many LANs. Also, network crossing is 1 badly configured client away from full infrastructure worming.

At some point, the idealism of white-listed pears and VPN will fail due to maintenance service costs. Two things may be true at the same time friend. =3

https://www.poetry.com/poem/101535/the-blind-men-and-the-ele...

replies(1): >>45672313 #
1. frumplestlatz ◴[22 Oct 25 17:24 UTC] No.45672313[source]
Yes, and those two true things are:

- You should be using WireGuard.

- “Port knocking” is pointless theater.

replies(1): >>45672524 #
2. Joel_Mckay ◴[22 Oct 25 17:39 UTC] No.45672524[source]
CVE-2024-26950 is also true, and while I respect your opinion... a VPN has a lot of additional links in the chain trivially broken by competent hostiles or incompetent client installations.

IPSec is simply a luxury unavailable on some LANs =3

replies(1): >>45676070 #
3. tptacek ◴[22 Oct 25 22:39 UTC] No.45676070[source]
I don't understand what you think CVE-2024-26950 has to do with this thread. Do you understand what that vulnerability actually is, or did you just go search "WireGuard CVE" to find ammunition?
replies(1): >>45676141 #
4. Joel_Mckay ◴[22 Oct 25 22:49 UTC] No.45676141{3}[source]
Firewall administrative network port traffic priority is important for systems under abnormal stress.
replies(1): >>45676198 #
5. tptacek ◴[22 Oct 25 22:56 UTC] No.45676198{4}[source]
I don't know what this even means. Do you understand the vulnerability you cited? Can you explain it here?
replies(1): >>45676550 #
6. Joel_Mckay ◴[22 Oct 25 23:41 UTC] No.45676550{5}[source]
The relatively benign legacy kernel level pointer-bug CVE chosen is hardly the worst thing from WireGuard or strongSwan over the years. However, it makes the point a priority reliable network side-channel administrative login is more robust under some use-cases.

Adding layers of complexity rarely improves security, and doesn't usually address the underlying issue of accountability. And I often ponder if a bastion host is even still meaningful in modern clouds. =3

replies(1): >>45676589 #
7. tptacek ◴[22 Oct 25 23:47 UTC] No.45676589{6}[source]
The bug you cited is in Netlink. It's not exposed on the network. What's the "worse" thing you're referring to? I think you just searched "WireGuard CVE" and tried to play it off.
replies(1): >>45676813 #
8. Joel_Mckay ◴[23 Oct 25 00:21 UTC] No.45676813{7}[source]
In general, doing a qualitative summary of the projects impact is less helpful, and never as verbose as some would prefer on platform specific issues. Additionally, wireguard is now more popular than strongswan these days...

https://www.cve.org/CVERecord/SearchResults?query=ipsec

https://www.cve.org/CVERecord/SearchResults?query=wireguard

https://www.cve.org/CVERecord/SearchResults?query=strongswan

Best of luck, and straw-man arguments are never taken seriously. =3

replies(1): >>45676859 #
9. tptacek ◴[23 Oct 25 00:29 UTC] No.45676859{8}[source]
This reads like a long-winded way of saying you aren't bothering to read what the vulnerabilities actually are.
replies(1): >>45677102 #
10. Joel_Mckay ◴[23 Oct 25 01:12 UTC] No.45677102{9}[source]
>This reads like a long-winded way of saying you aren't bothering to read what the vulnerabilities actually are.

Almost, it is more that I don't care specifically why a IPSec option is often a liability, and would rather stick with something less silly.

Ad hominem attacks do not change the fact there are new issues in IPSec/VPN approaches found regularly. Pick any failure mode(s) on the list that applies to your specific use-case and platform.... or could find new ones if you are still bored.

Have a great day =3

https://www.youtube.com/watch?v=6vgoEhsJORU