←back to thread

Knocker, a knock based access control system for your homelab

(github.com)
67 points xlmnxp | 3 comments | 22 Oct 25 08:37 UTC | HN request time: 0s | source
Show context
tptacek ◴[22 Oct 25 13:01 UTC] No.45668433[source]
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 #>>45668974 #>>45669023 #>>45672079 #>>45672470 #>>45673304 #>>45676649 #
hatradiowigwam ◴[22 Oct 25 13:38 UTC] No.45668974[source]
Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.
replies(2): >>45669348 #>>45669979 #
mdhb ◴[22 Oct 25 14:03 UTC] No.45669348[source]
I’m not super familiar with the intricacies of fail2ban and don’t currently understand why op made that claim but would very much like to know more because he is talking about a topic he is highly regarded for and I respect that. I just don’t have the context.
replies(2): >>45670625 #>>45671161 #
Joel_Mckay ◴[22 Oct 25 15:28 UTC] No.45670625[source]
Port-knocking mainly mitigates slow distributed-brute-force login attacks, and works best when ports are interleaved with several tripwire black-hole and knock-port-close firewall rules.

Use-cases:

1. helps auto-ban hosts doing port-scans or using online vulnerability scanners

2. helps reduce further ingress for a few minutes as the hostile sees the site is "down". Generally, try to waste as much of a problem users time as possible, as it changes the economics of breaking networked systems.

3. the firewall rule-trigger delay means hostiles have a harder time guessing which action triggered a IP ban. If every login attempt costs 3 days, folks would have to be pretty committed to breaking into a simple website.

4. keeps failed login log noise to a minimum, so spotting actual problems is easier

5. Easier to forensically analyze the remote packet stream when doing a packet dump tap, as only the key user traffic is present

6. buys time to patch vulnerable code when zero day exploits hits other hosts exposed services

7. most administrative ssh password-less key traffic should be tunneled over SSL web services, and thus attackers have a greater challenge figuring out if dynamic service-switching is even active

People that say it isn't a "security policy" are somewhat correct, but are also naive when it comes to the reality of dealing with nuisance web traffic.

Fail2ban is slightly different in that it is for setting up tripwires for failed email logins, and known web-vulnerability scanners etc. Then whispering that IP ban period to the firewall (must override the default config.)

Finally, if the IP address for some application login session changes more than 5 times an hour, one should also whisper a ban to the firewalls. These IP ban rules are often automatically shared between groups to reduce forum spam, VoIP attacks, and problem users. Popular cloud-based VPN/proxies/Tor-exit-nodes run out of unique IPs faster than most assume.

Have a nice day, =3

replies(3): >>45671078 #>>45671584 #>>45671674 #
akerl_ ◴[22 Oct 25 15:56 UTC] No.45671078[source]
If a slow brute force attack is working on your system, all the port knocking and tripwires and whatever are just gimmicks.

Don’t waste resources putting lipstick on the pig.

replies(1): >>45671327 #
Joel_Mckay ◴[22 Oct 25 16:11 UTC] No.45671327{3}[source]
Stolen password-less key bots are also common these days, and again it is more about reducing log noise.

"Don’t waste resources putting lipstick on the pig."

I would never kink-shame someone that ignored the recent CVE-2025-48416, that proved exposing unprotected services is naive =3

replies(1): >>45671578 #
akerl_ ◴[22 Oct 25 16:28 UTC] No.45671578{4}[source]
If somebody has a stolen credential, they aren’t going to be brute forcing at all. Likewise that CVE wouldn’t be attacked by a brute force attack.

But I see you’ve backpedaled to this being about log noise, not security.

replies(1): >>45671926 #
Joel_Mckay ◴[22 Oct 25 16:54 UTC] No.45671926{5}[source]
Threat detection is a higher security priority than prevention in my experience.

One may believe whatever they like, as both our intentions are clear friend.

Have a wonderful day =3

replies(1): >>45671967 #
akerl_ ◴[22 Oct 25 16:56 UTC] No.45671967{6}[source]
It's weird to assign them comparatively like that but also, what does that have to do with fail2ban?

The roving spam it blocks are not threats, and stolen credentials aren't going to be detected by it.

replies(1): >>45672371 #
1. Joel_Mckay ◴[22 Oct 25 17:28 UTC] No.45672371{7}[source]
In general, bots/worms/clowns will first check if a host/router is already infected or vulnerable to a shim. Thus, tripwires on those checks or URI often auto-ban infected/hostile hosts before a scan fully escalates to a successful payload. Note, people don't want a VM delta-snapshot of their zero-day around for automated analysis.

99.98% of hostile traffic simply reuse already published testing tools, or services like Shodan to target hosts.

One shouldn't waste resources guessing the motives behind problem traffic. =3

replies(1): >>45674314 #
2. akerl_ ◴[22 Oct 25 19:55 UTC] No.45674314[source]
You're just sort of loosely interweaving unrelated comments?

You're back on prevention instead of detection, but also no: an attacker with valid creds isn't going to run other checks first before using them.

And yes: by volume, most attacks on the internet are just spam reusing published tools and IP lists. And that traffic is zero percent risky unless your auth is already busted.

replies(2): >>45675156 #>>45679219 #
3. Capricorn2481 ◴[23 Oct 25 07:34 UTC] No.45679219[source]
> And that traffic is zero percent risky unless your auth is already busted

Well it's a waste of our time and resources. I'm not just going to let people make 100 requests per second for no reason?