
67 points xlmnxp | 2 comments
tptacek No.45668433
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

1. sneak No.45672470
I view port knocking as just a very, very poor form of an unencrypted PSK (replayable) authentication step.

Just skip the plaintext password (the sequence of ports transmitted) and use certificate-based auth, as you note below.

replies(1): >>45672489 #
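The "unencrypted, replayable PSK" point above, as an added toy model (not code from the thread or from any knockd implementation): a minimal knock daemon state machine, a passive capture of one legitimate knock, and the recovered port sequence replayed from a different address. The addresses and the port sequence are constructed.

```python
from collections import defaultdict
PROTECTED_PORT = 22
KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed example "password", sent in the clear

class KnockDaemon:
    """Minimal knockd-style state machine: a source that hits the ports in
    order is added to the allow list for the protected port."""
    def __init__(self, sequence):
        self.sequence = sequence
        self.progress = defaultdict(int)   # per-source position in the sequence
        self.allowed = set()

    def observe_syn(self, src_ip, dst_port):   # one TCP SYN: (source, dst port)
        if dst_port == self.sequence[self.progress[src_ip]]:
            self.progress[src_ip] += 1
            if self.progress[src_ip] == len(self.sequence):
                self.allowed.add(src_ip)
                self.progress[src_ip] = 0
        else:
            self.progress[src_ip] = 0           # wrong port: start over

    def accepts(self, src_ip, dst_port):
        """Firewall decision: the protected port opens only for allow-listed sources."""
        return dst_port != PROTECTED_PORT or src_ip in self.allowed

def recover_sequence(capture, client_ip):
    """What a passive observer learns: the ports the client hit before its first
    connection to the protected port *are* the secret, in plaintext."""
    ports = []
    for src, dst in capture:
        if src == client_ip and dst == PROTECTED_PORT:
            break
        if src == client_ip:
            ports.append(dst)
    return tuple(ports)

def demo():
    daemon = KnockDaemon(KNOCK_SEQUENCE)
    client, observer, stranger = "10.0.0.5", "10.0.0.99", "10.0.0.7"   # constructed
    capture = [(client, p) for p in KNOCK_SEQUENCE] + [(client, PROTECTED_PORT)]
    for src, dst in capture:                    # legitimate knock, as seen on the wire
        daemon.observe_syn(src, dst)
    recovered = recover_sequence(capture, client)
    for dst in recovered:                       # replay: no key, no challenge, same result
        daemon.observe_syn(observer, dst)
    return {"recovered": recovered,
            "client_accepted": daemon.accepts(client, PROTECTED_PORT),
            "replay_accepted": daemon.accepts(observer, PROTECTED_PORT),
            "stranger_accepted": daemon.accepts(stranger, PROTECTED_PORT)}
```

Nothing in the daemon can tell the replay from the original, which is exactly what a keyed, nonce-bearing handshake such as WireGuard's fixes.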
2. tptacek No.45672489
It's part of a long line of cargo-culted security things people do because it makes them feel on-the-ball; they're all anti-tiger rocks. Even before WireGuard, port knocking never made sense, and for most of its history it was actively harmful.