
67 points xlmnxp | 4 comments
tptacek No.45668433
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 >>45668974 >>45669023 >>45672079 >>45672470 >>45673304 >>45676649
hatradiowigwam No.45668974
Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.
replies(2): >>45669348 >>45669979
tptacek No.45669979
No, fail2ban is cargo cult security, and if you actually "need" it, you've misconfigured your system. Don't allow password authentication.
replies(3): >>45670325 >>45673312 >>45673525
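Added example, not from any commenter in the thread: the comment above says to turn off password authentication, and the check a practitioner wants is whether sshd can still accept a password after the obvious knob is off. OpenSSH defaults both `PasswordAuthentication` and `KbdInteractiveAuthentication` to yes, the latter being the path PAM uses to prompt for a password, and a `Match` block can re-enable either for a subset of users. The script below parses sshd_config text (the sample configs are constructed) and lists every remaining password path; the parser is illustrative, not OpenSSH's own.

```python
"""Audit an sshd_config for ways a password can still be accepted.

Added example; not from any project or commenter. The configs below are
constructed samples.
"""
import re

# Keyword -> OpenSSH compiled-in default when the file is silent. Both
# default to "yes", and keyboard-interactive is the path PAM uses to ask for
# a password after PasswordAuthentication alone has been turned off.
PASSWORD_KEYWORDS = {
    "PasswordAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",
}
# Older spelling of the same keyword, still seen in existing configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
CANONICAL = {k.lower(): k for k in PASSWORD_KEYWORDS}

SAMPLE_LOOKS_HARDENED = """\
# constructed sample: off globally, re-enabled for one account
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password

Match User legacy
    PasswordAuthentication yes
"""

SAMPLE_HALF_HARDENED = """\
# constructed sample: only the obvious knob was turned off
PasswordAuthentication no
UsePAM yes
"""


def parse_sshd_config(text):
    """Split a config into (global settings, [(match spec, settings), ...]).

    Keywords are case-insensitive and, within a section, the first
    occurrence wins, as sshd_config(5) describes. Comments are dropped.
    """
    global_settings, matches = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        key = ALIASES.get(key, key)
        key = CANONICAL.get(key, key)
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, matches


def password_paths(text):
    """Return every place this config still lets sshd accept a password.

    An empty list means neither keyword is on globally (explicitly or by
    default) and no Match block switches one back on.
    """
    global_settings, matches = parse_sshd_config(text)
    paths = []
    for keyword, default in PASSWORD_KEYWORDS.items():
        explicit = global_settings.get(keyword)
        if (explicit or default).lower() == "yes":
            origin = "default" if explicit is None else "explicit"
            paths.append(f"global: {keyword} yes ({origin})")
        for spec, settings in matches:
            if settings.get(keyword, "").lower() == "yes":
                paths.append(f"Match {spec}: {keyword} yes")
    return paths


if __name__ == "__main__":
    for name, cfg in [("looks hardened", SAMPLE_LOOKS_HARDENED),
                      ("half hardened", SAMPLE_HALF_HARDENED)]:
        print(f"{name}: {password_paths(cfg) or 'no password path found'}")
```

On a real host, feed it the output of `sshd -T` (and `sshd -T -C user=<name>` for a specific account) rather than the file, since that is the configuration sshd actually applies; the parser accepts the lowercase keywords that command prints.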
dugite-code No.45673312
IMHO Fail2ban, just like port knocking, isn't cargo cult security. They are a single tool that can be included in a general system security arsenal, not the only tool you should use but one of a suite of tools that can be used depending on what you want to achieve.

Personally I use fwknop for port knocking as it doesn't suffer from replay attacks as it's an encrypted packet. But still serves the same niche

replies(1): >>45674206
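Added example, not from any commenter and not fwknop's wire format: the comment above contrasts a plain knock sequence with an encrypted single packet on replay grounds. What actually stops a replay is a freshness check (timestamp plus nonce, remembered by the server) and a binding to the sender, so the illustrative scheme below uses an HMAC tag rather than encryption to make that point; the key and addresses are constructed. It runs a capture-and-replay attacker against both a classic knock daemon and the authenticated single-packet server.

```python
"""Replayable knock sequence vs. an authenticated single packet.

Added example; an illustrative scheme, not fwknop's wire format. Keys and
addresses are constructed.
"""
import hashlib
import hmac
import os
import struct

KEY = b"constructed-shared-secret-do-not-reuse"
TS_LEN, NONCE_LEN, IP_LEN, TAG_LEN = 8, 16, 16, 32


class KnockServer:
    """Classic port knocking: the right sequence of ports opens the door.

    Anyone who captures the sequence once can replay it forever, because
    nothing in the packets ties them to a time or a sender.
    """

    def __init__(self, sequence):
        self.sequence = list(sequence)
        self.progress = 0

    def observe(self, port):
        self.progress = self.progress + 1 if port == self.sequence[self.progress] else 0
        if self.progress == len(self.sequence):
            self.progress = 0
            return True
        return False


def spa_build(key, client_ip, now, nonce=None):
    """Build one packet: timestamp || nonce || claimed source IP || HMAC-SHA256."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = struct.pack("!Q", int(now)) + nonce + client_ip.encode().ljust(IP_LEN, b"\0")
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaServer:
    """Authenticated single-packet authorisation with replay protection."""

    def __init__(self, key, window=30):
        self.key = key
        self.window = window   # seconds of clock skew tolerated
        self.seen = {}         # (timestamp, nonce) -> timestamp, for pruning

    def accept(self, packet, src_ip, now):
        if len(packet) != TS_LEN + NONCE_LEN + IP_LEN + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # 1. Integrity and origin: only a holder of the key can produce the tag.
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return False
        ts = struct.unpack("!Q", body[:TS_LEN])[0]
        nonce = body[TS_LEN:TS_LEN + NONCE_LEN]
        claimed_ip = body[TS_LEN + NONCE_LEN:].rstrip(b"\0").decode()
        # 2. Source binding: a captured packet is useless from another address.
        if claimed_ip != src_ip:
            return False
        # 3. Freshness: stale packets are dropped, which also bounds the replay cache.
        if abs(now - ts) > self.window:
            return False
        # 4. Replay: the same (timestamp, nonce) is accepted at most once.
        self._prune(now)
        if (ts, nonce) in self.seen:
            return False
        self.seen[(ts, nonce)] = ts
        return True

    def _prune(self, now):
        for entry in [e for e, ts in self.seen.items() if now - ts > self.window]:
            del self.seen[entry]


def demo(now=1_700_000_000):
    """Run both schemes against a capture-and-replay attacker; return outcomes."""
    knock = KnockServer([7000, 8000, 9000])
    captured_knocks = [7000, 8000, 9000]
    knock_first = [knock.observe(p) for p in captured_knocks][-1]
    knock_replay = [knock.observe(p) for p in captured_knocks][-1]

    spa = SpaServer(KEY)
    client, attacker = "198.51.100.7", "203.0.113.9"
    pkt = spa_build(KEY, client, now)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    return {
        "knock_first": knock_first,                                   # True
        "knock_replay": knock_replay,                                 # True: replay works
        "spa_first": spa.accept(pkt, client, now + 1),                # True
        "spa_replay": spa.accept(pkt, client, now + 2),               # False
        "spa_from_other_ip": spa.accept(pkt, attacker, now + 1),      # False
        "spa_tampered": spa.accept(tampered, client, now + 1),        # False
        "spa_stale": spa.accept(spa_build(KEY, client, now - 120), client, now),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The source-IP check relies on the address the server actually observes, so it is only as strong as the network's spoofing protection; and because this scheme authenticates without encrypting, the packet contents are visible on the wire, which is the part fwknop's encryption addresses.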
1. akerl_ No.45674206
The point being made is that unless "what you want to achieve" is "run a tool that isn't improving your security posture", port knocking isn't providing value to the security model.

Hence the cargo cult.

replies(1): >>45675373
2. dugite-code No.45675373
I can't agree that it's "a tool that isn't improving your security posture". If it's a layer on top of other tools, you might argue its effectiveness isn't great, but to say it's effectively nothing is a reach.
replies(1): >>45675589
3. akerl_ No.45675589
It’s not nothing: it’s one more thing that can break or eat resources or have a vuln. And it’s not improving the threat model. It’s net negative.
replies(1): >>45679213
4. DaSHacka No.45679213
How is it not improving the threat model to not have a service directly connected to the internet, but instead put behind a layer of protection?