←back to thread

Knocker, a knock based access control system for your homelab

(github.com)
67 points xlmnxp | 1 comments | 22 Oct 25 08:37 UTC | HN request time: 0.361s | source
Show context
tptacek ◴[22 Oct 25 13:01 UTC] No.45668433[source]
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 #>>45668974 #>>45669023 #>>45672079 #>>45672470 #>>45673304 #>>45676649 #
hatradiowigwam ◴[22 Oct 25 13:38 UTC] No.45668974[source]
Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.
replies(2): >>45669348 #>>45669979 #
tptacek ◴[22 Oct 25 14:49 UTC] No.45669979[source]
No, fail2ban is cargo cult security, and if you actually "need" it, you've misconfigured your system. Don't allow password authentication.
replies(3): >>45670325 #>>45673312 #>>45673525 #
wolrah ◴[22 Oct 25 18:52 UTC] No.45673525[source]
They can't get in but they can still fill my logs up, so fail2ban cuts them off after a few failures.

Also by collecting data on the IP addresses that are triggering fail2ban I can identify networks and/or ASes that disproportionally host malicious traffic and block them at a global level.

replies(1): >>45673585 #
tptacek ◴[22 Oct 25 18:58 UTC] No.45673585[source]
Why bother logging them at all? What is this doing for you? You can't meaningfully characterize attacker traffic this way. They'll come from any AS they want to.
replies(3): >>45673825 #>>45675271 #>>45679180 #
1. wolrah ◴[22 Oct 25 21:19 UTC] No.45675271[source]
> Why bother logging them at all? What is this doing for you?

Logging both successful and failed requests is important for troubleshooting my systems, especially the client-facing ones (a subset of which are the only ones that are accessible to the open internet), and failed authentication attempts are just one sort of request failure. Sometimes those failures are legitimate client systems where someone misconfigured something, and the logs allow me to troubleshoot that after the fact. That it can also be fed to fail2ban to block attackers is just another benefit.

> You can't meaningfully characterize attacker traffic this way. They'll come from any AS they want to.

Obviously in a world full of botted computers, IoT devices, etc. it's true that an attacker can hypothetically come from anywhere, but in practice at least from the perspective of a small service provider I just don't see that happen. I'm aware that you are involved with much larger scale operations than I'm likely to ever touch so perhaps that's where our experiences differ. No one's targeting my services specifically, they're just scanning the internet for whatever's out there and occasionally happen to stumble upon one of my systems that needs to be accessible to wherever my clients happen to bring their devices.

Sure, I see random domestic residential ISP addresses get banned from individual servers from time to time, but I never see the organized attacks I see which are usually coming from small hosting providers half way around the world from my clients. I have on multiple occasions seen fail2ban fire off rapidly sequential IP addresses like xxx.xxx.xxx.1 followed by xxx.xxx.xxx.2 then xxx.xxx.xxx.3, or in other cases a series of semi-random addresses all in the same subnet, which then triggers my network block and magically they're stopped instead of just moving on to another network. If I were to be packet sniffing on the outside of the relevant firewall I'm sure I'd see another address in the blocked network trying to do its thing but I've never looked.