←back to thread

Knocker, a knock based access control system for your homelab

(github.com)
67 points xlmnxp | 2 comments | 22 Oct 25 08:37 UTC | HN request time: 0s | source
Show context
tptacek ◴[22 Oct 25 13:01 UTC] No.45668433[source]
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 #>>45668974 #>>45669023 #>>45672079 #>>45672470 #>>45673304 #>>45676649 #
hatradiowigwam ◴[22 Oct 25 13:38 UTC] No.45668974[source]
Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.
replies(2): >>45669348 #>>45669979 #
tptacek ◴[22 Oct 25 14:49 UTC] No.45669979[source]
No, fail2ban is cargo cult security, and if you actually "need" it, you've misconfigured your system. Don't allow password authentication.
replies(3): >>45670325 #>>45673312 #>>45673525 #
wolrah ◴[22 Oct 25 18:52 UTC] No.45673525[source]
They can't get in but they can still fill my logs up, so fail2ban cuts them off after a few failures.

Also by collecting data on the IP addresses that are triggering fail2ban I can identify networks and/or ASes that disproportionally host malicious traffic and block them at a global level.

replies(1): >>45673585 #
tptacek ◴[22 Oct 25 18:58 UTC] No.45673585[source]
Why bother logging them at all? What is this doing for you? You can't meaningfully characterize attacker traffic this way. They'll come from any AS they want to.
replies(3): >>45673825 #>>45675271 #>>45679180 #
hrimfaxi ◴[22 Oct 25 19:17 UTC] No.45673825[source]
Don't compliance regimes like NIST 800-53 require logging access attempts, whether successful or not, and especially for privileged users?
replies(1): >>45674192 #
akerl_ ◴[22 Oct 25 19:44 UTC] No.45674192[source]
> To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance.

It's possible that some compliance regimes exist that mandate keeping logs of all unsuccessfully authentication attempts. There's surely a compliance regime out there that mandates every possible permutation of thing.

But the far more common permutation, like we see with NIST, is that the organization has to articulate which logs it keeps, why those logs are sufficient for conducting investigations into system activity, and how it supports those investigations.

replies(1): >>45676063 #
hrimfaxi ◴[22 Oct 25 22:39 UTC] No.45676063[source]
I was thinking of:

> The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period.

https://csf.tools/reference/nist-sp-800-53/r5/ac/ac-7/

replies(1): >>45676142 #
1. akerl_ ◴[22 Oct 25 22:49 UTC] No.45676142[source]
That’s almost always going to be a setting in your IDP, not based on log capture/retention.

The IDP will have some settings for max fails before lockout, and apply it by counting.

replies(1): >>45682106 #
2. hrimfaxi ◴[23 Oct 25 14:19 UTC] No.45682106[source]
A centralized IDP that touches every service is not mandated by NIST though. So while you are right that an IDP can handle that, the organization may not have the IDP integrated with a given system and you will still need compensating controls or mitigations. Outright incredulity over logging failed access attempts is surprising.