←back to thread

Knocker, a knock based access control system for your homelab

(github.com)
67 points xlmnxp | 1 comments | 22 Oct 25 08:37 UTC | HN request time: 0.201s | source
Show context
tptacek ◴[22 Oct 25 13:01 UTC] No.45668433[source]
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies(7): >>45668640 #>>45668974 #>>45669023 #>>45672079 #>>45672470 #>>45673304 #>>45676649 #
hatradiowigwam ◴[22 Oct 25 13:38 UTC] No.45668974[source]
Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.
replies(2): >>45669348 #>>45669979 #
tptacek ◴[22 Oct 25 14:49 UTC] No.45669979[source]
No, fail2ban is cargo cult security, and if you actually "need" it, you've misconfigured your system. Don't allow password authentication.
replies(3): >>45670325 #>>45673312 #>>45673525 #
wolrah ◴[22 Oct 25 18:52 UTC] No.45673525[source]
They can't get in but they can still fill my logs up, so fail2ban cuts them off after a few failures.

Also by collecting data on the IP addresses that are triggering fail2ban I can identify networks and/or ASes that disproportionally host malicious traffic and block them at a global level.

replies(1): >>45673585 #
tptacek ◴[22 Oct 25 18:58 UTC] No.45673585[source]
Why bother logging them at all? What is this doing for you? You can't meaningfully characterize attacker traffic this way. They'll come from any AS they want to.
replies(3): >>45673825 #>>45675271 #>>45679180 #
1. Capricorn2481 ◴[23 Oct 25 07:29 UTC] No.45679180[source]
> You can't meaningfully characterize attacker traffic this way. They'll come from any AS they want to

I'm not totally following what Fail2Ban has to do with Wireguard. Are we talking strictly about homelabs you don't expose to the internet?

Because I have a homelab I can connect to with Wireguard. That's great. But there are certain services I want to expose to everybody. So I have a VPS that can connect to my homelab via Wireguard and forward certain domain traffic to it.

That's a safe setup in that I don't expose my IP to the internet and don't have to open ports, but I could still be DDOS'd. Would it not make sense for me to use Fail2Ban (or some kind of rate limiting) even if I'm using Wireguard? I can still be DDOS'd.