Knocker, a knock based access control system for your homelab

https://github.com/FarisZR/knocker


I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

Fail2ban is not in the same realm as port knocking, and to "bin it" would be foolish security posture at best, and negligent at worst.

No, fail2ban is cargo cult security, and if you actually "need" it, you've misconfigured your system. Don't allow password authentication.

They can't get in but they can still fill my logs up, so fail2ban cuts them off after a few failures.

Also by collecting data on the IP addresses that are triggering fail2ban I can identify networks and/or ASes that disproportionally host malicious traffic and block them at a global level.

Why bother logging them at all? What is this doing for you? You can't meaningfully characterize attacker traffic this way. They'll come from any AS they want to.

Every door you close is one less someone can break.

Every complex service running is a door someone can potentially break. Even with the most secure and battle tested service, you never know where someone fucked up and introduced an exploit or backdoor. It has happened too often not to be a concern. The XZ Utils backdoor, for example, was just last year.

> Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

If there is no harm, who cares...

Just to be super clear... using this in place of something like WireGuard is absolutely not an improvement. It's actively worse in the majority of scenarios assuming you can manage to secure your keys.

Just to clarify: it's actively worse in every scenario. It's engineering malpractice.

Knocking can cut down on grinding. I have in the past created setups where you had to knock prior to establishing a VPN connection, and given the semi-regular problems with VPN implementations I really don't feel bad about that. FortiGate, SonicWall, Cisco, Ivanti, etc. - sure, a big part of it is "don't run VPNs based on big legacy codebases", but who's to say there won't be implementation problems found (or introduced, given "Jia Tan" style attacks) in WireGuard?

Is knocking incredibly weak security through obscurity? Sure, but part of what it does is cut down on log volume.

There is literally no value to cutting down on WireGuard attempts. Like, the exact same set of skbuffs are being created and destroyed in either case.

Sure there is, if the attacker has to fulfil some basic obfuscation then it cuts down on the amount of crypto work you have to do before ignoring the packet.

It's not extra security but it is a little extra efficiency.

WireGuard has something like this built in though, the PresharedKey (which is in addition to the public key crypto, and doesn't reduce your security to the level of a shared-key system). It's still more work to verify that than a port knock, however.

This has no value at all. WireGuard assumes an adversary trying to make it do extra work doing handshakes; a big chunk of the WireGuard paper discusses it. I don't think this is as important a problem as Jason does (but it's his baby), but either way: part of the point of WireGuard is that it's safe to hang out on the open Internet this way.

I view port knocking as just a very, very poor form of an unencrypted PSK (replayable) authentication step.

Just skip the plaintext password (the sequence of ports transmitted) and use certificate based auth, as you note below.

It's part of a long line of cargo culted security things people do because it makes them feel on-the-ball; they're all anti-tiger rocks. Even before WireGuard, port knocking never made sense, and for most of its history it was actively harmful.

Do you have a guide to using WireGuard in this way?

Using WireGuard in what way? WireGuard defaults to the security posture SPA/port knocking hopes to asymptotically achieve.

> Using WireGuard in what way?

Using WireGuard to gate access to a server. It looks like it's a VPN, not an access control mechanism. So I am curious how this works.

Set up WireGuard, filter everything but WireGuard (51820/udp) on en0, and then SSH in over the WireGuard connection.
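The "filter everything but WireGuard, then SSH over the tunnel" setup from the comment above, written out as an nftables ruleset. This is an added example, not code from the thread or from the Knocker project; it assumes a Linux host with nftables, a WAN interface named in WAN_IF (the comment says en0; Linux boxes usually have eth0 or similar), and a WireGuard interface called wg0 that is already configured.

```shell
#!/bin/sh
# Added example: default-drop firewall that exposes only WireGuard on the
# WAN interface and accepts SSH solely on the wg0 tunnel interface.
# Assumptions: Linux + nftables; interface names and port are overridable
# via the environment. No knock sequence, no fail2ban: the only thing an
# unauthenticated peer can reach is the WireGuard handshake itself.
set -eu

WAN_IF="${WAN_IF:-en0}"      # interface facing the Internet (en0 per the comment)
WG_IF="${WG_IF:-wg0}"        # WireGuard tunnel interface
WG_PORT="${WG_PORT:-51820}"  # WireGuard listen port (51820/udp per the comment)

# Emit the ruleset as text so it can be reviewed or diffed before applying.
knockless_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # WireGuard is the only service exposed on the WAN interface.
        iifname "$WAN_IF" udp dport $WG_PORT accept
        # SSH is reachable only through the tunnel, never from the WAN.
        iifname "$WG_IF" tcp dport 22 accept
        # Keep ICMP so path MTU discovery works for the tunnel.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Print the ruleset; apply it only when explicitly asked (requires root).
knockless_ruleset
if [ "${1:-}" = "--apply" ]; then
    knockless_ruleset | nft -f -
    # Sanity check: the input chain should show only 51820/udp on the WAN side.
    nft list chain inet filter input
fi
```

Run it without arguments to review the generated rules, and with `--apply` as root to load them; the SSH daemon itself can then additionally be bound to the wg0 address so it never listens on the WAN interface at all.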