- I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.
Your network authentication should not be a fun game or series of Rube Goldberg contraptions.
- I don't want to be a hater, but exposing access to your homelab through a "fully vibe coded" application (it's mentioned at the bottom of the README) is probably not a good idea.
The idea itself sounds fun though
- Nowadays public facing client IPs are often shared by thousands of users behind CGNAT. IP based firewall rules are useful when the peers have their own static IP address, but provide no real security when the IP address is shared.
This is vibe-coded security through obscurity, i.e. quite useless. Use Tailscale or a self-hosted VPN.
- The way I see it, port knocking may not be a valid security measure but it can be a good filter. It will allow you to filter out port scanning and other mass cracking attempts.
My opinion is that being able to filter out noise and false positives from authentication logs allows you to improve your actual security measures.
Another advantage is that it may hide information about your system, making it harder for an attacker to target you based on a broad scan without doing some (usually detectable) targeted reconnaissance first. For example, imagine someone found a 0-day in one of the services behind the port-knock and is scanning for the vulnerable version.
It does however add another cog in the machine that may break.
by scottydelta
2 subcomments
- When every problem seems like a nail then every solution you come up with is a hammer.
This is what it feels like with people using AI for everything.
AI is not good at telling you the best solution, but it will tell you that you can build it yourself, since that approach is what AI is good at.
Using self hosted vpn, cloudflare zero trust or Tailscale is the easiest way to go.
I self-host extensively and have multiple self-hosted VPNs (OpenVPN and WireGuard) along with Tailscale and Cloudflare protecting my infra.
- I implemented something similar as a Caddy module, then I realized that if I was connected to a public wifi network I was actually authorizing the whole bunch of people that were connected to it with me. How do you avoid this, or is it just not important?
- Also FWIW, if you're using nftables you can set up port knocking: https://wiki.nftables.org/wiki-nftables/index.php/Port_knock...
- Hey I'm the creator of knocker!
I actually wanted to write a blog post about it before posting, but OP already did that.
If you have any questions just let me know!
Will go into more details on why I created it in the blog post coming very soon! Just doing the final touches right now.
by parliament32
1 subcomments
- "Port knocking" has surfaced often since the early 2000s, but it continues to be a rather silly exercise in making security-by-obscurity look more complicated while not really helping all that much.
Briefly looking at the diagram at the top of the repo, it looks like you "knock" with an API key. Why not just run a reverse proxy in front of (whatever service you're trying to protect) and use the API keys there? To harden further, do some sort of real authentication (PKI, client certs). If you want your logs to look cleaner, install and actually configure fail2ban.
- Aw man, I thought this was going to be audio sensor that logs you in with a secret physical knocking pattern (like on a door or desk).
- > This is ideal for homelab environments where you want to expose services to the internet without a persistent VPN connection, while minimizing your public-facing attack surface.
To an untrained eye, the wording here could be construed to imply that this is more secure than a VPN. Might be worth a reword to clarify why one might want to prefer it over a VPN.
- If you need to manage risk for a legacy service that has a requirement to be internet exposed, I suggest checking out https://knocknoc.io/ for a self-hosted and/or cloud based solution that was not built with vibe coding, but actual customer security use cases.
They provide 2FA and/or single sign-on to allow just-in-time access to internet-exposed applications, which remain hidden from unauthenticated/unapproved users.
- The authentication part does not look much different from password authentication (key ≈ password), and the "Configurable TTL" bit is somewhat confusing: the first part of the sentence assigns the TTL to API keys, but the second part says it applies to IPs being whitelisted. I would expect that a TTL for a key means that after the TTL expires the key itself becomes unusable.
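As an added example, not code from the knocker project, here is a toy model of a knock-then-allowlist gateway that makes two points from this thread concrete: a TTL on the allowlisted IP is not a TTL on the key (this comment), and allowlisting a source IP admits every host that shares that IP, as the public-wifi comment above describes. The gateway logic, key strings, addresses and the 600-second TTL are all constructed assumptions, not knocker's behaviour.

```python
# Added example (not the knocker project's code): a minimal model of a
# knock-to-allowlist gateway. It illustrates two points raised in the thread:
# a TTL on the allowlisted *IP* is not a TTL on the *key*, and allowlisting a
# source IP authorises everyone sharing that IP (public wifi, CGNAT).
# All keys, IPs (RFC 5737 documentation ranges) and times are constructed.
from dataclasses import dataclass, field

KNOCK_TTL = 600  # seconds an IP stays allowlisted after a valid knock (assumption)


@dataclass
class KnockGateway:
    api_keys: set[str]                      # valid knock keys; they never expire here
    ttl: int = KNOCK_TTL
    allow_until: dict[str, float] = field(default_factory=dict)  # ip -> expiry time

    def knock(self, key: str, src_ip: str, now: float) -> bool:
        """Allowlist src_ip for ttl seconds if the presented key is valid."""
        if key not in self.api_keys:
            return False
        self.allow_until[src_ip] = now + self.ttl
        return True

    def allowed(self, src_ip: str, now: float) -> bool:
        """Is traffic from src_ip currently passed through to the protected service?"""
        expiry = self.allow_until.get(src_ip)
        return expiry is not None and now < expiry


def ttl_applies_to_ip_not_key() -> tuple[bool, bool]:
    """After the TTL lapses the IP is dropped, but the same key still knocks fine."""
    gw = KnockGateway(api_keys={"constructed-key-1"})
    gw.knock("constructed-key-1", "198.51.100.7", now=0)
    ip_still_allowed = gw.allowed("198.51.100.7", now=KNOCK_TTL + 1)            # False
    key_still_works = gw.knock("constructed-key-1", "198.51.100.7", now=KNOCK_TTL + 1)  # True
    return ip_still_allowed, key_still_works


def shared_ip_lets_strangers_through() -> bool:
    """One valid knock from a shared public IP opens the door for every host behind it."""
    gw = KnockGateway(api_keys={"constructed-key-1"})
    gw.knock("constructed-key-1", "203.0.113.42", now=0)   # you, on the cafe wifi
    # A stranger on the same wifi never knocked, yet presents the same public IP.
    return gw.allowed("203.0.113.42", now=30)              # True
```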
- IP-based exclusion should not be considered a security measure, not even for a low-risk environment like a home lab.
by dugite-code
1 subcomments
- I use fwknop in a similar manner; the main advantage it has is that it's using an encrypted UDP packet. Its ability to call shell scripts for more advanced uses is its best feature. I have a packet set up for a rolling restart of all my services as well as ssh access.
- Wireguard port is the only port that could be exposed to the Internet.
With xz backdoor owning ssh, I wouldn’t completely trust ssh public key authentication either.
- It has sequence diagrams so it must be a good idea.
- "Knock Knock" kinda sounds like a cool name for an access control system
- Port knocking is a very hacky technique that was used:
1- In the 90s, when security was whatever
2- In modern days, as a way to keep your logs squeaky clean (although you get 99% there with custom ports)
3- As a cute warm-up exercise that you code yourself with what's available on your system (iptables? a couple of python scripts communicating with each other?)
It's not a security mechanism, and downloading external dependencies or code (especially if vibecoded) is a net loss (by a huge margin).
It's also a waste of time to overengineer for the reasons noted above; I've seen supposedly encrypted port knocking implementations. It feels as if someone had a security checklist and then a checklist for that checklist.
- I had hoped this would allow me to use various patterns of knocking on my desk to perform system actions. Do the cut-and-a-hair-shave knock to log in, or taptaptaptap-wait-tap to lock the screen, etc. Maybe with two microphones you could even distinguish between left and right handed knocks.
...now I'll have to make this myself.
- Sorry, but I felt a bit of nostalgia here; I wrote some port knocking code a couple decades ago, this is straight-up "neat" and I'm surprised it is still around.
by RickJWagner
1 subcomments
- Somebody must tell Mel Brooks about this.
- Neat project, thanks for sharing. I'll stay away since it was vibecoded, but I appreciate the honesty.
Though this is not technically a "knocker", but a typical token-based auth gateway. I experimented with something similar recently as well, and think it has its use cases.
But I would agree with some of the comments here. If you need to expose many services to the internet, especially if their protocols are not encrypted, then a tunneling/mesh/overlay network would be a better solution. I was a happy tinc user for several years, and WireGuard now fills that purpose well. As much as people use solutions like Tailscale, ZeroTier, etc., I personally don't trust them, and would prefer to roll my own with WG. It's not that difficult anyway.
There's also Teleport, which is more of an identity-aware proxy, and it worked well last time I tried it, but I wouldn't use it for personal use.
by felixandersen
1 subcomments
- [dead]
by eastabrooka
1 subcomments
- It's 2025, just use Tailscale.