top | item 45666742

(no title)

mano78 | 4 months ago

I implemented something similar as a caddy module, then I realized that if I was connected to a public wifi network I was actually authorizing the whole bunch of people that were connected to it with me. How do you avoid this, or is it just not important?

discuss

OJFord|4 months ago

It shouldn't be your only layer of security, and then it's not important. Think of it as replacing explicit IP black/whitelisting - you still want a login wall or something, but now you restrict access to guess logins or otherwise obtain access through app vulnerabilities etc.

fariszr|4 months ago

It's a compromise.It's not as secure as using a VPN, but it's way more convenient, since only one device has to have a knocker client on it without needing any sort of VPN.

The likelihood of someone is on the same network as you noticing your servic, try to hack it, before the TTL expires again is IMO quite low.

This is without taking into account that the services themselves have their own security and login processes, getting a port open doesn't mean the service is hacked.

teddyh|4 months ago

It’s the third option: Port knocking is stupid.

<https://news.ycombinator.com/item?id=39898061>

symbogra|4 months ago

I implemented port knocking couple decades ago as a teenager and it was stupid then too.

unknown|4 months ago

[deleted]

TuxPowered|4 months ago

> How do you avoid this

IPv6 of course.

> or is it just not important

Port knocking not a security feature anyway.