Would it be possible to resurrect the knockd package?
The suggested replacement of fwknop lacks an iOS app store client.
Pretty please? If desired I can take a stab at the code and submit a pull request.
Ty.
Would it be possible to resurrect the knockd package?
The suggested replacement of fwknop lacks an iOS app store client.
Pretty please? If desired I can take a stab at the code and submit a pull request.
Ty.
You don't need permission. Just go for it.
@krazeh are you a maintainer? i just want to know that the code would get merged prior to doing the work. thanks.
I'm not a maintainer, but I doubt anyone would be able to tell you what you're wanting to know. Without seeing what the changes are it's unlikely anyone would commit to saying it'd get merged. On the other hand, it's equally unlikely anyone else is going to make the changes. If they were it would've been done already. So you're kinda stuck at do the work and hope it gets merged, or don't do it and nothing will get changed.
Interesting years ago, totally useless today with modern, far more secure methods, e.g. use wireguard instead.
Just my two cents.
nftables can do it
https://wiki.nftables.org/wiki-nftables/index.php/Port_knocking_example
These days, wireguard is pretty much always a 'better knockd'. It doesn't respond at all, unless the provided key/ passphrase are correct, you have full control over what aspects remain accessible via firewall (zone-) rules and split horizon/ pbr settings.
There is something super quaint about the concept of port knocking.
and with wireguard:
it behaves just like port knocking in the sense of not being observable from the outside, without access to the credentials - and is actually secure on top.
I'm still searching for some kind of temporary "guest access" like this:
In this case you don't have to struggle with transferring any wireguard keys or ssh keys to your friends computer at all (that would be a potential security risk by itself).
The problem is we don't have knockd anymore. fwknopd is way too bloated/complicated, somewhat incompatible and lacks essential functionality (like predefined server-side cmd execution).
The nftables port knocking script sounds promising but my practice with nft is limited.
So, another +1 for knockd resurrection from me.
The easy answer to this would be using the QR code feature for transferring wireguard settings. Yes, this means the private key of the client would be created on the router (so it can be included in the QR code), which is not ideal, but not a real issue for this use case either (the private key is only relevant for this tunnel, not all (unrelated) tunnels on your client). It works, it's trivial and takes around 10s on the phone without any further configuration requirements.
Sure, one could also (web)serve a turnkey-ready wireguard client config file in the first place. But it needs additional software and more time to set up.
I would still prefer the simple 2-factor approach (unlock + ssh).
There is ostiary that should be able to executes a (uci) command. That might be ok if it behaves correctly etc. But the project looks somewhat dead.
Edit: There is a 2 month old knockd fork. Looks promising.
Wireguard?
How so?
Do you have a reference?
Not directly of course. nmap or similar will show open/filtered. But wireguard traffic can be easily detected and blocked. Saw it many times (not at the handshake phase but some after). I believe this reveals wireguard port, indirectly but unambiguously.
In contrary, port knocking is hard to detect, it's just too simple and «small».
And in which way would this be better with port-knocking?
If you are in the middle, the port-knocking sequence can be recorded, blocked, altered, replayed, security remains nil.
Yes, wireguard traffic is not obfuscated, but it's encrypted and replaying it won't hand out the keys to your castle.
If you're relaying in wireguard in the environment where wireguard traffic can be blocked in any moment (please do not forget that wireguard as popular VPN is one of the primary DPI targets) of course you're safe because that means «no access at all».
On the other side, I never heard about port-knocking attacks. Is it a real-world scenario at all? Well, if you're not sending same knock sequence (knockd supports «one time sequences») by cron every minute it is very, very hard to detect anything (without knowledge of some patterns). Almost impossible in fact. 100% resistance to replay attacks.
What «keys to a castle» you're talking about? You're using wireguard to secure some kind of insecure access like telnet? But when «knocking» used for something like ssh port open, the weak link is not knock or wireguard but ssh itself.
Ye olde security by obscurity
Not my cup of tea
Step 1: use only ecliptic curves and get rid of 90% of bots
Step 2: use only ssh keys on a hardware key
Step 3: call it a day
Ps: if you have to use telnet, then just put it behind a firewall or disable global access and allow only connections from the local network and access the telnet server from a jump host like the router itself...
PPS: port knocking is just the second worst idea right after NAT and PAT
Ppps: if you are that scared about ssh zero days then again, just use a VPN.
Sorry but I have no idea at all why we're talking about vpn and such comparing to knockd.
knockd is a simply way to do something specific on remote host. Personally, I'm not using it for getting access… more, I'm considering it a bad idea.
On the other side, all arguments against knockd insecurity is based on a most dumb scenario – sending same packets again and again.
More, using ssh only for specific actions (maybe even with superuser access) is a bit overkill and of course, more insecure. For instance, you have lost your smartphone with ssh privkey.
Wireguard… ha, how can you invoke something with wireguard?
The question is: if we're considering knockd obsolete and "bad", we have to have better alternatives to replace (but not emulate or invent it's functionality).