In short, port knocking is a very, very short/weak password. And is a very weak authentication measure.
This is absolutely true and nobody could argue that.
So if you only did port knocking, or if you depended on port knocking, you're making a bad decision.
I believe in defense in depth, and therefore I think that port knocking on top of everything else you already do has good value - especially considering how simple and lightweight knockd is and my experience of it running stably for years at a time.
Agreed. Contrary to the naysayers, port knocking is an unalloyed good.
Whatever your setup is, it's better if it doesn't show up in a scan at all.
The "knock is a weak password" argument is silly - nobody suggests using only the knock, but rather to use the knock in addition to your existing auth scheme.
Well, but if port knocking was a great effective security tool, everyone would be using it, which defeats the obscurity advantage and would bring it back on par with good old passwords.
It might be a decent extra tool for very delicate situations, but I find it reasonably clear that it's largely self-defeating and not to be relied upon. It can also introduce further bugs.
I can see it could have an appeal as a proper password system though (not an obscurity device), since it's really the first step in interacting with a server. With password protocols, you usually have a more complicated interaction that can open a greater surface area. It seems good practice to authenticate absolutely as soon as possible.
IMO port knocking isn't good defense, people can always use nmap to scan for open ports then try some combinations on them. Certificate authentication is way better (in combination with disabling password login)
I wouldn't focus on "security" when it comes to port-knocking.
There are benefits beyond security: for example, fewer strange login attempts mean less clutter in your logs. If you're actually trying to investigate login attempts (don't!), it means less time wasted.
The "security by obscurity" screaming people are usually thinking too narrowly, in my opinion.
Port knocking is not really “just a bad password”, as long as you are using it in conjunction with another secure service like SSH.
However, you can get the same effect as port knocking with none of the drawbacks using single packet authorization like fwknop if you don’t want to go full VPN.
This is, I think, the only valid argument against knocking.
The standard (and always condescending) responses are that it is either a very small password and/or that an attacker can record and replay the knock from an eavesdropping position.
Both of those are true, of course, but they neglect that the knock is always in addition to whatever else you are already doing to protect ssh.
So I have always rejected those arguments and continue to evangelize for port knocking.
BUT, the added complexity part is a valid point. I try to keep systems as bare and simple as possible and hate to add even a single unnecessary dependency package. I am happy to say that (on FreeBSD, at least) knock[1] is light, simple, and has run for thousands of days on busy production servers as well as my personal servers without even a single incident.
Nope, you are correct. Port knocking adds more bits to whatever security you already have, so it's a win.
And, of course, for any discussion of security, you need to specify what your threat environment is. Are you just locking down your home router, or are you running the first line of cyber defense for the CIA? He keeps moving the goalposts in order to knock down his opponents, which is why I can't take him seriously.
> Port knocking doesn't add any security benefit in the sense that there are known non-avoidable security risks, aka you transmit your password (knocking) in clear text over the network.
This take is bordering on not even wrong territory. The point of port knocking isn't to increase entropy of your password or authentication keys per se, it is to control who can send packets to your SSH daemon, either to limit the noise in your logs or to mitigate an RCE in the SSH daemon. The vast majority of potential attackers in the real world are off-path and aren't going to be in a position to observe someone's port-knocking sequence.
Is VPN a better solution? Maybe, but VPNs, especially commercial VPNs have their own set of challenges with regard to auditability and attack surface.
"Others have mentioned port-knocking which is a cool trick but not something that I typically use in an actual daily defense strategy because I'm not sure how much value it really adds."
I don't know how much it adds, but it is non-zero.
The knockd daemon is rock solid[1] and your ssh port traffic goes down to zero (other than your own use).
Port knocking has no place in security by itself but I think it's a wonderful addition to a layered defense - my favorite one, in fact.
Port-knocking is a PITA in theory and even worse in the real world: people do not have the time nor the will to do wild invocations before getting the job done.
Unless you are talking about your own personal use-case, in which case, feel free to follow your deepest wishes.
Firewall is a joke, too. Who can manage hundreds and thousands of ever-changing IPs? Nobody. Again: I'm not talking about your personal use-case (yet I enjoy connecting to my server through 4G, wherever I am).
Fail2ban, on the other hand, is nice: every system that relies on some known secret benefits from an anti-bruteforce mechanism. Also, and this is important: fail2ban is quick to deploy, and not a PITA for users. Good stuff.
I think port knocking is really silly, for what it's worth. Disable password authentication in SSH, minimize the number of systems you expose SSH to at all, and leave it at that.
This argument seems disingenuous. It's no great insight that port knocking reduces unauthorized login attempts. What's disputed is whether it's better to have a system that's rarely challenged vs. a system that's regularly challenged and still holds. The argument against is that adding layers of bad security makes it easier for problems in the "real" security to go undetected or ignored since the obscurity layer works too well.
If the port knocking was obscuring an unauthenticated root shell then you would have a good point, but this is a defence in depth measure that adds to the security. It helps because it's one more hurdle for an attacker to bypass.
If you do not have the ability to eavesdrop on the network between my client and my server, then port knocking is essentially unhackable. Port knocking only fails when the malicious party can monitor the network traffic. This is a valid concern, and I would never say that port knocking by itself is all the security one needs. It does however completely block all regular "outsiders" from ever being able to even open a connection to sshd.
If I require 5 ports to be hit in sequence, and blacklist IPs that hit unknown ports, it is extremely unlikely you will ever connect. Now if someone on my local network, at my ISP, or at my hosting provider sniffs my traffic to determine a static knocking sequence... good for them. They're the one unauthorized person who can connect to sshd, without a valid ssh key to authenticate with.
It's a reality that most businesses are not going to invest in setting up a network that cannot be accessed from the internet at large. For such setups, a little bit of obscurity via something like port knocking to prevent every single port scanner in existence from discovering your sshd server must be better than nothing at all.
Port-knocking is way simpler and relies on extremely basic network primitives. As such the attack surface is considerably smaller than OpenSSH or OpenVPN and their authentication mechanisms.
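To make the trade-offs in this thread concrete (the roughly 16 bits per knock an off-path scanner has to guess, the "blacklist anyone who hits an unknown port" policy, and the fact that a static sequence captured by an on-path observer works again from any source address), here is an added toy model of a knockd-style sequence matcher. It is example code written for this page, not knockd's or fwknop's code; the five-port sequence and the IP addresses are constructed.

```python
"""Toy knockd-style matcher (constructed example, not knockd's implementation)."""
from collections import defaultdict
import math

KNOCK_SEQUENCE = (7000, 8000, 9000, 10000, 11000)  # constructed 5-port static knock
SSH_PORT = 22


class KnockMatcher:
    """Tracks per-source progress through a static knock sequence."""

    def __init__(self, sequence, service_port, blacklist_unknown=True):
        self.sequence = tuple(sequence)
        self.service_port = service_port
        self.blacklist_unknown = blacklist_unknown
        self.progress = defaultdict(int)  # src_ip -> index of the next expected knock
        self.allowed = set()              # sources that completed the sequence
        self.blacklisted = set()          # sources that touched an unknown port

    def observe(self, src_ip, dst_port):
        """Feed one inbound packet; return the firewall verdict for it."""
        if src_ip in self.blacklisted:
            return "drop"
        if dst_port == self.service_port:
            # Modelling choice: the service port is filtered, never a knock port.
            return "allow" if src_ip in self.allowed else "drop"
        if dst_port == self.sequence[self.progress[src_ip]]:
            self.progress[src_ip] += 1
            if self.progress[src_ip] == len(self.sequence):
                self.allowed.add(src_ip)
                self.progress[src_ip] = 0
            return "drop"  # knock packets themselves are never answered
        self.progress[src_ip] = 0  # wrong port: start over
        if self.blacklist_unknown:
            self.blacklisted.add(src_ip)
            return "blacklist"
        return "drop"


def keyspace_bits(sequence_len, port_count=65535):
    """Bits an off-path attacker must guess: about 16 per knock, ~80 for five."""
    return sequence_len * math.log2(port_count)


def run_demo():
    """Legitimate client, a port scanner, and a source replaying a captured knock."""
    m = KnockMatcher(KNOCK_SEQUENCE, SSH_PORT)
    events = [("10.0.0.5", p) for p in KNOCK_SEQUENCE] + [("10.0.0.5", SSH_PORT)]
    events += [("203.0.113.9", SSH_PORT), ("203.0.113.9", 7000), ("203.0.113.9", 80)]
    events += [("198.51.100.7", p) for p in KNOCK_SEQUENCE] + [("198.51.100.7", SSH_PORT)]
    return [(ip, port, m.observe(ip, port)) for ip, port in events]
```

The replaying source is admitted exactly like the legitimate one, which is the eavesdropper case the thread concedes and the reason fwknop-style single packet authorization adds a per-packet nonce instead of reusing a static sequence.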