Problem/Justification
knock/knockd is really effective for creating a security layer over some other services, like for example ssh or even a web server. In certain situations it is preferable to hide some NAS services and make them visible only on request, using precisely knockd. Or sometimes knockd can be used to perform some user scripts.
Impact
I think the impact is really minimal. I have already implemented it but obviously without changing the system (https://forums.truenas.com/t/help-install-knock-service-or-similar/).
I think it would be enough to include the normal knock Debian package in TrueNAS OS, and create the configuration GUI in the Advanced Settings.
User Story
In my case I needed to remotely perform a midclt command, being able to launch it with only one click from multiple devices (computer, Android phone, Android tablet). With knockd I solved the problem perfectly.
Wait for a packet on port 40000, then 3 packets on port 23232, then 2 packets on port 10000; do not respond to these packets but recognize the fact that the pattern has been matched and quietly send the packets to a black hole, but because the match has taken place within the timeout period, open an ssh connection on the specified port; if the timeout has expired, do nothing.
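The matching logic described in the post above, written out as an added Python example (this is not knockd's own code): a per-source state machine that silently tracks the 40000, 3x23232, 2x10000 pattern and only reports a match when it completes within the timeout. The 5-second timeout and the sample source addresses are assumed values.

```python
from dataclasses import dataclass

# The knock pattern from the post: 1 packet on 40000, 3 on 23232, 2 on 10000.
KNOCK_SEQUENCE = (40000, 23232, 23232, 23232, 10000, 10000)
SEQ_TIMEOUT = 5.0  # assumed: seconds allowed between the first and the last knock


@dataclass
class KnockState:
    position: int      # how many ports of the sequence this source has hit so far
    started_at: float  # timestamp of the first knock of the current attempt


class KnockMatcher:
    """Server-side recogniser: every knock packet is dropped regardless; only a
    complete, in-time sequence from one source address yields an 'open' decision."""

    def __init__(self, sequence=KNOCK_SEQUENCE, seq_timeout=SEQ_TIMEOUT):
        self.sequence = sequence
        self.seq_timeout = seq_timeout
        self.states = {}  # source IP -> KnockState

    def observe(self, src_ip, dst_port, ts):
        """Feed one (source, destination port, time) observation.
        Returns True only when the whole sequence completed within seq_timeout."""
        st = self.states.get(src_ip)
        if st is not None and ts - st.started_at > self.seq_timeout:
            del self.states[src_ip]  # timeout expired: forget the attempt, do nothing
            st = None
        expected = self.sequence[st.position] if st is not None else self.sequence[0]
        if dst_port != expected:
            # An out-of-order port breaks the attempt; a hit on the first port
            # of the sequence is allowed to begin a fresh one.
            self.states.pop(src_ip, None)
            if dst_port == self.sequence[0]:
                self.states[src_ip] = KnockState(1, ts)
            return False
        if st is None:
            st = self.states[src_ip] = KnockState(0, ts)
        st.position += 1
        if st.position == len(self.sequence):
            del self.states[src_ip]  # matched: the caller now opens the port for src_ip
            return True
        return False


def opened_by(packets, matcher=None):
    """Run (src_ip, dst_port, ts) tuples through a matcher; return where it matched."""
    matcher = matcher or KnockMatcher()
    return [(ip, ts) for ip, port, ts in packets if matcher.observe(ip, port, ts)]
```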
VPNs like Tailscale & caddy-tailscale are another way of hiding services without needing security by obscurity. Tailscale is already available in TrueNAS apps and you can deploy caddy-tailscale yourself.
I don’t know if this is applicable with Tailscale, or if many people are aware of the site called Gibson Research, but while I have a DHCP self-healing VPN running between my site and another, my system is, to my knowledge, undetectable from the internet: you can probe any port you like and you’ll get nothing, and I’d kind of like to keep it that way. My system is designed to be fully stealth, in the respect that it simply can’t be seen, so it provides zero attack surface.
With Tailscale you will have no inbound firewall rules so there is nothing for anyone on the internet to see. So, much better than security by obscurity.
You can look up how Tailscale and WireGuard work to learn why it doesn’t need inbound firewall rules. It will work slightly better if you set up persistent NAT on the WireGuard source port, but that is just an optimisation, and all inward traffic is still blocked until matched with the outgoing WireGuard UDP that sets up the firewall state.
At least with WireGuard you typically need to allow inbound UDP to WireGuard on the server side (and port forward in case of NAT). This is usually done automatically if you set up WireGuard on the router directly. WireGuard is resistant to fingerprinting, so it shouldn’t show up on port scans. On the client you don’t need any firewall rules.
I would imagine that Tailscale doesn’t need inbound firewall rules because it will probably use their coordination servers to do the NAT traversal. But that would also mean you are depending on a third-party service.
Thanks for all your answers and suggestions.
However, when I thought of the knock service, as I already said in my first post, it was because it’s also a very simple way (secure and hidden too) to execute scripts remotely. Consider that a knock client exists on every platform, mobiles included.
And again, I stress that to me it seems very simple to implement.
I’m suggesting you reconsider your threat model and options so you can find something that might actually deter the kind of competent adversary that you are imagining while also having any likelihood of availability on TrueNAS.
Yes, Tailscale uses a coordination server. If you don’t want any dependencies you can run your own Headscale. It’s a TrueNAS App.
It depends on how it’s implemented. If it’s pre-set up, users would be given their first knock sequence by a secure method. The first time the knock sequence was used with the correct credentials attached, that knock sequence would be discarded and a new knock sequence generated and sent to the client; upon acknowledgement of receipt, the server would store the next knock session details and the connection would continue as normal. In this way the knock is secure.