
Port knocking, Wireguard, never look back.

You can set an alert for every failed SSH connection because if someone is able to get through that, it's alarming.

This setup has the side effect of reducing your log noise to zero. That SNR is super important for intrusion detection.



I found just using a different port was enough for me and didn't need port knocking to reduce log noise, which I agree is super important.

I also have alerts for both failed SSH or failed wireguard connections, and for any logins from a new IP with either SSH or wireguard.
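What the two comments above describe, alerting on every failed SSH attempt once the port is quiet and on any successful login from an address not seen before, as an added example that is neither commenter's own tooling. The sshd log lines, the "known" address and the alert format are constructed for the example; in practice the input would be `journalctl -u ssh` or /var/log/auth.log.

```shell
#!/bin/sh
# Added example, not from the thread: once SSH sits behind a knock or on a
# non-default port, every failed attempt is worth an alert, and so is any
# successful login from an address you have not seen before.
# SAMPLE_LOG and KNOWN_IPS are constructed for this example.

SAMPLE_LOG='Jan 10 09:12:01 host sshd[2101]: Accepted publickey for alice from 203.0.113.7 port 51522 ssh2: ED25519 SHA256:abc
Jan 10 09:15:44 host sshd[2130]: Failed password for invalid user admin from 198.51.100.23 port 40110 ssh2
Jan 10 09:15:46 host sshd[2130]: Connection closed by invalid user admin 198.51.100.23 port 40110 [preauth]
Jan 10 09:20:02 host sshd[2150]: Accepted publickey for alice from 203.0.113.7 port 51600 ssh2: ED25519 SHA256:abc
Jan 10 09:31:09 host sshd[2177]: Accepted publickey for bob from 192.0.2.44 port 33020 ssh2: ED25519 SHA256:def
Jan 10 09:31:20 host sshd[2180]: Failed publickey for bob from 192.0.2.99 port 33021 ssh2: ED25519 SHA256:xyz'

# Addresses you expect logins from, e.g. your WireGuard peer (assumption).
KNOWN_IPS='203.0.113.7'

# Print one ALERT line per failed authentication; exit 1 if there were any.
failed_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /sshd\[[0-9]+\]: Failed (password|publickey|none)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            print "ALERT failed-auth " ip
            n++
        }
        END { exit (n ? 1 : 0) }'
}

# Print one ALERT line per accepted login from an address not in KNOWN_IPS
# (each new address is reported once); exit 1 if there were any.
new_ip_logins() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v known="$KNOWN_IPS" '
        BEGIN { split(known, k, " "); for (i in k) seen[k[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted (publickey|password)/ {
            for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1); else if ($i == "from") ip = $(i+1)
            if (!(ip in seen)) { print "ALERT new-ip-login " user " " ip; seen[ip] = 1; n++ }
        }
        END { exit (n ? 1 : 0) }'
}

# Run both checks; a non-zero exit status means something fired.
run_checks() {
    status=0
    failed_attempts || status=1
    new_ip_logins || status=1
    return $status
}

# Stand-alone use: sh alerts.sh --run  (exit status 1 when any alert fired)
case "${1:-}" in --run) run_checks; exit $? ;; esac
```

On the constructed input this prints two failed-auth alerts (198.51.100.23 and 192.0.2.99) and one new-ip-login alert for bob from 192.0.2.44; alice's logins from the known address stay silent. Wire the exit status to whatever pages you, and feed the "new IP" state from a persistent file rather than a variable if you want it to survive across runs.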


An upgrade to port knocking is Single Packet Authorization [1]. It doesn't suffer from the observability and other problems of port knocking.

[1] https://www.cipherdyne.org/fwknop/


Is there any other kind? SPA is the only port knocking I use!


The folks at OpenBSD Misc do not recommend port knocking. IIRC one of the reasons stated was a possibility of getting locked out of your own server. I tried looking up the relevant thread, but am on the phone.


Linux's firewall can do port knocking entirely in the kernel:

https://wiki.nftables.org/wiki-nftables/index.php/Port_knock...

That script gets compiled into BPF and uploaded into the kernel once, at boot/ifup time. All the memory is preallocated.

Userspace can be dead/hung/OOM and you can be sure that at least the port knocking won't be why you got locked out.
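The in-kernel port knock described above, as an added example rather than the wiki page's own script: an nftables ruleset in which the knock state lives in two sets with element timeouts, so nothing in userspace has to stay alive for the sequence to work, plus a loader that dry-runs the ruleset before applying it. The knock ports (1001, 2002, 3003), the time windows, the WireGuard port and the SSH port are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the nftables wiki. The knock state
# machine is entirely kernel-side: @candidates records "this address has
# reached step N", @clients records addresses that completed the sequence.
# Ports 1001/2002/3003, the timeouts, udp/51820 and tcp/22 are assumptions.

portknock_ruleset() {
    cat <<'EOF'
table inet portknock {
    # Addresses that completed the sequence; each entry expires after 30s.
    set clients {
        type ipv4_addr
        flags timeout
    }
    # Partial progress: (source address, next expected knock port).
    set candidates {
        type ipv4_addr . inet_service
        flags timeout
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        # WireGuard stays reachable without a knock (port is an assumption).
        udp dport 51820 accept

        # Step 1: a knock on 1001 registers the address as expecting 2002.
        tcp dport 1001 add @candidates { ip saddr . 2002 timeout 10s }
        # Step 2: only an address that is expecting 2002 advances to 3003.
        tcp dport 2002 ip saddr . tcp dport @candidates add @candidates { ip saddr . 3003 timeout 10s }
        # Step 3: completing the sequence opens SSH for this address for 30s.
        tcp dport 3003 ip saddr . tcp dport @candidates add @clients { ip saddr timeout 30s } log prefix "portknock open: "

        # SSH is accepted only from addresses in @clients; everything else,
        # the knocks included, falls through to the drop policy silently.
        tcp dport 22 ip saddr @clients accept
    }
}
EOF
}

# Dry-run the ruleset (nft -c parses and validates without touching the
# kernel), then load it atomically. Needs root and the nft binary.
load_portknock() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    portknock_ruleset | nft -c -f - || return 1
    portknock_ruleset | nft -f -
}

# Client side: a bare SYN per knock port is enough; the server never answers,
# so each nc call simply times out, then SSH is opened from this address.
knock() {
    host=$1
    for p in 1001 2002 3003; do
        nc -z -w 1 "$host" "$p" 2>/dev/null
    done
    ssh "$host"
}

# Stand-alone use:  sh portknock.sh --load   or   sh portknock.sh --knock HOST
case "${1:-}" in
    --load)  load_portknock ;;
    --knock) knock "$2" ;;
esac
```

Two caveats a practitioner would want before relying on this: the 30s window only has to cover the initial SYN, because the `ct state established,related accept` rule keeps an accepted session alive after the @clients entry expires; and reloading the table flushes both sets, so apply changes from a session you already hold and keep a second path (here the WireGuard port) open while you test.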


Thank you. One learns something new every day. And I feel humbled by most comments I read here.

I did look up OpenBSD pf again, and it too does port knocking in the kernel. My information was dated (left the misc mailing list at least 5 years ago).



