Alver wrote: You use port knocking for ssh? That's most interesting... perhaps something for a different thread, otherwise this one might go somewhat offtopic ;) I found the port knocking idea remarkable but never tried it, I don't run many services anyway (ircd and ssh only, and ssh is restricted to one single host... so I'm not really in need of it).
I used to just have the SSH port open to the civilized world, but the number of attacks it attracted convinced me to close it off to everything but my LAN and certain known locations.
I still needed occasional SSH access from unanticipated locations, though, so I implemented a really simple portknocking arrangement. It uses a special "knocking" port to detect the IP address of a potential SSH user. SSH is still restricted to certain users, of course; the knocking arrangement just allows me to keep the SSH port closed except to certain IP addresses. You knock on one port, and the other port opens.
I did it this way:
1. Open the SSH port bidirectionally through the firewall. Forward those packets to the portknocking/SSH machine.
2. Open a non-privileged port to incoming connections through the firewall. Forward those packets to the portknocking/SSH machine, too.
3. Don't allow any outgoing packets on the "knocking" port.
4. On the portknocking/SSH machine, restrict SSH access by IP address (I use ipfilter) at the machine level.
5. On the portknocking/SSH machine, log any connections to the "knocking" port.
6. Attached to that port, a shell script detects a connection, waits a bit, parses the log to grab the IP address of the connecting client, and tells ipfilter to open the SSH port to that IP address. The script is attached to the port via the usual /etc/services and /etc/init.d method.
That's about as simple as it can get. I wouldn't rate it as "NSA-quality" security, since it depends on obscurity, but a potential attacker would have to guess the knocking port number, know a certain characteristic about his connection to it, and know how long to wait for the SSH connection to become active.
It's been in place for over a year, it's been really handy, it's been completely reliable, and the knocking port hasn't even been probed, much less exploited. The closed-off SSH port gets probed many times a day.
I imagine this would work for almost any service.
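As an added example (not the poster's script, which is not shown), here is a POSIX sh sketch of the knock handler step described above: wait briefly, pull the knocker's address out of the connection log, and hand ipfilter a rule opening the SSH port to that one address. The knock port number (40000), the syslog-style log format in the constructed sample, and the use of `ipf -f -` to load a rule are all assumptions; the poster's actual log format and rule set are not given.

```shell
#!/bin/sh
# Hypothetical knock handler modelled on the post's description.
# Assumed (not from the post): knock port 40000, SSH on 22, a syslog-style
# connection log, and ipfilter rules loaded via "ipf -f -".
# Set DRY_RUN=1 to print the rule instead of loading it.

KNOCK_PORT=${KNOCK_PORT:-40000}
SSH_PORT=${SSH_PORT:-22}
SETTLE_SECONDS=${SETTLE_SECONDS:-2}

# Constructed sample of the kind of log the handler parses.
# Only the line for the knock port matters.
SAMPLE_LOG='Jan 10 12:00:01 gw inetd[123]: connection from 198.51.100.7 port 51234 to port 22
Jan 10 12:00:05 gw inetd[123]: connection from 203.0.113.5 port 40211 to port 40000
Jan 10 12:00:09 gw inetd[123]: connection from 192.0.2.9 port 40212 to port 25'

# Print the source IP of the most recent connection to the given port
# (read from stdin), or nothing if there was none.
# Usage: knock_ip <port> < logfile
knock_ip() {
    port=$1
    grep " to port ${port}\$" | tail -n 1 \
        | sed -n 's/.*connection from \([0-9.]*\) port.*/\1/p'
}

# Accept only a dotted-quad IPv4 address, so a crafted log line can never
# smuggle rule syntax into the text handed to ipf.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build an ipfilter rule that opens the SSH port to one address only.
build_rule() {
    echo "pass in quick proto tcp from $1 to any port = ${SSH_PORT} flags S keep state"
}

# The step from the post: parse the log (stdin), then open SSH to the knocker.
open_ssh_for_knocker() {
    ip=$(knock_ip "$KNOCK_PORT")
    if ! valid_ipv4 "$ip"; then
        echo "no valid knock source found" >&2
        return 1
    fi
    rule=$(build_rule "$ip")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$rule"
    else
        echo "$rule" | ipf -f -
    fi
}

# Stand-alone demo on the constructed log; a dry run, so no firewall change.
if [ "${DEMO:-0}" = 1 ]; then
    sleep "$SETTLE_SECONDS"       # "waits a bit" before reading the log
    DRY_RUN=1
    printf '%s\n' "$SAMPLE_LOG" | open_ssh_for_knocker
fi
```

Run it with `DEMO=1 sh knock.sh` to see the rule it would load. The address check is the one piece worth keeping whatever log format you have: the log is attacker-influenced input, and the rule text goes straight to the firewall. The post does not say whether the opened rule is ever removed again; a real deployment would want a matching expiry step.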