Comment by l0ng1nu5, 14 hours ago:

Why not use port knocking as well?

doorsopen, 12 hours ago:

Port knocking is so 2014. Single Packet auth for publicly exposed hidden services is great: https://github.com/mrash/fwknop

rwmj, 14 hours ago:

What's the best way to set up port knocking on a Fedora / Debian server? While not a security measure per se, it adds a layer of obfuscation which blocks random scanners.

c64d81744074dfa, 10 hours ago:

Not sure if this is the best, but I use nftables and this article helped me set up port knocking on a Debian server: https://home.regit.org/2017/07/nftables-port-knocking/

Then I added a tripwire feature to make it less likely that a random port traversal would be successful. Here's a snippet of my nftables.conf:

    define KNOCK_PORT1 = 20000
    define KNOCK_PORT2 = 30000
    define KNOCK_PORT3 = 10000
    define TRIPWIRE_PORT1 = 15000
    define TRIPWIRE_PORT2 = 25000

    table inet filter {
        .
        .
        set allowed_ssh {
            type ipv4_addr
            flags timeout
            elements = { $HOME_IP, $OTHER_SERVER_IP }
        }

        # track port knocking
        set knock1 {
            type ipv4_addr
            timeout 5s
        }
        set knock2 {
            type ipv4_addr
            timeout 5s
        }
        set banned {
            type ipv4_addr
            timeout 1m
        }

        # handle port knocking
        chain raw {
            type filter hook prerouting priority raw; policy accept;
            ip saddr @banned tcp dport { $KNOCK_PORT1, $KNOCK_PORT2, $KNOCK_PORT3 } log prefix "nft banned: " drop
            tcp dport $KNOCK_PORT1 set add ip saddr @knock1 log prefix "nft knock1: " drop
            ip saddr @knock1 tcp dport $TRIPWIRE_PORT1 set add ip saddr @banned log prefix "nft tripwire1: " drop
            ip saddr @knock1 tcp dport $KNOCK_PORT2 set add ip saddr @knock2 log prefix "nft knock2: " drop
            ip saddr @knock2 tcp dport $TRIPWIRE_PORT2 set add ip saddr @banned log prefix "nft tripwire2: " drop
            ip saddr @knock2 tcp dport $KNOCK_PORT3 set add ip saddr @allowed_ssh log prefix "nft knock3: " drop
        }
    }
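To see what the knock-plus-tripwire rule set above actually does against different traffic patterns, here is an added Python model of it (not the commenter's code, not part of the linked article). It replays the six rules of `chain raw` in their original order over the four sets, with the 5s knock timeouts and the 1m ban from the snippet, and then feeds it a correct knock, a knock that arrives too slowly, and two full port sweeps. The source address, the 10,000 packets-per-second sweep rate and the treatment of `allowed_ssh` entries as permanent (the rule adds them with no explicit timeout) are assumptions of the model.

```python
from dataclasses import dataclass, field

# Port numbers from the nftables.conf in the comment above.
KNOCK_PORTS = (20000, 30000, 10000)      # $KNOCK_PORT1, $KNOCK_PORT2, $KNOCK_PORT3
TRIPWIRE_PORTS = (15000, 25000)          # $TRIPWIRE_PORT1, $TRIPWIRE_PORT2
KNOCK_TIMEOUT = 5.0                      # sets knock1 / knock2: timeout 5s
BAN_TIMEOUT = 60.0                       # set banned: timeout 1m


@dataclass
class KnockFirewall:
    """Models the nft sets as {saddr: expiry_time} dicts and replays 'chain raw'."""
    sets: dict = field(default_factory=lambda: {
        "knock1": {}, "knock2": {}, "banned": {}, "allowed_ssh": {}})
    log: list = field(default_factory=list)   # what the 'log prefix' rules would emit

    def member(self, name, saddr, now):
        expiry = self.sets[name].get(saddr)
        if expiry is None:
            return False
        if expiry <= now:                     # nft drops timed-out elements
            del self.sets[name][saddr]
            return False
        return True

    def add(self, name, saddr, now, timeout=None):
        # Assumption: 'set add' without a timeout (allowed_ssh) makes the element permanent.
        self.sets[name][saddr] = float("inf") if timeout is None else now + timeout

    def syn(self, saddr, dport, now):
        """Evaluate one TCP SYN against the rules in order; return the log prefix hit, or None."""
        k1 = self.member("knock1", saddr, now)
        k2 = self.member("knock2", saddr, now)
        if self.member("banned", saddr, now) and dport in KNOCK_PORTS:
            hit = "nft banned: "
        elif dport == KNOCK_PORTS[0]:                      # first knock has no precondition
            self.add("knock1", saddr, now, KNOCK_TIMEOUT); hit = "nft knock1: "
        elif k1 and dport == TRIPWIRE_PORTS[0]:            # tripwire sits between knock 1 and 2
            self.add("banned", saddr, now, BAN_TIMEOUT); hit = "nft tripwire1: "
        elif k1 and dport == KNOCK_PORTS[1]:
            self.add("knock2", saddr, now, KNOCK_TIMEOUT); hit = "nft knock2: "
        elif k2 and dport == TRIPWIRE_PORTS[1]:            # tripwire between knock 2 and 3
            self.add("banned", saddr, now, BAN_TIMEOUT); hit = "nft tripwire2: "
        elif k2 and dport == KNOCK_PORTS[2]:
            self.add("allowed_ssh", saddr, now); hit = "nft knock3: "
        else:
            return None                                    # policy accept: falls through to input chain
        self.log.append(hit + saddr)
        return hit


def replay(packets, saddr="203.0.113.7"):
    """packets: list of (time_seconds, dport) SYNs from one constructed source address."""
    packets = list(packets)
    fw = KnockFirewall()
    for now, dport in packets:
        fw.syn(saddr, dport, now)
    end = packets[-1][0] if packets else 0.0
    return {"allowed": fw.member("allowed_ssh", saddr, end),
            "banned": fw.member("banned", saddr, end),
            "log": fw.log}


def correct_knock():
    return replay([(0.0, 20000), (1.0, 30000), (2.0, 10000)])


def slow_knock():
    # Second knock lands after knock1's 5s entry has expired, so the sequence never completes.
    return replay([(0.0, 20000), (6.0, 30000), (7.0, 10000)])


def port_scan(descending, pps=10000):
    """Full TCP port sweep from one address at a constructed rate of `pps` SYNs per second."""
    ports = range(65535, 0, -1) if descending else range(1, 65536)
    return replay([(i / pps, p) for i, p in enumerate(ports)])


if __name__ == "__main__":
    for name, result in [("correct knock", correct_knock()), ("slow knock", slow_knock()),
                         ("descending sweep", port_scan(True)), ("ascending sweep", port_scan(False))]:
        print(f"{name:17s} allowed={result['allowed']!s:5s} banned={result['banned']!s:5s} {result['log']}")
```

Two things the replay makes visible that the rule listing alone does not: a descending sweep hits 20000 and then 15000 half a second later, so it is banned by tripwire 1 and its later arrival at 10000 is logged as `nft banned:`; an ascending sweep passes 10000 and 15000 before it has any knock state, reaches knock 2 at 30000, and then simply never revisits 10000, so it is neither opened nor banned. The tripwires therefore only fire on sweeps that pass a knock port and then a tripwire port within the 5s window, which is what makes the log prefixes useful as a scanner detector rather than just a gate.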