Comment by c64d81744074dfa 10 hours ago
Not sure if this is the best approach, but I use nftables and this article helped me set up port knocking on a Debian server: https://home.regit.org/2017/07/nftables-port-knocking/
Then I added a tripwire feature to make it less likely that a random port traversal would be successful. Here's a snippet of my nftables.conf:
# Knock sequence: a source must hit these three TCP ports in this order
# (PORT1 -> PORT2 -> PORT3) to be added to @allowed_ssh (see chain raw below).
define KNOCK_PORT1 = 20000
define KNOCK_PORT2 = 30000
define KNOCK_PORT3 = 10000
# Tripwire ports: a source that is mid-sequence and hits one of these is added
# to @banned instead of advancing (see the tripwire rules in chain raw below).
define TRIPWIRE_PORT1 = 15000
define TRIPWIRE_PORT2 = 25000
table inet filter {
.
.
# Allow-list of IPv4 sources; presumably referenced by an SSH accept rule
# elsewhere in this table (not shown in the snippet).
# `flags timeout` allows per-element expiry, but no set-level default
# `timeout` is declared, so the two static elements stay permanent and
# NOTE(review): addresses added dynamically by the knock3 rule below also
# appear to get no expiry, i.e. a completed knock opens access until the
# set is flushed or the element is removed by hand -- confirm, and consider
# giving dynamically added elements an explicit timeout (syntax depends on
# the installed nft version).
set allowed_ssh {
type ipv4_addr
flags timeout
elements = { $HOME_IP, $OTHER_SERVER_IP }
}
# track port knocking
# One set per completed stage. A source stays in a stage set for 5s, so the
# next knock (or a tripwire hit) must arrive within that window.
set knock1 {
type ipv4_addr
timeout 5s
}
set knock2 {
type ipv4_addr
timeout 5s
}
# Sources that hit a tripwire; the first rule in chain raw drops their
# packets to the knock ports for 1m, so they cannot progress the sequence.
set banned {
type ipv4_addr
timeout 1m
}
# handle port knocking
# Runs on the prerouting hook at raw priority with policy accept: only the
# knock-related packets matched below are consumed (each is logged and then
# dropped); anything else is accepted by this chain and continues through the
# rest of the ruleset. Every rule matches `ip saddr`, so only IPv4 is knockable.
chain raw {
type filter hook prerouting priority raw;
policy accept;
# Banned sources: drop anything aimed at the three knock ports, so none of the
# stage rules below can fire for them while the ban lasts.
ip saddr @banned tcp dport { $KNOCK_PORT1, $KNOCK_PORT2, $KNOCK_PORT3} log prefix "nft banned: " drop
# Stage 1: any source hitting PORT1 enters @knock1.
tcp dport $KNOCK_PORT1 set add ip saddr @knock1 log prefix "nft knock1: " drop
# Tripwire 1: a source already in @knock1 that probes TRIPWIRE_PORT1 is banned.
ip saddr @knock1 tcp dport $TRIPWIRE_PORT1 set add ip saddr @banned log prefix "nft tripwire1: " drop
# Stage 2: a @knock1 source hitting PORT2 enters @knock2. Nothing removes it
# from @knock1; that entry simply ages out after 5s.
ip saddr @knock1 tcp dport $KNOCK_PORT2 set add ip saddr @knock2 log prefix "nft knock2: " drop
# Tripwire 2: matches only sources already in @knock2. A source that is still
# only in @knock1 and probes TRIPWIRE_PORT2 is not banned by this rule; widen
# the match if that is intended.
ip saddr @knock2 tcp dport $TRIPWIRE_PORT2 set add ip saddr @banned log prefix "nft tripwire2: " drop
# Stage 3: a @knock2 source hitting PORT3 is added to @allowed_ssh with no
# element timeout specified here (see the note on the set above). The knock
# packet itself is still dropped.
ip saddr @knock2 tcp dport $KNOCK_PORT3 set add ip saddr @allowed_ssh log prefix "nft knock3: " drop
}
}