In Reply to: RE: Port Knocking ? posted by Dawnrazor on April 23, 2025 at 12:07:04
I am learning nftables rules to build a custom firewall/router with a WAN side and a LAN side. The LAN side is a bridge of multiple NICs and the WAN side is a single NIC. One of the layered security schemes of a firewall is "Port Knocking". Instead of opening up a port (e.g. 22 for ssh), all the ports on the WAN side are closed. "Port Knocking" is a secret knock, e.g. "knock 3 times, pause, knock 2 times, pause, knock 5 times", letting the occupant know the visitor is a potential friendly.
The firewall rules can listen to the timing, pattern and specific CLOSED port numbers that are being "knocked on" on the WAN side, noting the IP address of the external "knocker". It adds the complexity of multiple port numbers in addition to timing and sequence.
If the pattern, port sequence and timing are recognized, the dynamic firewall can temporarily open the desired port (e.g. port 22) for the specific outsider to try and access. The outsider would then have to pass normal protocol credentials to access the port. If normal credentials are not accepted within the allotted time, the port is closed again. The outsider's IP address could be put on a [temporary] no-fly list.
This allows all ports to stay closed, not discovered by nmap scans and not accessible to brute force attacks.
You can configure ssh to listen on another port (other than the default 22), but an nmap scan will show what services are on what open ports (e.g. 22 has been moved to 2222).
"Port Knocking" prevents generic nmap scans from identifying what port ssh has been relocated to, as well as obfuscating its potential availability.
The nftables documentation gives example rule sets on how to configure "Port Knocking" in addition to other scenarios. Thought it was pretty cool.
2022/03/30 Historical Records CENSORED
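To make the sequence-plus-timing idea above concrete, here is a minimal nftables ruleset for a WAN/LAN firewall of the kind the post describes. This is an added example, not code from the post or the nftables project; it follows the same set-with-timeout pattern the nftables wiki uses for its port-knocking example. Every specific value is an assumption: the WAN interface name "wan0", the LAN bridge name "br0", the knock sequence 7000 then 8000 then 9000, the 5 s allowed between knocks, and the 30 s window in which the knocker may open an SSH connection.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the post or the nftables project).
# Assumed values: WAN interface wan0, LAN bridge br0, knock sequence
# 7000 -> 8000 -> 9000, 5 s between knocks, 30 s window to start SSH.

flush ruleset

table inet knock {
    # Source addresses that completed the whole sequence.
    # Entries expire on their own, so the "opened" port closes again by itself.
    set allowed {
        type ipv4_addr
        flags timeout
    }

    # Source address paired with the NEXT port it is expected to knock on.
    # The timeout is the maximum pause allowed between two knocks.
    set progress {
        type ipv4_addr . inet_service
        flags timeout
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Knock 1: any source hitting 7000 is now expected on 8000 within 5 s.
        # No verdict here, so the packet falls through to the drop policy and
        # the knock port looks exactly like any other closed port.
        iifname "wan0" tcp dport 7000 ct state new add @progress { ip saddr . 8000 timeout 5s }

        # Knocks 2 and 3 only count if this source is on schedule, i.e. the
        # (address, port) pair is still present in @progress.
        iifname "wan0" tcp dport 8000 ct state new ip saddr . tcp dport @progress add @progress { ip saddr . 9000 timeout 5s }
        iifname "wan0" tcp dport 9000 ct state new ip saddr . tcp dport @progress add @allowed { ip saddr timeout 30s } log prefix "knock-ok: "

        # SSH from the WAN is only reachable while the source is in @allowed.
        # Once the TCP connection exists it is kept alive by the
        # established,related rule above, even after the entry expires.
        iifname "wan0" tcp dport 22 ct state new ip saddr @allowed accept

        # Management from the LAN bridge is unaffected by the knock.
        iifname "br0" tcp dport 22 accept

        # Everything else arriving on the WAN side is dropped by policy.
    }
}
```

Load it with `nft -f` and watch the state with `nft list set inet knock progress` while a client sends one connection attempt to each knock port in order; the "knock-ok:" kernel log line marks a completed sequence. Two caveats a practitioner will want: the post's "no-fly list" for outsiders who knock correctly but then fail SSH authentication is not something nftables can see on its own, since credential failures happen inside sshd, so that part needs a log-driven tool (fail2ban or similar, not shown) that adds the address to a blocking set; and because the table is `inet` but the set keys are `ipv4_addr`, only IPv4 knockers are handled here. A drop policy rather than a reject also means nmap reports the knock ports as "filtered" instead of "closed", which is what keeps them indistinguishable from the rest of the WAN side.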