Is there a robust, low-hassle solution for "port-knocking" based protection of SSH ports?

By robust and low-hassle I mean NOT involving complex iptables setups, NOT involving apache, NOT requiring an additional client program, NOT requiring fragile shell scripts running from cron, etc.

Does anybody have sshd & ssh (client) patches to enable some form of port-knocking built-in to the sshd service & client itself?

For instance, rejecting connections on port 22 until a properly encrypted and verified UDP packet is received would be nice.

I'm disappointed that all port-knocking solutions out there are shameless hacks, rather than a nicely integrated and tested patch to the programs in question.
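The "reject until a verified UDP packet arrives" idea sketched in the question is a form of single-packet authorization. The following is an added example, not code from the question or from any existing port-knocking project, of the verification logic such a daemon would need on the server side: a fixed-layout datagram (timestamp, random nonce, HMAC-SHA256 tag under a shared key), checked for MAC validity in constant time, for freshness within a clock-skew window, and against a replay cache of recently seen nonces. The key, the packet layout, the 30-second window, and the function names are all assumptions made for the example; wiring `KnockVerifier.verify` to a UDP socket and to whatever opens the SSH port is left out.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

# Shared secret between knock client and knock daemon. This is a constructed
# sample value for the example; a real deployment would load it from a
# root-only file rather than embed it in source.
SHARED_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

# Assumed datagram layout (not a standard):
#   8-byte big-endian unix timestamp | 16-byte random nonce | 32-byte HMAC-SHA256 tag
NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = 8 + NONCE_LEN
PACKET_LEN = HEADER_LEN + TAG_LEN
MAX_SKEW = 30  # seconds of clock drift tolerated before a knock is treated as stale


def build_knock(key: bytes, now: Optional[int] = None, nonce: Optional[bytes] = None) -> bytes:
    """Client side: produce one authenticated knock datagram.

    `now` and `nonce` are overridable only so the behaviour is reproducible
    in tests; a real client uses the wall clock and os.urandom.
    """
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    header = struct.pack(">Q", ts) + nonce
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag


class KnockVerifier:
    """Server side: accept a knock only if its MAC is valid, it is fresh, and its nonce is unseen."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW) -> None:
        self.key = key
        self.max_skew = max_skew
        # nonce -> timestamp of first acceptance; used to refuse replays
        self.seen: Dict[bytes, int] = {}

    def verify(self, packet: bytes, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if len(packet) != PACKET_LEN:
            return False
        header, tag = packet[:HEADER_LEN], packet[HEADER_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        # Check the MAC first, in constant time, before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return False
        ts = struct.unpack(">Q", header[:8])[0]
        nonce = header[8:]
        # Freshness: outside the skew window the packet is stale (or from the future).
        if abs(now - ts) > self.max_skew:
            return False
        # Forget nonces older than the window; anything that old fails the
        # freshness check anyway, so the cache stays bounded without losing safety.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False  # replayed knock
        self.seen[nonce] = ts
        return True


if __name__ == "__main__":
    # Stand-alone demonstration: a fresh knock passes, its replay does not.
    verifier = KnockVerifier(SHARED_KEY)
    knock = build_knock(SHARED_KEY)
    print("first knock accepted:", verifier.verify(knock))
    print("replayed knock accepted:", verifier.verify(knock))
```

The order of checks matters: the MAC is compared before the timestamp or nonce is parsed, so an unauthenticated sender cannot learn anything from the verifier's behaviour or fill the replay cache, and the cache is pruned by the same window that the freshness check enforces, so it cannot grow without bound.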


Solution 1:

knockd seems to be one of the more established implementations, although it doesn't fit your criterion of being a patch to sshd itself. Personally I'd favour an external program for reasons including:

  • it can be used to help secure other services (e.g. IMAP, OpenVPN) as well as ssh
  • patching extra functionality into sshd increases likelihood of introducing vulnerabilities (no matter how "tested" such a patch may be, sshd runs as root so the smallest flaw could prove to be quite nasty)
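For reference, this is what the knockd approach the answer recommends looks like in practice. The configuration below is an added example written in the format documented in knockd's own man page, not a file taken from the question or the answer; the port sequence, timeout and rule wording are arbitrary sample choices. Each `command` is a single iptables rule keyed on `%IP%`, the knocking source address, which is about as far from a "complex iptables setup" as firewall-gated SSH gets.

```ini
[options]
    UseSyslog

[openSSH]
    ; three SYN packets to these ports, in order, within 5 seconds
    sequence    = 7000,8000,9000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    ; reverse sequence removes the rule added above for the same source
    sequence    = 9000,8000,7000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

This assumes the INPUT chain already drops port 22 by default, so the inserted ACCEPT rule is what makes the difference, and that the client closes the port again when done; a forgotten close leaves the rule in place, which is the main operational caveat of the open/close pattern.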