FREESCO Support

[bob selby]

I finally got fed up with the "script bunnies" trying to login to my ssh port ... (I cannot change the port from 22, sadly).

I found the 04x version of "knock" and have installed it but cannot see an obvious way to set "opensshd"'s port to "secure".

Can someone please give me a guide here please

Regards
Bob

[Lightning]

I am assuming that you have the OpenSSH package installed rather than using the built in SSH server Dropbear. Which for Dropbear it is just a matter of enabling the server in "s" mode. However for OpenSSH it has a firewall rule in the /pkg/rc/rc_opensshd script that is enabled by default. So you should have to have disabled it manually in the script or using the built in disable firewall configuration in the "setup". Knowing which way you disabled it would help in explaining how to enable it again. If you used the setup to disable it then when the firewall starts it will show the firewall is disabled for that package.

[bob selby]

I dont recall disabling the firewall rule ...

However, the line ---

case $1 in
$fire) # ipfwadm -I -a $Pd -P tcp -W $INET -D 0/0 $Port $LOG
;;
$setu) edithlp

--- was commented out.

Removing the "# " means that the package is now running and the port is now appears "stealthed"

I am running v "opensshd_3.7.1p1_dingetje"

I am assuming the rule above is correct for what I need.

Next step - testing "knock"

Thanks
Bob

[Lightning]

I am assuming the rule above is correct for what I need.

Yes

Next step - testing "knock"

Be aware that I have had some issues when mixing tcp and udp packet types when using knock. So start testing with just plain port numbers without the tcp or udp flags.

[bob selby]

Thanks for that

Next step - testing "knock"

Be aware that I have had some issues when mixing tcp and udp packet types when using knock. So start testing with just plain port numbers without the tcp or udp flags.

Is that an issue for just "knockd" or the windoze client ?? or both ??

Best regards
Bob

[Lightning]

Is that an issue for just "knockd" or the windoze client ?? or both ??

Looking at the source code, it does explain that the knock client included in the package is extremely basic and if you want or need to send more complicated packets with different flags set on each packet like "fin, syn, rst, psh, ack, or urg" then you should use another client such as "hping, sendip, or packit". So I think the main issue is the client is not complex enough to do all of the things the server is capable of doing. However be aware that you can send up to a 32 port sequence and it does not matter if the port is closed or not because knock runs at a link-layer level. For my own purposes I have never had anyone get into a knock protected system. Of course I am also doubtful anyone has really tried as there really isn't anything of value to be found on anything that I own unless they are after open source software.

What I am finding as VERY effective is blocking the people who are trying to hack the system. The emailblock package has almost entirely stopped anyone trying to force there way into my email as it blocks people from the entire system after there third (configured) failed login attempt for a few (configured) hours. I have also just created a FTP option that will be released in 0.4.5 that does the same thing. So brute force login attempts will be eliminated and I am working on the source code so that I will hopefully I will be able to do the same thing for the SSH server Dropbear. regardless I can say that I was getting about thirty log files a day and now I am getting one a week after the implementation.

This same type of system might be able to be adapted for OpenSSH, but I have not looked into it to know one way or another.

[bob selby]

Thanks - that all works a treat
Bob