ssh port knocking with pf
October 24th, 2009

The idea of port knocking is simple: a service that is normally firewalled accepts connections from a given source IP only after that address has connected to certain ports in a special sequence. This is a simplified implementation of the idea using pf to protect the ssh service.
In pf.conf file:
### pf tables
table <ssh_accept> persist
…
### pf rules
block in log all
…
pass in quick on $if proto tcp from <ssh_accept> to $me port 22 flags S/SA keep state
…
# there's no service listening on 31337, so synproxy state lets pf complete the TCP handshake itself;
# only completed connections count towards max-src-conn-rate
pass in quick on $if proto tcp from any to $me port {31337} synproxy state (max-src-conn-rate 3/5, overload <ssh_accept>)
…
This will open port 22 on the $me host for a source address that makes 3 connection attempts to port 31337 within 5 seconds: the rate limit is exceeded, the source is added to the ssh_accept table by the overload option, and the pass rule above then lets it in.
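The following is an added illustration, not part of the original post, of what the max-src-conn-rate 3/5 threshold means for a stream of connection attempts. It reads a constructed log of attempts in a simplified "epoch source-ip destination-port" format (an assumption; real pflog records would first be rendered with tcpdump) and prints each source that made at least 3 attempts to the knock port within any 5-second window, which is the condition that would land it in the ssh_accept table. The helper name knock_sources and the sample addresses are made up for this example.

```shell
#!/bin/sh
# Constructed sample of connection attempts: epoch seconds, source IP, destination port.
# One source knocks three times within two seconds, one knocks too slowly, one only talks to port 22.
SAMPLE_LOG='1256400000 192.0.2.10 31337
1256400001 192.0.2.10 31337
1256400002 192.0.2.10 31337
1256400000 198.51.100.7 31337
1256400010 198.51.100.7 31337
1256400020 198.51.100.7 31337
1256400005 203.0.113.5 22
1256400006 203.0.113.5 22
1256400007 203.0.113.5 22'

# knock_sources PORT RATE SECONDS
# Print every source that made at least RATE connections to PORT within any
# SECONDS-long window (the same condition as max-src-conn-rate RATE/SECONDS).
# Input is expected on stdin, ordered by time per source, as a log would be.
knock_sources() {
    port=$1; rate=$2; window=$3
    awk -v port="$port" -v rate="$rate" -v window="$window" '
        $3 == port {
            src = $2
            n[src]++
            t[src, n[src]] = $1
            # sliding window: compare this attempt with the one (rate-1) attempts earlier
            if (n[src] >= rate && $1 - t[src, n[src] - rate + 1] <= window && !(src in hit)) {
                hit[src] = 1
                print src
            }
        }'
}

# Only 192.0.2.10 trips the 3/5 threshold; 198.51.100.7 spreads its attempts over 20 seconds.
printf '%s\n' "$SAMPLE_LOG" | knock_sources 31337 3 5
```

The slow knocker shows why the rate matters: three attempts are not enough on their own, they have to fall inside the 5-second window, which is what keeps ordinary port scans from opening the door by accident.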
From this moment ssh access to $me is granted. This probably shouldn't be allowed forever, so this crontab entry will clear all entries in the ssh_accept table not used within the last 5 minutes: