fwknop VS blocklist-ipsets

sounds fun; i see the arch aur has a few options as well. have you tried https://www.cipherdyne.org/fwknop/ ?

Yes that's the basic idea, i tried to use fwknop first but it didn't do what i wanted it to do so i made my own

Port knocking. Or better yet FWKNOP. I'm disappointed I don't hear people talk about it more. The port isn't even open until you give the secret combination of knocks on a large number of ports. There's much more to it. I recommend listening to Episode 865 ofSecurity Now.

> Is this approach used elsewhere?

Yes, or at least in a similar fashion. An alternative variant of port knocking is SPA (Single Packet Authorization). Often SPA protocols use UDP and contain within the body field an encrypted payload containing all the required data to authenticate and authorize a particular request.

There are multiple different implementations of SPA: OpenSPA [1] (full disclosure: I am the author of OpenSPA), fwknop [2] just to name a few.

SDP (Software Defined Perimeter) often builds upon SPA technologies in order to achieve a form of zero trust access.

[1] - https://github.com/greenstatic/openspa

[2] - https://github.com/mrash/fwknop

I am currently re-writting the OpenSPA protocol (version 2) and I plan on playing around with eBPF as well, so thanks eeriedusk for paving the way :)

As an alternative to port knocking, there is: https://github.com/mrash/fwknop

fwknop is nice and simple

Sure, few links for when you dig in: http://iplists.firehol.org/, https://crowdsec.net/, https://www.zeroflux.org/projects/knock/, https://www.cipherdyne.org/fwknop/

An upgrade to port knocking is Single Packet Authorization [1]. It doesn’t suffer from the observability, and other, problems of port knocking.

[1] https://www.cipherdyne.org/fwknop/

Or keep the port closed like I do with my ssh port and use fwknop to open the port only when needed.

Look into FireHol and its use of IPsets: https://firehol.org/guides/ipset/ | http://iplists.firehol.org/ - you can easily do what you’re wanting with these two.

Yes, unfortunately i think this also happened other times with Firehol L3 (you can see https://github.com/firehol/blocklist-ipsets/issues/188) but thanks for the lists advice.

It sounds like you want to jump into game development before learning how to write "Hello, world!". Try using any of the open source tools that already do this and sign up for some "free" threat intel tools and learn the lay of the land. https://www.misp-project.org/ https://github.com/OpenCTI-Platform/opencti https://iplists.firehol.org/ https://www.greynoise.io/

I believe you are running SSH over default port 22 - feel free to change that. You can also use iplists from FireHOL to block any connection from blacklisted (on way or another) IPs - https://iplists.firehol.org/

Tor exits are tracked here [1] and in a few other block-list repos. The data is built from Tor's exit node list [2]

[1] - https://github.com/firehol/blocklist-ipsets

[2] - https://check.torproject.org/exit-addresses