fwknop VS endlessh

sounds fun; i see the arch aur has a few options as well. have you tried https://www.cipherdyne.org/fwknop/ ?

Yes that's the basic idea, i tried to use fwknop first but it didn't do what i wanted it to do so i made my own

Port knocking. Or better yet FWKNOP. I'm disappointed I don't hear people talk about it more. The port isn't even open until you give the secret combination of knocks on a large number of ports. There's much more to it. I recommend listening to Episode 865 ofSecurity Now.

> Is this approach used elsewhere?

Yes, or at least in a similar fashion. An alternative variant of port knocking is SPA (Single Packet Authorization). Often SPA protocols use UDP and contain within the body field an encrypted payload containing all the required data to authenticate and authorize a particular request.

There are multiple different implementations of SPA: OpenSPA [1] (full disclosure: I am the author of OpenSPA), fwknop [2] just to name a few.

SDP (Software Defined Perimeter) often builds upon SPA technologies in order to achieve a form of zero trust access.

[1] - https://github.com/greenstatic/openspa

[2] - https://github.com/mrash/fwknop

I am currently re-writting the OpenSPA protocol (version 2) and I plan on playing around with eBPF as well, so thanks eeriedusk for paving the way :)

As an alternative to port knocking, there is: https://github.com/mrash/fwknop

fwknop is nice and simple

Sure, few links for when you dig in: http://iplists.firehol.org/, https://crowdsec.net/, https://www.zeroflux.org/projects/knock/, https://www.cipherdyne.org/fwknop/

An upgrade to port knocking is Single Packet Authorization [1]. It doesn’t suffer from the observability, and other, problems of port knocking.

[1] https://www.cipherdyne.org/fwknop/

Or keep the port closed like I do with my ssh port and use fwknop to open the port only when needed.

You can reduce the noise a lot by moving ssh to a non standard port. Security through obscurity isn't actually security, but it will reduce the number of attempts you receive. Another thing I like to do is put Endlessh on the standard port 22. That way as bots go by they will get stuck or at least slow down on that connection.

SSH tarpit with Endlessh and for the hidden SSH: auth with both a key files (that need unlocking and is on the computer) AND an One Time Password on my phone.

If you change the ssh port, install https://github.com/skeeto/endlessh to slow down the attackers

Even this requires you to successfully guess the username and password correctly, and if it's just not the default most people won't bother brute forcing further. Sidenote: you can use endlessh on a computer and port forward port 22 to trap scanners that scan the entire internet for open ssh ports to exploit.

The fun way is moving your ssh port somewhere else and installing endlessh to f the bots.

Such as endlessh

But, as a prank to Chinese hackers, what I did on my system was to run endless ssh. It keeps the ssh client busy as it slowly sends the ssh banner. I modified the code to send strings like:

For hardening: I use lynis for some guidance, the VPS runs rkhunter, AIDE and other things nightly and mails me the reports, fail2ban manages the SSH port, having SSH on a custom port helps to keep things quiet. If you're into these kind of things, have a look at the Endlessh tarpit to learn about login attempts on port 22 on your machine - I found it eye-opening.