by daraosn 3669 days ago
Is there a service that wraps/proxies a port with a different or custom protocol? (kind of like SSL for HTTP)

Idea: instead of ssh'ing a server, you would run your custom command which communicates to port XXXX, communicate with a custom protocol and then if validation succeeds, would proxy to SSH (or any other internal port/protocol).

Why? Because as others suggested you could scan all ports very quickly to break this, but if you scan a port and just receive garbage or something only you can understand when opening it, then you could hide it from the outside.

(Just curious)

3 comments

Seems possible (though very time-consuming) if you just use it to protect your hobby/toy machines. As soon as your protocol becomes important enough that it attracts the attention of human hackers and not just bots, they can easily reverse-engineer it.

By the way, I think you could view encrypted connections as a sort of automation of that practice: A crypto algorithm could be seen as a machine that generates "custom protocols" given a key...

That's an interesting idea, to make encryption dynamic using something like the 2FA described here.
Encryption in most commonly used protocols is dynamic - each session generates a brand new session key that is negotiated such that only the holders of the private keys can discern.
There is an existing solution to give you this protection, it's called port knocking.
<shameless_plug> Check out fwknop, https://www.cipherdyne.org/fwknop/ It's one solution to this problem. Instead of answering with garbage, it allows for keeping the firewall closed/default drop stance. It's port knocking, but with real cryptography instead of just relying on hitting port numbers, and does it with just a single packet. </shameless_plug> Full disclosure: I'm one of the Fwknop devs.
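
Added example, not part of the thread and not fwknop's code or packet format: a sketch of the server-side decision behind a single authenticated "knock" packet, with a replay check and a freshness window. The packet layout, `build_request`, `Verifier` and the 30-second window are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time

MAC_LEN = 32                      # HMAC-SHA256 tag length
MAX_SKEW = 30                     # seconds a request stays acceptable (assumed)
HEADER = struct.Struct("!16sQH")  # random nonce, unix time, requested port


def build_request(key: bytes, port: int, now: int | None = None) -> bytes:
    """Client side: one datagram = header || HMAC-SHA256(key, header)."""
    now = int(time.time()) if now is None else now
    header = HEADER.pack(os.urandom(16), now, port)
    return header + hmac.new(key, header, hashlib.sha256).digest()


class Verifier:
    """Server side: return the port to open, or None to drop silently."""

    def __init__(self, key: bytes, allowed_ports: set[int]):
        self.key = key
        self.allowed_ports = allowed_ports
        self.seen: dict[bytes, int] = {}  # nonce -> timestamp, for replay checks

    def check(self, datagram: bytes, now: int | None = None) -> int | None:
        now = int(time.time()) if now is None else now
        if len(datagram) != HEADER.size + MAC_LEN:
            return None
        header, tag = datagram[:HEADER.size], datagram[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None
        nonce, sent_at, port = HEADER.unpack(header)
        if abs(now - sent_at) > MAX_SKEW:           # stale or future-dated
            return None
        # Forget nonces that aged out of the window, then reject replays.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen or port not in self.allowed_ports:
            return None
        self.seen[nonce] = sent_at
        return port  # caller would add a short-lived firewall rule for the sender
```

Every failure path returns `None` without replying, so the listener answers nothing to a scanner, and a captured packet is useless once its nonce has been recorded or its timestamp has left the window.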