by x3blah 2223 days ago
One can use "port knocking" for more than remotely opening ports. It is a crude form of messaging in its own right, that can be based on some pre-determined code, like Morse code. The "secret knock" need not open any ports. It can be simply a message to the person (or program) reading the logs, to be translated according to the pre-determined code. Actions might be taken in response to the message, or not.

It is possible to do similar things with haproxy. Configured to listen for TLS connections on a large number of ports, look for a secret combination of custom headers and values, then, if found and matching, forward to a localhost ucspi tcpserver on the backend. The tcpserver may then execute some program, for example sshd or pfctl.

http://cr.yp.to/ucspi-tcp.html

1 comment

Good idea. You can also do it based on a sequence of ports accessed as well without headers/values which would allow you to forward directly to a tcp based service. You can track which ports are accessed and verify the sequence using stick-tables.

Here's an example of what that would look like:

https://gist.github.com/dcorbett-haproxy/ec7059cbfccf12c8f41...
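The two ideas in this thread, verifying a pre-determined sequence of ports per source (what the reply does with haproxy stick-tables) and treating a knock sequence as a message to whoever reads the logs (the first comment's Morse-code angle), can both be shown in one log reader. The following Python is an added example, not code from either commenter or from the linked gist, and it assumes a constructed pf-style log format, a constructed secret sequence (`SECRET`) and a constructed port-to-symbol table (`CODE`); in a real deployment the sequence check would live in the proxy or firewall, and this script is the "program reading the logs" side of the picture.

```python
import re
from datetime import datetime

# Constructed pf-style firewall log lines (not from the thread). Source
# 203.0.113.5 completes the secret sequence within the window, 203.0.113.9
# knocks the right ports but too slowly, and 192.0.2.7 knocks a Morse message.
SAMPLE_LOG = """\
Mar 01 10:00:01 fw pf: block in on em0: 203.0.113.5:51000 > 198.51.100.2:7000: tcp
Mar 01 10:00:02 fw pf: block in on em0: 203.0.113.5:51001 > 198.51.100.2:8000: tcp
Mar 01 10:00:03 fw pf: block in on em0: 203.0.113.5:51002 > 198.51.100.2:9000: tcp
Mar 01 10:00:04 fw pf: block in on em0: 203.0.113.9:40000 > 198.51.100.2:7000: tcp
Mar 01 10:00:50 fw pf: block in on em0: 203.0.113.9:40001 > 198.51.100.2:8000: tcp
Mar 01 10:00:51 fw pf: block in on em0: 203.0.113.9:40002 > 198.51.100.2:9000: tcp
Mar 01 10:01:00 fw pf: block in on em0: 192.0.2.7:33000 > 198.51.100.2:8000: tcp
Mar 01 10:01:01 fw pf: block in on em0: 192.0.2.7:33001 > 198.51.100.2:8000: tcp
Mar 01 10:01:02 fw pf: block in on em0: 192.0.2.7:33002 > 198.51.100.2:8000: tcp
Mar 01 10:01:03 fw pf: block in on em0: 192.0.2.7:33003 > 198.51.100.2:9000: tcp
Mar 01 10:01:04 fw pf: block in on em0: 192.0.2.7:33004 > 198.51.100.2:8000: tcp
Mar 01 10:01:05 fw pf: block in on em0: 192.0.2.7:33005 > 198.51.100.2:7000: tcp
Mar 01 10:01:06 fw pf: block in on em0: 192.0.2.7:33006 > 198.51.100.2:8000: tcp
"""

# Constructed pre-shared values: the secret sequence and the Morse-style code.
SECRET = [7000, 8000, 9000]          # ports that must be hit in this order
WINDOW = 10                          # seconds allowed between consecutive knocks
CODE = {7000: ".", 8000: "-", 9000: " "}   # port -> dot, dash or letter gap
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*?: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ > \d+\.\d+\.\d+\.\d+:(?P<dport>\d+): tcp$"
)
EPOCH = datetime(2000, 1, 1)


def parse_knocks(log_text):
    """Return (seconds, src_ip, dst_port) tuples in log order; other lines are skipped."""
    knocks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # The log carries no year; pin one so the timestamps are comparable.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2000)
        knocks.append(((ts - EPOCH).total_seconds(), m.group("src"), int(m.group("dport"))))
    return knocks


def verify_sequence(knocks, secret=SECRET, window=WINDOW):
    """Track each source's progress through `secret` the way a per-IP
    stick-table counter would: advance on the expected next port, restart on
    any other port, and forget the entry when the previous knock is older
    than `window` seconds. Returns the sources that completed the sequence."""
    progress = {}      # src -> (index of next expected port, time of last knock)
    completed = []
    for ts, src, dport in knocks:
        idx, last = progress.get(src, (0, ts))
        if ts - last > window:
            idx = 0    # entry expired, as a stick-table expire would do
        if dport == secret[idx]:
            idx += 1
        else:
            idx = 1 if dport == secret[0] else 0   # wrong port: start over
        if idx == len(secret):
            completed.append(src)
            idx = 0
        progress[src] = (idx, ts)
    return completed


def decode_message(knocks, src, code=CODE, morse=MORSE):
    """Translate one source's knocks into text with the pre-determined code.
    Ports outside the code are ignored; an undecodable letter becomes '?'."""
    symbols = "".join(code.get(dport, "") for _, s, dport in knocks if s == src)
    return "".join(morse.get(letter, "?") for letter in symbols.split(" ") if letter)


if __name__ == "__main__":
    knocks = parse_knocks(SAMPLE_LOG)
    print("completed secret sequence:", verify_sequence(knocks))
    for src in sorted({s for _, s, _ in knocks}):
        print(src, "says:", decode_message(knocks, src))
```

The sequence check is deliberately a plain state machine with an expiry, because that is all a stick-table with a counter and an `expire` gives you; the slow knocker in the sample shows why the window matters, since without it a scanner sweeping ports in order would eventually satisfy the sequence.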