by mscdex 677 days ago
For what it's worth if you have control over both client and server and don't want to limit access using a strict IP whitelist, an alternative solution that will keep your logs quieter and add additional protection is to use good old fashioned port knocking. knockd on Linux helps with automating this on the server side. Client side you can use anything (although knockd does include a dedicated client) to send your sequence of packets before actually connecting.

I really think this solution is underrated. Port knocking is robust, doesn't use any special technology, and servers using it can't reasonably be scanned for. The only real disadvantage is that any passive observer can see your knock sequence in "plaintext" (so that includes anyone logging netflow).

Even so, I don't know why OpenSSH hasn't implemented it instead of the silly fail2ban theatre we're discussing in these comments.

One thing to help with the passive observer would be to have the knock sequence be time varying like a TOTP. It's still a very thin addition but more defense in depth the better sometimes.
lol, hadn't read all the comments before posting mine... Have an upvote! Actually, why not do both. Vary the knock code and the resulting ssh port using successive codes.

I just checked knockd man page and it turns out it can use a one_time_sequences file that contains a sequence of port knock combinations. I wonder if this file is dynamically checked, or loaded and parsed during startup? Or could one simply echo the TOTP code straight into that file and hup the knockd service each time (let's say the TOTP interval was set to something like 5 minutes).

Well, that's the answer. Thank you.
I wonder if you could combine command line TOTP tools with port knocking for fully time-based unique knock codes? Or even use the TOTP code for the ssh port?

I'm totally gonna do this.
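The time-varying knock idea from the comments above, worked through as an added example (not code from any commenter, and not part of knockd): a TOTP-style derivation of a port sequence from a shared secret and a 5-minute time counter, a server-side check that accepts the current window plus one step of clock skew either side, and a renderer for a knockd one_time_sequences file. The secret, the 5-minute step, the port range and the table/set names are constructed for the demo; the one-sequence-per-line, comma-separated file format is how I read the knockd man page, so check it against your knockd version before relying on it. The knock is still visible to a passive observer, so this only shrinks the replay window to a few intervals; it does not make the sequence confidential.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values: use a random secret of 20+ bytes shared out of band.
SECRET = b"constructed-demo-secret-0123"
STEP = 300                  # seconds per window (the 5-minute interval from the thread)
KNOCK_LEN = 4               # ports per knock sequence
PORT_LO, PORT_HI = 10000, 60000   # unprivileged range the knock ports are drawn from


def current_counter(now=None):
    """TOTP-style time counter: whole STEP intervals since the Unix epoch."""
    return int(now if now is not None else time.time()) // STEP


def knock_sequence(secret, counter, length=KNOCK_LEN):
    """Derive `length` distinct ports from HMAC-SHA256(secret, counter).

    Each 2-byte slice of the digest becomes a port in [PORT_LO, PORT_HI];
    duplicates are skipped and the digest is re-derived with a round number
    if a single digest does not yield enough distinct ports.
    """
    span = PORT_HI - PORT_LO + 1
    ports = []
    round_no = 0
    while len(ports) < length:
        msg = struct.pack(">QI", counter, round_no)
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        for i in range(0, len(digest) - 1, 2):
            port = PORT_LO + struct.unpack(">H", digest[i:i + 2])[0] % span
            if port not in ports:
                ports.append(port)
            if len(ports) == length:
                break
        round_no += 1
    return ports


def verify_knock(secret, observed, now, window=1):
    """Server-side check: does `observed` match the sequence for the current
    window or one of the `window` adjacent windows (clock skew tolerance)?

    Returns the matching counter, or None. A real daemon should also record
    accepted counters so a sequence cannot be replayed inside the window.
    """
    observed = list(observed)
    current = current_counter(now)
    for c in range(current - window, current + window + 1):
        if observed == knock_sequence(secret, c):
            return c
    return None


def render_one_time_sequences(secret, start_counter, count):
    """Render `count` consecutive windows as a knockd one_time_sequences file:
    one comma-separated sequence per line (assumed format; see lead-in)."""
    lines = [",".join(str(p) for p in knock_sequence(secret, c))
             for c in range(start_counter, start_counter + count)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    c = current_counter()
    print("current window", c, "knock:", knock_sequence(SECRET, c))
    # Next hour of sequences, suitable for echoing into knockd's
    # one_time_sequences file before sending knockd a HUP.
    print(render_one_time_sequences(SECRET, c, 3600 // STEP), end="")
```

Both sides need reasonably synchronised clocks; `window=1` tolerates up to one interval of drift at the cost of a replay window of three intervals.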

Because it's a stupid low entropy key put in front of a service that you should be using MUCH harder keys on instead of passwords as of circa the 90s.

You're wanting to add a screen door on a sub, and it's just a feel good option for those who don't understand the math involved.

The proper solution is to stop using passwords and use keys or proper cert auth.

I think it goes without saying that you would still want to be using keys instead of passwords for the actual authentication. Port knocking should always be an additional layer, not a replacement layer.
I find adding dynamic dns entries to my firewalls much more efficient and to have a more meaningful protection value.

A timed job that checks the IP of your clients and updates the firewall every 30 seconds seems a much more secure method than having a magic sequence of ports that can be captured in the wild.

It’s hard to spoof a full tcp connection (with a key) needed to update your ddns.

Best part is you can leave your ddns to a separate box or service which complicates the compromise of a single host
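The dynamic-DNS allowlist approach described above, as an added example rather than the commenter's own script: a job meant to run every 30 seconds resolves each client's DDNS name, diffs the result against the addresses currently in an nftables set, and emits only the add/delete commands needed. The nft table and set names are assumptions (the set must already exist, e.g. `nft add set inet filter ssh_clients { type ipv4_addr; }`, with an input rule that accepts SSH from `@ssh_clients`), and the example keeps to IPv4 because an nft set has a single address type. The deliberate edge case is a DNS failure: an empty resolution leaves the existing entries alone, so a resolver outage does not lock every client out.

```python
import ipaddress
import shlex
import socket
import subprocess

# Assumed nftables location for the allowlist; adjust to your ruleset.
TABLE = "inet filter"
SET_NAME = "ssh_clients"


def resolve_ipv4(name):
    """All IPv4 addresses behind a DDNS name; empty set on resolution failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {ipaddress.IPv4Address(info[4][0]) for info in infos}


def plan_update(applied, resolved, table=TABLE, set_name=SET_NAME):
    """nft commands that move the set from `applied` to `resolved`.

    Fail-safe: an empty `resolved` almost always means DNS trouble, not that
    every client vanished, so nothing is removed in that case.
    """
    if not resolved:
        return []
    cmds = []
    for addr in sorted(resolved - applied):
        cmds.append(f"nft add element {table} {set_name} {{ {addr} }}")
    for addr in sorted(applied - resolved):
        cmds.append(f"nft delete element {table} {set_name} {{ {addr} }}")
    return cmds


def run_cycle(names, applied, resolver=resolve_ipv4, dry_run=True):
    """One timer tick: resolve every name, plan the diff, apply it.

    Returns (commands, new_applied). With dry_run the commands are only
    returned, so the logic can be exercised without root or nft installed.
    """
    resolved = set()
    for name in names:
        resolved |= resolver(name)
    cmds = plan_update(applied, resolved)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(shlex.split(cmd), check=True)
    new_applied = resolved if resolved else set(applied)
    return cmds, new_applied


if __name__ == "__main__":
    # Run from cron or a systemd timer every 30 seconds; persist `applied`
    # between runs (or read the live set with `nft list set`).
    applied = set()
    cmds, applied = run_cycle(["client.example.dyndns.invalid"], applied)
    for cmd in cmds:
        print(cmd)
```

Keep the DNS TTL for the DDNS record short, otherwise the 30-second job will keep applying a stale answer, and pin the resolver the job uses so an attacker cannot feed it a forged record through a local cache.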