[olug] restricting ports on SSH forwarding

Eric W. Biederman ebiederm at xmission.com
Fri May 29 22:34:39 CDT 2020


Trent Melcher <trentm at trackd.run> writes:

> It is, just don't use sequential ports. I did that when I first started
> testing it and a port scan like Nmap will trip it, since it typically scans
> ports in sequence.

There is a neat variation on the idea; I think WireGuard may have
incorporated it, but I can't remember.

The idea is that instead of port knocking, you never reply on a port unless
you receive an appropriately signed packet.

That also protects you from port scanning, and does not require any
local state to implement.  So it is easier to deploy and scales better.

Eric
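The signed-packet gate described in the post above, as an added example that is not code from this thread or from WireGuard itself; the packet layout, the pre-shared key and the 30-second acceptance window are assumptions of the example. The server keeps no per-client state: a datagram either verifies and gets a reply, or is silently dropped, so a scanner sees nothing.

```python
import hmac
import hashlib
import struct

# Assumed wire format (constructed for this example):
#   8-byte big-endian unix timestamp || 8-byte client nonce || 32-byte HMAC-SHA256 tag
# The tag covers timestamp and nonce under a pre-shared key.
KEY = b"pre-shared-demo-key-constructed"   # placeholder, not a real key
WINDOW = 30                                # seconds of clock skew tolerated
HEADER_LEN = 16
TAG_LEN = 32


def sign_packet(key: bytes, now: int, nonce: bytes) -> bytes:
    """Client side: build a packet the gate will accept at time `now`."""
    header = struct.pack(">Q", now) + nonce
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag


def verify_packet(key: bytes, packet: bytes, now: int) -> bool:
    """Server side: True only for a well-formed, correctly signed, fresh packet."""
    if len(packet) != HEADER_LEN + TAG_LEN:      # malformed: drop silently
        return False
    header, tag = packet[:HEADER_LEN], packet[HEADER_LEN:]
    expected = hmac.new(key, header, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time tag check
        return False
    ts = struct.unpack(">Q", header[:8])[0]
    # With no stored state, freshness is bounded only by the window: a captured
    # packet can be replayed until the window closes, so keep WINDOW small.
    return abs(now - ts) <= WINDOW


def handle_datagram(key: bytes, packet: bytes, now: int):
    """Return a reply for a valid packet; None means stay silent
    (the port looks closed to a scanner)."""
    if not verify_packet(key, packet, now):
        return None
    return b"OK"
```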