Port knocking in random order

Hello!

I am trying to set up port knocking in an unusual way. Usually there is a strict order in which you "knock" ports, like 2566 → 4789 → 3556. It is easily done by creating dynamic src address lists.

I'd like to make a setup where you can knock 3 ports one by one in any order, but they should not repeat. Using only src address lists in this case gives an excessive number of rules, and I want there to be no more than 8-9 rules. Also, I wouldn't like to use scripts.

Are there any ways to achieve such results?

Would appreciate any help!
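For reference, the strict-order variant the post mentions (2566 → 4789 → 3556) done with dynamic src address lists, as an added example that is not part of the original post. The list names, timeouts and the protected port 8291 are assumptions.

```routeros
# Added example, not from the original post: strict-sequence port knocking
# using dynamic src address lists. List names, timeouts and port 8291 are assumed.
/ip firewall filter
# stage 1: a hit on 2566 puts the source into knock1 for 15 seconds
add chain=input protocol=tcp dst-port=2566 action=add-src-to-address-list \
    address-list=knock1 address-list-timeout=15s comment="knock stage 1"
# stage 2: 4789 only counts for sources already in knock1 (order is enforced here)
add chain=input protocol=tcp dst-port=4789 src-address-list=knock1 \
    action=add-src-to-address-list address-list=knock2 address-list-timeout=15s \
    comment="knock stage 2"
# stage 3: 3556 only counts for sources already in knock2; success opens access for 10 minutes
add chain=input protocol=tcp dst-port=3556 src-address-list=knock2 \
    action=add-src-to-address-list address-list=knocked address-list-timeout=10m \
    comment="knock stage 3"
# only sources that completed the sequence reach the protected service
add chain=input protocol=tcp dst-port=8291 src-address-list=knocked action=accept
add chain=input protocol=tcp dst-port=8291 action=drop
```

The add-src-to-address-list action is non-terminating, so each knock packet still falls through to the normal input rules; a knock on 4789 or 3556 from a source that is not yet in the previous stage's list simply does nothing.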

Why? Use wireguard to access router, simpler and more secure.

Why would you like to allow random order? Not only is it harder to implement (as you found out), it's also less secure. In a traditional port knocking sequence there are 4 bits of information necessary: 3 port numbers and additionally the right sequence. If you allow a random sequence, then security is reduced to 3 required bits of information.

Don't you use 5 ports? Why only three… what is the right number of ports, 3,456??

The answer to that likely depends on how important that security is. I have several port knock sequences that vary from 2 step to 6 step. Some of them are pretty low importance - for example, two of them trigger a Wake On LAN in order to boot up one of two computers. Does not help you access them, just boots them. I also have another trick or two up my sleeve that improves the security of various sequences.

Interesting approach there k6, but it has no bearing on what the OP is doing or my comment…
How does port knocking affect a wake on LAN for PCs… not sure I see how that would work.

The port knock completion writes an entry in the log. A script checks for that log entry every minute. When it sees the correct text in the log, it executes the WOL.
Took a while to come up with that one, but it works quite well.

One could easily replace the port knocking with my cell phone connecting to wireguard (logged) and a script uses that for WOL. 🙂
Food for thought.
Assuming you have already thought of that, but it's not so easy maybe…

Not with S6. Although my two “secondary purpose” routers are 7.13, the main router is 6.49.8.

Ahh okay, understood.
