Changes sshd port every 30 seconds, using Two Factor Auth to login

> a joke for all of the people who say "Changing your port is security by obscurity"

This always tickled me. I don't do it for security; I do it because (on public-facing servers) it keeps the constant stream of doorknob-rattling out of the logs!

Fun project. With my more serious hat on, I think what most people are missing about all these port-knocking schemes -- is that they all boil down to poor key based authentication.

In the case of TOTP, the key is stored in plain text two places: the server and the TOTP client (or similarly, for other port knocking schemes, on the server to calculate the next port, and on the client to do the same).

Contrast this with disabling password login, and using only key-based authentication: Now the secret key is only stored in one place: on the client (although, to be fair, there's a secret key you can steal on the server too, in order to compromise the system).

The way to improve security beyond simply requiring key-based auth, is to move away from trust-on-first-use to using ssh certificates. To improve on that, require certificates and TOTP. It's still somewhat hard to see how the latter really improves on security - perhaps with some kind of dedicated TOTP hw token. I would guess that compromising the TOTP-key stored on a smartphone is probably one of the easiest attack vectors, so it's unclear how much more secure it is, beyond simply using ssh certificates.

Couple of enhancements - there should be port map for ports which not to connect to. Also - you will have a hell of a time with synchronization, timezone etc.

Aren't you worried that systemd won't silently kill the background process? :)

> as a joke for all of the people who say "Changing your port is security by obscurity"

That's simply not true. Changing the sshd safes you a lot of trouble in risky environments. You prevent services which rely on ssh from failing during automated dos/bf attempts.

Unfortunately people have taken this a little too seriously, I wrote this as a joke/PoC of silly "Security by obscurity" methods, and yet people are for some reason viewing this as a serious solution...

I recognize that this is a joke, in the words of the OP. However I think SPA-type port knocking is completely legitimate, and I second the use of fwknopd. I depend on fwknopd a lot, so if that is not secure idea, I would like someone to point that out to me. NOTE that fwknopd does not depend on expecting a client to connect to a short sequence of different port numbers. That is not what fwknopd does, at least not the latest fwknopd. Instead, fwknopd listens for an encrypted packet on a specified port, which it will not acknowledge. The firewall does not allow the packet through, technically speaking. But fwknopd recognizes the arrival of the packet by scanning logs when the firewall drops the packet and logs the dropped packet. etc. etc. If you know this type of fwknopd deployment and don't think it is a good idea, please comment.

Again, I am not taking the OP seriously, but I do take seriously that people either don't know about fwknopd, or maybe, don't think that is good security (in which case I want to hear from you).

People get their wires crossed about port knocking because it doesn't add much security when I'm trying to find a way to hack you. It does add something when I'm trying randomly to find you to hack.

They make the valid criticism of the first case while you argue the second and somehow the arguments miss in the middle.

It does seem a little silly, the readme does also mention it was written as a joke.

Was looking at ways to decrease logspam from ssh login bots some years ago, port knocking seemed like the most elegant solution. I ended up simply moving ssh away from port 22, the logspam disappeared.

I've used fail2ban in other setups, it also has the advantage of being easy to integrate with other systems such as wordpress, sftp/ftps, nginx, apache.

"I don't understand why this is seen as acceptable, yet port knocking is derided every time it's brought up."

I have been in this business for a long time and I still look very fondly at port-knocking as a thing that genuinely makes things better.

Almost zero complexity added, super stable knockd daemon, and does a single, simple thing very, very well.

I love port knocking, I love using it, I love the idea of it, and I wouldn't build a server without hiding sshd (and others) behind a knock.

All criticism of port knocking (weirdly) assumes that you also disable all other forms of security and that you rely solely on port knocking, which of course is false.

It is true that port knocking adds just a marginal additional amount of security, but it's still additive and it's still a high return on the (very low) complexity and maintenance.

If you chain two sshd and have a certificate on the first and password on the second, the second sshd will have the exact same number of attempts as your current setup.

I dislike Go as well, but it does compile to a static binary, so you shouldn't need to install any runtime at all.

Seems possible (though very time-consuming) if you just use it to protect your hobby/toy machines. As soon as your protocol becomes important enough that it attracts the attention of human hackers and not just bots they can easily reverse-engeneer it.

By the way, I think you could view encrypted connections as a sort of automation of that practice: A crypto algorithm could be seen as a machine that generates "custom protocols" given a key...

There is an existing solution to give you this protection, it's called port knocking.

<shameless_plug> Check out fwknop, https://www.cipherdyne.org/fwknop/ It's one solution to this problem. Instead of answering with garbage, it allows for keeping the firewall closed/default drop stance. It's port knocking, but with real cryptography instead of just relying on hitting port numbers, and does it with just a single packet. </shameless_plug> Full disclosure: I'm one of the Fwknop devs.

The very description of the project says "Take security by obscurity to the next level (You must be insane to run this)", so I'm not sure why you're trying to convince the author here.

Two men walking in the woods enter grizzly country. One stops and swaps his hiking boots for running shoes. The other says, that's stupid, you'll never out run a grizzly bear.

The technical concerns fall under the category of security. The business concerns fall under risk mitigation. These concerns converge as the value of an enterprise's assets rises. Banks and blogs are toward different ends of the spectrum. At the lower end, this sort of measure probably keeps a wordpress site in the middle of the herd when wolves invite themselves to dinner.

a) It's not explicitly said that the ssh password is the last digits from the code. That's the intuition I got as well, but that would be pure craziness. I assume only the port is affected, and you're using your normal authentication scheme (key or password) to login.

b) Straight from the GitHub's README, which was not edited after submission to HN:

>> Beware, currently I would not really recommend running this software, it was only written as a joke.

Can't a scan like that be detected by a simple firewall?

Isn't it safer to keep the ssh port below 1024 so that another user other than root can't start a listener on that port?

Yeah, me too! I would not call this security by obscurity because it actually helps making the auth logfile more readable ;-)

> On high security servers forcing the users to use public key authentication is another way to stop guessing.

Public key and IP limiting is standard practice, eliminating passwords should be top priority for anyone running SSH servers.