Home / server / Questions / 535061
Accepted
dotancohen
Asked: 2013-08-31 00:34:49 +0800 CST

Connecting to a port-knocking protected resource

  • 772

Considering the excellent answers on the SF question "Preventing brute force attacks against SSH", I am considering configuring port knocking on a test server. I am debating how I will connect to this server and to other port-knocking servers easily.

I usually configure rsa authentication, addresses, and user names in /.ssh/config as such:

Host msUpdate
    User bgates
    Hostname updates.microsoft.com
    IdentityFile ~/.ssh/id_rsa.bgates.pub

Thus, I can simply type ssh msUpdate to log into the server. So far as I know /.ssh/config has no facility for configuring port knocking. Thus, I am considering a wrapper script for ssh that will automatically handle knocking:

$ cat login
#!/bin/bash

msUpdate=( 2000 3000 4000 )
otherServer=( 1024 2048 4096 )

for PORT in ${$@}; do
    ssh -p $PORT
    sleep 1
done

ssh $@

My question is how to write the for line. I cannot seem to get the script to recognise the argument as the name of an array to substitute. Although ostensibly a Bash question, I ask on SF because I feel that the completed script will be most useful to users of this site, and also because if there is a better way than it will most likely be here that someone will let me know about it.

security

2 Answers

  1. You need to use the array name in your for loop 

    for PORT in "${msUpdate[@]}"
do
    ssh -p $PORT host.tld
done

    Better is subjective, I've seen port knocking implemented with a script like this but it used nmap to do the knocking not ssh

    for PORT in "${msUpdate[@]}"
do
   nmap -Pn --host_timeout 100 --max-retries 0 -p $PORT host.tld
done
ssh -p someport host.tld

    You may also want to consider an alternative like Duo Security's two factor authentication.

    • 2
  2. Best Answer

    You're trying to use indirection, but an associative array (AKA "hash") is the better approach. You will need to use a language that supports this feature such as Bash 4, AWK, ksh93, Perl, Python, etc.

    If you have Bash 4, you can use associative arrays as follows. The values can't be arrays, but you can use space-separated lists of ports since the list members won't include spaces.

    #!/bin/bash

declare -A servers
servers[msUpdate]='2000 3000 4000'
servers[otherServer]='1024 2048 4096'

for port in ${servers[$1]}
do
    ssh -p "$port" "$1"
    sleep 1
done

ssh "$1"

    Call the script with the name of the server you want to log in to:

    ./scriptname otherServer

    Use something other than "login" for your script name since that's the name of an existing executable.

    Always avoid using all-caps variable names to prevent possible name collision with shell variables.

    • 2