cryptolok · May 18, 2017 21:56 · SubZr0 · Jul 19, 2017
diff --git a/OpenBSDportKnocking.sh b/OpenBSDportKnocking.sh
 # Port Knocking configuration using OpenBSD with knockd on SSH

 #! DISCLAIMER !
 # OpenBSD isn't an OS for Unix novices, thus I will omit deep details and just make some assumptions about your configuration

 # Port Knocking, despite being a known network stealthing technique, was implemented essentially for Linux, I made a reliable, stable and portable configuration for OpenBSD (might also work for FreeBSD)

 # install
 export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/
 pkg_add autoconf
 pkg_add automake
 export AUTOCONF_VERSION=2.69
 export AUTOMAKE_VERSION=1.14
 git clone https://github.com/jvinet/knock
 compile
 /sbin/knockd -i re0 -c /usr/local/etc/knockd.conf

 # Packet Filter
 /etc/pf.conf:
 block all
 pass out

 # Port Knocking
 /usr/local/etc/knockd.conf:
 [options]
        logfile = /var/log/knockd.log
 [opencloseSSH]
        sequence    = 443:tcp, 80:tcp
 #       ports of HTTPS and HTTP are selected because, they are less likely to be filtered if you're behind a restrictive firewall and can be done by a web browser whereas
 port scanners won't have such behavior, but you're still encouraged to change them if you desire so
        seq_timeout = 1
        tcpflags    = syn
        start_command     = /bin/echo 'pass in on re0 proto tcp from %IP% to re0:0 port 22' >> /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
        cmd_timeout = 10
        stop_command     = /usr/bin/sed -i '$ d' /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
 #       this will open SSH port on interface re0 for 10 seconds which will allow you to connect and since, PF is a state-full firewall, it won't block already established connection
 #       note that it is a mistake to think that I reload all of PF rules, this is true for Netfilter (iptables), but PF will change the rules in a smart manner

 # connecting from your PC
 sudo aptitude install knock || yaourt knock || echo 'you know what to do'
 knock $IP 443 80 
 ssh $IP
 # I advise to repeat it few times in order to avoid network delays and lost packets in some circumstances
 # alternatively, you can also use your web browser or wget
 firefox https://$IP || wget https://$IP
 firefox http://$IP || wget http://$IP
 ssh $IP
	# Port Knocking configuration using OpenBSD with knockd on SSH

	#! DISCLAIMER !
	# OpenBSD isn't an OS for Unix novices, thus I will omit deep details and just make some assumptions about your configuration

	# Port Knocking, despite being a known network stealthing technique, was implemented essentially for Linux, I made a reliable, stable and portable configuration for OpenBSD (might also work for FreeBSD)

	# install
	export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/
	pkg_add autoconf
	pkg_add automake
	export AUTOCONF_VERSION=2.69
	export AUTOMAKE_VERSION=1.14
	git clone https://github.com/jvinet/knock
	compile
	/sbin/knockd -i re0 -c /usr/local/etc/knockd.conf

	# Packet Filter
	/etc/pf.conf:
	block all
	pass out

	# Port Knocking
	/usr/local/etc/knockd.conf:
	[options]
	logfile = /var/log/knockd.log
	[opencloseSSH]
	sequence = 443:tcp, 80:tcp
	# ports of HTTPS and HTTP are selected because, they are less likely to be filtered if you're behind a restrictive firewall and can be done by a web browser whereas
	port scanners won't have such behavior, but you're still encouraged to change them if you desire so
	seq_timeout = 1
	tcpflags = syn
	start_command = /bin/echo 'pass in on re0 proto tcp from %IP% to re0:0 port 22' >> /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
	cmd_timeout = 10
	stop_command = /usr/bin/sed -i '$ d' /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
	# this will open SSH port on interface re0 for 10 seconds which will allow you to connect and since, PF is a state-full firewall, it won't block already established connection
	# note that it is a mistake to think that I reload all of PF rules, this is true for Netfilter (iptables), but PF will change the rules in a smart manner

	# connecting from your PC
	sudo aptitude install knock \|\| yaourt knock \|\| echo 'you know what to do'
	knock $IP 443 80
	ssh $IP
	# I advise to repeat it few times in order to avoid network delays and lost packets in some circumstances
	# alternatively, you can also use your web browser or wget
	firefox https://$IP \|\| wget https://$IP
	firefox http://$IP \|\| wget http://$IP
	ssh $IP