Just to elaborate a bit about port knocking first. Port knocking is a technique which can be used by a server to respond only if a specific sequence of packets hits a port. I remember testing out a trojan called Sadoor which used port knocking.
A hacker would install the Sadoor server on a machine. However, it would respond only if the Sadoor client, which obviously the hacker has in this case, sends packets in a predefined order. So, for example, you could configure Sadoor to give you a shell only if it received:
a) TCP packets from port 25
b) UDP packets from port 53
c) An ICMP echo reply packet
Note that these are all fake packets created on the fly by the Sadoor client just so it can connect to the Sadoor server loaded on the compromised host. So only if the Sadoor server receives these packets in the exact same order will it let the attacker in; else it'll just keep waiting.
So if you apply it to a real-world scenario, port knocking on, say, port 80 would be a big pain, as you said, because all your users would need to know what packets to construct and send, which is impractical.
Regarding hiding your ssh port: I guess it'll be possible, but how would you do it? You'll need to somehow tell sshd that it shouldn't directly accept requests made by a normal ssh client. It must listen for the proper port knocking sequence and allow an ssh client in only if this is true.
I'm pretty sure you will need to write a bit of code independently and have ssh call it before it responds to your request, or modify the code for sshd itself. Neither of these is very practical or really needed, as there are better methods of locking down / controlling access to SSH.
If there's any other way to do it without writing any fresh code, I'd be glad to hear it. You might also want to look at Sadoor and its excellent documentation for an even better understanding.
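The server-side logic the post describes (let a client in only after its packets match a predefined sequence in the exact order, otherwise keep waiting), as an added example that is not part of the original post and not Sadoor's code. The knock sequence, the 10-second timeout between knocks, the source IPs and the traffic replayed through it are all constructed for illustration; the choices to ignore packets on ports that are not part of the sequence and to reset a client's progress on an out-of-order knock are this example's design decisions, not behaviour the post attributes to Sadoor.

```python
"""Server-side port-knocking logic (added example, not Sadoor's code).

A client is admitted only after its packets match a predefined knock
sequence in exact order. Packets on ports that are not part of the
sequence are ignored; a knock that is part of the sequence but arrives
out of order resets that client's progress; a partial sequence that
goes stale is discarded after a timeout.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A knock is (protocol, source port). ICMP has no port, so the ICMP type
# goes in that slot (0 = echo reply), matching the post's third knock.
Knock = Tuple[str, int]

# Hypothetical sequence mirroring the post's example (assumed, not Sadoor's
# real config): TCP from source port 25, UDP from source port 53, then an
# ICMP echo reply.
KNOCK_SEQUENCE: List[Knock] = [("tcp", 25), ("udp", 53), ("icmp", 0)]
KNOCK_TIMEOUT = 10.0  # seconds allowed between consecutive knocks (assumed)


@dataclass
class KnockState:
    position: int = 0      # index of the next knock expected from this client
    last_seen: float = 0.0


@dataclass
class KnockServer:
    sequence: List[Knock]
    timeout: float = KNOCK_TIMEOUT
    clients: Dict[str, KnockState] = field(default_factory=dict)
    opened: List[str] = field(default_factory=list)  # admitted clients, in order

    def observe(self, src_ip: str, proto: str, src_port: int, now: float) -> bool:
        """Feed one observed packet; return True only when src_ip completes the sequence."""
        knock = (proto.lower(), src_port)
        if knock not in self.sequence:
            return False  # ordinary traffic, not a knock at all: ignore it
        state = self.clients.get(src_ip, KnockState())
        if state.position > 0 and now - state.last_seen > self.timeout:
            state = KnockState()  # stale partial sequence: start over
        if knock == self.sequence[state.position]:
            state.position += 1
        else:
            # Out-of-order knock: reset. If it happens to be the first knock,
            # count it as a fresh start rather than discarding it.
            state.position = 1 if knock == self.sequence[0] else 0
        state.last_seen = now
        if state.position == len(self.sequence):
            self.opened.append(src_ip)
            self.clients.pop(src_ip, None)
            return True
        self.clients[src_ip] = state
        return False


def run_demo() -> dict:
    """Replay constructed traffic (not captured data) through the server."""
    server = KnockServer(KNOCK_SEQUENCE)
    traffic = [  # (time, src_ip, proto, src_port); all values constructed
        (0.0, "10.0.0.5", "tcp", 25),
        (1.0, "10.0.0.5", "udp", 53),
        (2.0, "10.0.0.5", "icmp", 0),    # exact order: admitted
        (3.0, "10.0.0.9", "udp", 53),
        (4.0, "10.0.0.9", "tcp", 25),
        (5.0, "10.0.0.9", "icmp", 0),    # right knocks, wrong order: still waiting
        (20.0, "10.0.0.7", "tcp", 25),
        (21.0, "10.0.0.7", "tcp", 443),  # unrelated packet, ignored
        (45.0, "10.0.0.7", "udp", 53),   # 25 s after the first knock: timed out
        (46.0, "10.0.0.7", "icmp", 0),
        (50.0, "10.0.0.7", "tcp", 25),
        (51.0, "10.0.0.7", "udp", 53),
        (52.0, "10.0.0.7", "icmp", 0),   # retried inside the window: admitted
    ]
    events = []
    for t, ip, proto, port in traffic:
        if server.observe(ip, proto, port, t):
            events.append((t, ip))
    return {
        "opened": list(server.opened),
        "events": events,
        "pending": {ip: st.position for ip, st in server.clients.items()},
    }


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment `observe()` would be fed from a packet capture on the host and a successful sequence would trigger whatever the server is guarding (a firewall rule, a spawned shell); here the replay only records who was admitted, which is enough to show why the same three packets in the wrong order, or spread over too long a window, never open the door.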