Just to elaborate a bit about port knocking first. Port knocking is a technique which can be used by a server to respond only if a specific sequence of packets hits a port. I remember testing out a trojan called Sadoor which used port knocking.

A hacker would install the Sadoor server on a machine. However, it would respond only if the Sadoor client (which obviously the hacker has in this case) sends packets in a predefined order. So, for example, you could configure Sadoor to give you a shell only if it received:
Code:
a) TCP packets from port 25
b) UDP packets from port 53
c) An ICMP echo reply packet
Note that these are all fake packets created on the fly by the Sadoor client just so it can connect to the Sadoor server loaded on the compromised host. So only if the Sadoor server receives these packets in the exact same order will it let the attacker in; otherwise it'll just keep waiting.

So if you apply it to a real-world scenario, port knocking on, say, port 80 would be a big pain, as you said, because all your users would need to know what packets to construct and send, which is impractical.
Regarding hiding your ssh port, I guess it'll be possible, but how would you do it? You'll need to somehow tell sshd that it shouldn't directly accept requests made by a normal ssh client. It must listen for the proper port knocking sequence and allow an ssh client in only if this is true.

I'm pretty sure you will need to write a bit of code independently and have ssh call it before it responds to your request, or modify the code for sshd itself. Neither of these is very practical or really needed, as there are better methods of locking down / controlling access to SSH.

If there's any other way to do it without writing any fresh code I'd be glad to hear it. You might also want to look at Sadoor and its excellent documentation for an even better understanding.
Cheers
Arvind
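The server-side logic the post describes (stay silent until the exact knock sequence arrives in order, reset on anything else) as an added example; this is not Sadoor's code nor the poster's, just a standalone illustration of the same idea. It assumes the three knocks from the post are matched on TCP/UDP source port and on ICMP type (0 = echo reply), adds a hypothetical 10-second limit between consecutive knocks, and replays a constructed, labelled trace of packets from two clients rather than sniffing a real interface.

```python
"""Toy port-knocking gate (added example, modelled on the post's description).

A client is admitted only after the gate sees the knock sequence from that
client's IP in the exact order. Any out-of-order packet, or too long a pause,
throws the client back to the start, so the gate "just keeps waiting".
"""
from dataclasses import dataclass, field

# Knock sequence taken from the post's example configuration. How the knocks
# are matched (source port for TCP/UDP, type for ICMP) is an assumption.
KNOCK_SEQUENCE = (("tcp", 25), ("udp", 53), ("icmp", 0))
KNOCK_TIMEOUT = 10.0  # max seconds between consecutive knocks (assumed value)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str  # "tcp", "udp" or "icmp"
    value: int  # source port for tcp/udp, ICMP type for icmp
    t: float    # arrival time in seconds


@dataclass
class KnockGate:
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = KNOCK_TIMEOUT
    # per-client progress: src_ip -> (index of next expected knock, time of last good knock)
    progress: dict = field(default_factory=dict)
    admitted: set = field(default_factory=set)

    def observe(self, pkt: Packet) -> bool:
        """Feed one packet. Returns True once pkt.src_ip has completed the sequence."""
        if pkt.src_ip in self.admitted:
            return True
        idx, last = self.progress.get(pkt.src_ip, (0, pkt.t))
        if pkt.t - last > self.timeout:
            idx = 0  # knocked too slowly: start over
        knock = (pkt.proto, pkt.value)
        if knock == self.sequence[idx]:
            idx += 1
        else:
            # wrong knock resets the state; the offending packet may itself be knock #1
            idx = 1 if knock == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.admitted.add(pkt.src_ip)
            self.progress.pop(pkt.src_ip, None)
            return True
        self.progress[pkt.src_ip] = (idx, pkt.t)
        return False


def parse_trace(lines):
    """Parse constructed 'time src_ip proto value' lines into Packet objects."""
    packets = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src_ip, proto, value = line.split()
        packets.append(Packet(src_ip, proto.lower(), int(value), float(t)))
    return packets


def admitted_clients(lines, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
    """Replay a trace through one gate and return the set of admitted client IPs."""
    gate = KnockGate(sequence=sequence, timeout=timeout)
    for pkt in parse_trace(lines):
        gate.observe(pkt)
    return gate.admitted


# Constructed trace (not real capture data): 10.0.0.5 knocks correctly,
# 10.0.0.6 sends the same packets in the wrong order, and 10.0.0.7 knocks
# correctly but pauses too long before the final ICMP packet.
SAMPLE_TRACE = """
# time  src_ip    proto value
1.0     10.0.0.5  tcp   25
1.2     10.0.0.6  udp   53
1.5     10.0.0.5  udp   53
1.7     10.0.0.6  tcp   25
2.0     10.0.0.5  icmp  0
2.2     10.0.0.6  icmp  0
3.0     10.0.0.7  tcp   25
3.5     10.0.0.7  udp   53
30.0    10.0.0.7  icmp  0
""".splitlines()


if __name__ == "__main__":
    print("admitted:", sorted(admitted_clients(SAMPLE_TRACE)))
```

Per-client state is what makes this usable on a shared host: the gate tracks each source address separately, so interleaved traffic from other machines does not disturb a legitimate knocker, and a wrong or late knock only resets that one client.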