Hello

I'm looking for a way to open up the SSH port on a remote server behind a NAT firewall so I can connect from the Net (from a Windows host) while reducing the risk of running SSHd at all times.

I've never used it, but it seems like Knockd is close to what I'm looking for (trying to connect to several specific ports within a certain timeframe will launch SSHd), but that would require opening up several ports on the router just for Knockd. I find the alternative of using one-time sequences too complicated.

Does someone know of a simpler system, where the daemon would be listening to a _single port_ and launch SSHd if it got -_specific data patterns_ in TCP packets?

Thank you.

Not sure, but wouldn't a "specific pattern" basically be a password? if so, I'd rather pass that password over a secure ssh connection than a raw tcp socket. You could easily write a simple xinetd daemon to listen on a port and use netcat to pipe whatever recieved data you get into a simple script, but the point of port knocking is that no data is ever allowed IN to the system, which wouldn't be that case in your model.

If you do want to persist with this, you can do most of it within iptables, no need for a daemon in itself.

http://www.debian-administration.org/articles/268

Based on this you could introduce a "-m match" check to watch the contents of a stream. As to how to get that stream set up in the first place though, again i'd suggest netcat just sending everything to /dev/null