@cryptolok
Created May 18, 2017 21:56
Port Knocking configuration using OpenBSD with knockd on SSH
# Port Knocking configuration using OpenBSD with knockd on SSH
#! DISCLAIMER !
# OpenBSD isn't an OS for Unix novices, so I will omit deep details and just make some assumptions about your configuration
# Port Knocking, despite being a well-known network stealthing technique, was implemented essentially for Linux; I made a reliable, stable and portable configuration for OpenBSD (it might also work for FreeBSD)
# install
export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/
pkg_add autoconf
pkg_add automake
export AUTOCONF_VERSION=2.69
export AUTOMAKE_VERSION=1.14
git clone https://github.com/jvinet/knock
# compile and install from the cloned repository (e.g. cd knock && ./autogen.sh && ./configure && make && make install)
/sbin/knockd -i re0 -c /usr/local/etc/knockd.conf
# Packet Filter
/etc/pf.conf:
block all
pass out
# Port Knocking
/usr/local/etc/knockd.conf:
[options]
logfile = /var/log/knockd.log
[opencloseSSH]
sequence = 443:tcp, 80:tcp
# the HTTPS and HTTP ports are selected because they are less likely to be filtered if you're behind a restrictive firewall, and the knock can be done by a web browser, whereas port scanners won't show such behavior; you're still encouraged to change them if you wish
seq_timeout = 1
tcpflags = syn
start_command = /bin/echo 'pass in on re0 proto tcp from %IP% to re0:0 port 22' >> /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
cmd_timeout = 10
stop_command = /usr/bin/sed -i '$ d' /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
# this will open the SSH port on interface re0 for 10 seconds, which allows you to connect; since PF is a stateful firewall, it won't block an already established connection
# note that it is a mistake to think that I reload all of the PF rules; this is true for Netfilter (iptables), but PF changes the rules in a smart manner
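# The start_command/stop_command pair above appends a rule to /etc/pf.conf and then deletes the file's last line. That works for one knocker at a time, but if two sources knock within cmd_timeout, or anything else appends to pf.conf in between, `sed '$ d'` removes the wrong line. The helper below is an added example, not part of this gist or of knockd: it keeps pf.conf static and instead adds/removes the knocking address in a pf table that a permanent pass rule references. It assumes pf.conf contains `table <knocked> persist` and `pass in on re0 proto tcp from <knocked> to re0:0 port 22`, and that the script is installed at a path of your choosing (e.g. /usr/local/sbin/knock-gate.sh) and referenced as `start_command = /usr/local/sbin/knock-gate.sh open %IP%` and `stop_command = /usr/local/sbin/knock-gate.sh close %IP%`. The address check is defensive: knockd fills %IP% from the packet source, but a shell helper should still refuse anything that is not a plain IPv4 address before passing it to pfctl.

```shell
#!/bin/sh
# knock-gate.sh: hypothetical helper invoked by knockd to open/close SSH for one source.
# Assumes /etc/pf.conf carries:
#   table <knocked> persist
#   pass in on re0 proto tcp from <knocked> to re0:0 port 22
# PFCTL and TABLE can be overridden (e.g. PFCTL=echo) to dry-run without touching pf.
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-knocked}"

# valid_ip ADDR: succeed only for a dotted-quad IPv4 address whose octets are 0-255.
valid_ip() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, leading/trailing/double dot
    esac
    oldifs=$IFS; IFS=.
    set -- $ip                                   # split on dots into the function's positional params
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gate open|close ADDR: add ADDR to, or remove it from, the pf table the SSH pass rule references.
# Returns pfctl's status on success and 2 on a bad address or usage error.
gate() {
    action=$1; addr=$2
    valid_ip "$addr" || { echo "knock-gate: refusing bad address '$addr'" >&2; return 2; }
    case "$action" in
        open)  "$PFCTL" -t "$TABLE" -T add "$addr" ;;
        close) "$PFCTL" -t "$TABLE" -T delete "$addr" ;;
        *)     echo "usage: $0 open|close ADDR" >&2; return 2 ;;
    esac
}

# Act only when invoked with arguments (as knockd does); sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    gate "$@"
fi
```

With this layout the rule set never changes, so no `pfctl -f` reload is needed; `pfctl -t knocked -T show` lists who currently has the SSH port open, and a second knocker within the 10-second window no longer disturbs the first one's entry.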
# connecting from your PC
sudo aptitude install knock || yaourt knock || echo 'you know what to do'
knock $IP 443 80
ssh $IP
# I advise repeating it a few times in order to cope with network delays and lost packets in some circumstances
# alternatively, you can also use your web browser or wget
firefox https://$IP || wget https://$IP
firefox http://$IP || wget http://$IP
ssh $IP
@SubZr0
SubZr0 commented Jul 19, 2017

Hi,

make gives me trouble:

bash-4.4# make
make all-am
make: don't know how to make doc/knock.1 (prerequisite of: all-am)

any thoughts?

bash-4.4# uname -a
OpenBSD knockd.demo.local 6.1 GENERIC.MP#20 amd64
bash-4.4#