There can be a maximum interval (timeout) between knocks.
Is there a way to enforce a minimum spacing (pause/delay/sleep) between knocks? Something like:
{#meta
knock 234 timeout 5s pause 2s,
knock dport 123 timeout 5s pause 2s,
knock dport 123 timeout 3s pause 1s,
knock dport 234 timeout 3s pause 1s,
knock dport 123 timeout 5s pause 1s accept {ssh}
}
Or something like this:
set SSH_OK { type ipv6_addr; flags timeout; elements = { 2001:DB8:: expires 30s }}
set Knock1 { type ipv6_addr; timeout 5s; }
set Knock2 { type ipv6_addr; timeout 5s; }
set Knock3 { type ipv6_addr; timeout 5s; }
set Knock4 { type ipv6_addr; timeout 5s; }
set Knock5 { type ipv6_addr; timeout 5s; }
#
chain Input {
type filter hook input priority 0; policy drop;
ct state established,related counter accept
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
tcp dport ssh ip6 saddr @SSH_OK counter packets 0 bytes 0 accept
iifname != lo ip6 daddr ::1/128 counter drop
iif lo accept
drop
}
#
chain SFAE {
type filter hook prerouting priority -300; policy accept;
tcp dport {ssh} set add ip6 saddr @Knock1 drop
ip6 saddr @Knock1 tcp dport 234 set add ip6 saddr @Knock2 drop; sleep 2s
ip6 saddr @Knock2 tcp dport 123 set add ip6 saddr @Knock3 drop; sleep 2s
ip6 saddr @Knock3 tcp dport 123 set add ip6 saddr @Knock4 drop; sleep 1s
ip6 saddr @Knock4 tcp dport 234 set add ip6 saddr @Knock5 drop; sleep 1s
ip6 saddr @Knock5 tcp dport 123 set add ip6 saddr timeout 5s @SSH_OK drop; sleep 2s
}
(Or should the delay/sleep perhaps go into the set Knock{1..5} definitions instead?)
I think that this kind of option, selecting by the rhythm of the knocks, would lower security through obscurity (STOP) and is more like a passphrase extension (argon2) against port scanning.
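As an added illustration that is not part of the question and not nftables code (nftables has no sleep action, so the `sleep` lines above are pseudo-syntax only), the following constructed Python simulation models the timing being asked for: every stage carries a maximum interval (the timeout of the per-stage set) and a minimum spacing (pause) before the next knock counts; a knock that arrives too early, too late, or on the wrong port drops the source back to the start, and a completed sequence grants access for 30 s, matching the `expires 30s` on SSH_OK. The stage ports and timings are taken from the post's pseudo-syntax; the sample address and the choice to reset on a too-early knock are assumptions of this example.

```python
"""Simulation of a port-knock sequence with both a maximum interval (timeout)
and a minimum spacing (pause) between knocks.

Constructed example: it is not nftables code and does not claim nftables can
express the pause directly.  It only makes the intended timing precise.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Stage:
    dport: int
    timeout: float   # max seconds until the next knock (like an nft set timeout)
    pause: float     # min seconds before the next knock is accepted


# Ports and timings copied from the post's pseudo-syntax.
SEQUENCE = (
    Stage(234, 5.0, 2.0),
    Stage(123, 5.0, 2.0),
    Stage(123, 3.0, 1.0),
    Stage(234, 3.0, 1.0),
    Stage(123, 5.0, 0.0),   # final knock; its pause is never applied
)
OPEN_FOR = 30.0   # seconds the source stays accepted (SSH_OK "expires 30s")


@dataclass
class Knocker:
    stages: tuple = SEQUENCE
    open_for: float = OPEN_FOR
    progress: dict = field(default_factory=dict)  # src -> (stage reached, knock time)
    accepted: dict = field(default_factory=dict)  # src -> expiry time

    def knock(self, src: str, dport: int, now: float) -> int:
        """Feed one SYN from src to dport at time `now` (seconds).

        Returns the stage index reached: 0 means the source was reset,
        len(stages) means the sequence completed and src is now accepted.
        """
        idx, last = self.progress.get(src, (0, None))
        if idx:
            prev = self.stages[idx - 1]
            gap = now - last
            # Outside the [pause, timeout] window: forget the progress, the
            # same effect as an expired entry in the per-stage set.
            if gap > prev.timeout or gap < prev.pause:
                idx = 0
        if dport != self.stages[idx].dport:
            # Wrong port for this stage (or wrong port after a reset): drop all progress.
            self.progress.pop(src, None)
            return 0
        idx += 1
        if idx == len(self.stages):
            self.progress.pop(src, None)
            self.accepted[src] = now + self.open_for
        else:
            self.progress[src] = (idx, now)
        return idx

    def allowed(self, src: str, now: float) -> bool:
        """True if src completed the sequence and the acceptance has not expired."""
        return self.accepted.get(src, float("-inf")) > now


if __name__ == "__main__":
    # Constructed sample address; a correctly paced run followed by a too-fast one.
    k = Knocker()
    for dport, t in ((234, 0.0), (123, 2.5), (123, 5.0), (234, 6.5), (123, 8.0)):
        print(f"t={t:4.1f} dport={dport} -> stage {k.knock('2001:db8::1', dport, t)}")
    print("allowed at t=10:", k.allowed("2001:db8::1", 10.0))
    fast = Knocker()
    fast.knock("2001:db8::2", 234, 0.0)
    print("too-early second knock ->", fast.knock("2001:db8::2", 123, 0.1))
```

The point of the pause is visible in the second run: a scanner that walks the ports in rapid succession trips the minimum spacing and is reset, even if it happens to hit the right ports in the right order, while a client that paces its knocks inside each [pause, timeout] window still gets through.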