Page 2 of 2
Results 11 to 17 of 17

Thread: Enable Logging for attempted connection on a closed port

  1. #11

    Re: Enable Logging for attempted connection on a closed port

    I'd say it's pretty outdated.

    As far as the port-knocking goes, I'm pretty sure you can implement that purely in iptables. There's probably an example somewhere, or you can spend enough time looking at the options (see the manual page iptables-extensions). Keys are the better way to go instead.

  2. #12

    Re: Enable Logging for attempted connection on a closed port

    I'm with Lars Nooden on this. I would set up IPTables and then send the IPTables logs to your centralized log server.
    The method you described might work, but you're describing the function of a firewall so why not use a firewall to do it?

  3. #13

    Re: Enable Logging for attempted connection on a closed port

    Quote Originally Posted by clearski View Post
    I am asking because some people (including an author of a book about SSH) suggested having a backup user (so, it is strictly an exception, not a rule) with a Match term in sshd_config that would be allowed to use passwords, in case that, somehow, a user which usually uses passwordless logins would be unable to use this type of login (he is locked out because he forgot to upload a new version of the keys on the server before an exit, for example).
    As long as you are using a strong password, you should be fine.

    I have my server set up to allow me to login via password from the local network, but that's only cuz I got sick of copying keys over to the VMs I would create and destroy while testing things.

    With that being said, I prefer keys but I also login as a non root user and then su to root if I need to do admin tasks.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  4. #14

    Re: Enable Logging for attempted connection on a closed port

    Quote Originally Posted by CharlesA View Post
    As long as you are using a strong password, you should be fine.
    Thanks for the reply, it's always good to know how far one should go with each option he got.

    Sorry again for being off-topic.

  5. #15

    Re: Enable Logging for attempted connection on a closed port

    Quote Originally Posted by termvrl View Post
    I would like to know how we can set/enable syslog logging for an attempted connection on a closed port.
    I want to test port knocking. For e.g., if an attempted connection is received on a higher port such as port 12345 three times, it will start the sshd service.
    Perhaps I don't understand the question - knockd already logs both successes and failures.

  6. #16

    Re: Enable Logging for attempted connection on a closed port

    Quote Originally Posted by ian-weisser View Post
    Perhaps I don't understand the question - knockd already logs both successes and failures.

    Hi all,

    Thanks for the reply.
    I don't use knockd because what I'm trying to do here is basically to write a program looking for attempts on closed ports based on the syslog generated.
    If the combination is correct, then allow the port to be opened.

    Thanks.

  7. #17

    Re: Enable Logging for attempted connection on a closed port

    Seems like you essentially want to duplicate the knockd functionality.
    Nothing wrong with that, a good way to learn. Have you, by chance, looked at the knockd source code to see how that developer solved a very similar problem? Without duplicating it, his approach may give you good ideas.

    You can monitor the log you use for dropped connections from IPTables.
    Or you can monitor failed connections in /var/auth/log.
    Last edited by ian-weisser; December 12th, 2013 at 12:16 AM.
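The approach ian-weisser sketches above (watch the iptables drop log, open the port once the right combination shows up) can be prototyped in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from knockd, or from any Ubuntu package. It assumes a firewall rule that tags logged SYNs with the prefix "KNOCK: " (an illustrative rule is in the docstring), a knock of three SYNs to port 12345 from one source within 10 seconds, and constructed kernel log lines in the standard iptables LOG format. The log lines, IP addresses and ports are made up for the demonstration.

```python
"""Detect a port-knock sequence in iptables LOG lines and decide when to open a port.

Assumed firewall side (example rules, not from the original thread):
    iptables -A INPUT -p tcp --syn -j LOG --log-prefix "KNOCK: "
    iptables -A INPUT -p tcp --syn -j DROP
-j LOG does not terminate rule processing, so the DROP after it is what keeps the
port closed; the LOG line is what this detector consumes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed knock: three SYNs to 12345 from the same source within WINDOW_SECONDS.
KNOCK_SEQUENCE = (12345, 12345, 12345)
WINDOW_SECONDS = 10
PREFIX = "KNOCK: "

# Standard iptables LOG layout: syslog timestamp, host, "kernel:", optional
# "[uptime]", our prefix, then KEY=VALUE fields. Only SRC, PROTO and DPT matter here.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?:\[[^\]]*\] )?"
    + re.escape(PREFIX)
    + r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return {'ts','src','proto','dpt'} for a KNOCK-prefixed line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only differences are used, so that is fine.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


class KnockDetector:
    """Tracks per-source progress through KNOCK_SEQUENCE with a sliding window."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = defaultdict(list)  # src -> timestamps of matched knocks

    def feed(self, line):
        """Consume one log line; return the source IP when its knock completes."""
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP":
            return None
        hits = self.progress[ev["src"]]
        # Too slow: the whole sequence must fit inside the window, so start over.
        if hits and (ev["ts"] - hits[0]).total_seconds() > self.window:
            hits.clear()
        if ev["dpt"] != self.sequence[len(hits)]:
            # Wrong port resets progress; it may itself be a fresh first knock.
            hits.clear()
            if ev["dpt"] == self.sequence[0]:
                hits.append(ev["ts"])
            return None
        hits.append(ev["ts"])
        if len(hits) == len(self.sequence):
            del self.progress[ev["src"]]
            return ev["src"]
        return None


def open_ssh_rule(src):
    """argv a caller would pass to subprocess.run (as root) to admit src to port 22."""
    return ["iptables", "-I", "INPUT", "-s", src, "-p", "tcp",
            "--dport", "22", "-j", "ACCEPT"]


def _line(hhmmss, src, dpt):
    """Build a constructed kernel log line in iptables LOG format (sample data)."""
    return (f"Dec 12 {hhmmss} gw kernel: [ 4242.123456] {PREFIX}IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.0.2.10 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 "
            f"DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")


# Constructed sample log: one good knocker, one that hits a wrong port, one too slow.
SAMPLE_LOG = [
    _line("00:00:01", "203.0.113.5", 12345),
    _line("00:00:02", "198.51.100.7", 12345),
    _line("00:00:03", "203.0.113.5", 12345),
    _line("00:00:03", "198.51.100.7", 12345),
    _line("00:00:04", "198.51.100.7", 80),      # wrong port: progress reset
    _line("00:00:05", "203.0.113.5", 12345),    # third knock within 4 s: open
    _line("00:00:06", "198.51.100.7", 12345),   # only 1 of 3 since the reset
    _line("00:00:10", "192.0.2.99", 12345),
    _line("00:00:15", "192.0.2.99", 12345),
    _line("00:00:30", "192.0.2.99", 12345),     # 20 s after the first: expired
]


def run(lines):
    """Feed lines through a detector; return the sources whose knock completed."""
    detector = KnockDetector()
    return [src for src in (detector.feed(l) for l in lines) if src]


if __name__ == "__main__":
    for src in run(SAMPLE_LOG):
        print("would run:", " ".join(open_ssh_rule(src)))
```

In production this would tail /var/log/kern.log (or read the journal) rather than a list, and the ACCEPT rule should carry an expiry (a later DELETE, or an iptables `recent` match) so that one successful knock does not leave the port open forever. Note also that a daemon reading a log file sees the knock only after syslog flushes it, which is one reason knockd captures packets directly instead.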
