Port Knocking

Imagine that you live in a weird apocalyptic future, and you want to keep your home safe, so you find yourself a sturdy front door and a high-quality deadbolt to secure it with. Everything is set, and you’re satisfied that you’re safe.

Hardly a minute goes by before you hear a knock on the door. It’s a hooligan trying to get in. You know you’re still safe, and you shoo the person away the best you can without opening the door, but a minute later there’s another knock. And then yet another — it never stops. Checking who’s at the door is tiring work, and you can’t take it anymore. You could ignore all knocks, but you do occasionally get guests, and apocalypse or no, you mustn’t ignore your social circle. What do you do?

You come up with an ingenious scheme. You let your prospective guests know that when they come to your door, they will need to use a special knock sequence that you can recognize. Only when you hear this knock sequence will you bother to even check who’s at the door. “Ignore my protocol at your own peril!”, you warn them all.

The problem with running a public SSH server on your home network is less weird but otherwise not too different from the situation above. Even after securing your server with state-of-the-art certificate authentication and unbreakable ciphers, you find people (mostly automated bots) still trying all day to connect to your server with passwords. While this is not personally tiring, it does end up consuming compute resources and polluting your authentication logs (and as a consequence, obfuscating real problems). One solution to this problem is analogous to the one above — you ask your users to send a few packets to specific ports in a particular sequence, before accepting an SSH connection on the usual port. This works out especially well if the user is you — for instance, if you are using SSH to connect remotely to your home server, and you don’t need to grant access to anyone else.

Here’s how you get this going:

On the server —

  • Step 1: Enable netfilter in your Linux kernel for packet sniffing.
  • Step 2: Set up the nftables firewall to start automatically.
  • Step 3: Configure a port knocking sequence in your firewall rules.
  • Step 4: Open up the relevant ports on your home network router firewall.

Steps 1 and 2 are usually specific to the Linux distribution you use, and I would recommend looking up its documentation. For reference, Gentoo’s documentation can provide a general idea of how this is done. Step 3 is accomplished using nftables rules that you can load (and save). Step 4 is router-dependent. For instance, my eero app has a relevant section in Settings → Network settings → Reservations & port forwarding.
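As an added example for Step 3 (this is not a ruleset the author published, and it is not part of the original post), here is a small POSIX shell script that generates and loads an nftables ruleset implementing a three-port knock sequence. The knock ports 7000, 8000 and 9000, the 5s/10s timeouts, the SSH port 22 and the scratch path /tmp/portknock.nft are placeholder assumptions; the script takes them from environment variables so they are easy to change. The ruleset follows the pattern of chaining two "candidate" set insertions into a final "clients" set, which generalizes to any number of knocks by adding one candidate rule per extra port.

```shell
#!/bin/sh
# Server side: generate and load an nftables port-knocking ruleset (Step 3).
# Added example, not from the original post. All values below are placeholders.
KNOCK1=${KNOCK1:-7000}
KNOCK2=${KNOCK2:-8000}
KNOCK3=${KNOCK3:-9000}
SSH_PORT=${SSH_PORT:-22}
STEP_TIMEOUT=${STEP_TIMEOUT:-5s}   # time allowed between consecutive knocks
OPEN_TIMEOUT=${OPEN_TIMEOUT:-10s}  # how long SSH stays open after the last knock
RULESET_FILE=${RULESET_FILE:-/tmp/portknock.nft}

# Refuse obviously broken sequences: duplicate ports, or a knock on the SSH port.
check_ports() {
  for p in "$KNOCK1" "$KNOCK2" "$KNOCK3"; do
    [ "$p" -ne "$SSH_PORT" ] || return 1
  done
  [ "$KNOCK1" -ne "$KNOCK2" ] && [ "$KNOCK2" -ne "$KNOCK3" ] && [ "$KNOCK1" -ne "$KNOCK3" ]
}

# Print the ruleset to stdout (nft file syntax; '#' lines are comments).
gen_ruleset() {
  check_ports || { echo "knock ports must be distinct and differ from $SSH_PORT" >&2; return 1; }
  cat <<EOF
table inet portknock {
    # Sources that completed the whole sequence; entries expire on their own.
    set clients_ipv4 {
        type ipv4_addr
        flags timeout
    }
    # Sources part-way through, keyed by (source address, next expected port).
    set candidates_ipv4 {
        type ipv4_addr . inet_service
        flags timeout
    }

    chain input {
        # priority -10: runs before the usual filter chain at priority 0
        type filter hook input priority -10; policy accept;

        iifname "lo" accept
        ct state established,related accept

        # Knock 1: remember that this source must hit KNOCK2 next.
        tcp dport $KNOCK1 add @candidates_ipv4 { ip saddr . $KNOCK2 timeout $STEP_TIMEOUT }
        # Knock 2: only counts if (source, KNOCK2) is pending; then expect KNOCK3.
        tcp dport $KNOCK2 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . $KNOCK3 timeout $STEP_TIMEOUT }
        # Knock 3: sequence complete; open SSH for this source and log it.
        tcp dport $KNOCK3 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout $OPEN_TIMEOUT } log prefix "portknock ok: "

        # SSH: accept sources that knocked, reject new connections from everyone else.
        tcp dport $SSH_PORT ip saddr @clients_ipv4 counter accept
        tcp dport $SSH_PORT ct state new counter reject with tcp reset
    }
}
EOF
}

# Syntax-check the generated file first (nft -c), then load it for real.
apply_ruleset() {
  gen_ruleset > "$RULESET_FILE" &&
  nft -c -f "$RULESET_FILE" &&
  nft -f "$RULESET_FILE"
}

case "${1:-}" in
  show)  gen_ruleset ;;
  apply) apply_ruleset ;;
esac
```

Run it with `show` to inspect the ruleset and with `apply` (as root) to load it. Two things to keep in mind: an `accept` in this chain does not bypass a later base chain, so your normal input chain must still allow port 22 (this chain only rejects non-knockers before they get that far); and the `log prefix "portknock ok: "` line means every completed sequence shows up in the kernel log, which is a convenient place to notice a sequence being replayed from an address you do not recognize.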

✗ Test that you can no longer connect directly over SSH.

On the client —

  • Step 5: Set up your SSH configuration to knock on ports.
  • Step 6: Test your SSH connectivity.
  • Step 7: DONE!

To set up Step 5 on the client-side, you can create a simple knock script in your PATH, make it executable, and configure your SSH client to execute it automatically before connecting to your server.
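An added example of the client side of Step 5 (again, not the author's script and not part of the original post): a `knock` script that sends one connection attempt to each port of the sequence, plus the `~/.ssh/config` lines that make ssh run it before every connection to the server. The host name home.example.com, the user name, and the ports 7000 8000 9000 are placeholder assumptions, and the script assumes a netcat that understands `-z` and `-w` (OpenBSD nc and ncat both do). The `KNOCK_SEND` hook exists only so the sequencing logic can be exercised without sending packets.

```shell
#!/bin/sh
# knock: send one TCP connection attempt to each port of a knock sequence, in order.
# Added example (not from the original post); host, user and ports are placeholders.
#
# Usage: knock HOST PORT [PORT...]
# Install as ~/bin/knock (on your PATH), chmod +x, then in ~/.ssh/config:
#
#   Host home
#       HostName home.example.com      # placeholder
#       User alice                     # placeholder
#
#   Match host home exec "knock %h 7000 8000 9000"
#
# ssh evaluates "Match exec" while reading its configuration, i.e. before it
# opens the TCP connection to port 22, so the knocks always precede the login.

# One knock = one connect attempt that is expected to be refused or time out.
send_syn() {
  # -z: no data, just try to connect; -w 1: give up after one second.
  nc -z -w 1 "$1" "$2" 2>/dev/null
  return 0  # failure to connect is the normal outcome on a knock port
}

# Command used to deliver a knock; override to record knocks instead (tests).
KNOCK_SEND=${KNOCK_SEND:-send_syn}
# Pause between knocks; keep it well below the server's per-step timeout.
KNOCK_DELAY=${KNOCK_DELAY:-0.2}

is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

knock() {
  host=$1
  [ $# -ge 2 ] || { echo "usage: knock HOST PORT [PORT...]" >&2; return 2; }
  shift
  for port in "$@"; do
    is_port "$port" || { echo "knock: bad port '$port'" >&2; return 2; }
  done
  for port in "$@"; do
    "$KNOCK_SEND" "$host" "$port"
    sleep "$KNOCK_DELAY"
  done
  return 0   # a zero exit keeps the Match block active, so ssh proceeds
}

# Only act when invoked as the installed script, not when sourced.
case "$0" in
  *knock) knock "$@" ;;
esac
```

Because the server only opens port 22 for a few seconds after the last knock, keep `KNOCK_DELAY` short and the `-w` timeout small; if a knock packet is silently dropped somewhere along the path, `nc` waits the full second and the sequence may exceed the server's step timeout.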

✓ Test that you can once again connect over SSH.

And it’s as simple as that.

Teneriffe Falls Trail

Today’s hike was a relatively easy one, 5.6 miles roundtrip with 1,585 feet elevation gain, with the trailhead along the I-90 corridor. This is, of course, the Teneriffe Falls Trail — not to be confused with the Mount Teneriffe Trail, which begins at the same trailhead but continues for 13 miles all the way up to the summit.

The waterfall at the top was a relatively calm one. In fact, it was only on the way back that we discovered it had even been in plain view about half a mile before getting the top, and both Anu and I had completely missed it on the way up. Perhaps we had been too engrossed in our conversation then.

We picked and ate some salmonberries (Rubus spectabilis) on the way down. The yellow ones taste a tad like tomato. We did not eat any of the red-berried elder (Sambucus racemosa) — they are poisonous if eaten raw! We found a good deal of purple foxglove (Digitalis purpurea) that added to the natural beauty of the woods.

Everything Old Is New...

“The Wheel of Time turns, and Ages come and pass, leaving memories that become legend. Legend fades to myth, and even myth is long forgotten when the Age that gave it birth comes again. In one Age, called the Third Age by some, an Age yet to come, an Age long past, a wind rose above the great mountainous island of Tremalking. The wind was not the beginning. There are neither beginnings nor endings to the Wheel of Time. But it was a beginning.” –Robert Jordan, The Path of Daggers

I started reading The Wheel of Time series back in 2008, in my early heady days of joining Amazon as a college hire. I was spurred on by colleagues who seemed to care a lot about these books. More than an interest in fantasy fiction¹, I think it was my desire to keep up with them that convinced me to slog through all eleven books available at the time. That was just in time for Brandon Sanderson to take over writing the remaining three books in the series. I was happy to see that the plot picked up pace, and soon it was all over.

I don’t think I was thrilled by the ending; it didn’t offer quite the release and satisfaction I was expecting after its final crescendo. But Sanderson managed to complete the ginormous feat of making the story move and guiding it to its destination despite the hundreds of plot threads weighing it down, and one must thank him for that.

I don’t recall much of the actual plotlines or characters (except for the few that turn up in the last three books of the series, which I’ve re-read a few times since). It’s funny how memory works like that — I recall the idea of reading the books, but the very concrete experience I must have had then has somehow morphed into an abstract concept in my memory. I don’t think it’s shelved away; I think all the juice that could be extracted from it has been consumed, and the pomace has been discarded. All that is left is a lingering flavor.

Blogging was of great interest to me until the year 2007, after which my interest waned, never quite enough to shut it all down, but also leaving me without much of anything to say. I “restarted” my blog every year or two with a promise of writing more about something. I realize now that the problem wasn’t that I didn’t have anything interesting to say, but that I worried about who my readers were and what they would think of it…and I found this situation unmotivating. Later, I had the idea of creating a blog focused on technical matters, called technoYak. This didn’t go anywhere, but then I created another blog with a similar focus called optimix which was great fun for a while. The big idea here was to write about anything, big or small, that I had personally built or experimented with, like a working implementation of an algorithm or a problem whose solution I had figured out. But the problem of motivation never quite went away, and content on the blog grew at a glacial pace.

But no more. For reasons I don’t understand — perhaps it has to do with my recent binge-watching of Andor — I feel energized once again by the idea of writing down my thoughts, ideas and most important of all, experiences. In essence, it is our experiences that give meaning to our consciousness, and it seems apt for them to be shared with the universe.

In a sense, I am back where I started, and that’s fantastic. I’ve decided to start blogging here again, merging my optimix blog into this one as well. I haven’t ported anything over from earlier though, nor do I intend to…except for my reading list. I now use a static website built using Zola, but the theme is very retro — it has much of the same look that my blog used to have back in 2007!

So welcome back once again, and happy reading & sharing! 🤓

¹ Despite my purported love of fantasy fiction novels, I believe I have only ever read one other series of that genre: The Farseer Trilogy by Robin Hobb, which was wonderfully written but devastatingly tragic.