Unofficial empeg BBS

#316969 - 04/12/2008 18:38 Re: A botnet is attacking my server [Re: mlord]
LittleBlueThing
addict

Registered: 11/01/2002
Posts: 612
Loc: Reading, UK
I'm also thinking that the last line (well, after you accept established connections really) should be along the lines of:
Code:
 $ipt -I INPUT -p tcp -m recent --name ssh_knock --remove

Otherwise all I need to do is portscan and then ssh in...

Also see http://www.debian-administration.org/articles/268 for a multi-port knock using ipt_recent
(Which also -I think - has the failing that multiple portscans will open the hole)


Edited by LittleBlueThing (04/12/2008 18:39)
_________________________
LittleBlueThing Running twin 30's

#316973 - 04/12/2008 20:03 Re: A botnet is attacking my server [Re: LittleBlueThing]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14484
Loc: Canada
Originally Posted By: LittleBlueThing
I'm also thinking that the last line (well, after you accept established connections really) should be along the lines of:
Code:
 $ipt -I INPUT -p tcp -m recent --name ssh_knock --remove

Otherwise all I need to do is portscan and then ssh in...


Eh? Plain english, please!

#316977 - 04/12/2008 21:23 Re: A botnet is attacking my server [Re: mlord]
LittleBlueThing
addict

Registered: 11/01/2002
Posts: 612
Loc: Reading, UK
I thought it was ;)

Well, when ipt sees the IP hit port $KNOCK it jumps to ssh_add
That adds the IP to the ssh_knock list
If the IP tries port 22 it goes to the ssh_filter which checks if the IP is in the ssh_knock list.
If it is then the rule succeeds.

What doesn't happen is that the IP is *removed* from the ssh_knock list if it hits any other port between hitting the $KNOCK port and port 22.

So if I do a portscan, hitting ports 1-65534, port 22 opens and stays open for a short while.

What you really want is for port 22 to be closed if the IP hits any other port after hitting $KNOCK and before hitting 22.

Hmm, even better would be if hitting $KNOCK and !22 put the IP onto a pre-KNOCK DROP blacklist for a short while - that would stop/slow brute force attacks too.
_________________________
LittleBlueThing Running twin 30's

#316979 - 04/12/2008 22:47 Re: A botnet is attacking my server [Re: LittleBlueThing]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14484
Loc: Canada
Thanks. Gotta be a bit careful there, though, as somebody could be accessing our web server legitimately from the same IP as I'm using to connect to SSH. Say, both of us behind the same hotel/corporate NAT firewall.

But yeah, good idea for ports with nothing public on them.

Something like this line, after the existing -j ssh_add line:

ipt -A INPUT -p tcp --syn -m recent --name ssh_knock --rcheck -j ssh_del

Cheers!


Edited by mlord (05/12/2008 10:33)
Edit Reason: Added --syn for correctness

#316988 - 05/12/2008 08:10 Re: A botnet is attacking my server [Re: mlord]
LittleBlueThing
addict

Registered: 11/01/2002
Posts: 612
Loc: Reading, UK
I used -I by mistake since my chain doesn't exist in your example, sorry. Actually I just did:
ipt -A tcp_packets -m recent --name ssh_knock --remove
which is just what you used but without the logging.

In my rules this is at the end of the tcp_packets/tcp_filter list before the default DROP.

Ensuring it comes after any 'accept' ports and 'established' should do what you want though.
_________________________
LittleBlueThing Running twin 30's
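A toy model of the rule ordering worked out in the posts above, added here as an example (it is not code from the thread, and it models the ipt_recent list in Python rather than calling iptables). The knock port value, the public port set and the source address are constructed placeholders; it shows why an ascending portscan opens port 22 without the --remove rule, and why putting that rule after the accept rules and before the default DROP closes the hole while leaving legitimate web traffic from the same IP harmless.

```python
"""Simulation of the ssh_knock chain: knock -> ssh_add, port 22 -> ssh_filter, --remove rule."""
from dataclasses import dataclass, field

KNOCK_PORT = 31337    # constructed stand-in for the thread's $KNOCK
SSH_PORT = 22
PUBLIC_PORTS = {80}   # services accepted for everyone (mlord's hotel/NAT caveat)


@dataclass
class Firewall:
    remove_on_other_ports: bool               # is the '--name ssh_knock --remove' rule installed?
    knocked: set = field(default_factory=set)  # the ipt_recent 'ssh_knock' list (expiry ignored)

    def syn(self, src: str, port: int) -> str:
        """Walk the INPUT chain for one SYN from src to port; return the verdict."""
        if port == KNOCK_PORT:            # -j ssh_add: remember the source, drop the packet
            self.knocked.add(src)
            return "DROP"
        if port == SSH_PORT:              # -j ssh_filter: only knocked sources get in
            return "ACCEPT" if src in self.knocked else "DROP"
        if port in PUBLIC_PORTS:          # public 'accept' rules come first, so they never
            return "ACCEPT"               # revoke a knock from a shared NAT address
        if self.remove_on_other_ports:    # any other port forgets the knock ...
            self.knocked.discard(src)
        return "DROP"                     # ... then falls through to the default DROP


def portscan_then_ssh(fw: Firewall, src: str = "198.51.100.7") -> str:
    """Scan ports 1-65534 in order (as in the thread), then try ssh."""
    for port in range(1, 65535):
        fw.syn(src, port)
    return fw.syn(src, SSH_PORT)


def knock_then_ssh(fw: Firewall, src: str = "198.51.100.7") -> str:
    """The intended sequence: knock, then ssh."""
    fw.syn(src, KNOCK_PORT)
    return fw.syn(src, SSH_PORT)


def knock_web_then_ssh(fw: Firewall, src: str = "198.51.100.7") -> str:
    """Knock, then someone behind the same NAT browses the web server, then ssh."""
    fw.syn(src, KNOCK_PORT)
    fw.syn(src, 80)
    return fw.syn(src, SSH_PORT)


if __name__ == "__main__":
    print("scan, no --remove:", portscan_then_ssh(Firewall(False)))   # ACCEPT (the hole)
    print("scan, with --remove:", portscan_then_ssh(Firewall(True)))  # DROP
```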

#316990 - 05/12/2008 10:31 Re: A botnet is attacking my server [Re: LittleBlueThing]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14484
Loc: Canada
Originally Posted By: LittleBlueThing
Ensuring it comes after any 'accept' ports and 'established' should do what you want though.

Yup, that's where it is in the script here now, too.
Nice little improvement over the original, that is.

Cheers!

#316999 - 05/12/2008 13:27 Re: A botnet is attacking my server [Re: mlord]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3810
Curiously, the connection attempts on my ssh port have completely stopped. Do you suppose they gave up after I went public-key-auth-only?
