Why bother? Why not just use SPA secure port knocking with GPG users and expiring tickets that just hides the port completely using firewall rules unless authorized? fwknop is just one example, and it works for any and all services.
Also, there are these internal network creation systems called VPNs.
Sensitive ports should be guarded behind VPNs on private networks. And, the VPN port itself should be guarded with SPA port knocking.
Stop putting ssh on everything and on public IPs on the actual public internet. Don't do this. Do you know how many weeks were spent cleaning up after idiots who did this with desktops contracting W32/Blaster? One "secured" Oracle database box on a public IP got an unknown trojan rootkit; Mark Russinovich was like: what is this voodoo that they do? The "only" solution, since it "couldn't ever be taken down," was to block everything it didn't explicitly need to function and general outbound internet access. Lack of security, idempotent automation of configuration management, and restoration caused these issues. It languished on for years with what effectively was an "endogenous retrovirus" that "couldn't" be removed.
It isn't really secure... Because an attacker on the network can see which port you're about to connect to, and which IP you're connecting from, and connect to the target milliseconds before you do.
I prefer to keep the word 'secure' for things that provide at least man-in-the-middle protection, which this approach doesn't.
Single Packet Authorization doesn't claim to do anything about encryption, authentication, integrity, auditing, or anything else.
Leave ambiguous terminology hair-splitting at the door and get to specifics.
It's securing the keyhole of the padlock. No sense moving the padlock around when it can be closed to begin with, and opened with a special knock that is extremely complicated: time, service, and identifies which user.
Port knocking on top of VPN, SSL, SSH, WireGuard, or whatever. You don't do this with telnet because common sense. Duh!
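A worked illustration of the SPA model the thread is arguing about (an expiring, per-user, per-service ticket that opens a firewall rule only for the knocking source IP, with replay rejection), added here as an example; it is not fwknop's wire format or code, and the user key and addresses are constructed:

```python
import hmac, hashlib, json, time, secrets

# Constructed, simplified SPA verifier: one authenticated packet carries
# user, service, timestamp and nonce; a valid knock opens a short-lived
# rule scoped to the knocking IP. This is NOT fwknop's real packet format.
USER_KEYS = {"alice": b"constructed-shared-secret-for-alice"}  # assumption
TICKET_TTL = 30   # seconds a knock stays acceptable (clock skew window)
RULE_TTL = 20     # seconds the opened firewall rule lives


def build_knock(user, service, key, now=None, nonce=None):
    """Client side: JSON body followed by an HMAC-SHA256 tag over it."""
    body = {"user": user, "service": service,
            "ts": int(now if now is not None else time.time()),
            "nonce": nonce or secrets.token_hex(8)}
    msg = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return msg + b"." + tag.encode()


class SpaVerifier:
    def __init__(self, user_keys):
        self.user_keys = user_keys
        self.seen = set()       # (user, nonce) pairs already accepted
        self.open_rules = {}    # (src_ip, service) -> rule expiry time

    def handle(self, packet, src_ip, now):
        """Server side: return the rule opened, or None (silently drop)."""
        try:
            msg, tag = packet.rsplit(b".", 1)
            body = json.loads(msg)
            key = self.user_keys[body["user"]]
            ts, nonce, service = int(body["ts"]), body["nonce"], body["service"]
        except (ValueError, KeyError, TypeError):
            return None
        expect = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tag.decode(errors="replace")):
            return None                          # forged or tampered knock
        if abs(now - ts) > TICKET_TTL:
            return None                          # expired ticket
        if (body["user"], nonce) in self.seen:
            return None                          # replayed knock
        self.seen.add((body["user"], nonce))
        self.open_rules[(src_ip, service)] = now + RULE_TTL
        return (src_ip, service)

    def allowed(self, src_ip, service, now):
        """Firewall decision: only the knocking IP, only until the rule expires."""
        return self.open_rules.get((src_ip, service), 0) > now
```

The `allowed` check is the point the thread's objection turns on: the rule is keyed to the source address of the knock, so the packet arriving first from a different IP stays blocked.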