For what it's worth to those who want to play with SPA, here is a demo i whipped up. It is very easy to set up, and i almost guarantee anyone can get this running. What we will demonstrate: Bascially: An SPA demo. Requirements: Very little - a minimal setup of centos. This setup will demonstrate a client who initially cannot connect to a an ssh port on the server (the server is DROPing packets and appears to not be running sshd). After a successful encrypted SPA (Single Packet Authorization) packet is sent to the server, in which a shared key and usercode is required, the ssh port is opened for the client IP only, and the client can then continue to connect with the normally required ssh credentials. After a timeout, the port is CLOSED to all traffic from the client IP, however firewall ESTABLISHED and RELATED rules will allow the connected client to continue to communicate. Setup Details; Server; Almost any kind of CentOS, but i use CentOS 4.4 installed on a VM (vmware workstation build 36983) SELinux Disabled Firewall enabled, no services allowed. "Minimal" installation performed. IP=10.1.1.155 Client; Almost any *nix, but i have used CentOS 4.4 installed on a VM (vmware workstation build 36983) SELinux Disabled Firewall enabled, no services allowed. "Minimal" installation performed. IP=10.1.1.8 =================== Setup the server Optional : Update the server; #yum -y update #reboot Install fwknop #cd /tmp #wget http://www.cipherdyne.org/fwknop/download/fwknop-1.0.1-1.i386.rpm #rpm -i fwknop-1.0.1-1.i386.rpm Backup fwknop's access.conf file and make our own. #mv /etc/fwknop/access.conf /etc/fwknop/access.conf.orig #access=/etc/fwknop/access.conf #echo "SOURCE: ANY;">>$access #echo "OPEN_PORTS:tcp/22;">>$access #echo "DATA_COLLECT_MODE: ULOG_PCAP;">>$access #echo "KEY: pkpassword;">>$access #echo "FW_ACCESS_TIMEOUT: 30;">>$access #echo "REQUIRE_USERNAME: mbr;">>$access Note ... the usercode and password we need to tell the client is; usercode:mbr , password:pkpassword Change the firewall (by default in a CentOS build it REJECTS everything. We want it to DROP instead, so that no-one knows if sshd is running or not) (this step is optional) #service iptables stop #joe /etc/sysconfig/iptables change -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited to -A RH-Firewall-1-INPUT -j DROP Restart the firewall #service iptables start Start fwknopd --debug Leave this debug window open, and you will see the rules that fwknop adds to the firewall. Setup the Client; Install fwknop (the same package contains server and client tools) #cd /tmp #wget http://www.cipherdyne.org/fwknop/download/fwknop-1.0.1-1.i386.rpm #rpm -i fwknop-1.0.1-1.i386.rpm Proof : Try to connect to server on port 22 #nc -v 10.1.1.155 nc will apear to hang waiting for a response. -> no response. (unless you skipped the step above for changing the firewall rules, in which case i think you get a 'no route to host' message) Now knock to open the port, using the usercode and password as above; (password will be prompted for ) #fwknop -A tcp/22 -k 10.1.1.155 --Spoof-user mbr -a 10.1.1.8 -A is the port to send the SPA packet to -k is the server to send to --Spoof-user is because we are not mbr (i am root) we wouldnt need this if we were logged on as 'mbr' -a 10.1.1.8 is because i am on a NATed subnet, and without it fwknop will resolve my IP to a public one, and then tell the server to open port 22 to that public IP, which wont help me. You have 30 seconds to try to connect now ... #nc -v 10.1.1.155 22 pc-00155.xx_hidden_xx.org [10.1.1.155] 22 (ssh) open SSH-1.99-OpenSSH_3.9p1 Ctrl-c to kill this. So we have proved that port 22 has been opened by our knock. Watching the servers debug output as mentioned above will show you the exact rule which was added to iptables to achieve this. If you have exceeded your 30 sec, just run the knock again; #fwknop -A tcp/22 -k 10.1.1.155 --Spoof-user mbr -a 10.1.1.8 and then try to connect; #ssh root at 10.1.1.155 If you are quick enough you can run #service iptables status|grep 10.1.1.8 ACCEPT tcp -- 10.1.1.8 0.0.0.0/0 tcp dpt:22 This shows you the rule which let you in. Note that port 22 is open to *YOUR IP* only. About 30 sec later you will see; # service iptables status|grep 10.1.1.8 # [no output] This shows you that the open port has been closed. Notes: If you get a message like 'remote time stamp is older than 120 second max age.' then you have a clock sync problem. (common when using vmware) Notes: If you have trouble with clock drift and you dont want to be bothered fixing it, you can make fwknop less sensitive; joe /etc/fwknop/fwknop.conf change MAX_SPA_PACKET_AGE 120; to MAX_SPA_PACKET_AGE 1200; or similar (20 minute window) Thanks to Michael Rash for his great pdf (http://www.usenix.org/publications/login/2006-02/pdfs/rash.pdf) which i blatently ripped content from for the good of the world.