Science & Technology

How to protect SSH login with port knock

Knock, knock … who is there? SSH. SSH who? You need to lock down the server so that only you can access it via SSH. One way to help with that is to knock. Jack Warren explains how to do that.

Image: Funtap / Shutterstock

Secure Shell is the de facto standard for logging in to remote Linux servers. It has helped many admins over the years. However, just because the title contains the word “safety” does not mean that it is always true to the name. In fact, there’s always something you can do to make SSH more secure.

look: Checklist: Server inventory (TechRepublic Premium)

One such method is with the help of port knocking. Before we get into this, I would like to clarify that SSH users always have to do two things.

Both of the above should be considered standard best practices for using Secure Shell. That said, I would like to introduce you to the tools that have been around for some time. The idea is to create two knocking sequences on the server. One is for opening the SSH port and the other is for closing the SSH port. SSH access will be closed until you send the opening knock sequence. You can SSH into the machine by sending the opening sequence. When you’re done, send a close sequence to lock down SSH.

It’s not perfect, but when combined with SSH key authentication, it makes SSH much more secure on the server.

I will show you how to install and use knockd for port knocking with SSH.

Things necessary

We will be demonstrating on Ubuntu Server 20.04, so we need a running instance of that OS and a user with sudo privileges. You also need a user with sudo privileges on the client machine. For clients, Pop! Demonstrate with _OS.

How to install knock

The first thing to do is a knocked installation on the server and client. Log in to the server and issue the following command:

sudo apt-get install knockd -y

Issue the same command to the client.

After knocking on the installation, you need to be aware of some configurations.

How to configure knock

The first thing you need to do is configure the knocked service. Open the knocked configuration file with the following command:

sudo nano /etc/knockd.conf

In that file, change the open sequence from the default 7000,8000,9000 to the port sequence you want to use. You can configure up to 7 ports for this.The line to set is below [openSSH] and:

sequence = 7000,8000,9000

Change the port numbers in an order that is easy to remember.

Then modify the close sequence in the same way (using different port numbers).That line is below [closeSSH] and:

sequence = 9000,8000,7000

Then you need to change -A to -I in. [openSSH] Since it is a command line, it is the first rule in the iptables chain.

Save and close the file.

Next, you need to find the name of the network interface used for SSH traffic. Issue the following command:

ip a

Find the IP address you want to use, then find the following sequence:

2: ens5:

In my case, the name of the interface is ens5.

Open the knockd daemon file with the following command:

sudo nano /etc/default/knockd

In that file, change the 0 on the next line to 1 so that the daemon can start at boot time.


Then rename eth0 to the name of the network interface on the next line (and remove the leading # character).

#KNOCKD_OPTS="-i eth0"

So this line (in my case) looks like this:

KNOCKD_OPTS="-i ens5"

Save and close the file.

Start knocking and enable it with the following command:

sudo systemctl start knockd
sudo systemctl enable knockd

How to close port 22

Next, you need to close port 22. This prevents traffic from bypassing the knocked system. Issue the following command:

sudo ufw status numbered

If there are rules that allow SSH traffic, they are numbered and should be removed as such. For example, suppose your SSH rules are 1 and 2. Remove them:

sudo ufw delete 2
sudo ufw delete 1

How to use knock

Go to the client machine. The first thing to do is send an open knock sequence. This allows SSH traffic to pass through. If the knock sequence is 7001,8001,9001, issue the following command:

knock -v SERVER: 7001 8001 90001

Where SERVER is the IP address of the remote server.

You should see output similar to the following:

hitting tcp
hitting tcp
hitting tcp

After the knock sequence, you will be able to SSH into that server. When the remote work is finished, shut down the server and send a finish knock sequence as follows:

knock -v SERVER 9001 8001 7001

After the end knock sequence, you will not be able to access the remote server via SSH (until you send the start knock sequence again).

And that’s all about using knockd to make SSH access more secure on remote Linux servers. Don’t forget to install Knock on client machines that require SSH access to those servers.

See also

How to protect SSH login with port knock How to protect SSH login with port knock

Back to top button