27.Tablet Connections Blocks Lock

You've probably read the usual things admins do with the Secure Shell (SSH), such as changing the port, preventing root logins, using fail2ban, using SSH key authentication, etc. But there's another technique you can employ that does a great job of protecting your servers from unwanted SSH logins.

That technique is called port knocking and can be enabled with the help of knockd, a Linux port-knock server. This works by closing off all ports and only opening them "on demand," according to a pre-determined sequence of pings. Although you wouldn't use port knocking for every server or deployment (and you wouldn't rely on it alone), it's a very novel way of adding security to SSH. 

Of course, along with port knocking, you must always keep SSH up to date, ensure your /etc/ssh/sshd_config file is configured with best practices, and consider employing SSH key authentication.

But if you want to add this extra layer to the system, read on, and I'll show you how it's done.

What You'll Need

The only things you'll need for this are a running instance of Ubuntu Server (preferably a recent release), a second Ubuntu machine (which can be either the server or desktop version) to serve as a client, a user with sudo privileges, and a network connection. That's it. Let's get to knocking.

How Can I Install knockd?

Linux Security Esm W500You'll need to install knockd on both the server and client. Log into your server and install the software with the command:

sudo apt-get install knockd -y

When that installation completes, log into your client machine and run the same command.

Believe it or not, that's it for the installation. You will want to make sure the knockd service is running with the command:

systemctl status knockd

You'll probably find the service isn't running, and you won't be able to get it running out of the box. Why? Because knockd defaults to the old-school network device naming convention. We must change the configuration file to fit the newer device naming scheme. Open the default configuration with:

sudo nano /etc/default/knockd

At the bottom of the file, you'll see the line:

#KNOCKD_OPTS="-i eth1"

Locate the name of your networking device with the command:

ip -a

It might be something like enp0s3. If that's the case, you'd change the line to:

KNOCKD_OPTS="-i enp0s3"

Save and close the file.

You can now start and enable the service with:

sudo systemctl enable --now knockd

How Can I Configure knockd?

The knockd service is configured in the /etc/knockd.conf file. Open it for editing with the command:

sudo nano /etc/knockd.conf

In the [openSSH] section, the first line is:

sequence = 7000, 8000, 9000

That's a port knocking sequence; you can change it to whatever you want. For example, you could reverse it with:

sequence = 9000, 8000, 7000

Go to the command line (which is two lines below the sequence line) and change -A to -I, which ensures it will be the first line in the new iptables chain.

Save and close the file.

Restart knockd with:

sudo systemctl restart knockd

How Can I Close a Port?

Next, we will close port 22, so incoming traffic won't be able to bypass the knockd system. We'll have UFW list our rules in a numbered sequence so they're easier to delete. Issue the command:

sudo ufw status numbered

If you have an SSH rule allowing incoming traffic to port 22, it'll show up and have an associated number. Say, the rule is number 1. To delete that rule, issue the command:

sudo ufw delete 1

If you have more than 1 rule pertaining to SSH, make sure to delete them all.

Using knockd

Business Cybersecurity Esm W500Now it gets fun. Return to your client machine, where you'll send the knock sequence you configured in the knockd.conf file. So, if you configured a knock sequence of 8000, 7000, 9000, you would issue the open command:

knock -v SERVER 8000 7000 9000

Where SERVER is the IP address of the server you want to log into. The output of the above command should look something like this:

hitting tcp 192.168.1.100:8000

hitting tcp 192.168.1.100:7000

hitting tcp 192.168.1.100:9000

Of course, the IP address in the above output will reflect the address of your destination server. Once the knock open sequence is complete, you can SSH into that server as you normally would.

After you're certain it works, exit from the server (with the exit command). Once you've exited the remote server, you must send the closing knock sequence, which is done by reversing the order of the opening knock sequence. So, if your knock sequence is 8000 7000 9000, the closing sequence will be 9000 7000 8000. You'd close it with:

knock -v SERVER 9000 7000 8000

Where SERVER is the IP address of the remote server.

Once the closing sequence succeeds, you will not be able to SSH back into the server until you send the opening knock sequence.

Congratulations, you've just locked down SSH with the help of knockd. As I said, this system won't be ideal for every application, but it can certainly come in handy for certain use cases. Try it and see if it doesn't work to help secure some of your deployments.

Have additional questions about port knocking for more secure SSH? Connect with us on X @lnxsec - we're here to help!