If you want to let users reach a service on your server without leaving its port open in the firewall to everyone, you can use port knocking. With port knocking the firewall keeps the port closed; a client sends connection attempts to a predefined sequence of closed ports, and when the daemon sees the correct sequence from one source IP it adds a firewall rule that opens the service for that IP only. Port knocking is a layer of concealment, not authentication: the sequence travels in cleartext and anyone who captures it can replay it, so keep key-based SSH authentication in place behind it.
In this post, we will protect the OpenSSH port 22 with port knocking. The port will only be opened for a client after it requests the ports 7777, 8888 and 9999 in sequence.
Step 1 – Install and Configure Knockd
The knockd package is available in the Ubuntu 20.04 repositories. You can install it using the following command:
apt-get install knockd -y
Once the package is installed, edit the port knocking default configuration file:
nano /etc/knockd.conf
Find the default sequences, one in the [openSSH] section and one in the [closeSSH] section:
sequence = 7000,8000,9000
sequence = 9000,8000,7000
And replace them with the following sequences:
sequence = 7777,8888,9999
sequence = 9999,8888,7777
Also, find the following line:
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
And replace it with the following line:
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Save and close the file when you are finished.
In the above configuration file, the sequence 7777, 8888, 9999 opens port 22 for the client that sent it, and the sequence 9999, 8888, 7777 closes it again. The three knocks of a sequence must arrive within seq_timeout (5 seconds in the default file). The change from -A to -I matters: -I inserts the ACCEPT rule at the top of the INPUT chain, ahead of the REJECT rule for port 22 that Step 2 adds; with -A the ACCEPT would be appended after the REJECT and never be reached. The close command uses -D, which deletes the matching ACCEPT rule wherever it sits in the chain.
Next, edit the /etc/default/knockd configuration file:
nano /etc/default/knockd
Set START_KNOCKD to 1 and point KNOCKD_OPTS at the interface knockd should listen on. Check the name with ip link first: on many Ubuntu 20.04 systems it is ens3 or enp0s3 rather than eth0, and knockd will see no knocks on the wrong interface.
# Start the Knockd service
START_KNOCKD=1
# Name of your network interface
KNOCKD_OPTS="-i eth0"
Save and close the file when you are finished, then restart the Knockd service and enable it to start at system reboot:
systemctl restart knockd
systemctl enable knockd
Next, verify the status of the Knockd service with the following command:
systemctl status knockd
Sample output:
● knockd.service - Port-Knock Daemon
     Loaded: loaded (/lib/systemd/system/knockd.service; disabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-08-15 13:26:31 UTC; 5s ago
       Docs: man:knockd(1)
   Main PID: 6555 (knockd)
      Tasks: 1 (limit: 2353)
     Memory: 296.0K
     CGroup: /system.slice/knockd.service
             └─6555 /usr/sbin/knockd -i eth0

Aug 15 13:26:31 ubuntu2004 systemd[1]: Started Port-Knock Daemon.
Aug 15 13:26:31 ubuntu2004 knockd[6555]: starting up, listening on eth0
Step 2 – Install and Configure Iptables
Knockd opens and closes the SSH port by running iptables commands, so the iptables package must be installed on your server; iptables-persistent saves the rules so that they survive a reboot.
Run the following command to install the Iptables package:
apt-get install iptables iptables-persistent -y
Once the packages are installed, add the iptables rules that block new connections to SSH port 22 for everyone. Add them in this order: the first rule lets existing connections continue (including the SSH session you are working in, and every session opened after a knock), the second rejects new connections to port 22:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT
Next, save the iptables rules so that they are restored after a reboot, and reload them:
netfilter-persistent save
netfilter-persistent reload
At this point, port knocking is configured for OpenSSH in your server.
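The server-side setup from Steps 1 and 2, collected into one re-runnable script as an added example (it is not part of the original tutorial or of the knockd project). It writes the two knockd files with the sequences used above, applies the two firewall rules in the order that keeps your current SSH session alive, and skips rules that are already present so it can be run again safely. It assumes the ip command from iproute2 for detecting the interface; run it as root with --apply, or with DRY_RUN=1 --apply to see the configuration and iptables commands without changing anything.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the server-side setup of
# Steps 1 and 2 as one re-runnable script. Without arguments it only defines
# functions; "--apply" (as root) writes the config files, restarts knockd and
# adds the firewall rules. DRY_RUN=1 prints instead of changing anything.
# Assumption: iproute2's "ip" is available for interface detection.
set -u

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi
}

# knockd.conf: seq_timeout bounds the whole knock sequence, tcpflags=syn makes
# knockd look only at the first packet of each connection attempt, and -I (not
# the stock -A) inserts the per-client ACCEPT above the REJECT rule from Step 2.
render_knockd_conf() {
    local open_seq="$1" close_seq="$2" port="$3"
    cat <<EOF
[options]
    UseSyslog

[openSSH]
    sequence    = $open_seq
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport $port -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = $close_seq
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport $port -j ACCEPT
    tcpflags    = syn
EOF
}

# /etc/default/knockd: enable the daemon and bind it to one interface.
render_knockd_defaults() {
    cat <<EOF
START_KNOCKD=1
KNOCKD_OPTS="-i $1"
EOF
}

# Interface of the default route (eth0 is rarely the right name on Ubuntu 20.04).
default_iface() {
    ip route show default 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# "iptables -C" exits 0 when an identical rule is already in the chain.
rule_exists() {
    [ -n "$DRY_RUN" ] && return 1
    "$IPTABLES" -C INPUT "$@" 2>/dev/null
}

add_rule() {
    if rule_exists "$@"; then
        echo "rule already present: $*" >&2
    else
        run "$IPTABLES" -A INPUT "$@"
    fi
}

# Order matters: the conntrack rule must come first so the SSH session you are
# running this from (and every session opened after a knock) keeps working
# once the REJECT is appended.
apply_firewall() {
    add_rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    add_rule -p tcp --dport "$1" -j REJECT
}

if [ "${1:-}" = "--apply" ]; then
    iface=$(default_iface)
    if [ -n "$DRY_RUN" ]; then
        render_knockd_conf 7777,8888,9999 9999,8888,7777 22
        render_knockd_defaults "${iface:-eth0}"
    else
        render_knockd_conf 7777,8888,9999 9999,8888,7777 22 > /etc/knockd.conf
        render_knockd_defaults "${iface:-eth0}" > /etc/default/knockd
    fi
    run systemctl restart knockd
    run systemctl enable knockd
    apply_firewall 22
    run netfilter-persistent save
fi
```

Because add_rule checks with iptables -C before appending, running the script twice does not duplicate the REJECT rule, and the ACCEPT rule that knockd later inserts with -I always lands above it.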
Step 3 – Check OpenSSH Connection from Client System
Next, go to the client system and check whether SSH port 22 is blocked.
You can check it with nmap:
nmap your-server-ip
Port 22 should show as filtered: the REJECT rule answers with an ICMP port-unreachable error, which nmap reports as filtered rather than closed.
Nmap scan report for your-server-ip
Host is up (0.38s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE
21/tcp open     ftp
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 277.58 seconds
Now, try to connect to your server using SSH from the client machine:
ssh root@your-server-ip
The connection should be refused (the same ICMP port-unreachable answer from the REJECT rule is reported by the client as Connection refused):
ssh: connect to host your-server-ip port 22: Connection refused
Step 4 – Configure the Knock Client to Connect to the SSH Server
Now you will need the knock client on the client system to open the SSH port before connecting. On Ubuntu and Debian the knock command ships in the same knockd package; the daemon stays disabled on the client because /etc/default/knockd has START_KNOCKD=0 by default.
Run the following command to install it:
apt-get install knockd -y
Now send the following knock sequence to open SSH port 22 on the server:
knock -v your-server-ip 7777 8888 9999
When your server receives the sequence defined in the Knockd configuration file, it inserts an ACCEPT rule for your client machine's IP address only, and you can connect to the SSH server:
ssh root@your-server-ip
After completing your task on the remote SSH server, close the port again from the client machine with the reverse sequence. Knockd does not remove the ACCEPT rule on its own, so until you send the close sequence port 22 stays open for your client's IP address:
knock -v your-server-ip 9999 8888 7777
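For a client machine where you cannot install the knock package, the same knocks can be sent with bash alone. The script below is an added example, not part of the original post or of the knockd project; it assumes bash (for its /dev/tcp pseudo-device) and the coreutils timeout command, and uses the sequences configured above. It validates the port list, sends the open sequence, checks that port 22 actually answers before starting ssh, and sends the close sequence when the session ends.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of knockd: a knock client
# built from bash's /dev/tcp and coreutils "timeout". A knock is one TCP
# connection attempt; knockd only inspects the SYN (tcpflags = syn), so
# "connection refused" on a knock port is the expected outcome.
KNOCK_TIMEOUT="${KNOCK_TIMEOUT:-1}"   # seconds per knock; ports that DROP never answer
KNOCK_DELAY="${KNOCK_DELAY:-0.2}"     # gap between knocks; the whole sequence must fit seq_timeout
OPEN_SEQ="7777 8888 9999"             # must match [openSSH] in the server's knockd.conf
CLOSE_SEQ="9999 8888 7777"            # must match [closeSSH]

# One TCP connect to host:port. Exit 0 only if the port accepted the connection.
tcp_probe() {
    timeout "$KNOCK_TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Refuse anything that is not a port number, so a typo cannot turn into a
# different (and silently ignored) sequence.
valid_ports() {
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# Send the knocks in order. Exit 0 once all were sent, 2 on a bad port list.
knock_ports() {
    host="$1"; shift
    valid_ports "$@" || { echo "invalid knock sequence: $*" >&2; return 2; }
    for p in "$@"; do
        tcp_probe "$host" "$p" || true          # refused or timed out is normal here
        sleep "$KNOCK_DELAY" 2>/dev/null || sleep 1   # fall back if sleep lacks fractions
    done
    return 0
}

# Knock, verify that port 22 really opened, run ssh, then knock it closed again
# so the per-IP ACCEPT rule does not outlive the session.
ssh_with_knock() {
    target="$1"; shift                          # user@host, as for ssh
    host="${target##*@}"
    knock_ports "$host" $OPEN_SEQ || return 2
    sleep 1                                     # knockd inserts the rule after the last knock
    if ! tcp_probe "$host" 22; then
        echo "port 22 still closed on $host; check 'journalctl -u knockd' on the server" >&2
        return 1
    fi
    ssh "$@" "$target"
    rc=$?
    knock_ports "$host" $CLOSE_SEQ
    return $rc
}

# Usage: ssh_with_knock root@your-server-ip
```

The timeout wrapper is what makes this usable against a real server: a port that is dropped rather than rejected would otherwise leave bash waiting on the connect for minutes, while knockd only needs the SYN it already received.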
Conclusion
In this guide, you learned how to protect an SSH server with port knocking. The same method works for other ports on a Linux server. Try it on VPS hosting from Atlantic.Net!