How to secure SSH logins with port knocking
Knock, knock … who’s there? SSH. SSH who? You need to lock down your servers so that only you have access via SSH. One way to help that is with knockd. Jack Wallen shows you how.
Secure Shell is the de-facto standard for logging into remote Linux servers. It’s served many an administrator well over the years. But just because it has the word “secure” in its title, doesn’t mean that it always lives up to that name. In fact, there are always things you can do to make SSH more secure.
SEE: Checklist: Server inventory (TechRepublic Premium)
One such way is with the help of port knocking. Now, before we get into this I want to make it clear that anyone using SSH should always do two things:
Both of the above should be considered standard best practices for using Secure Shell. With that said, I want to introduce you to a tool that’s been around for some time. The idea is to create two knocking sequences on your server, one to open the SSH port and one to close it. Until you send the opening knock sequence, SSH access is closed off. Once you send the opening sequence, you can SSH into that machine. When you’re done working, send the close sequence and SSH is locked back down.
It’s not perfect, but in conjunction with SSH key authentication, SSH will be considerably more secure on your servers.
Let me show you how to install and use knockd for port knocking on SSH.
What you’ll need
I’ll be demonstrating on Ubuntu Server 20.04, so you’ll need a running instance of that OS and a user with sudo privileges. You’ll also need a user with sudo privileges on a client machine as well. For the client, I’ll demonstrate on Pop!_OS.
How to install knockd
The first thing we’ll do is install knockd on our server and client. Log in to the server and issue the command:
sudo apt-get install knockd -y
Head over to your client and issue the same command.
Once you’ve knockd installed, you need to take care of some configurations.
How to configure knockd
The first thing we need to do is configure the knockd service. Open the knockd configuration file with:
sudo nano /etc/knockd.conf
In that file change the open sequence from the default 7000,8000,9000 to whatever port sequence you want to use. You can configure up to seven ports for this. The line to configure is under [openSSH] and is:
sequence = 7000,8000,9000
Change the port numbers to a sequence you can remember.
Next, change the close sequence in the same way (using different port numbers). That line is under [closeSSH] and is:
sequence = 9000,8000,7000
Next, you need to change the -A to -I in the [openSSH] command line, so it will be the first rule in the iptables chain.
Save and close the file.
Next, we need to find the name of the network interface used for SSH traffic. Issue the command:
ip a
Locate the IP address you use and then locate a sequence that looks like this:
2: ens5:
In my case, the name of the interface is ens5.
Open the knockd daemon file with:
sudo nano /etc/default/knockd
In that file, enable the daemon to start at boot by changing 0 to 1 in the line:
START_KNOCKD=
Next, change eth0 to the name of your network interface (and remove the leading # character) in the line:
#KNOCKD_OPTS="-i eth0"
So this line (in my case) would look like this:
KNOCKD_OPTS="-i ens5"
Save and close the file.
Start and enable knockd with the command:
sudo systemctl start knockd sudo systemctl enable knockd
How to close port 22
Next, we need to close port 22, so traffic can’t bypass the knockd system. Issue the command:
sudo ufw status numbered
If you have rules that allow SSH traffic, they will be numbered and need to be deleted as such. Say, for example, your SSH rules are 1 and 2; delete them with:
sudo ufw delete 2 sudo ufw delete 1
How to use knockd
Move over to your client machine. What we’ll first do is send the open knock sequence, so SSH traffic is allowed through. If your knock sequence is 7001,8001,9001, you’d issue the command:
knock -v SERVER 7001 8001 9001
Where SERVER is the IP address of the remote server.
You should see output like:
hitting tcp 192.168.1.111:7001 hitting tcp 192.168.1.111:8001 hitting tcp 192.168.1.111:9001
After the knock sequence, you should then be able to SSH into that server. When you’re done with the remote work, you’ll exit from the server and then send the closing knock sequence like so:
knock -v SERVER 9001 8001 7001
After the closing knock sequence, you should no longer be able to access that remote server via SSH (until you send the opening knock sequence again).
And that’s all there is to using knockd to better secure SSH access on your remote Linux servers. Just remember to install knockd on any client machine that needs SSH access to those servers.