Port knocking on linux

Table of Contents

Port knocking on linux

In the world of Linux server security, Port Knocking has emerged as a popular technique for adding more layers of protection to your system. By using Port Knocking, you can hide open ports and block unauthorized access attempts, making it a useful tool for preventing common attacks such as port scanning and brute-force attacks.


So, how does Port Knocking work? Port Knocking involves sending a sequence of connection attempts on a predefined set of ports in a particular order. When the correct sequence is detected, the firewall rules are automatically updated to allow access to the desired Port. This means that ports are not permanently open, and only authorized users who know the correct sequence can gain access.


There are two main types of Port Knocking techniques – Single Packet Authentication (SPA) and Sequence Number Obfuscation (SNO). SPA involves sending a single packet with the correct sequence, while SNO sends multiple packets with a randomly generated sequence. SPA is considered more straightforward and more secure, but SNO can be more difficult for attackers to detect.


To implement Port Knocking on Linux, there are several tools available, including knockd, fwknop, and Portspoof. These tools provide various features and customization options, allowing you to configure Port Knocking to suit your specific needs.


While Port Knocking can provide an additional layer of security to your Linux server, it is not considered a foolproof method of access control. It is essential to use Port Knocking in conjunction with other security measures such as strong passwords, two-factor authentication, and regular security audits. It is also important to keep your Port Knocking sequence confidential and change it regularly to prevent attackers from guessing it.


In conclusion, Port Knocking is a useful technique for enhancing the security of your Linux server. By hiding open ports and blocking unauthorized access attempts, it can help prevent common attacks and provide an additional layer of protection. However, it is essential to use Port Knocking.

 

Port knocking is defense in depth. Initially, port knocking was implemented to prevent attackers from analyzing systems for vulnerable services through a port scan, as without sending the correct knock sequences, protected ports would appear inaccessible for the attacker.

 

port knocking

 

 

It’s still possible for hackers to discover a port range – however, port knocking can trick scanners. In this case, your SSH client attempts to connect to various ports, but none of them will allow your connection, until you unlock a particular port. The client is very safe to use. This is one of the most effective ways of protecting your server from unauthorized attempts to connect via SSH.

 

You will learn how to set up port knocking in this article. This article was written for Debian 7, but it could be used for Ubuntu as well.

 

 

Here we go,

 

 

Step 1: Installing the required packages

 

SSH should already be installed on your computer. For those who don’t have it, execute the following commands as root:

 

apt-get update
apt-get install openssh-server
apt-get install knockd

 

On some servers, the UFW firewall is installed by default, in which case you will need to disable UFW before installing IPtables. Here’s how you do that:

 

ufw disable

 

 

Then, install iptables.

 

apt-get install iptables

 

Step 2: Configuring iptables

 

 

The SSH connection will end once you are connected, so it is important to make sure you can stay connected while blocking other connections. Run these commands as root on your server.

 

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j DROP
apt-get install iptables-persistent
iptables-save

 

The next step is to configure knockd.

It will be possible for you to select which ports will need to be knocked first. Open a text editor to the file /etc/knockd.conf.

nano /etc/knockd.conf

 

 

Following is an example of a section that will look like this.

 

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

 

Here, you can specify which ports should be knocked first. As of right now, we’re going to stick with ports 7000, 8000, and 9000. Set seq_timeout = 5 to seq_timeout = 10, and for the closeSSH section, do the same for the seq_timeout line. Similarly, there is a sequence line in the closeSSH  script that must also be modified.  

 

Knockd needs to be enabled, so open the editor as root again.

 

nano /etc/default/knockd

 

Change the 0 in the section START_KNOCKD to 1, then save and exit.

 

 

Now, start knockd:

 

service knockd start

 

The installation has been completed. Once you have disconnected, you have to knock ports 7000, 8000, and 9000 to connect again.

 

 

 

Let’s do it!

Your SSH server should not be accessible if everything was installed correctly. A telnet client should be able to check the port.

 

In your terminal/command prompt type:

telnet {IP} 7000
telnet {IP} 8000
telnet {IP} 9000

The process should take no longer than ten seconds, as specified in the configuration. Now try connecting via SSH. It should be accessible.

 

Now close the SSH server, execute the commands in reverse order.

 

telnet {IP} 9000
telnet {IP} 8000
telnet {IP} 7000

That’s it!

 

t is our hope that this article provides you with more information.

 

Set Static IP on Ubuntu 

Port Knocking is a security technique that allows a user to open a closed port on a server by sending a sequence of connection attempts on other ports.

Port Knocking works by sending a sequence of connection attempts on a predefined set of ports in a particular order. When the correct sequence is detected, the firewall rules are automatically updated to allow access to the desired Port.

 Port Knocking can provide an additional layer of security to your Linux server by hiding open ports and blocking unauthorized access attempts. This can prevent common attacks such as port scanning and brute-force attacks.

There are two main types of Port Knocking techniques – Single Packet Authentication (SPA) and Sequence Number Obfuscation (SNO). SPA sends a single packet with the correct sequence, while SNO sends multiple packets with a randomly generated sequence.

Yes, Port Knocking is compatible with most Linux distributions, as long as the server is running a firewall that supports Port Knocking.

Some common tools for implementing Port Knocking on Linux include knocked, fwknop, and Portspoof.

While Port Knocking can provide an additional layer of security, it is not considered a foolproof method of access control. It is recommended to use Port Knocking in conjunction with other security measures such as strong passwords, two-factor authentication, and regular security audits.

Share on
Facebook
Twitter
LinkedIn
Print
VPSie Cloud service

Unlock Your

20% Discount

The First 3 orders get 20% discount! Try Sign up on VPSie to get a chance to get the discount.