Port knocking on linux

Table of Contents

Port knocking on linux



Port knocking is defense in depth. Initially, port knocking was implemented to prevent attackers from analyzing systems for vulnerable services through a port scan, as without sending the correct knock sequences, protected ports would appear inaccessible for the attacker.




port knocking



It’s still possible for hackers to discover a port range – however, port knocking can trick scanners. In this case, your SSH client attempts to connect to various ports, but none of them will allow your connection, until you unlock a particular port. The client is very safe to use. This is one of the most effective ways of protecting your server from unauthorized attempts to connect via SSH.




You will learn how to set up port knocking in this article. This article was written for Debian 7, but it could be used for Ubuntu as well.




Here we go,




Step 1: Installing the required packages




SSH should already be installed on your computer. For those who don’t have it, execute the following commands as root:



apt-get update
apt-get install openssh-server
apt-get install knockd




On some servers, the UFW firewall is installed by default, in which case you will need to disable UFW before installing IPtables. Here’s how you do that:


ufw disable




Then, install iptables.


apt-get install iptables




Step 2: Configuring iptables




The SSH connection will end once you are connected, so it is important to make sure you can stay connected while blocking other connections. Run these commands as root on your server.


iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j DROP
apt-get install iptables-persistent




The next step is to configure knockd.




It will be possible for you to select which ports will need to be knocked first. Open a text editor to the file /etc/knockd.conf.


nano /etc/knockd.conf



Following is an example of a section that will look like this.



    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn


Here, you can specify which ports should be knocked first. As of right now, we’re going to stick with ports 7000, 8000, and 9000. Set seq_timeout = 5 to seq_timeout = 10, and for the closeSSH section, do the same for the seq_timeout line. Similarly, there is a sequence line in the closeSSH  script that must also be modified.  





Knockd needs to be enabled, so open the editor as root again.




nano /etc/default/knockd


Change the 0 in the section START_KNOCKD to 1, then save and exit.





Now, start knockd:



service knockd start



The installation has been completed. Once you have disconnected, you have to knock ports 7000, 8000, and 9000 to connect again.





Let’s do it!



Your SSH server should not be accessible if everything was installed correctly. A telnet client should be able to check the port.




In your terminal/command prompt type:



telnet {IP} 7000
telnet {IP} 8000
telnet {IP} 9000


The process should take no longer than ten seconds, as specified in the configuration. Now try connecting via SSH. It should be accessible.




Now close the SSH server, execute the commands in reverse order.


telnet {IP} 9000
telnet {IP} 8000
telnet {IP} 7000



That’s it!





t is our hope that this article provided you with more information.





Get the most out of learning with VPSie.com

Share on