Port Knocking in Linux to Secure SSH Server

How to Use Port Knocking in Linux to Secure SSH Server

Knock-Knock! Do you need to protect your Linux system from automated port scanners and secure the SSH server? Join us with this guide to learn How to Use Port Knocking in Linux to Secure SSH Server. Port knocking is a technique used in computer networking to open firewall ports from the outside by making connection attempts on a predetermined set of closed ports. By limiting access to the server's service to authorized users, port knocking is a clever method of restricting access to a port.

One of this method's advantages is that ports protected by port knocking show up as unavailable to a standard port scan. Port knocking works together with the firewall: the firewall blocks the port by default, and knockd detects legitimate users by their knock sequence and lets those clients connect to the correct port. Only then does the firewall open the port that was closed.

If you have purchased your own Linux VPS recently and consider improving its security, port knocking is one of the best techniques to secure your server.

Tutorial Use Port Knocking in Linux to Secure SSH Server

Using port knocking, you can restrict access to a server's services to only authorized users. Since the firewall closes the SSH port from the outside world, users cannot connect to SSH port 22 directly. To change the firewall rule temporarily and open SSH port 22 to a user, the server runs the knockd daemon.

In this way, only authorized users with the proper knock sequence can cause knockd to open the SSH port. Another knock sequence is used to close the SSH port when the authorized user wants to log out. So, to use Port Knocking in Linux to Secure SSH Server, you need to learn how to install and configure knockd and set up the firewall rule that hides the SSH server so that malicious users cannot discover it on public networks.

For more information on how to use port knocking, please refer to our knowledge base article Check Open Ports in Linux.

You have already learned How to enable SSH on Ubuntu; this guide will also use Ubuntu to demonstrate installing and configuring port knocking to secure your SSH service.

Note: To hide an SSH server using SSH port knocking, you need a Linux OS with an OpenSSH server to hide. So, make sure you have SSH access to the server with sudo privileges.

If you’re all set, let’s go through the steps of this guide to secure SSH service.

Step 1: Install and Configure knockd on Linux Server

While you are logged in to your Linux system, use the command below to install the knockd daemon. This can be used on Ubuntu and Debian.

$ sudo apt install knockd

After a successful installation, use your favorite text editor to open the knockd.conf configuration with it. In this guide, the nano text editor is being used.

$ sudo nano /etc/knockd.conf

Now, you must change three items in this file; let's see what they are.

1- Find the [openSSH] section in the file and change the default knocking sequence, 7000,8000,9000, to anything you like (such as 10001,10002,10003), since the default values are publicly known and may jeopardize your system's security.

This is the sequence that will be used to open the SSH port from a client system. If you need to freshen your mind, refer to What is SSH.

2- In the iptables command, change -A to -I. With -I, the ACCEPT rule for your IP address is inserted at the top of the INPUT chain, so it takes effect ahead of the rule that blocks everyone else from the SSH port. While all other IP addresses are not allowed to connect to the SSH port, knockd executes this iptables command to open the SSH port for your IP address; you just need to send the right knock sequence.

3- Finally, under the [closeSSH] section, change the default sequence to your liking (such as 10003,10002,10001). This sequence will be used to close the SSH port again once the user decides to log out of the server.

When you are done changing the three items explained above, save the changes and close the file.
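As an added example (not part of the original tutorial or of the knockd project), the script below writes a knockd.conf with the three changes applied and then checks that neither the well-known default sequences nor the -A form of the iptables command remain. It assumes the stock Debian/Ubuntu layout of /etc/knockd.conf and the example sequences 10001,10002,10003; the helper names write_knockd_conf, check_knockd_conf and reverse_seq are my own.

```shell
#!/bin/sh
# Added example: generate a hardened knockd.conf and verify it.
# Assumptions: stock Debian/Ubuntu knockd.conf layout; KNOCKD_CONF,
# OPEN_SEQ and CLOSE_SEQ can be overridden from the environment.

KNOCKD_CONF="${KNOCKD_CONF:-/etc/knockd.conf}"
OPEN_SEQ="${OPEN_SEQ:-10001,10002,10003}"

# Print a comma-separated port sequence in reverse order
# (the closing sequence the tutorial uses is the opening one reversed).
reverse_seq() {
  printf '%s' "$1" | awk -F, '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? "," : "\n") }'
}

CLOSE_SEQ="${CLOSE_SEQ:-$(reverse_seq "$OPEN_SEQ")}"

# Write the config: custom sequences, and -I so the per-IP ACCEPT rule
# lands at the top of the INPUT chain, ahead of any rule that blocks port 22.
write_knockd_conf() {
  cat > "$KNOCKD_CONF" <<EOF
[options]
    UseSyslog

[openSSH]
    sequence    = $OPEN_SEQ
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = $CLOSE_SEQ
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
EOF
}

# Succeed only if the file uses neither the default 7000,8000,9000 /
# 9000,8000,7000 sequences nor "iptables -A" (append) for the open rule.
check_knockd_conf() {
  ! grep -Eq 'sequence *= *(7000,8000,9000|9000,8000,7000)' "$KNOCKD_CONF" &&
  ! grep -Eq 'iptables +-A ' "$KNOCKD_CONF"
}
```

Run it as root with `KNOCKD_CONF=/etc/knockd.conf` after backing up the original, then call `check_knockd_conf` before restarting the daemon.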

Next, to check and see the main network interface name on the server, run the following command:

$ ip addr

Here, there is another config file that should be edited. Again, open your text editor to modify:

$ sudo nano /etc/default/knockd

Look for the line:

START_KNOCKD=0

To enable autostart at system boot, change 0 to 1:

START_KNOCKD=1

knockd listens on the eth0 interface by default, but yours may be different. To change it, find the line below:

#KNOCKD_OPTS="-i eth1"

Remove the leading # and replace eth1 with the name of the main network interface on your server (ens18 in this example):

KNOCKD_OPTS="-i ens18"

Save and close the file.

Now, it is time to start and enable knockd daemon. So, run:

$ sudo systemctl start knockd
$ sudo systemctl enable knockd

Also, to check if it is running, type the command below to view the current status:

$ sudo systemctl status knockd

Step 2: Close SSH Port 22

As you learned so far, the knockd service grants or denies access to the SSH service. So, you need to close the SSH port on the firewall. To start, check the status of the UFW firewall and view its numbered rules.

$ sudo ufw status numbered

For example, if you see that SSH port 22 is open on lines 3 and 9, run the command below to delete the rules which open the SSH port.

$ sudo ufw delete 9

$ sudo ufw delete 3

From now on, an attempt to log in remotely results in a connection timeout, because the SSH service does not respond to the request. Starting with the bigger index number is not optional: deleting a rule renumbers the rules after it, so delete the rules in descending order.

Step 3: Use Knock Client to Connect to SSH Server

To complete what you learned in the previous two steps of this guide, you need to configure a client. To do this, attempt to log in by sending the knock sequence that you configured on the server.

As you might guess, the knockd package must be installed on the client as well, since it provides the knock command.

$ sudo apt install knockd

When you are done with the installation, run the command below to send the knock sequence.

$ knock -v server_ip knock_sequence

Send the correct knock sequence from the client computer to make the server firewall open TCP port 22.

$ knock -v 10.0.0.104 10001 10002 10003

After a successful knock, you will be able to SSH into your server. When you are finished, send the closing sequence to close the SSH port for your specific IP address again.

$ knock -v 10.0.0.104 10003 10002 10001

Since knockd responds only to knock sequences sent to the main network interface (the one set in KNOCKD_OPTS), the knock will not open the SSH port if the server has multiple IP addresses and you send the knock sequence to an address on another interface.

To have cron restart knockd once an hour, create a cron job:

$ sudo crontab -e

Then, add the line below in the file.

@hourly systemctl restart knockd

And finally, save and close the file.

As we mentioned in this guide, it is important to delete the rule with a bigger index number first. So, just run:

$ sudo ufw delete 8

$ sudo ufw delete 3

If the knock does not open the port on the first attempt, there may be high latency between your client and your server. Just try again and keep sending the knock sequence.

Conclusion

In this article, you learned How to Use Port Knocking in Linux to Secure SSH Server. Keep in mind that port knocking should not be used alone as a security measure; it should be used in conjunction with other security measures. If you follow the above steps properly, you can set up port knocking without any errors. But if you encounter any problems, please do not hesitate to contact us. Our technical support team will try their best to solve your problems.
