Secure SSH Service Using Port Knocking on Debian and Ubuntu
In this tutorial, I’m going to show you how to use port knocking to secure the SSH service on a Debian or Ubuntu server. So you may ask: what exactly is port knocking, and how is it going to help you secure your Debian or Ubuntu server?
Basic Idea of Port Knocking
Port knocking is a way to let only legitimate users access services on a server; in this tutorial the service is SSH. The idea behind port knocking is that the SSH port on the server is protected by a firewall. The SSH service is running on the server, but the SSH port is hidden from the outside world by firewall rules, so in this situation no one can directly connect to SSH port 22.
The server also runs a knockd daemon. knockd has the ability to change the firewall rules and thus temporarily open SSH port 22 to a user if that user hits (or knocks on) some specific ports in a sequence. So the knock sequence is kind of like a password for the SSH port. Only a legitimate user with the right knock sequence can trigger the SSH port to open. When the legitimate user has finished his work, he uses another knock sequence to close the SSH port.
Now let’s get our hands dirty. First we will install and configure knockd, then set up the firewall rule.
Install Knockd on Debian and Ubuntu
sudo apt-get install knockd
Enable autostart on system boot
Edit /etc/default/knockd config file with nano or your favorite text editor.
sudo nano /etc/default/knockd
Find this line
Change 0 to 1.
Save and close the file.
Edit main configuration file.
sudo nano /etc/knockd.conf
You need to change three items in this file. In the [openSSH] section, the default opening knock sequence is 7000,8000,9000. You can change this to your own liking, such as 10001,10002,10003. You can also define 4 or more ports for the sequence. These ports need not be open.
Then in the iptables command, change -A to -I so that this iptables rule is inserted at the top of the INPUT chain instead of appended to the end. Order in an iptables chain matters: a rule appended after the REJECT rule for port 22 would never be reached. When you send the right knock sequence, knockd executes this iptables command to open the SSH port for your IP.
Next, in the [closeSSH] section, change the default closing knock sequence to your liking, such as 10003,10002,10001.
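As an added example (not a file from the original post), this is what /etc/knockd.conf looks like after the three changes above: the opening sequence 10001,10002,10003, -I in place of -A, and the closing sequence 10003,10002,10001. The [options] section, seq_timeout and tcpflags values are the stock Debian defaults; %IP% is knockd's placeholder for the knocking client's address.

```ini
[options]
	UseSyslog

# Opening sequence: the three ports must be hit in this order
# within seq_timeout seconds, each with a plain TCP SYN.
[openSSH]
	sequence    = 10001,10002,10003
	seq_timeout = 5
	# -I inserts the ACCEPT rule at the top of INPUT, ahead of the
	# REJECT rule for port 22, so it is evaluated first.
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn

# Closing sequence: the same ports in reverse order.
[closeSSH]
	sequence    = 10003,10002,10001
	seq_timeout = 5
	# -D must repeat the rule specification from openSSH exactly
	# (same -s, -p, --dport and -j); otherwise the ACCEPT rule stays
	# in the chain and the port remains open for that IP.
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
```

Each section is keyed on the client's source IP, so a successful knock opens port 22 only for the address that sent the sequence.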
Save and close the file, then start the knockd daemon:
sudo /etc/init.d/knockd start
or
sudo service knockd start
Note that knockd listens on the eth0 interface by default. Your server’s network interface might not be eth0. In that case, you will see the following error when starting the knockd daemon.
[FAIL] Starting Port-knock daemon: knockd failed (could not open eth0: eth0: No such device exists (SIOCGIFHWADDR: No such device)).
You need to change the interface knockd listens on. Open /etc/default/knockd and find this line
Remove # and change eth1 to your server’s network interface. If your server is using OpenVZ virtualization, the interface name is venet0:0
Setup Firewall Rule Using iptables
First, make sure your established SSH connection stays up and won’t be killed by the firewall rules, by running the command:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Now reject all incoming connections to port 22 using iptables:
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT
The above command appends a rule to the INPUT chain telling the Linux kernel firewall to reject all TCP connections to port 22. To list the kernel firewall rules, use the -L option.
sudo iptables -L
Now if you scan your server with nmap, you will see that port 22 is filtered.
SSH connection attempts will also be rejected.
Use iptables-save to save the firewall rules to a file.
sudo iptables-save > firewall.rule
To restore the firewall rules, use iptables-restore.
sudo iptables-restore < firewall.rule
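To make the rule-ordering point concrete, here is a constructed example (not output from the original post) of what sudo iptables-save prints while a workstation at the hypothetical address 192.168.1.50 has an open knock session. iptables-save always writes rules as -A in chain order, so the position of each line is what matters.

```conf
# Constructed iptables-save output; 192.168.1.50 is a hypothetical client.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Added by knockd with -I, so it sits at the top of INPUT and wins
#    for this client. Had knockd used -A, it would land below the
#    REJECT rule and never match.
-A INPUT -s 192.168.1.50/32 -p tcp -m tcp --dport 22 -j ACCEPT
# 2. Keeps sessions that are already established alive.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 3. Every other new connection to port 22 is rejected.
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

After the closing knock, rule 1 disappears and the chain returns to the two rules you saved by hand.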
The knockd daemon can die for reasons you cannot control. To avoid locking yourself out, I advise that your server does not restore this firewall rule automatically on boot; always restore it manually. When knockd dies, you can reboot your machine from your hosting provider’s control panel and access your server again.
Use Knock Client to Send Knock Sequence
The knockd package is bundled with a knock client called knock, so on your Debian or Ubuntu workstation you can install it by running:
sudo apt-get install knockd
Then send the opening knock sequence to your server (192.168.1.104 in this example). The -v option prints each knock as it is sent:
knock -v 192.168.1.104 10001 10002 10003
hitting tcp 192.168.1.104:10001
hitting tcp 192.168.1.104:10002
hitting tcp 192.168.1.104:10003
A knock attempt can fail if there is high latency between your workstation and your server, so you may need to knock three or more times before the server acknowledges the whole knock sequence.
Once the knock attempt succeeds, you can ssh into your server. If you scan your server with nmap again, you will find that the SSH port is open for your IP.
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
After you’ve done all your work, you can use the closing knock sequence to close the SSH port for your IP.
knock -v 192.168.1.104 10003 10002 10001
Port knocking should not be your only protection for the SSH service. Combining it with other forms of protection, such as SSH key-based (passwordless) login, is highly recommended.
Do not automatically restore the above firewall rule on system boot. If the knockd daemon dies, you can reboot your server from the control panel provided by your hosting provider. Sometimes the control panel has a button called “console access” that lets you log in directly; this is different from an SSH login.