How to obscure open ports with knockd
Learn how to obfuscate SSH login with port knocking.
Say you have Linux servers in your company and you need access to them from either the LAN or WAN, but you’re leery of leaving the SSH ports open. What do you do? One way to secure those ports is to obscure them with a tool called knockd. Knockd works with port knocking, a method of dynamically opening network ports by first connecting to a predefined sequence of other ports. With knockd, you define a knocking sequence that, when used, will allow the SSH connection through. It’s like adding a secret knock that must be used before SSH will let you in.
I want to walk you through the installation and usage of knockd. I’ll be demonstrating on Ubuntu Server 19.10, but the process should work fine on any Debian or Ubuntu-based server.
What you’ll need
The only things you’ll need to make this work are:
- A running instance of Ubuntu Server
- A Linux client to connect to the server
- A user with sudo privileges
How to install
There are two pieces of software that must be installed, both of which can be found in the standard repositories. To install these packages, open a terminal window on the server and issue the command:
sudo apt-get install knockd iptables-persistent
That’s it for the installation on the server.
How to configure knockd
Let’s first back up the original knockd configuration file with the command:
sudo mv /etc/knockd.conf /etc/knockd.conf.bak
Now, create a new file with the command:
sudo nano /etc/knockd.conf
In that file, paste the following:
[options]
UseSyslog
Interface = IFACE

[SSH]
sequence = 1100,2200,3300
seq_timeout = 15
tcpflags = syn
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 20
Where IFACE is the name of your network interface on the server.
You can also change the knock sequence to whatever you like. The sequence must be completed within seq_timeout seconds (15 here), after which knockd runs start_command to insert an ACCEPT rule for the knocking address (%IP%) only; cmd_timeout seconds later (20 here) it runs stop_command to remove that rule again, so you have a 20-second window in which to open your SSH session. Save and close the file.
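To make the matching rules in that configuration concrete, here is a small simulation of how knockd tracks a knock sequence per source address. It is an added example written for this article, not knockd's own code: it mirrors the [SSH] door above (sequence 1100,2200,3300, seq_timeout 15, cmd_timeout 20), treats an out-of-order hit on a sequence port as discarding the attempt (a simplification of knockd's handling), and runs over constructed sample packets (timestamp, source IP, destination port) rather than live traffic.

```python
# Added example: a simplified model of how knockd tracks a knock sequence.
# Not knockd's own code; it mirrors the [SSH] door from the article
# (sequence 1100,2200,3300, seq_timeout 15, cmd_timeout 20). The packet
# events at the bottom are constructed sample input.
from dataclasses import dataclass


@dataclass
class Door:
    name: str
    sequence: tuple      # ports that must be hit, in this order
    seq_timeout: float   # seconds allowed from first knock to last
    cmd_timeout: float   # seconds until stop_command undoes start_command


@dataclass
class Attempt:
    started: float       # timestamp of the first (correct) knock
    stage: int = 1       # how many ports of the sequence matched so far


class KnockMatcher:
    """Tracks in-progress sequences per source IP, the way knockd does."""

    def __init__(self, door):
        self.door = door
        self.attempts = {}   # source IP -> Attempt
        self.log = []        # (timestamp, source IP, action) tuples

    def packet(self, ts, src, dport):
        """Feed one inbound TCP SYN (timestamp, source IP, destination port)."""
        door = self.door
        attempt = self.attempts.get(src)

        # The whole sequence must complete within seq_timeout of the first knock.
        if attempt is not None and ts - attempt.started > door.seq_timeout:
            self.log.append((ts, src, "timeout"))
            del self.attempts[src]
            attempt = None

        if attempt is None:
            # No sequence in progress: only the first port of the door starts one.
            if dport == door.sequence[0]:
                self.attempts[src] = Attempt(started=ts)
                self.log.append((ts, src, "stage 1"))
                self._maybe_open(ts, src)
            return

        if dport == door.sequence[attempt.stage]:
            attempt.stage += 1
            self.log.append((ts, src, f"stage {attempt.stage}"))
            self._maybe_open(ts, src)
        elif dport in door.sequence:
            # Simplification (assumption): hitting a sequence port out of order
            # discards the attempt, so the source must start over.
            self.log.append((ts, src, "reset"))
            del self.attempts[src]
        # Traffic to ports outside the sequence is ignored entirely.

    def _maybe_open(self, ts, src):
        attempt = self.attempts[src]
        if attempt.stage == len(self.door.sequence):
            self.log.append((ts, src, "start_command"))
            # The ACCEPT rule is removed cmd_timeout seconds later; an SSH
            # session opened inside that window survives via ESTABLISHED,RELATED.
            self.log.append((ts + self.door.cmd_timeout, src, "stop_command"))
            del self.attempts[src]


SSH_DOOR = Door("SSH", (1100, 2200, 3300), seq_timeout=15, cmd_timeout=20)

# Constructed sample input: (timestamp, source IP, destination port).
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", 1100), (1.0, "10.0.0.5", 2200), (2.0, "10.0.0.5", 3300),    # correct
    (5.0, "10.0.0.9", 1100), (6.0, "10.0.0.9", 3300),                              # wrong order
    (10.0, "10.0.0.7", 1100), (30.0, "10.0.0.7", 2200), (31.0, "10.0.0.7", 3300),  # too slow
    (40.0, "10.0.0.3", 2200), (41.0, "10.0.0.3", 3300),                            # never hits port 1
]


def run(door, packets):
    """Replay a list of packet events through a matcher and return it."""
    matcher = KnockMatcher(door)
    for ts, src, dport in packets:
        matcher.packet(ts, src, dport)
    return matcher


def opened_for(matcher):
    """Source IPs for which start_command fired, in order."""
    return [src for _, src, action in matcher.log if action == "start_command"]


if __name__ == "__main__":
    for entry in sorted(run(SSH_DOOR, SAMPLE_PACKETS).log):
        print(entry)
```

Running it shows only 10.0.0.5 getting a start_command (and a scheduled stop_command 20 seconds later); the out-of-order source is reset, the slow source times out at its second knock, and the source that never hits port 1100 produces no log entry at all. This is also why a port scan that walks ports upward does not trip the door: knockd only advances on the exact next port, and only within the seq_timeout window.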
Next we need to enable knockd. Issue the command:
sudo nano /etc/default/knockd
In that file, change:
Save and close the file.
Create a new systemd file with the command:
sudo nano /etc/systemd/system/knockd.service
In that file, paste the following:
[Unit]
Description=Port-Knock Daemon
After=network.target
Requires=network.target
Documentation=man:knockd(1)

[Service]
EnvironmentFile=-/etc/default/knockd
ExecStartPre=/usr/bin/sleep 1
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=0 2 15
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

[Install]
WantedBy=multi-user.target
Save and close the file.
Enable and start the new service with the following commands:
sudo systemctl daemon-reload
sudo systemctl enable --now knockd
How to modify the firewall
Next we must modify the firewall to drop incoming connections to SSH port 22. The first two rules accept packets belonging to already-established connections: they keep your current SSH session alive while you add the DROP rules, and they are also what lets a session opened during the knock window keep working after knockd’s stop_command removes the per-address ACCEPT rule. To do that, issue the following commands:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --destination-port 22 -j DROP
sudo ip6tables -A INPUT -p tcp --destination-port 22 -j DROP
Make those rules persistent between reboots with the following commands:
sudo -s
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
exit
How to test knockd
In order to SSH into the knockd-enabled server, any remote client must have the knock client installed as well; it ships in the same knockd package. Log in to the second Linux machine and issue the command:
sudo apt-get install knockd -y
After the installation, first attempt to SSH into the server with the command:
ssh USER@SERVER_IP
Where USER is your username on the server and SERVER_IP is the IP address of the knockd-enabled server. You should not be able to log in: because the firewall drops rather than rejects the packets, the connection attempt will hang until it times out.
Now, invoke the knock sequence you configured in knockd.conf with the command:
knock SERVER_IP 1100 2200 3300
Where SERVER_IP is the IP address of the knockd server and the knock sequence matches the one you configured.
The command should return no output.
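To show what that knock command actually does on the wire, here is a minimal port-knock client written for this article. It is an added example, not the knock program from the knockd package: each knock is simply a TCP connection attempt to the next port in the sequence, and since those ports are closed on the server the attempt fails, but the SYN it sent is what knockd (tcpflags = syn) is watching for. The SERVER_IP placeholder and the 1100, 2200, 3300 sequence are the article’s own values.

```python
# Added example: a minimal port-knock client, not the knock(1) program that
# ships with the knockd package. One TCP connect attempt (one SYN) per port,
# in order; no connection is expected to succeed.
import socket
import sys
import time


def knock(host, ports, delay=0.1, timeout=0.5):
    """Send one connection attempt per port, in sequence.

    Returns the connect_ex() result for each port: 0 would mean something was
    actually listening, while ECONNREFUSED (closed port) or EWOULDBLOCK (our
    timeout expired on a dropped port) is the normal outcome of a knock.
    """
    results = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)       # do not hang on a port the firewall drops
            results.append(s.connect_ex((host, port)))
        time.sleep(delay)               # keep the knocks ordered on the wire
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: knock.py SERVER_IP")
    # Equivalent to: knock SERVER_IP 1100 2200 3300
    print(knock(sys.argv[1], (1100, 2200, 3300)))
```

Like the knock command, this produces nothing useful as output: every entry in the returned list is an error code, which is exactly what a successful knock looks like. The short per-port timeout matters, because a knock port behind a DROP rule would otherwise stall the client for the full TCP connect timeout before the next port is tried, and the sequence could then overrun seq_timeout.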
If you run the SSH command now, you should be given access.
And that’s all there is to obscuring ports with the help of knockd.