If you want to allow users to reach specific services on your server without opening a port in the firewall, you can use port knocking. Port knocking is a method of hiding a service from unauthorized users: the firewall keeps the port closed and opens it only for a client that first sends a correct sequence of connection attempts to a set of closed ports.
In this post, we will secure the OpenSSH port 22 with port knocking. The port will only be opened for a client that first requests ports 7000, 8000, 9000 in sequence.
- An Ubuntu 20.04 server on the Atlantic.Net Cloud Platform
- A root password configured on your server
Step 1 – Create Atlantic.Net Cloud Server
First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Ubuntu 20.04 as the operating system with at least 2 GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.
Once you are logged in to your Ubuntu 20.04 server, run the following command to update your base system with the latest available packages.
apt-get update -y
Step 2 – Install and Configure Knockd
By default, the knockd package is included in the Ubuntu 20.04 default repository. You can install it using the following command:
apt-get install knockd -y
Once the package is installed, edit the knockd default configuration file:
Find the default sequence shown below:
sequence = 7000,8000,9000
sequence = 9000,8000,7000
And replace them with the following sequence:
sequence = 7777,8888,9999
sequence = 9999,8888,7777
Also, find the following line:
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
And replace it with the following line:
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Save and close the file when you are finished.
In the above configuration file, the sequence 7777, 8888, 9999 is used to open port 22 for a client system, and the sequence 9999, 8888, 7777 is used to close port 22 for that client. The change from -A to -I matters: in Step 3 you will add a rule that rejects all new connections to port 22, and a rule appended with -A would land below that REJECT rule and never be reached, while -I inserts the per-client ACCEPT rule at the top of the INPUT chain, ahead of the REJECT.
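As an added check (example code written for this post, not part of knockd or the original guide), the script below parses a constructed knockd.conf in the format shown above and flags the mistakes the edits are meant to prevent: an open command that appends with -A instead of inserting with -I, a close sequence that is not the reverse of the open one, a missing %IP% restriction, and a missing seq_timeout. The closeSSH command with -D is an assumption taken from knockd's stock example file, since this post only shows the openSSH command.

```python
import re

# Constructed sample of /etc/knockd.conf as edited in this post (assumption: the
# closeSSH command deletes the rule with -D, as in knockd's stock example file).
SAMPLE_KNOCKD_CONF = """
[openSSH]
    sequence    = 7777,8888,9999
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence    = 9999,8888,7777
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""
# The stock "-A" left in place, which this post tells you to change to "-I".
WEAK_KNOCKD_CONF = SAMPLE_KNOCKD_CONF.replace("-I INPUT", "-A INPUT")

def parse_knockd_conf(text):
    """Parse knockd.conf into {section: {key: value}}; bare flags map to None."""
    sections, current = {}, {}  # keys before the first [section] are discarded
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        current[key.lower()] = value or None
    return sections

def audit_knockd(text):
    """Return findings for the openSSH/closeSSH pair; an empty list means it looks sound."""
    conf = parse_knockd_conf(text)
    opn, cls, findings = conf["openSSH"], conf["closeSSH"], []
    open_seq = opn["sequence"].split(",")
    if cls["sequence"].split(",") != open_seq[::-1]:
        findings.append("close sequence is not the reverse of the open sequence")
    if " -A " in opn["command"]:  # the change this post makes in Step 2
        findings.append("open command uses -A: ACCEPT lands below the REJECT rule and never matches; use -I")
    if "%IP%" not in opn["command"]:
        findings.append("open command does not limit ACCEPT to the knocking client (%IP%)")
    if " -D " not in cls["command"]:
        findings.append("close command does not delete the ACCEPT rule (-D)")
    for name, sec in (("openSSH", opn), ("closeSSH", cls)):
        if "seq_timeout" not in sec:
            findings.append(f"{name}: no seq_timeout, so a partial knock never expires")
    return findings
```

Run it against your own file with audit_knockd(open("/etc/knockd.conf").read()) after editing; an empty list means the open and close stanzas agree with the configuration this post describes.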
Next, edit the /etc/default/knockd configuration file:
Change the following lines:
# Start the Knockd service
# Name of your network interface
Save and close the file when you are finished, then restart the Knockd service and enable it to start at system reboot:
systemctl restart knockd
systemctl enable knockd
Next, verify the status of Knockd service with the following command:
systemctl status knockd
● knockd.service - Port-Knock Daemon
Loaded: loaded (/lib/systemd/system/knockd.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2021-08-15 13:26:31 UTC; 5s ago
Main PID: 6555 (knockd)
Tasks: 1 (limit: 2353)
└─6555 /usr/sbin/knockd -i eth0
Aug 15 13:26:31 ubuntu2004 systemd: Started Port-Knock Daemon.
Aug 15 13:26:31 ubuntu2004 knockd: starting up, listening on eth0
Step 3 – Install and Configure Iptables
Knockd uses iptables rules to open and close the SSH port, so you will need to install the Iptables package on your server.
Run the following command to install the Iptables package:
apt-get install iptables iptables-persistent -y
Once the package is installed, create Iptables rules that keep already-established connections working (including your current SSH session) and reject new connections to SSH port 22 from all users:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT
Next, save the Iptables rule and reload it with the following command:
At this point, port knocking is configured for OpenSSH in your server.
Step 4 – Check OpenSSH Connection from Client System
Next, go to the client system and check whether the OpenSSH port 22 is blocked or not.
You can check it using the NMAP command:
You should see that port 22 is filtered on the server.
Nmap scan report for your-server-ip
Host is up (0.38s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 277.58 seconds
Now, try to connect to your server using SSH from the client machine:
ssh root@your-server-ip
You should see the connection refused message:
ssh: connect to host your-server-ip port 22: Connection refused
Step 5 – Configure Knockd on Client to Connect SSH Server
Now you will need to install the knock client on the client system to connect to the SSH server.
First, run the following command to install the Knockd client package:
apt-get install knockd -y
Now use the following knock sequence to open the SSH port 22 on the server.
knock -v your-server-ip 7777 8888 9999
When your server receives the correct sequence that you defined in the Knockd configuration file, it will open SSH port 22 for your client machine's IP address only, and you will be able to connect to the SSH server:
ssh root@your-server-ip
After completing your task on the remote SSH server, you can use the following sequence from the client machine to close the SSH port again.
knock -v your-server-ip 9999 8888 7777
In the above guide, you learned how to secure an SSH server with port knocking. You can use the same method to secure other ports on a Linux server. Try it on VPS hosting from Atlantic.Net!