Last updated at Thu, 29 Aug 2024 15:14:20 GMT
Synopsis
Port knocking is a method of hiding a network service from unauthorised users. The firewall keeps the service's port closed, and a client earns access by making connection attempts to a prespecified sequence of closed ports. Once the knock daemon sees the correct sequence, it opens the protected port, normally only for the client's own source address. The main purpose of port knocking is to keep a service out of the results of port scanners. Changing the default SSH port on its own does not protect a server, because attackers routinely run a port scanner to find open ports before attacking, and a moved port shows up in that scan just as well as port 22 does; a knocked port does not show up at all. Port knocking is an access-restriction layer, not an authentication mechanism: a plain knock sequence travels in clear text and can be replayed by anyone able to observe the traffic, so keep key-based authentication and the usual SSH hardening in place behind it.
For example, if you set up port knocking for port 22, that port is only opened after you send connection attempts to ports 10001, 10002 and 10003, in that order. When you complete the sequence correctly, the firewall opens port 22 for you.
In this tutorial, we will install knockd and set up port knocking for SSH on an Ubuntu 16.04 server.
System Requirements
- A server running Ubuntu 16.04 with ssh installed.
- A root password is set up on your server.
Getting Started
Before starting, update the package index and upgrade the installed packages with the following commands:
apt-get update -y
apt-get upgrade -y
Once the upgrade has finished, restart your system to apply all the changes.
Install and Configure Iptables
UFW is installed (but not enabled) by default on Ubuntu 16.04 server. UFW is a front end that manages iptables rules itself, so disable it before adding your own iptables rules; otherwise the two rule sets interfere with each other. You can disable UFW with the following command:
ufw disable
Next, install iptables together with iptables-persistent, which saves the rules so that they survive a reboot:
apt-get install iptables iptables-persistent
Once iptables is installed, allow packets that belong to established or related connections through the firewall. This rule keeps existing sessions alive, including the SSH session you are running these commands from, and must come before the rule that blocks port 22:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Next, block incoming connections to SSH port 22. REJECT answers each attempt with an ICMP port-unreachable message, which nmap reports as "filtered", so a scanner can still tell that port 22 is treated differently from the ordinary closed ports in the scan output below; if you want port 22 to be indistinguishable from a closed port, add --reject-with tcp-reset to the rule so that it answers with a TCP RST instead:
iptables -A INPUT -p tcp --dport 22 -j REJECT
Next, save the firewall rules with the following command:
netfilter-persistent save
netfilter-persistent reload
Next, you can test whether the SSH port is blocked by running the following command from a remote system:
nmap 192.168.0.190
You should see that the SSH port is filtered:
Starting Nmap 6.40 ( http://nmap.org ) at 2017-09-25 9:01 IST
Nmap scan report for 192.168.0.190
Host is up (0.00037s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
443/tcp open http
3306/tcp open mysql
MAC Address: 08:00:27:7C:5B:40 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds
Note : 192.168.0.190 is the IP address of the Server.
Install and Configure Knockd
knockd is available in the default Ubuntu 16.04 repository, so you can install it with the following command:
apt-get install knockd -y
Once knockd is installed, enable the knockd service to start on boot by editing the /etc/default/knockd file:
nano /etc/default/knockd
Change the line from
START_KNOCKD=0
to
START_KNOCKD=1
Save and close the file when you are finished.
Next, configure knockd by editing the /etc/knockd.conf file:
nano /etc/knockd.conf
Change the default knock sequences in the [openSSH] and [closeSSH] sections as required:
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 10001,10002,10003
seq_timeout = 20
tcpflags = syn
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[closeSSH]
sequence = 10003,10002,10001
seq_timeout = 20
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Save the file when you are finished, then start the knockd service to apply these changes:
systemctl start knockd
Note:
- sequence = 10001,10002,10003 : knockd opens the SSH port when it sees connection attempts to these ports, in this order, from the client machine.
- seq_timeout = 20 : the number of seconds the client has to complete the sequence, counted from the first knock. If the sequence is not finished in time, knockd discards the attempt and the client has to start again from the first port.
- tcpflags = syn : only TCP packets with the SYN flag count as knocks, so any ordinary connection attempt (telnet, nmap or the knock client) works, and other traffic on those ports is ignored.
- command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT : run when the open sequence completes. %IP% is replaced by the knocking client's source address, and -I inserts the ACCEPT rule at the top of the INPUT chain so that it is matched before the REJECT rule added earlier. Only that client's address gets access; port 22 stays filtered for everyone else.
- sequence = 10003,10002,10001 : knockd closes the SSH port again when it sees this reverse sequence from the client machine.
- command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT : deletes that client's ACCEPT rule, closing port 22 for it. The rule added by the open sequence has no expiry of its own: if a client never sends the close sequence, its address keeps access until the rule is deleted by hand or the saved rules are reloaded.
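The open rule above stays in place until the client remembers to send the close sequence. knockd can instead open the port for a fixed window and close it again by itself, using a single stanza with the documented start_command, cmd_timeout and stop_command options. The following replacement for the [openSSH] and [closeSSH] sections is an added example, not the configuration from the original page; it keeps the same knock ports and log file, and adds --syn to the rules so that only new connections need the window, while sessions already established keep flowing through the conntrack rule added earlier:

```ini
[options]
        logfile = /var/log/knockd.log

[SSH]
        sequence      = 10001,10002,10003
        seq_timeout   = 20
        tcpflags      = syn
        start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
        cmd_timeout   = 15
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
```

With this configuration the client knocks and then has 15 seconds to start the SSH connection; after that knockd runs stop_command, the ACCEPT rule is deleted and port 22 goes back to filtered for that address, whether or not the client remembers to close it. The SSH session opened inside the window is unaffected, because its later packets are not SYN packets and match the ESTABLISHED,RELATED rule instead.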
Test Knockd from Client System
Your knockd server is now ready. It is time to test knocking from the client system. You can knock with Telnet, Nmap or the knock client that ships with the knockd package; any tool that sends a TCP SYN to each port in turn will do.
Here, we will use the Telnet client, so install Telnet on your client system with the following command:
apt-get install telnet -y
Next, run the following commands in this order, all within 20 seconds:
telnet 192.168.0.190 10001
telnet 192.168.0.190 10002
telnet 192.168.0.190 10003
Each telnet command fails straight away with "Connection refused", because the knock ports are closed; that is expected, since knockd captures the SYN packet with libpcap before the kernel answers it. Once the third knock has arrived, knockd opens the SSH port by adding a firewall rule for the client's address.
You can follow the knockd log (the logfile set in /etc/knockd.conf) by running the following command on the server:
tail -f /var/log/knockd.log
Output:
[2017-09-25 09:11] 192.168.0.191: openSSH: Stage 1
[2017-09-25 09:12] 192.168.0.191: openSSH: Stage 2
[2017-09-25 09:13] 192.168.0.191: openSSH: Stage 3
[2017-09-25 09:13] 192.168.0.191: openSSH: OPEN SESAME
[2017-09-25 09:13] openSSH: running command: /sbin/iptables -I INPUT -s 192.168.0.191 -p tcp --dport 22 -j ACCEPT
You can now connect to your server via SSH from the client system. You can also scan the server again with nmap by running the following command from the client system.
nmap 192.168.0.190
You should see that the SSH port is open for your IP (it remains filtered for every other address):
Starting Nmap 6.40 ( http://nmap.org ) at 2017-09-25 9:20 IST
Nmap scan report for 192.168.0.190
Host is up (0.00037s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open http
3306/tcp open mysql
MAC Address: 08:00:27:7C:5B:40 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds
When you have finished your work and want to close the SSH port for your IP, run the following commands in this order, within 20 seconds:
telnet 192.168.0.190 10003
telnet 192.168.0.190 10002
telnet 192.168.0.190 10001
Once all three commands have run, knockd closes the SSH port by deleting the firewall rule for the client system.
Note : 192.168.0.190 is the IP address of the server machine and 192.168.0.191 is the IP address of the client machine.
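To make the sequence matching concrete, here is an added example (not knockd's code and not from the original page) that models how knockd decides an open or close sequence is complete, and a small knock client that sends the same SYN packets as the telnet commands above. The server half keeps one attempt per door and source address, starts the seq_timeout clock at the first knock, ignores non-SYN packets (tcpflags = syn) and, as a modelling assumption, discards an attempt as soon as a wrong port arrives. The packet records are constructed for the example, with the page's addresses 192.168.0.190 and 192.168.0.191; the commands the model would run are returned rather than executed.

```python
"""Knock sequence matching and a knock client (added example, not knockd's code)."""
import socket
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Door:
    name: str
    sequence: Tuple[int, ...]   # knock ports, in order
    seq_timeout: float          # seconds allowed from the first knock to the last
    command: str                # run on completion; %IP% is replaced by the source address


# The two stanzas from /etc/knockd.conf above.
OPEN_SSH = Door("openSSH", (10001, 10002, 10003), 20,
                "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT")
CLOSE_SSH = Door("closeSSH", (10003, 10002, 10001), 20,
                 "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT")


class KnockMatcher:
    """Tracks one attempt per (door, source address): (stage reached, time of first knock)."""

    def __init__(self, doors: List[Door]) -> None:
        self.doors = doors
        self._attempts: Dict[Tuple[str, str], Tuple[int, float]] = {}
        self.commands: List[str] = []   # commands knockd would execute, in order

    def packet(self, ts: float, src_ip: str, dst_port: int, syn: bool = True) -> None:
        if not syn:
            return   # tcpflags = syn: only SYN packets count as knocks
        for door in self.doors:
            key = (door.name, src_ip)
            attempt = self._attempts.get(key)
            if attempt is not None and ts - attempt[1] > door.seq_timeout:
                del self._attempts[key]      # seq_timeout expired: the client must start over
                attempt = None
            if attempt is None:
                if dst_port == door.sequence[0]:
                    self._attempts[key] = (1, ts)   # first knock starts the clock
                continue
            stage, started = attempt
            if dst_port != door.sequence[stage]:
                del self._attempts[key]      # wrong port: attempt discarded (modelling assumption)
                continue
            stage += 1
            if stage == len(door.sequence):
                del self._attempts[key]      # OPEN SESAME: run the door's command for this source
                self.commands.append(door.command.replace("%IP%", src_ip))
            else:
                self._attempts[key] = (stage, started)


# Constructed packet records: (timestamp in seconds, source address, destination port).
CONSTRUCTED_PACKETS = [
    (100.0, "192.168.0.191", 10001),
    (101.0, "192.168.0.191", 10002),
    (102.0, "192.168.0.191", 10003),   # open sequence complete for .191
    (110.0, "192.168.0.55", 10001),
    (111.0, "192.168.0.55", 10003),    # wrong port: .55's open attempt is discarded
    (112.0, "192.168.0.55", 10002),
    (113.0, "192.168.0.55", 10003),    # no sequence completes for .55
    (200.0, "192.168.0.191", 10001),
    (201.0, "192.168.0.191", 10002),
    (230.0, "192.168.0.191", 10003),   # 30 s after the first knock: seq_timeout exceeded, no event
    (300.0, "192.168.0.191", 10003),
    (301.0, "192.168.0.191", 10002),
    (302.0, "192.168.0.191", 10001),   # close sequence complete for .191
]


def run_demo() -> List[str]:
    """Feed the constructed packets through both doors and return the commands produced."""
    matcher = KnockMatcher([OPEN_SSH, CLOSE_SSH])
    for ts, src, port in CONSTRUCTED_PACKETS:
        matcher.packet(ts, src, port)
    return matcher.commands


def knock(host: str, ports: Tuple[int, ...], delay: float = 0.2, timeout: float = 1.0) -> List[int]:
    """Client side: one TCP connect() per port, in order. The SYN is all knockd needs,
    so the expected 'connection refused' (or a timeout on a dropped port) is ignored."""
    sent: List[int] = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass                     # port unexpectedly open; the SYN was still sent
        except OSError:
            pass                         # refused or timed out: the knock was still delivered
        sent.append(port)
        time.sleep(delay)                # keep the knocks in order on the wire
    return sent


if __name__ == "__main__":
    for cmd in run_demo():
        print(cmd)
    # Real use against the page's server: knock("192.168.0.190", OPEN_SSH.sequence), then ssh.
```

The demo yields exactly two commands, the open rule and the close rule for 192.168.0.191; the stray knocks from 192.168.0.55 and the sequence that overran seq_timeout produce nothing. Note that the final 10003 knock of an open sequence is also the first port of the close sequence, so knockd starts a closeSSH attempt at the same moment; it simply expires after 20 seconds unless the client continues with 10002 and 10001.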
Conclusion
Congratulations! You have successfully tested knockd on Ubuntu 16.04. You can now open SSH access to the server from any location or system by sending the knock sequence first, while port 22 stays hidden from port scans for everyone else.