How to secure SSH logins with port knocking – TechRepublic

Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below.
We recently updated our Terms and Conditions for TechRepublic Premium. By clicking continue, you agree to these updated terms.
Invalid email/username and password combination supplied.
An email has been sent to you with instructions on how to reset your password.
By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy.
You will also receive a complimentary subscription to TechRepublic’s News and Special Offers newsletter and the Top Story of the Day newsletter. You may unsubscribe from these newsletters at any time.
Username must be unique. Password must be a minimum of 6 characters and have any 3 of the 4 items: a number (0 through 9), a special character (such as !, $, #, %), an uppercase character (A through Z) or a lowercase (a through z) character (no spaces).
How to secure SSH logins with port knocking
Your email has been sent
Knock, knock … who’s there? SSH. SSH who? You need to lock down your servers so that only you have access via SSH. One way to help that is with knockd. Jack Wallen shows you how.
Secure Shell is the de-facto standard for logging into remote Linux servers. It’s served many an administrator well over the years. But just because it has the word “secure” in its title, doesn’t mean that it always lives up to that name. In fact, there are always things you can do to make SSH more secure.
SEE: Checklist: Server inventory (TechRepublic Premium)
One such way is with the help of port knocking. Now, before we get into this I want to make it clear that anyone using SSH should always do two things:
Both of the above should be considered standard best practices for using Secure Shell. With that said, I want to introduce you to a tool that’s been around for some time. The idea is to create two knocking sequences on your server, one to open the SSH port and one to close it. Until you send the opening knock sequence, SSH access is closed off. Once you send the opening sequence, you can SSH into that machine. When you’re done working, send the close sequence and SSH is locked back down.
It’s not perfect, but in conjunction with SSH key authentication, SSH will be considerably more secure on your servers. 
Let me show you how to install and use knockd for port knocking on SSH.
I’ll be demonstrating on Ubuntu Server 20.04, so you’ll need a running instance of that OS and a user with sudo privileges. You’ll also need a user with sudo privileges on a client machine as well. For the client, I’ll demonstrate on Pop!_OS.
The first thing we’ll do is install knockd on our server and client. Log in to the server and issue the command:
sudo apt-get install knockd -y
Head over to your client and issue the same command.
Once you’ve knockd installed, you need to take care of some configurations.
The first thing we need to do is configure the knockd service. Open the knockd configuration file with:
sudo nano /etc/knockd.conf
In that file change the open sequence from the default 7000,8000,9000 to whatever port sequence you want to use. You can configure up to seven ports for this. The line to configure is under [openSSH] and is:
sequence = 7000,8000,9000
Change the port numbers to a sequence you can remember.
Next, change the close sequence in the same way (using different port numbers). That line is under [closeSSH] and is:
sequence = 9000,8000,7000
Next, you need to change the -A to -I in the [openSSH] command line, so it will be the first rule in the iptables chain.
Save and close the file.
Next, we need to find the name of the network interface used for SSH traffic. Issue the command:
ip a
Locate the IP address you use and then locate a sequence that looks like this:
2: ens5:
In my case, the name of the interface is ens5.
Open the knockd daemon file with:
sudo nano /etc/default/knockd
In that file, enable the daemon to start at boot by changing 0 to 1 in the line:
Next, change eth0 to the name of your network interface (and remove the leading # character) in the line:
#KNOCKD_OPTS="-i eth0"
So this line (in my case) would look like this:
KNOCKD_OPTS="-i ens5"
Save and close the file.
Start and enable knockd with the command:
sudo systemctl start knockd
sudo systemctl enable knockd

Next, we need to close port 22, so traffic can’t bypass the knockd system. Issue the command:
sudo ufw status numbered
If you have rules that allow SSH traffic, they will be numbered and need to be deleted as such. Say, for example, your SSH rules are 1 and 2; delete them with:
sudo ufw delete 2
sudo ufw delete 1

Move over to your client machine. What we’ll first do is send the open knock sequence, so SSH traffic is allowed through. If your knock sequence is 7001,8001,9001, you’d issue the command:
knock -v SERVER 7001 8001 9001
Where SERVER is the IP address of the remote server.
You should see output like:
hitting tcp
hitting tcp
hitting tcp

After the knock sequence, you should then be able to SSH into that server. When you’re done with the remote work, you’ll exit from the server and then send the closing knock sequence like so:
knock -v SERVER 9001 8001 7001
After the closing knock sequence, you should no longer be able to access that remote server via SSH (until you send the opening knock sequence again). 
And that’s all there is to using knockd to better secure SSH access on your remote Linux servers. Just remember to install knockd on any client machine that needs SSH access to those servers.
How to secure SSH logins with port knocking
Your email has been sent
Your message has been sent
Google Tasks has never had a solid interface … until now. Jack Wallen shows you how to turn Tasks into a kanban board-like workflow with the help of TasksBoard.
Don’t pack your bags and move to Bozeman yet. This micro-scale warp bubble won’t be capable of propulsion, but it could have myriad other applications, says its discoverer Dr. Sonny White.
Based on job demand, Python is the top language, followed by Java, JavaScript, C++, C# and C, says CodingNomads.
If you’re not certain whether your Java project is free from Log4j vulnerabilities, you should try this easy-to-use scanning tool immediately.
If you missed in-person tech events in 2020 and 2021, here’s some good news: It’s looking promising that in 2022 many conferences will get back to (almost) normal.
The comprehensive bundle covers a range of subjects, including app development, game development, machine learning, computer vision, deep learning, NFTs, Java and website building.
Storage has always been a key aspect of data management in the enterprise. Now, in the era of big data, understanding storage options and technologies has taken on an even greater significance. This glossary offers essential terms that will help you tune up your storage vocabulary. From the glossary: Cloud storage Cold storage is the …
Electronic data is likely to be more prevalent in today’s organizations than physical printed data. Reams worth of documents can now be stored on computer hard drives, handheld devices and storage cards smaller than a fingernail. The bulk of many strategic operations depend on this digital information and the safe handling thereof. Data often has …
The concept of a metaverse, or a computer-generated universe, has been around for decades, certainly longer than when it was recently commandeered by Mark Zuckerberg in his attempt to rebrand Facebook as a new company called Meta. Massively multiplayer games, which can be classified as early metaverses, have been widely available to the gaming public …
The OneDrive Cloud Usage Policy from TechRepublic Premium defines the practices and behaviors organization representatives must follow when using any Microsoft OneDrive Cloud file storage account to execute organization services, process organization data, or access or store organization information. Whether organization representatives access Microsoft OneDrive file storage capabilities using an organization-provided, organization-reimbursed or personal OneDrive …


Leave a Reply

Your email address will not be published. Required fields are marked *