How to obscure open ports with knockd

Learn how to obfuscate SSH login with port knocking.

Say you have Linux servers in your company and you need access to them from either the LAN or WAN, but you're leery of leaving the SSH ports open. What do you do? One way to secure those ports is to obscure them with a tool called knockd. Knockd works with port knocking, which is a method of dynamically opening network ports by connecting to a predefined sequence of closed ports. With knockd, you define a knocking sequence that, when used, will allow the SSH connection through. It's like adding a secret knock that must be used before SSH will allow you in.

I want to walk you through the installation and usage of knockd. I'll be demonstrating on Ubuntu Server 19.10, but the process should work fine on any Debian or Ubuntu-based server.


What you'll need 

The only things you'll need to make this work are:

  • A running instance of Ubuntu Server
  • A Linux client to connect to the server
  • A user with sudo privileges

How to install

There are two pieces of software that must be installed, both of which can be found in the standard repositories. To install these packages, open a terminal window on the server and issue the command:

sudo apt-get install knockd iptables-persistent

That's it for the installation on the server.

How to configure knockd

Let's first backup the original knockd configuration file with the command:

sudo mv /etc/knockd.conf /etc/knockd.conf.bak

Now, create a new file with the command:

sudo nano /etc/knockd.conf

In that file paste the following:

[options]
    UseSyslog
    Interface = IFACE
[SSH]
    sequence = 1100,2200,3300
    seq_timeout = 15
    tcpflags = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout = 20

Where IFACE is the name of your network interface on the server.

You can also change the knock sequence to whatever you like. Save and close the file.
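Before copying a configuration like the one above onto a server, it is worth checking it mechanically: that the interface placeholder was filled in, that the sequence does not knock on port 22 itself, that the timeouts are sane, and that stop_command really is the mirror image of start_command (otherwise the ACCEPT rule inserted for %IP% is never removed). The script below is an added example, not code from the article or from the knockd project; it parses the INI-style knockd.conf shown above, reports findings, and prints the matching knock client invocation. The sample configuration, the checks and their messages are this example's own.

```python
"""Parse a knockd.conf door and sanity-check it before it goes live.

This is an added example, not code from the article or from the knockd
project. It assumes the [options]/[SSH] layout used above; the checks,
their messages and the sample configuration are this example's own.
"""
import configparser
import shlex
from typing import List, Tuple

# Constructed sample: the article's configuration with IFACE filled in.
SAMPLE_CONF = """\
[options]
    UseSyslog
    Interface = eth0
[SSH]
    sequence = 1100,2200,3300
    seq_timeout = 15
    tcpflags = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout = 20
"""

PROTECTED_PORT = 22  # the port this door guards


def parse_conf(text: str) -> configparser.ConfigParser:
    """knockd.conf is INI-like; UseSyslog has no value and %IP% is literal."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp


def parse_sequence(raw: str) -> List[Tuple[int, str]]:
    """'1100,2200,3300:udp' -> [(1100, 'tcp'), (2200, 'tcp'), (3300, 'udp')]."""
    seq = []
    for item in raw.split(","):
        port, _, proto = item.strip().partition(":")
        seq.append((int(port), (proto or "tcp").lower()))
    return seq


def check_door(cp: configparser.ConfigParser, door: str) -> List[str]:
    """Return a list of findings; an empty list means the door looks sane."""
    problems = []
    iface = cp["options"].get("interface") if cp.has_section("options") else None
    if not iface or iface == "IFACE":
        problems.append("Interface is unset or still the IFACE placeholder")

    sec = cp[door]
    try:
        seq = parse_sequence(sec.get("sequence", ""))
    except ValueError:
        problems.append("sequence contains a non-numeric port")
        seq = []
    if len(seq) < 3:
        problems.append("sequence has fewer than 3 knocks")
    for port, proto in seq:
        if not 1 <= port <= 65535 or proto not in ("tcp", "udp"):
            problems.append(f"bad sequence entry {port}:{proto}")
        if port == PROTECTED_PORT:
            problems.append(f"sequence knocks on port {PROTECTED_PORT}, the port it guards")

    for key in ("seq_timeout", "cmd_timeout"):
        val = sec.get(key, "")
        if not val.isdigit() or int(val) <= 0:
            problems.append(f"{key} is missing or not a positive integer")

    start = shlex.split(sec.get("start_command", ""))
    stop = shlex.split(sec.get("stop_command", ""))
    if not start or not stop:
        problems.append("start_command and stop_command must both be set")
    else:
        if "%IP%" not in start:
            problems.append("start_command does not use %IP%; the hole would be open to every source")
        # The stop rule must be the start rule with -I/-A swapped for -D,
        # otherwise the ACCEPT rule is never removed when cmd_timeout fires.
        mirrored = ["-D" if tok in ("-I", "-A") else tok for tok in start]
        if mirrored != stop:
            problems.append("stop_command does not mirror start_command")
    return problems


def knock_command(cp: configparser.ConfigParser, door: str, host: str) -> str:
    """The knock client invocation that matches this door's sequence."""
    parts = ["knock", host]
    for port, proto in parse_sequence(cp[door]["sequence"]):
        parts.append(str(port) if proto == "tcp" else f"{port}:{proto}")
    return " ".join(parts)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for finding in check_door(conf, "SSH") or ["no findings"]:
        print(finding)
    print(knock_command(conf, "SSH", "SERVER_IP"))
```

Run it against the real file with `parse_conf(open("/etc/knockd.conf").read())`; the door name is whatever section header you used ("SSH" here). The mirror check is deliberately strict: a stop_command that names a different chain or drops the `-s %IP%` match would leave the hole open after the timeout, which is exactly the failure you want to catch before the first knock.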

Next we need to enable knockd. Issue the command:

sudo nano /etc/default/knockd

In that file, change:

START_KNOCKD=0

To:

START_KNOCKD=1

Save and close the file. 

Create a new systemd file with the command:

sudo nano /etc/systemd/system/knockd.service

In that file, paste the following:

[Unit]
Description=Port-Knock Daemon
After=network.target
Requires=network.target
Documentation=man:knockd(1)
[Service]
EnvironmentFile=-/etc/default/knockd
ExecStartPre=/usr/bin/sleep 1
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=0 2 15
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
[Install]
WantedBy=multi-user.target

Save and close the file.

Enable and start the new service with the following commands:

sudo systemctl daemon-reload
sudo systemctl enable --now knockd

How to modify the firewall

Next we must modify the firewall to deny access to SSH port 22. To do that, issue the following commands:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --destination-port 22 -j DROP
sudo ip6tables -A INPUT -p tcp --destination-port 22 -j DROP

Make those rules persistent between reboots with the following commands:

sudo -s
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
exit
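The order of those two rules is what makes the whole scheme work: the ESTABLISHED,RELATED rule sits above the DROP, knockd's start_command inserts its per-source ACCEPT above both with `-I`, and when cmd_timeout fires the stop_command removes only that inserted rule. The simulation below is an added example, not from the article, iptables or knockd. It models netfilter's first-match evaluation of the INPUT chain in plain Python (it never calls iptables), assumes the stock ACCEPT policy on INPUT, and uses constructed client addresses; the Packet, Rule and Chain types are this example's own. It walks through knock, connect and timeout, and also shows what happens if the DROP rule were placed above the ESTABLISHED rule.

```python
"""First-match model of the INPUT chain built above, showing why the
knockd hole is per-source and why an open SSH session survives cmd_timeout.

Added example, not from the article, iptables or knockd. It simulates
netfilter's first-match rule evaluation in plain Python; it does not call
iptables, and the Packet/Rule/Chain types and sample addresses are this
example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    src: str
    dport: int
    state: str  # "NEW" for a fresh SYN, "ESTABLISHED" for an open session


@dataclass
class Rule:
    target: str                        # -j ACCEPT / -j DROP
    src: Optional[str] = None          # -s <address>
    dport: Optional[int] = None        # -p tcp --dport <n>
    states: Optional[Set[str]] = None  # -m state --state A,B

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: str = "ACCEPT"  # assumed stock INPUT policy; nothing below changes it

    def verdict(self, pkt: Packet) -> str:
        """First matching rule decides; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

    def append(self, rule: Rule) -> None:  # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:  # iptables -I (position 1)
        self.rules.insert(0, rule)

    def delete(self, rule: Rule) -> None:  # iptables -D (first identical rule)
        self.rules.remove(rule)


def hole(ip: str) -> Rule:
    """The rule knockd's start_command inserts and stop_command deletes."""
    return Rule("ACCEPT", src=ip, dport=22)


def article_chain() -> Chain:
    """The two rules the article appends, in that order."""
    chain = Chain()
    chain.append(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    chain.append(Rule("DROP", dport=22))
    return chain


def walkthrough(client: str = "198.51.100.7", other: str = "203.0.113.9") -> Dict[str, str]:
    """Verdicts at each stage of knock -> connect -> cmd_timeout (constructed addresses)."""
    chain = article_chain()
    syn = Packet(client, 22, "NEW")
    session = Packet(client, 22, "ESTABLISHED")
    out = {"before_knock": chain.verdict(syn)}
    chain.insert(hole(client))              # start_command after a correct sequence
    out["after_knock"] = chain.verdict(syn)
    out["other_host_after_knock"] = chain.verdict(Packet(other, 22, "NEW"))
    chain.delete(hole(client))              # stop_command when cmd_timeout fires
    out["new_after_timeout"] = chain.verdict(syn)
    out["session_after_timeout"] = chain.verdict(session)
    return out


def misordered_session(client: str = "198.51.100.7") -> str:
    """Same rules with DROP appended first: closing the hole kills the session."""
    chain = Chain()
    chain.append(Rule("DROP", dport=22))
    chain.append(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    chain.insert(hole(client))
    chain.delete(hole(client))
    return chain.verdict(Packet(client, 22, "ESTABLISHED"))


if __name__ == "__main__":
    for stage, verdict in walkthrough().items():
        print(f"{stage:>24}: {verdict}")
    print(f"{'misordered session':>24}: {misordered_session()}")
```

The walkthrough reports DROP before the knock, ACCEPT for the knocking host afterwards while a second host still gets DROP, DROP again for new connections once cmd_timeout has removed the rule, and ACCEPT for the session that was already open. The misordered variant returns DROP for that same open session, which is why the ESTABLISHED,RELATED rule has to be appended before the port 22 DROP.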

How to test knockd

In order to SSH into the knockd-enabled server, any remote client must have the knockd package installed as well, since it provides the knock client. Log in to the second Linux machine and issue the command:

sudo apt-get install knockd -y

After the installation, first attempt to SSH into the server with the command:

ssh USER@SERVER_IP

Where USER is the remote username and SERVER_IP is the IP address of the knockd-enabled server. You should not be able to log in.

Now, invoke the knock sequence you configured in knockd.conf with the command:

knock SERVER_IP 1100 2200 3300

Where SERVER_IP is the IP address of the knockd server and the knock sequence matches the one you configured.

The command should return no output. 

If you run the SSH command now, you should be given access. 

And that's all there is to obscuring ports with the help of knockd.
