How to secure SSH logins with port knocking

3 years ago 498

Knock, sound ... who's there? SSH. SSH who? You request to fastener down your servers truthful that lone you person entree via SSH. One mode to assistance that is with knockd. Jack Wallen shows you how.

SSH implicit    servers

Image: Funtap/Shutterstock

Secure Shell is the de-facto modular for logging into distant Linux servers. It's served galore an head good implicit the years. But conscionable due to the fact that it has the connection "secure" successful its title, doesn't mean that it ever lives up to that name. In fact, determination are ever things you tin bash to marque SSH much secure.

SEE: Checklist: Server inventory (TechRepublic Premium)

One specified mode is with the assistance of larboard knocking. Now, earlier we get into this I privation to marque it wide that anyone utilizing SSH should ever bash 2 things:

Both of the supra should beryllium considered modular champion practices for utilizing Secure Shell. With that said, I privation to present you to a instrumentality that's been astir for immoderate time. The thought is to make 2 knocking sequences connected your server, 1 to unfastened the SSH larboard and 1 to adjacent it. Until you nonstop the opening sound sequence, SSH entree is closed off. Once you nonstop the opening sequence, you tin SSH into that machine. When you're done working, nonstop the adjacent series and SSH is locked backmost down.

It's not perfect, but successful conjunction with SSH cardinal authentication, SSH volition beryllium considerably much unafraid connected your servers. 

Let maine amusement you however to instal and usage knockd for larboard knocking connected SSH.

What you'll need

I'll beryllium demonstrating connected Ubuntu Server 20.04, truthful you'll request a moving lawsuit of that OS and a idiosyncratic with sudo privileges. You'll besides request a idiosyncratic with sudo privileges connected a lawsuit instrumentality arsenic well. For the client, I'll show connected Pop!_OS.

How to instal knockd

The archetypal happening we'll bash is instal knockd connected our server and client. Log successful to the server and contented the command:

sudo apt-get instal knockd -y

Head implicit to your lawsuit and contented the aforesaid command.

Once you've knockd installed, you request to instrumentality attraction of immoderate configurations.

How to configure knockd

The archetypal happening we request to bash is configure the knockd service. Open the knockd configuration record with:

sudo nano /etc/knockd.conf

In that record alteration the unfastened series from the default 7000,8000,9000 to immoderate larboard series you privation to use. You tin configure up to 7 ports for this. The enactment to configure is nether [openSSH] and is:

sequence = 7000,8000,9000

Change the larboard numbers to a series you tin remember.

Next, alteration the adjacent series successful the aforesaid mode (using antithetic larboard numbers). That enactment is nether [closeSSH] and is:

sequence = 9000,8000,7000

Next, you request to alteration the -A to -I successful the [openSSH] bid line, truthful it volition beryllium the archetypal regularisation successful the iptables chain.

Save and adjacent the file.

Next, we request to find the sanction of the web interface utilized for SSH traffic. Issue the command:

ip a

Locate the IP code you usage and past find a series that looks similar this:

2: ens5:

In my case, the sanction of the interface is ens5.

Open the knockd daemon record with:

sudo nano /etc/default/knockd

In that file, alteration the daemon to commencement astatine footwear by changing 0 to 1 successful the line:

START_KNOCKD=

Next, alteration eth0 to the sanction of your web interface (and region the starring # character) successful the line:

#KNOCKD_OPTS="-i eth0"

So this enactment (in my case) would look similar this:

KNOCKD_OPTS="-i ens5"

Save and adjacent the file.

Start and alteration knockd with the command:

sudo systemctl commencement knockd sudo systemctl alteration knockd

How to adjacent larboard 22

Next, we request to adjacent larboard 22, truthful postulation can't bypass the knockd system. Issue the command:

sudo ufw presumption numbered

If you person rules that let SSH traffic, they volition beryllium numbered and request to beryllium deleted arsenic such. Say, for example, your SSH rules are 1 and 2; delete them with:

sudo ufw delete 2 sudo ufw delete 1

How to usage knockd

Move implicit to your lawsuit machine. What we'll archetypal bash is nonstop the unfastened sound sequence, truthful SSH postulation is allowed through. If your sound series is 7001,8001,9001, you'd contented the command:

knock -v SERVER: 7001 8001 90001

Where SERVER is the IP code of the distant server.

You should spot output like:

hitting tcp 192.168.1.111:7001 hitting tcp 192.168.1.111:8001 hitting tcp 192.168.1.111:9001

After the sound sequence, you should past beryllium capable to SSH into that server. When you're done with the distant work, you'll exit from the server and past nonstop the closing sound series similar so:

knock -v SERVER 9001 8001 7001

After the closing sound sequence, you should nary longer beryllium capable to entree that distant server via SSH (until you nonstop the opening sound series again). 

And that's each determination is to utilizing knockd to amended unafraid SSH entree connected your distant Linux servers. Just retrieve to instal knockd connected immoderate lawsuit instrumentality that needs SSH entree to those servers.

Open Source Weekly Newsletter

You don't privation to miss our tips, tutorials, and commentary connected the Linux OS and unfastened root applications. Delivered Tuesdays

Sign up today

Also see

Read Entire Article