Favorite Social Media Timesink
When you take a break from work, where are you going?
Video clips on TikTok/YouTube
X, Bluesky, Mastodon et al...
Web surfing
I do not get distracted by petty amusements
Containers / Linux / Operations / Security

Port Knocking Ubuntu Servers (or Containers) for More Secure SSH

Port knocking works by closing off all ports and only opening them 'on demand,' according to a pre-determined sequence of pings.
Jan 19th, 2024 3:00am by
Featued image for: Port Knocking Ubuntu Servers (or Containers) for More Secure SSH

You’ve probably read the usual things admins do with the Secure Shell (SSH), such as changing the port, preventing root logins, using fail2ban, using SSH key authentication, etc. But there’s another technique you can employ that does a great job of protecting your servers from unwanted SSH logins.

That technique is called port knocking and can be enabled with the help of knockd, a Linux port-knock server. This works by closing off all ports and only opening them “on demand,” according to a pre-determined sequence of pings. Although you wouldn’t use port knocking for every server or deployment (and you wouldn’t rely on it alone), it’s a very novel way of adding security to SSH.

Of course, along with port knocking you must always keep SSH up to date, ensure your /etc/ssh/sshd_config file is configured with best practices, and consider employing SSH key authentication.

But if you want to add this extra layer to the system, read on and I’ll show you how it’s done.

What You’ll Need

The only things you’ll need for this are a running instance of Ubuntu Server (preferably a recent release), a second Ubuntu machine (which can be either the server or desktop version) to serve as a client, a user with sudo privileges, and a network connection. That’s it. Let’s get to knocking.

Installing knockd

You’ll need to install knockd on both the server and client. Log into your server and install the software with the command:

When that installation completes, log into your client machine and run the same command.

Believe it or not, that’s it for the installation. You will want to make sure the knockd service is running with the command:

You’ll probably find the service isn’t running and you won’t be able to get it running out of the box. Why? Because knockd defaults to the old-school network device naming convention. We have to change the configuration file to fit the newer device naming scheme. Open the default configuration with:

At the bottom of the file you’ll see the line:

Locate the name of your networking device with the command:

It might be something like enp0s3. If that’s the case, you’d change the line to:

Save and close the file.

You can now start and enable the service with:

Configure knockd

The knockd service is configured in the /etc/knockd.conf file. Open it for editing with the command:

In the [openSSH] section, the first line is:

That’s a port knocking sequence and you can change it to whatever you want. For example, you could reverse it with:

Go to the command line (which is two lines below the sequence line) and change -A to -I, which ensures it will be the first line in the new iptables chain.

Save and close the file.

Restart knockd with:

Close a Port

Next, we’re going to close port 22, so incoming traffic won’t be able to bypass the knockd system. We’ll have UFW list our rules in a numbered sequence, so they’re easier to delete. Issue the command:

If you have an SSH rule allowing incoming traffic to port 22, it’ll show up and have an associated number. Say, the rule is number 1. To delete that rule, issue the command:

If you have more than 1 rule pertaining to SSH, make sure to delete them all.

Using knockd

Now it gets fun. Go back to your client machine, where you’ll send the knock sequence you configured in the knockd.conf file. So, if you configured a knock sequence of 8000, 7000, 9000, you would issue the open command:

Where SERVER is the IP address of the server you want to log into. The output of the above command should look something like this:

Of course, the IP address in the above output will reflect the address of your destination server. Once the knock open sequence completes, you should be able to SSH into that server as you normally would.

After you’re certain it works, exit from the server (with the exit command). Once you’ve exited the remote server, you must send the closing knock sequence, which is done by reversing the order of the opening knock sequence. So, if your knock sequence is 8000 7000 9000, the closing sequence will be 9000 7000 8000. You’d close it with:

Where SERVER is the IP address of the remote server.

Once the closing sequence succeeds, you will not be able to SSH back into the server until you send the opening knock sequence.

Congratulations, you’ve just locked down SSH with the help of knockd. As I said, this system won’t be ideal for every application but it can certainly come in handy for certain use cases. Give it a try and see if it doesn’t work to help secure some of your deployments.

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.