How to Secure SSH Server using Port Knocking on Ubuntu Linux

Last updated at Fri, 08 Dec 2017 21:57:56 GMT

Synopsis

Port Knocking is a method used to secure your port access from unauthorised users. Port Knocking works by opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall will open the port that was previously closed. The main purpose of port knocking is to defend yourself against port scanners. Changing your default ssh port is not a secure method to protect your server, because the attacker often use a port scanner to do automated scans for open ports before attacking a server. So the port knocking is best method to secure ssh server.

For example, if you want to setup port knocking for port 22, this port will only be open when you requests to the port 10001, 10002, 10003 in sequence. When you complete the sequence correctly the firewall will open the port 22 for you.

In this tutorial, we will learn how to install port knocking and set up port knocking on Ubuntu 16.04 server.

System Requirements

• A server running Ubuntu 16.04 with ssh installed.
• A root password is setup on your server.

Getting Started

Before starting, it is recommended to update your repository with the latest version with the following command:

apt-get update -y

apt-get upgrade -y

Once the repository is updated, restart your system to apply all the changes.

Install and Configure Iptables

By default, UFW firewall is installed in Ubuntu 16.04 server. So you will need to disable UFW before installing iptables. You can disable UFW with the following command:

ufw disable

Next, install iptables by running the following command:

apt-get install iptables iptables-persistent

Once iptables is installed, you will need to allow all established connections and on-going sessions through iptables. You can do this with the following command:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Next, block incoming SSH port 22 with the following command:

iptables -A INPUT -p tcp --dport 22 -j REJECT

Next, save the firewall rules with the following command:

netfilter-persistent save

netfilter-persistent reload

Next, you can test whether SSH port is blocked or not by issuing the following command from remote system:

nmap 192.168.0.190

You should see that SSH port is filterd:

 Starting Nmap 6.40 ( http://nmap.org ) at 2017-09-25 9:01 IST 
 Nmap scan report for 192.168.0.190 
 Host is up (0.00037s latency). 
 Not shown: 996 closed ports 
 PORT STATE SERVICE 
 22/tcp filtered ssh 
 80/tcp open http 
 443/tcp open https 
 3306/tcp open mysql 
 MAC Address: 08:00:27:7C:5B:40 (Cadmus Computer Systems)
 
 Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds

Note : 192.168.0.190 is the IP address of the Server.

Install and Configure Knockd

By default, knockd is available in Ubuntu 16.04 default repository. You can install it by just running the following command:

apt-get install knockd -y

Once knockd is installed, you will need to enable knockd service to start on boot. You can do this by editing /etc/default/knockd file:

nano /etc/default/knockd

Change the line from

START_KNOCKD=0

to

START_KNOCKD=1

Save and close the file when you are finished.

Next, you will need to configure knockd. You can configure it by editing /etc/knockd.conf file:

nano /etc/knockd.conf

Change the [openSSH] and [closeSSH] section default knock sequence as per your requirements:

 [options] 
     logfile = /var/log/knockd.log
 
 [openSSH] 
     sequence = 10001,10002,10003 
     seq_timeout = 20 
     tcpflags = syn 
     command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 
 [closeSSH] 
     sequence = 10003,10002,10001 
     seq_timeout = 20 
     command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT 
     tcpflags = syn

Save the file when you are finished, then start knock service to apply these changes:

systemctl start knockd

Note:

• sequence = 10001,10002,10003 : Knock will open the SSH port when the sequence is completed from client machine.
• seq_timeout = 20 : This option defines how long you have time to complete the sequenct for the knock.
• command = /sbin/iptables -I INPUT -s %IP% -p tcp –dport 22 -j ACCEPT : This command will open the port 22.
• sequence = 10003,10002,10001 : Knock will close the SSH port when the sequence is completed from client machine.
• command = /sbin/iptables -D INPUT -s %IP% -p tcp –dport 22 -j ACCEPT : This command will close the port 22.

Test Knockd from Client System

Your knockd server is now ready. It’s time to test knocking from the client system. You can test knocking using Telnet, Nmap or Knockd client.

Here, we will test knocking using Telnet client. So you will need to install Telnet to your client system. Run the following command to install Telnet :

apt-get install telnet -y

Next, run the following command in correct sequence within 20 seconds:

telnet 192.168.0.190 10001

telnet 192.168.0.190 10002

telnet 192.168.0.190 10003

Once all the command is successful. Knockd will open SSH port by adding firewall rules for client system.

You can also see the knockd log by running the following command on the server.

tail -f /var/log/syslog

Output:

 [2017-09-25 09:11] 192.168.0.191: openSSH: Stage 1 
 [2017-09-25 09:12] 192.168.0.191: openSSH: Stage 2 
 [2017-09-25 09:13] 192.168.0.191: openSSH: Stage 3 
 [2017-09-25 09:13] 192.168.0.191: openSSH: OPEN SESAME 
 [2017-09-25 09:13] openSSH: running command: /sbin/iptables -I INPUT -s 192.168.0.191 -p tcp --dport 22 -j ACCEPT

You can now able to connect your server via SSH from the client system. You can also use nmap to scan your server by running the following command from the client system.

nmap 192.168.0.190

You should see that SSH port is open for your IP:

 Starting Nmap 6.40 ( http://nmap.org ) at 2017-09-25 9:20 IST 
 Nmap scan report for 192.168.0.190 
 Host is up (0.00037s latency). 
 Not shown: 996 closed ports 
 PORT STATE SERVICE 
 22/tcp open ssh 
 80/tcp open http 
 443/tcp open https 
 3306/tcp open mysql 
 MAC Address: 08:00:27:7C:5B:40 (Cadmus Computer Systems)
 
 Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds

After you have done all your work and want to close the SSH port for your IP. Run the following command in correct sequence within 20 seconds:

telnet 192.168.0.190 10003

telnet 192.168.0.190 10002

telnet 192.168.0.190 10001

Once all the command is successful. Knockd will close the SSH port by adding firewall rules for client system.

Note : 192.168.0.190 is the IP address of the server machine and 192.168.0.191 is the IP address of the client machine.

Conclusion

Congratulations! you have successfully tested knockd on ubuntu 16.04. You can now easily gain access of the server via SSH from any location or any system.

References

• Knockd Manual