How to Secure SSH Service with Port Knocking on Ubuntu/Debian and CentOS
Port knocking is a security technique that keeps the SSH port closed until a predefined sequence of "knocks" (connection attempts to specific ports) is detected. Only after a client sends the correct sequence is the SSH port opened for that client's address, so the port looks closed to port scans and is harder for attackers to identify. It is an extra layer on top of, not a replacement for, normal SSH hardening such as key-based authentication.
Install and Configure Knockd for Ubuntu/Debian
Install the knockd package from the default Ubuntu repository:
apt-get install knockd -y
Edit the knockd.conf configuration file:
nano /etc/knockd.conf
Replace the default port sequences in the [openSSH] and [closeSSH] sections with your own custom sequences (pick ports that no service on the server listens on, and keep the sequence private):
sequence = 7777,8888,9999
sequence = 9999,8888,7777
Modify the line that opens port 22 (in the [openSSH] section) to:
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Here -I inserts the rule at the head of the INPUT chain, so it is evaluated before the REJECT rule added in the iptables step further down, and %IP% is replaced with the address of the client that knocked. The command in the [closeSSH] section should delete the same rule with -D in place of -I. Save and close the file.
Enable the Knockd service by editing the /etc/default/knockd file:
nano /etc/default/knockd
Change the following lines (replace eth0 with the name of the server's network interface if it differs; ip link lists the interfaces):
START_KNOCKD=1
KNOCKD_OPTS="-i eth0"
Save and close the file. Restart and enable the knockd service:
systemctl restart knockd
systemctl enable knockd
Check the status of knockd to ensure it's running:
systemctl status knockd
Install and Configure Iptables
Install iptables and the persistent module:
apt-get install iptables iptables-persistent -y
Block SSH port 22 for all incoming connections. The first rule keeps already-established sessions alive, including the SSH session you are working in; the second rejects new SSH connections until a valid knock inserts an ACCEPT rule ahead of it:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT
Save and Reload Iptables
Save the iptables rule and reload it:
netfilter-persistent save
netfilter-persistent reload
Check OpenSSH Connection from Client
From the client machine, use nmap to verify port 22 is filtered (closed):
nmap your-server-ip
You should see:
PORT STATE SERVICE
22/tcp filtered ssh
Test SSH Connection
Try to connect via SSH:
ssh root@your-server-ip
You should receive:
ssh: connect to host your-server-ip port 22: Connection refused
Configure Knockd on Client to Open SSH Port
Install knockd client on your local machine:
apt-get install knockd -y
Send the configured knock sequence to open the SSH port on the server:
knock -v your-server-ip 7777 8888 9999
Once the correct sequence is received, the SSH port will open, and you can connect:
ssh root@your-server-ip
Close the SSH Port
After completing your task, use the reverse knock sequence to close port 22:
knock -v your-server-ip 9999 8888 7777
Install and Configure Knockd For CentOS
First, enable the EPEL repository and install knockd:
yum install epel-release -y
yum install knockd -y
Edit the knockd.conf configuration file:
nano /etc/knockd.conf
Replace the default port sequences in the [openSSH] and [closeSSH] sections with your own:
sequence = 7777,8888,9999
sequence = 9999,8888,7777
Modify the line that opens port 22 to:
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Save and close the file.
Edit the /etc/sysconfig/knockd file to enable the Knockd service:
nano /etc/sysconfig/knockd
Change the following lines:
START_KNOCKD=YES
KNOCKD_OPTS="-i eth0"
Save and close the file.
Restart and enable knockd:
systemctl restart knockd
systemctl enable knockd
Verify the status of knockd:
systemctl status knockd
Install and Configure Iptables
Install iptables and iptables-services:
yum install iptables iptables-services -y
Block SSH port 22 for all incoming connections:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT
Save the iptables rules and reload them:
service iptables save
systemctl restart iptables
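As an added check for the knockd.conf configured in both the Ubuntu/Debian and CentOS sections above (example code written for this page, not part of knockd), the following Python script lints the configuration: it verifies that the open and close sequences differ, that the open command inserts with -I so the per-client ACCEPT rule precedes the REJECT rule, and that the close command deletes exactly that rule with -D. The embedded configuration is a constructed sample, and parse_knockd_conf, sequence_ports and lint_knockd are names chosen here.

```python
import configparser
import shlex

# Constructed sample knockd.conf using the sequences and open command from this tutorial;
# the closeSSH command deletes (-D) exactly the rule the openSSH command inserts (-I).
SAMPLE_CONF = """
[openSSH]
sequence = 7777,8888,9999
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
sequence = 9999,8888,7777
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""


def parse_knockd_conf(text):
    # interpolation=None keeps configparser from treating the %IP% placeholder as a format string
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def sequence_ports(section):
    return [int(p) for p in section["sequence"].split(",")]


def lint_knockd(text, open_name="openSSH", close_name="closeSSH"):
    """Return the problems found; an empty list means the config passes every check."""
    cp = parse_knockd_conf(text)
    problems = []
    if sequence_ports(cp[open_name]) == sequence_ports(cp[close_name]):
        problems.append("open and close sequences are identical")
    open_cmd = shlex.split(cp[open_name]["command"])
    close_cmd = shlex.split(cp[close_name]["command"])
    # -I puts the per-client ACCEPT at the head of INPUT, ahead of the REJECT rule;
    # -A would append it after the REJECT rule, where it would never match.
    if "-I" not in open_cmd:
        problems.append("open command does not use -I; its ACCEPT rule would sit after the REJECT rule")
    if "-D" not in close_cmd:
        problems.append("close command does not delete (-D) the rule")
    # -D only removes a rule whose match is identical, so both commands must agree token for token.
    def rule_match(cmd):
        return [tok for tok in cmd if tok not in ("-I", "-D")]
    if rule_match(open_cmd) != rule_match(close_cmd):
        problems.append("close command does not match the rule inserted by the open command")
    return problems
```

To check the live file on a server, call lint_knockd(open("/etc/knockd.conf").read()) and review any problems it returns before restarting knockd.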
Check OpenSSH Connection from Client
From the client machine, use nmap to verify port 22 is filtered (closed):
nmap your-server-ip
You should see:
PORT STATE SERVICE
22/tcp filtered ssh
Test SSH Connection
Try to connect via SSH:
ssh root@your-server-ip
You should receive:
ssh: connect to host your-server-ip port 22: Connection refused
Configure Knockd on Client to Open SSH Port
Install the knockd client on your local machine:
yum install knockd -y
Send the configured knock sequence to open the SSH port on the server:
knock -v your-server-ip 7777 8888 9999
Once the correct sequence is received, the SSH port will open, and you can connect:
ssh root@your-server-ip
Close the SSH Port
After completing your task, use the reverse knock sequence to close port 22:
knock -v your-server-ip 9999 8888 7777