Site icon DED9

How to Use Port Knocking To Secure SSH Service (Debian/Ubuntu)

At the beginning of reading the article, you may have a question about what SSH is and what its uses are. So, we will start with a brief explanation of the concept of SSH and the protocol. SSH is actually a secure protocol for remote connection to a computer or a server. So why do we mention that it is safe?

Port Knocking is a defense layer with an authentication mechanism in Linux that identifies authorized users and allows them to access the server using closed ports and the correct order of port knocking. In this method, all the server ports (even those that are in use) are closed, and if a connection request is sent with the correct order of port knocking, the firewall changes its rules dynamically and momentarily and allows the user access by opening a specific port. Gives. This article explains the method of creating SSH security through Port Knocking in Ubuntu and Debian.

There is a protocol called TelNet, by which computers can communicate easily, without the need for the Internet, and locally, but the local connection established through this protocol is not safe in the long term and through the global Internet network. And it is in this situation that the empty place of a secure protocol is seen.

By installing SSH, we fill the void of the secure protocol. After purchasing a Linux virtual server, SSH is the best protocol to connect to it. Now, what should we do to make SSH more secure? There are different ways to create SSH security, in this article, we will explain the SSH Port Knocking method in Ubuntu and Debian.

Table of Contents

 

How to Secure SSH via Port Knocking?

Now, after installing the SSH protocol, we need to create more security when using it. One smart way is to create SSH security through Port Knocking in Ubuntu.

The default port that the SSH protocol connection is set to is port 22. In the Port Knocking method, all ports are usually unavailable, and a method is considered to open a specific port for connection. Suppose we have three buttons; pressing them in the correct order opens the entry port, and if the order of pressing even one of them is not correct, the port remains closed.

In general, in the Port Knocking method, we define a signal that is the correct order of connecting to ports (or the correct pressing of buttons) so that when the firewall receives this signal, it will make the desired port available for connection. Basically, all the ports to connect to the server are out of reach and cannot be seen, and the login attempt will fail. But we define some kind of attempt to enter the firewall as a signal to open a port.

And this is how the desired IP will be able to access the server through SSH. In this article, which is part of the series of tutorials on how to connect to a Linux virtual server, we will teach you to go through the process of securing SSH in Ubuntu yourself through Port Knocking and create a Port Knocking signal for the SSH protocol of your server.

What are the benefits of securing SSH in Ubuntu and Debian with the Port Knocking method?

Port Knocking is a very simple, cheap, yet smart way to secure SSH. The most important advantage of SSH Port Knocking is that all ports are safe from port scanners and are identified as ‘unreachable’. The second advantage is the significant reduction of bandwidth consumption and occupation by attacks such as brute force.

The tasks of opening the port for entry and closing it after the user exits are automatically performed by daemon programs such as Knockd. Also, this method hides the server from attackers.

Steps to create SSH security through Port Knocking in Ubuntu and Debian

In the rest of the article, we will describe step by step the process of setting up port knocking for SSH security in Ubuntu and Debian Linux. Note that to hide the server’s input ports and use Port Knocking, you must act through a user who has root access.

Step 1: Install and configure knockd on the Linux server

Once you’re logged into your Linux server, use the following command line in a terminal environment to install knocked:

$ sudo apt install knockd

 

After installation, open the knockd.conf file with a Text Editor software such as nano editor through the following command.

sudo nano /etc/knockd.conf

Now we have to change 3 parameters in this file.

1. Find the [openSSH] section in this file. Since the order of knock is set on ports 7000, 8000, 9000 and is known and exploitable for all, set it on your desired ports. The order you choose will be the order we define for the firewall for user access to the server. You can also specify more ports. Pay attention that we do not need to open these ports.

2. In the iptables command, change the parameter A- to I-. While all other IPs cannot access the server, after running this iptables by knockd, any IP that performs knocking in the correct order can access the server.

3. In order to prevent the port from being opened after the user exits, we must define this for the firewall. In the [closeSSH] section, set the default knocking sequence to your desired value (such as 10003, 10002, 10001). The new sequence will be the sequence that will be used to close the port after the user exits.

After successfully completing the above three actions, save the changes and exit the application. To see the main name of the network interface on the server, run the following command in the terminal:

ip addr

We also need to edit another configuration file. Run the following command in the terminal:

$ sudo nano /etc/default/knockd

Look for the line START_KNOCKD=0. To enable auto-start when booting the system, change the parameter from 0 to 1 (START_KNOCKD=1).
By default, knockd checks the order of knocking through the eth0 interface, which may not apply to your server. To change this interface, find the following line:

#KNOCKD_OPTS="-i eth1"

Now, to change the eth1 interface to your server’s default interface, just remove the #.

KNOCKD_OPTS="-i ens18"

Save the changes and close the file.
Now it’s time to run and activate the knockd daemon. Run the following commands:

$ sudo systemctl start knockd
$ sudo systemctl enable knockd

 

To check that the knockd daemon is enabled, run the following command:

$ sudo systemctl status knockd

Second step: close port 22 in SSH

In the second step of the SSH security process through Port Knocking in Ubuntu, now that we have activated knockd, knockd is responsible for opening and closing ports and giving access to the server. For more security, we must close SSH port 22 in the firewall. To start, check the rules and status of the UFW firewall with the following code:

$ sudo ufw status numbered

 

If you see that SSH port 22 is open on lines 3 and 9 (for example), use the following lines to close them:

sudo ufw delete 9

sudo ufw delete 3

 

Pay attention that you have to close the line with the bigger number first.

After closing port 22, any attempt to remotely connect to the SSH server will be met with a ‘connection timeout’ error and the SSH service will not respond to your request.

Step 3: Connect to the SSH server through Knock Client

To complete the steps of setting up port knocking to protect ssh in Ubuntu and Debian, you need to learn how to configure the Knock client. For this purpose, perform Port Knocking in the order you have set and enter the server. In the Debian or Ubuntu environment, install the knockd daemon by running the following command:

$ sudo apt install knockd

After completing the installation, send the knock order by running the following command.

$ knock -v server_ip knock_sequence

Now send the correct knock order from the client computer to activate the server firewall on TCP port 22.

knock -v 10.0.0.104 10001 10002 10003

 

You can login to your server via SSH by knocking in the correct order. Also, by knocking with the same IP, you can close the port in the order you defined to close the port.

knock -v 10.0.0.104 10003 10002 10001

 

Since knockd only responds to knock requests sent to the main network interface, if the server has multiple IPs and you send the request to a secondary IP, you will not be able to log in.

Now you have successfully completed the process of creating SSH security through Port Knocking in Ubuntu. From now on, knockd will automatically handle port opening and closing and respond to port knocking requests.

Concludion

In this article, you learned how to secure SSH through Port Knocking in Ubuntu and Debian. We suggest that you do not consider this security method as the only defense strategy for your server and use it along with other security methods.

We briefly learned what SSH is and where Port Knocking is used. We also learned how Port Knocking works and we saw that by observing the correct order in sending connection requests to ports, we actually send a signal to the firewall to open a special port so that we can access the server.

Exit mobile version