Port Knocking on Debian

By now, you've probably changed your default SSH port. Still, hackers can easily scan port ranges to discover that port - but with port knocking, you can fool port scanners. How it works is that your SSH client attempts to connect to a sequence of ports, all of which will refuse your connection, but unlock a specified port that does allow your connection. Very secure, and simple to install. Port knocking is one of the best ways to protect your server from unauthorized SSH connection attempts.

This article will teach you how to setup port knocking. It was written for Debian 7 (Wheezy), but may also work on other versions of Debian and Ubuntu.

Step 1: Installing the required packages

I am assuming that you have already installed an SSH server. If you haven't, run the following commands as root:

apt-get update
apt-get install openssh-server
apt-get install knockd

Then, install iptables.

apt-get install iptables

There aren't many packages to install - that's what makes it the perfect solution to protect against brute force attempts while also being easy to setup.

Step 2: Configuring iptables to use this feature

Because your SSH port will close after you connect, we need to make sure the server allows you to remain connected while blocking other connection attempts. Execute these commands on your server as root.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j DROP
apt-get install iptables-persistent
iptables-save

This will allow existing connections to remain, but block anything else to your SSH port.

Now, let's configure knockd.

This is where the magic happens - you'll be able to choose what ports will need to be knocked at first. Open a text editor to the file /etc/knockd.conf.

nano /etc/knockd.conf

There will be a section that looks like the following block.

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

In this section, you'll be able to change the sequence of ports that need to be knocked. For now, we'll stay with ports 7000, 8000, and 9000. Change the seq_timeout = 5 to seq_timeout = 10, and for the closeSSH section, do the same for the seq_timeout line. There's also a sequence line in the closeSSH section that you need to modify as well.

We need to enable knockd, so open your editor as root again.

nano /etc/default/knockd

Change the 0 in the section START_KNOCKD to 1, then save and exit.

Now, start knockd:

service knockd start

Great! Everything is installed. If you disconnect from your server, you'll have to knock ports 7000, 8000 and 9000 to connect again.

Step 3: Let's try it out

If everything was installed correctly, you shouldn't be able to connect to your SSH server.

You can test port knocking with a telnet client.

Windows users can launch telnet from the command prompt. If telnet isn't installed, access the "Programs" section of Control Panel, then locate "Turn Windows features on or off". On the features panel, locate "Telnet Client" and enable it.

In your terminal/command prompt type:

telnet youripaddress 7000
telnet youripaddress 8000
telnet youripaddress 9000

Do this all in ten seconds, as that's the limit imposed in the configuration. Now, attempt to connect to your server via SSH. It will be accessible.

To close the SSH server, run the commands in reverse order.

telnet youripaddress 9000
telnet youripaddress 8000
telnet youripaddress 7000

Conclusion

The best part about using port knocking is that if it is configured alongside of private key authentication, there's virtually no chance that someone else could get in unless someone knew the ports and private key.