SSH Port Knocking installation on Ubuntu
Written by vaheeD on January 7, 2013
I had a nice discussion with a friend about securing SSH servers.
The only options he thought was changing the port, disabling password interactive login, and enabling public/private key pair to authenticate.This should be enough in most cases. But, there’s more.
One of them is version cloaking.This can be done with a patch applied to the source of OpenSSH and recompile it.
Another way to secure remote access is port knocking.
Its main principle is this:
Port 22 is locked and you have to knock in a custom manner in order to get the port opened only for the incoming IP that knocked. The server side, includes a daemon called knockd looking for specific sequence of knocking on the server door. You can configure a specific order of ports to knock, a specific flag those packets should have, a sequence timeout, commands, and few more options. The command, in this case, will be to open port 22 for the incoming IP that knocked exactly in the same order the server is setup to listen. You can also use another sequence of knocking to close the same port, that actually deletes the firewall rule added earlier.
Installation on Ubuntu is a very easy
apt-get install knockd.
You’ll be able to start the daemon by enabling it in /etc/default/knockd.
Configuration file is /etc/knockd.conf:
vi /etc/knockd.conf
[options] logfile = /var/log/knockd.log [openSSH] sequence = 7000,8000,9000 seq_timeout = 10 tcpflags = syn command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT [closeSSH] sequence = 9000,8000,7000 seq_timeout = 10 tcpflags = syn command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
Ok…so, this configuration, listens for TCP packets, with the flag syn, in a sequence of 7000, 8000, 9000, with a timeout of 10 seconds. After it detects that, it automatically grants port 22 access to the incoming IP. If the daemon gets the reverse order of knocking, it will automatically delete the rule, so, closing the port again for all IPs. Unfortunately, those knockings can be easily read on a packet sniffer between you and the secured server, but, it’s how you can secure more a SSH server.
But because I won’t post my personal config here, this will have to do for the blog’s purpose.
Note: Oh, and, in case you don’t want to be left outside on the server, in case of daemon failure, you should get a script running that automatically checks if the daemon is running, and automatically restart it in case it’s stopped.