How to obscure open ports with knockd
Learn how to obfuscate SSH login with port knocking.
Say you have Linux servers in your company and you need access to them from either the LAN or WAN, but you’re leery of leaving the SSH ports open. What do you do? One way to secure those ports is to obscure them with a tool called knockd. Knockd implements port knocking, a method of dynamically opening a network port only after a client has connected to a predefined sequence of other ports. With knockd, you define a knocking sequence that, when used, will allow the SSH connection through. It’s like adding a secret knock that must be used before SSH will allow you in.
I want to walk you through the installation and usage of knockd. I’ll be demonstrating on Ubuntu Server 19.10, but the process should work fine on any Debian or Ubuntu-based server.
What you’ll need
The only things you’ll need to make this work are:
- A running instance of Ubuntu Server
- A Linux client to connect to the server
- A user with sudo privileges
How to install
There are two pieces of software that must be installed, both of which can be found in the standard repositories. To install these packages, open a terminal window on the server and issue the command:
sudo apt-get install knockd iptables-persistent
That’s it for the installation on the server.
How to configure knockd
Let’s first backup the original knockd configuration file with the command:
sudo mv /etc/knockd.conf /etc/knockd.conf.bak
Now, create a new file with the command:
sudo nano /etc/knockd.conf
In that file, paste the following:
[options]
    UseSyslog
    Interface = IFACE

[SSH]
    sequence = 1100,2200,3300
    seq_timeout = 15
    tcpflags = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp...
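To see what the [SSH] stanza above actually makes knockd do, here is an added example (it is not part of the original article and not knockd's own code) that replays a constructed list of inbound TCP packets through the same sequence/seq_timeout/tcpflags rules. The matching rules are modelled on knockd's documented behaviour and are stated as assumptions in the comments: an attempt begins on the first port of the sequence, must finish within seq_timeout seconds of that first knock, a knock on the wrong port discards the attempt, and non-SYN packets are ignored. The start_command template used for rendering is constructed, because the article's own command is cut off above; SAMPLE_EVENTS and the IP addresses are likewise constructed.

```python
"""Replay TCP SYN events through the knockd rules from the [SSH] stanza.

Added example, not the article's or knockd's code. The state machine below
is an assumption modelled on knockd's documented behaviour.
"""

SEQUENCE = [1100, 2200, 3300]   # sequence = 1100,2200,3300
SEQ_TIMEOUT = 15.0              # seq_timeout = 15 (seconds)

# Constructed template (assumption): the article's start_command is cut off,
# so this only shows how knockd substitutes %IP% before running it.
START_COMMAND_TEMPLATE = "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"

# Constructed events: (time_seconds, src_ip, dst_port, syn_flag_set).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 1100, True),   # correct sequence, within 15 s
    (2.0, "10.0.0.5", 2200, True),
    (4.0, "10.0.0.5", 3300, True),
    (0.0, "10.0.0.6", 1100, True),   # correct ports, but too slow
    (20.0, "10.0.0.6", 2200, True),
    (21.0, "10.0.0.6", 3300, True),
    (1.0, "10.0.0.7", 3300, True),   # all three ports in the wrong order
    (2.0, "10.0.0.7", 2200, True),
    (3.0, "10.0.0.7", 1100, True),
    (5.0, "10.0.0.8", 1100, False),  # tcpflags = syn: non-SYN packets ignored
    (6.0, "10.0.0.8", 2200, False),
    (7.0, "10.0.0.8", 3300, False),
    (30.0, "10.0.0.5", 1100, True),  # repeated first knock breaks the attempt
    (31.0, "10.0.0.5", 1100, True),
]


def replay_knocks(events, sequence=SEQUENCE, seq_timeout=SEQ_TIMEOUT):
    """Return (opened, pending).

    opened  : list of (time, src_ip) for every completed sequence, i.e. the
              moments at which knockd would run start_command for that IP.
    pending : dict src_ip -> (next_stage_index, first_knock_time) for
              attempts still in progress when the events run out.
    """
    attempts = {}   # src_ip -> (index of next expected port, first knock time)
    opened = []
    for t, ip, port, syn in sorted(events, key=lambda e: e[0]):
        # tcpflags = syn: only SYN packets count; knockd also only watches
        # the ports that appear in a configured sequence.
        if not syn or port not in sequence:
            continue
        # seq_timeout: the whole sequence must complete within seq_timeout
        # seconds of the first knock, otherwise the attempt is dropped.
        if ip in attempts and t - attempts[ip][1] > seq_timeout:
            del attempts[ip]
        # A new attempt can only start on the first port of the sequence.
        if ip not in attempts:
            if port != sequence[0]:
                continue
            attempts[ip] = (0, t)
        stage, started = attempts[ip]
        # Any knock that is not the next expected port breaks the attempt
        # (assumption: knockd does not reuse that knock to start a new one).
        if port != sequence[stage]:
            del attempts[ip]
            continue
        stage += 1
        if stage == len(sequence):
            del attempts[ip]
            opened.append((t, ip))
        else:
            attempts[ip] = (stage, started)
    return opened, attempts


def render_start_command(template, src_ip):
    """Substitute %IP% the way knockd does before executing start_command."""
    return template.replace("%IP%", src_ip)


if __name__ == "__main__":
    opened, pending = replay_knocks(SAMPLE_EVENTS)
    for t, ip in opened:
        print(f"t={t:5.1f}s  {ip} completed the knock; would run:")
        print("          " + render_start_command(START_COMMAND_TEMPLATE, ip))
    for ip, (stage, started) in pending.items():
        print(f"pending: {ip} at stage {stage} since t={started}s")
```

Running it shows that only 10.0.0.5's first attempt completes (at t=4), that the slow client and the out-of-order scan never trigger the command, and that the non-SYN packets are never treated as knocks. The same loop can be pointed at real firewall or packet-capture logs to check what a knock sequence would have admitted.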