# OpenSSH port knocking with UFW
2023-10-21
(IMG) /openssh.png
There are quite a few well-known ways of hardening an OpenSSH
server that you should already be familiar with: disabling
remote root login, disabling password authentication in favour
of keys, or moving the service off the default port (22).
Another effective addition for the SSH port is port knocking.
Port knocking is a way of opening a port on a machine by first
making a specific series of connection attempts to closed
ports. A daemon watching the traffic recognises the sequence
and tells the firewall to react accordingly.
This is useful because the SSH port stays closed until you
knock, so it shows up as filtered on a port scan (nmap or
other) rather than open, and the daemon's log is not flooded
with brute-force attempts. Keep in mind that a fixed sequence
can simply be replayed by anyone able to capture your traffic,
so port knocking hides the port and cuts down noise; it is no
substitute for key-based authentication.
This can be done directly by configuring iptables, but I've
opted to use ufw coupled with knockd.
## How does it work?
knockd is the port-knock server that runs on the target
machine as a daemon. It captures packets on the chosen
interface with libpcap, so it sees the connection attempts on
the ports listed in its configuration even though the firewall
drops them.
ufw, our netfilter front end, is called by knockd when a
sequence matches and in our case edits the iptables rules.
## Installation
The whole installation was done on a Debian system
(Debian 12).
So first, install both packages:
```
apt install ufw knockd
```
## Configuration
Now, let's see how to configure these tools. I assume that
you are using systemd.
### ufw
The default ufw configuration is enough to perform port
knocking; it should look like the following. ufw has to be
enabled before it shows its default policies. If you are
working on the machine over SSH, allow your current SSH port
first (for the port used below: `ufw allow 47612/tcp`),
otherwise enabling the firewall will drop your own session;
you can delete that rule once knocking works.
```
ufw enable
ufw status verbose | grep Default
```
Output:
```
Default: deny (incoming), allow (outgoing), deny (routed)
```
If that is not what you see, set the default policies
explicitly: incoming traffic must be denied (that is what
keeps the SSH port closed between knocks) and outgoing
traffic allowed.
```
ufw default deny incoming
ufw default allow outgoing
```
Once it is done, reload the ufw configuration to make sure
the modifications take effect immediately.
```
ufw reload
```
### knockd
First of all, make sure knockd watches the network interface
you want.
In /etc/default/knockd you can edit the options that the
systemd service passes to knockd on its command line. The
interface name has to match your system: eth0 is used here,
but a Debian 12 install will often have a predictable name
such as ens3 or enp1s0 (check `ip link`). If the name is
wrong, knockd never sees a single knock.
```
...
# command line options
KNOCKD_OPTS="-i eth0"
```
Now we describe how knockd will act by editing
/etc/knockd.conf.
Here is an example of what could be done; in this example
our SSH port is 47612.
```
[options]
UseSyslog

[openSSH]
sequence = 7264,3981,5410
seq_timeout = 5
start_command = ufw allow from %IP% to any port 47612

[tmpOpenSSH]
sequence = 8792,6137,2058
seq_timeout = 5
start_command = ufw allow from %IP% to any port 47612
tcpflags = syn
cmd_timeout = 10
stop_command = ufw delete allow from %IP% to any port 47612

[closeSSH]
sequence = 4496,1625,7349
seq_timeout = 5
start_command = ufw delete allow from %IP% to any port 47612
```
This configuration describes three doors (knock sequences).
The commands run as root with the knocking client's source
address substituted for %IP%, so each door only ever opens
the port for that one address.
openSSH adds a ufw rule allowing the client IP address on
port 47612 once the TCP sequence 7264,3981,5410 has been
received. All three knocks must arrive within seq_timeout
(5 seconds) of the first one; a packet to the wrong port
aborts the attempt and you have to start over.
tmpOpenSSH adds the same rule after the sequence
8792,6137,2058, but only counts packets with just the SYN
flag set (tcpflags = syn), and after cmd_timeout (10
seconds) runs stop_command, which removes the rule again.
An SSH session opened inside that window survives the
removal, because ufw accepts packets belonging to
established connections, so this is the door to prefer: the
port is reachable for 10 seconds and nothing stays open
behind you.
closeSSH removes the rule allowing the client IP address on
port 47612 after the sequence 4496,1625,7349; this is how
you close a door opened with openSSH.
You can finally restart the port-knock server so it picks up
the configuration.
```
systemctl restart knockd
```
Since UseSyslog is set, matched and failed sequences are
logged; `journalctl -u knockd -f` lets you watch them while
you test from a client.
## Usage
Now that everything is set up, you can use the port-knock
client knock (from the knockd package) to send the TCP
connection attempts to your target machine.
As an example:
```
knock -v localhost 7264 3981 5410
```
The knocks have to cross the interface knockd listens on:
with `-i eth0` as above, a knock on localhost goes over lo and
is never seen, so run the client from another host against
the server's address. After a successful knock, `ufw status`
on the server shows the new rule for your IP and you can
connect with `ssh -p 47612`.
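The following is an added example, not part of the original post or of the knockd project: a small bash script that reads a knockd.conf in the layout used above, sanity-checks every door's sequence against the protected SSH port, and prints the matching `knock` command for each door, plus a client-side helper that knocks and connects in one go. The configuration embedded in it is a constructed copy of the one shown above, the host 203.0.113.10 is a placeholder address, and the `knock` and `ssh` commands are assumed to be on the client's PATH; everything else is plain bash and awk.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check knockd.conf sequences
# and build the client-side knock commands from the server configuration.
set -euo pipefail

# Constructed copy of the /etc/knockd.conf discussed above.
KNOCKD_CONF='[options]
UseSyslog
[openSSH]
sequence = 7264,3981,5410
seq_timeout = 5
start_command = ufw allow from %IP% to any port 47612
[tmpOpenSSH]
sequence = 8792,6137,2058
seq_timeout = 5
start_command = ufw allow from %IP% to any port 47612
tcpflags = syn
cmd_timeout = 10
stop_command = ufw delete allow from %IP% to any port 47612
[closeSSH]
sequence = 4496,1625,7349
seq_timeout = 5
start_command = ufw delete allow from %IP% to any port 47612'

# Print one "door port port port" line per [door] in the config read on
# stdin (ports space separated); the [options] section is skipped.
knock_doors() {
    awk '
        /^\[/ { sub(/[ \t]+$/, ""); door = substr($0, 2, length($0) - 2); next }
        /^[ \t]*sequence[ \t]*=/ && door != "options" {
            sub(/^[^=]*=[ \t]*/, ""); gsub(/,/, " "); print door, $0
        }'
}

# Sanity-check one sequence: at least three knocks (shorter ones are easy
# to guess), every port numeric and in range, and none equal to the SSH
# port itself (once the door is open, every real SSH connection would also
# count as a knock). Complaints go to stderr; returns 1 on any problem.
check_sequence() {
    local ssh_port=$1 door=$2; shift 2
    local p n=$#
    if [ "$n" -lt 3 ]; then
        echo "$door: only $n knock(s); short sequences are guessable" >&2
        return 1
    fi
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "$door: '$p' is not a port number" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "$door: port $p out of range" >&2; return 1
        fi
        if [ "$p" -eq "$ssh_port" ]; then
            echo "$door: knock port $p is the SSH port itself" >&2; return 1
        fi
    done
}

# Check every door read on stdin (knock_doors output) and print the knock
# command a client has to run for it; returns 1 if any door failed.
check_config() {
    local ssh_port=$1 host=$2 door ports status=0
    while read -r door ports; do
        # shellcheck disable=SC2086  # ports are meant to be split
        if check_sequence "$ssh_port" "$door" $ports; then
            echo "knock -v $host $ports"
        else
            status=1
        fi
    done
    return "$status"
}

# Client-side helper: knock, then connect right away. Keeping the gap small
# matters for a door like tmpOpenSSH whose rule disappears after cmd_timeout.
knock_then_ssh() {
    local host=$1 ssh_port=$2; shift 2
    knock -v "$host" "$@"
    ssh -p "$ssh_port" "$host"
}

main() {
    # 203.0.113.10 is a documentation address standing in for the server.
    printf '%s\n' "$KNOCKD_CONF" | knock_doors | check_config 47612 203.0.113.10
}

main "$@"
```

Run it on the real /etc/knockd.conf with `knock_doors < /etc/knockd.conf | check_config 47612 server` to get the exact client commands for your own doors; `knock_then_ssh server 47612 8792 6137 2058` then uses the temporary door.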