In this tutorial, we shall learn how to secure the SSH port of an Ubuntu server against the mass attacks seen on the internet. There are other ways to secure your SSH port, such as using certificates and disabling password-based authentication, but if you still want to use password-based authentication securely, you need to learn about port knocking, test it in your lab, and then implement it on your production machines. So let's get started.
What is Port Knocking?
Port knocking is a method used to protect SSH port access from unauthorized users. It works by having the firewall open a port only after it sees connection attempts to a set of pre-specified closed ports. Once the correct sequence of connection attempts is received, the firewall opens the port that was previously closed. The main purpose of port knocking is to defend against port scanners. Changing your default SSH port alone is not a secure way to protect your server, because attackers often run automated port scans for open ports before attacking a server. So port knocking is the best method to secure an SSH server.
For example, if you set up port knocking for port 22, that port will only be opened after you connect to ports 10001, 10002 and 10003 in that order. When you complete the sequence correctly, the firewall opens port 22 for you.
In this tutorial, we will learn how to install and set up port knocking on an Ubuntu 18.04 server. The topics covered in this post are listed below.
System Requirements for Port Knocking
Following are the requirements to set up port knocking on your Linux box.
- A server running Ubuntu 18.04 with SSH installed.
- A root password is set up on your server.
Upgrade Your Repositories
Before starting, it is recommended to update your package lists and upgrade the installed packages to their latest versions with the following command:
sudo apt update && sudo apt upgrade -y
Once the upgrade is finished, restart your system to apply all the changes.
Install and Configure IPTables
By default, the UFW firewall is installed on Ubuntu 18.04 server, so you will need to disable UFW before installing iptables. You can disable UFW with the following command:
Now, install iptables by running the following command:
apt install iptables iptables-persistent
Once iptables is installed, you will need to allow established connections and their related traffic through iptables, so that existing sessions (including the one you are working in) are not cut off by the rules that follow. You can do this with the following command:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Next, reject incoming connections to SSH port 22 with the following command:
iptables -A INPUT -p tcp --dport 22 -j REJECT
Next, save the firewall rules so they survive a reboot and reload iptables with the following commands:
netfilter-persistent save
netfilter-persistent reload
Next, you can test whether the SSH port is blocked by issuing the following command from a remote system:
Install and Configure knockd
Now that iptables has been installed and configured, it's time to set up and configure knockd. By default the knockd package is available in the Ubuntu repositories, so we can install it by running the command below.
apt install knockd -y
Once knockd is installed, you will need to enable the knockd service to start on boot. You can do this by editing the /etc/default/knockd file as follows:
Change the line START_KNOCKD=0 to START_KNOCKD=1 and save the file. Next, configure knockd by editing its configuration file at /etc/knockd.conf. Open it in your favorite editor and change the default knock sequences in the [openSSH] and [closeSSH] sections as per your requirements:
[openSSH]
	sequence    = 9001,9002,9003
	seq_timeout = 15
	tcpflags    = syn
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
	sequence    = 9003,9002,9001
	seq_timeout = 15
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
Save the file when you are finished, then start the knockd service to apply these changes:
systemctl start knockd
[openSSH] instructs knockd to open the SSH port for the knocking client's address (%IP%) when the sequence is completed from the client machine within the 15 second timeout. The command uses iptables -I rather than -A so the ACCEPT rule is inserted at the top of the INPUT chain, ahead of the REJECT rule added earlier; appended after it, the rule would never be reached. Similarly, [closeSSH] instructs knockd to close SSH again, by deleting that same ACCEPT rule with -D, once the sequence is executed in reverse.
Your knockd server is now ready. It's time to test knocking from the client system. You can test knocking using Telnet, Nmap or the knock client that ships with knockd. Here, we will test knocking using the Telnet client.
As we know the knockd server above has been configured to accept the sequence 9001, 9002 and 9003, from our client we run telnet three times in that order within 15 seconds to open the SSH port, like so:
telnet 184.108.40.206 9001
telnet 220.127.116.11 9002
telnet 18.104.22.168 9003
Each telnet attempt will fail to connect, since the knock ports are closed; the SYN packets are all knockd needs to see. Once the sequence is complete, you can connect to your server via SSH from the client system, as knockd has opened the SSH port specifically for your IP. After you have finished your work and want to close the SSH port for your IP again, run the following commands in the correct sequence within 15 seconds:
telnet 22.214.171.124 9003
telnet 126.96.36.199 9002
telnet 188.8.131.52 9001
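To make the matching rules behind the [openSSH] and [closeSSH] sections and the telnet knocks above concrete, here is a simplified model of knockd's sequence matching, added for this tutorial and not taken from knockd or from the original post. It assumes one sequence in progress per source IP, feeds constructed SYN events of the form (timestamp, source IP, destination port), and returns the iptables command strings knockd would run instead of executing them.

```python
# Added example (not from the tutorial or knockd): a simplified model of how knockd
# matches the [openSSH]/[closeSSH] sequences above. Assumed: one sequence in progress
# per source IP; iptables commands are returned as strings, not executed.
from dataclasses import dataclass

@dataclass
class Door:  # one knockd section: knock ports in order, seq_timeout, command
    sequence: tuple
    command: str
    seq_timeout: float = 15.0

OPEN_SSH = Door((9001, 9002, 9003), "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT")
CLOSE_SSH = Door((9003, 9002, 9001), "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT")

class KnockServer:
    def __init__(self, doors):
        self.doors = doors
        self.attempts = {}  # source IP -> (door, ports matched so far, time of first knock)

    def feed(self, ts, ip, port):
        """Consume one SYN (timestamp, source IP, dest port); return the command to run, if any."""
        attempt = self.attempts.pop(ip, None)
        if attempt and ts - attempt[2] > attempt[0].seq_timeout:
            attempt = None  # partial sequence older than seq_timeout is forgotten
        if attempt is None:
            # nothing in progress: only a knock on some door's first port starts one
            door = next((d for d in self.doors if d.sequence[0] == port), None)
            if door is None:
                return None
            attempt = (door, 0, ts)
        door, stage, started = attempt
        if door.sequence[stage] != port:
            return None  # wrong port: the sequence must be repeated from the start
        stage += 1
        if stage < len(door.sequence):
            self.attempts[ip] = (door, stage, started)
            return None
        return door.command.replace("%IP%", ip)  # complete: knockd runs this

def replay(syns, doors=(OPEN_SSH, CLOSE_SSH)):
    """Return the commands knockd would run for a list of (ts, ip, port) SYNs."""
    server = KnockServer(doors)
    return [cmd for ts, ip, port in syns if (cmd := server.feed(ts, ip, port))]

# Constructed traffic: a correct open, an out-of-order scan, a correct close,
# and a sequence that takes longer than the 15 second seq_timeout.
SAMPLE_SYNS = [(0, "203.0.113.7", 9001), (1, "203.0.113.7", 9002), (2, "203.0.113.7", 9003),
               (3, "198.51.100.9", 9001), (4, "198.51.100.9", 9003), (5, "198.51.100.9", 9002),
               (20, "203.0.113.7", 9003), (21, "203.0.113.7", 9002), (22, "203.0.113.7", 9001),
               (30, "192.0.2.4", 9001), (50, "192.0.2.4", 9002), (51, "192.0.2.4", 9003)]
```

Only the first client's open and close sequences produce a command; the out-of-order scan and the sequence that overruns seq_timeout produce nothing, which is what keeps a scanner that sweeps these ports from opening port 22.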
In this tutorial we have learned to install and configure knockd on Ubuntu 18.04; we have installed and configured iptables and disabled any previously active firewall like UFW,