
OpenSSH port knocking with UFW

2023-10-21


There are quite a few known methods for securing an **OpenSSH** server that you should already be familiar with, such as disabling remote root access, disabling password login or changing the port (22 by default).


Another highly effective method applicable to SSH ports is port knocking.


Port knocking is a method of opening ports on a machine by making a series of connections to closed ports. The firewall will then react accordingly.


This is very useful, as it allows you to keep your SSH port closed, so it won't show up on port scans (nmap or other).


This can be done directly by configuring iptables, but I've opted to use ufw coupled with knockd.


How does it work?


knockd is the port-knock server that runs on the target machine as a daemon. It watches for connection attempts on the ports specified in its configuration.


ufw, our netfilter firewall front end, will be called by knockd and will, in our case, edit the iptables rules.


Installation


The whole installation has been done on a Debian system (Debian 12).


So first, install the packages for both of them:


apt install ufw knockd

Configuration


Now, let's see how to configure these tools. I assume that you are using Systemd.


ufw


The default ufw configuration is enough for port knocking; it should look like the following. ufw has to be enabled before it will show its default policies.


ufw enable
ufw status verbose | grep Default

Output


Default: deny (incoming), allow (outgoing), deny (routed)

If that is not the case, set the default policies back to deny incoming and allow outgoing.


ufw default deny incoming
ufw default allow outgoing

Once that is done, reload the ufw configuration to make sure the modifications take effect immediately.


ufw reload

knockd


First of all, make sure that knockd listens on the network interface you want.


In /etc/default/knockd, you can edit the options that the Systemd service passes to knockd when it starts it.


...
# command line options
KNOCKD_OPTS="-i eth0"

Now we describe how knockd will act by editing /etc/knockd.conf.


Here is an example of what can be done; in this example our SSH port is 47612.


[options]
    UseSyslog

[openSSH]
    sequence = 7264,3981,5410
    seq_timeout = 5
    start_command = ufw allow from %IP% to any port 47612

[tmpOpenSSH]
    sequence = 8792,6137,2058
    seq_timeout = 5
    start_command = ufw allow from %IP% to any port 47612
    tcpflags = syn
    cmd_timeout = 10
    stop_command = ufw delete allow from %IP% to any port 47612

[closeSSH]
    sequence = 4496,1625,7349
    seq_timeout = 5
    start_command = ufw delete allow from %IP% to any port 47612

This configuration describes three knocks.


**openSSH** will add a new ufw rule allowing the client IP address on port 47612 after the TCP sequence 7264,3981,5410 is received.


**tmpOpenSSH** will add a ufw rule allowing the client IP address on port 47612 after the TCP sequence 8792,6137,2058 is received. This rule will time out and be removed after 10 seconds.


**closeSSH** will remove the ufw rule allowing the client IP address on port 47612 after the TCP sequence 4496,1625,7349 is received.
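To make the sequence and timeout rules above concrete, here is an added Python model of how knockd matches a client's SYNs against the three knocks in this configuration. It is not knockd's source code: the reset of an attempt on a wrong port and the 203.0.113.5 client address are assumptions of the model, and it returns the ufw commands knockd would run instead of executing them.

```python
# Knock definitions copied from the knockd.conf shown above.
KNOCKS = {
    "openSSH": dict(sequence=[7264, 3981, 5410], seq_timeout=5, cmd_timeout=None,
                    start="ufw allow from %IP% to any port 47612", stop=None),
    "tmpOpenSSH": dict(sequence=[8792, 6137, 2058], seq_timeout=5, cmd_timeout=10,
                       start="ufw allow from %IP% to any port 47612",
                       stop="ufw delete allow from %IP% to any port 47612"),
    "closeSSH": dict(sequence=[4496, 1625, 7349], seq_timeout=5, cmd_timeout=None,
                     start="ufw delete allow from %IP% to any port 47612", stop=None),
}


class KnockTracker:
    """Simplified model of knockd's per-client sequence matching (not knockd's own code)."""

    def __init__(self, knocks=KNOCKS):
        self.knocks = knocks
        self.attempts = {}       # (ip, knock name) -> (next index, time of first hit)
        self.pending_stops = []  # (due time, stop command) for knocks with cmd_timeout

    def syn(self, ip, port, now):
        """Feed one SYN from `ip` to `port` at time `now`; return start commands triggered."""
        triggered = []
        for name, k in self.knocks.items():
            idx, first = self.attempts.get((ip, name), (0, now))
            if idx > 0 and now - first > k["seq_timeout"]:
                idx, first = 0, now  # seq_timeout exceeded: the attempt starts over
            if port != k["sequence"][idx]:
                self.attempts.pop((ip, name), None)  # wrong port: attempt discarded (model assumption)
                continue
            idx += 1
            if idx < len(k["sequence"]):
                self.attempts[(ip, name)] = (idx, now if idx == 1 else first)
                continue
            self.attempts.pop((ip, name), None)  # full sequence seen: run start_command
            triggered.append(k["start"].replace("%IP%", ip))
            if k["cmd_timeout"] is not None:
                self.pending_stops.append((now + k["cmd_timeout"], k["stop"].replace("%IP%", ip)))
        return triggered

    def due_stops(self, now):
        """Return stop commands whose cmd_timeout has elapsed (tmpOpenSSH's rule removal)."""
        due = [cmd for t, cmd in self.pending_stops if now >= t]
        self.pending_stops = [(t, cmd) for t, cmd in self.pending_stops if now < t]
        return due


if __name__ == "__main__":
    tracker = KnockTracker()
    for t, port in [(0.0, 7264), (1.0, 3981), (2.0, 5410)]:  # constructed client knocks
        print(t, port, tracker.syn("203.0.113.5", port, t))
```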


You can finally start the port-knock server.


systemctl restart knockd

Usage


Now that everything is set up, you can use the port-knock client knock (from the knockd package) to perform the TCP connections to your target machine.


For example:


knock -v localhost 7264 3981 5410
