Servers exist to provide services: to make applications and resources reachable by users. The flip side is that any host reachable from the internet is continuously probed by malicious users and automated scripts looking for exploitable vulnerabilities.
Firewalls exist for this and should be used to block every port that no service needs. That still leaves the question of what to do about services you want to reach yourself but do not want to expose to everybody: you want access when you need it, and the port closed the rest of the time.
Port knocking is one way to hide such a service. The firewall keeps the port closed until you ask for it to be opened by sending a specific sequence of connection attempts (the "knock") to a set of otherwise closed ports; only then is a rule added that admits your source address. Keep in mind that the sequence travels in the clear and can be observed by anyone on the path, so port knocking is a gate in front of the service that cuts down exposure to scanners, not a replacement for key-based SSH authentication and the usual hardening.
In this guide, we will discuss how to implement port knocking as a method of obscuring your SSH daemon on an Ubuntu 12.04 VPS using the knockd package.
Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, “iptables” only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called “ip6tables”, which can be used to maintain firewall rules for IPv6 network addresses.
If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS
Port knocking is a security concept that involves dynamically altering firewall rules to expose access to an otherwise protected service. This is done by sending a pre-configured special packet, or a pattern of packets, that the port knocking software is listening for; when the pattern completes, the daemon runs a command that opens the port for the knocking address, typically closing it again after a timeout. In this series, we will discuss a variety of ways to configure port knocking to add an extra layer of security around your SSH daemon.
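To make the mechanism described above concrete, here is a small model of a knock daemon. It is an added example written for this page, not knockd's code and not the tutorial's own configuration: it tracks, per source address, how far through the knock sequence that host has got, resets the sequence if a knock hits the wrong port or arrives after the sequence timeout, and on completion returns the firewall command that opens the protected port for that address only, plus the matching close command once the command timeout expires. The field names echo knockd.conf keys (sequence, seq_timeout, command, cmd_timeout, stop_command), but the ports 7000/8000/9000, the timeouts, the iptables command strings and the packet trace are all assumptions constructed for the demo.

```python
"""Minimal port-knocking state machine in the style of knockd.

Added example for illustration, not knockd's own code. Models how a knock
daemon watches for a per-source sequence of TCP SYNs on closed ports and,
when the sequence completes, emits the firewall command that opens the
protected port for that source. Ports, timeouts, commands and addresses
below are assumptions chosen for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class KnockRule:
    name: str
    sequence: Tuple[int, ...]            # ports that must be hit, in this order
    command: str                         # run when the sequence completes; %IP% = knocker
    seq_timeout: float = 5.0             # seconds allowed from first knock to last
    stop_command: Optional[str] = None   # run cmd_timeout seconds after command
    cmd_timeout: float = 10.0


@dataclass
class _Progress:
    stage: int = 0        # index of the next port we expect from this host
    started: float = 0.0  # timestamp of the first knock of the current attempt


class KnockDaemon:
    def __init__(self, rules: List[KnockRule]):
        self.rules = rules
        # progress is kept per (rule, source ip): one host's knocks never
        # advance or disturb another host's sequence
        self._state: Dict[Tuple[str, str], _Progress] = {}
        self._pending_close: List[Tuple[float, str]] = []  # (due time, command)

    def packet(self, ts: float, src: str, dport: int) -> List[str]:
        """Feed one inbound TCP SYN; return the commands this packet triggered."""
        fired: List[str] = []
        for rule in self.rules:
            key = (rule.name, src)
            prog = self._state.get(key, _Progress())
            # a partial sequence that has overrun seq_timeout is discarded
            if prog.stage > 0 and ts - prog.started > rule.seq_timeout:
                prog = _Progress()
            if dport != rule.sequence[prog.stage]:
                # wrong port resets; the packet may still start a fresh attempt
                prog = _Progress(stage=1, started=ts) if dport == rule.sequence[0] else _Progress()
                self._state[key] = prog
                continue
            if prog.stage == 0:
                prog.started = ts
            prog.stage += 1
            if prog.stage == len(rule.sequence):
                cmd = rule.command.replace("%IP%", src)
                fired.append(cmd)
                if rule.stop_command:
                    self._pending_close.append(
                        (ts + rule.cmd_timeout, rule.stop_command.replace("%IP%", src)))
                prog = _Progress()  # sequence consumed; the host must knock again
            self._state[key] = prog
        return fired

    def tick(self, ts: float) -> List[str]:
        """Return (and forget) every stop_command whose cmd_timeout has elapsed by ts."""
        due = [c for when, c in self._pending_close if when <= ts]
        self._pending_close = [(w, c) for w, c in self._pending_close if w > ts]
        return due


# -I inserts at the top of INPUT so the ACCEPT lands before the DROP rule that
# protects port 22; -A would append it after the DROP and it would never match.
OPEN = "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"
CLOSE = "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"
SSH_RULE = KnockRule("openSSH", (7000, 8000, 9000), OPEN,
                     seq_timeout=5.0, stop_command=CLOSE, cmd_timeout=10.0)

# Constructed packet trace (timestamp, source, destination port); not a capture.
TRACE = [
    (0.0, "203.0.113.5", 7000),   # legitimate knocker, stage 1
    (0.2, "192.0.2.77", 9000),    # scanner sweeping the same ports in the wrong order
    (0.3, "192.0.2.77", 8000),
    (0.4, "192.0.2.77", 7000),
    (0.5, "203.0.113.5", 8000),   # stage 2, unaffected by the scanner's packets
    (1.0, "203.0.113.5", 9000),   # stage 3: port 22 opens for 203.0.113.5 only
    (2.0, "198.51.100.9", 7000),  # slow knocker: stage 1 ...
    (8.0, "198.51.100.9", 8000),  # ... 6 s later the attempt has expired, nothing opens
    (8.5, "198.51.100.9", 9000),
]


def run_demo() -> Tuple[List[str], List[str]]:
    """Replay TRACE; return (open commands issued, close commands due by t=30)."""
    daemon = KnockDaemon([SSH_RULE])
    opened: List[str] = []
    for ts, src, port in TRACE:
        opened += daemon.packet(ts, src, port)
    closed = daemon.tick(30.0)
    return opened, closed


if __name__ == "__main__":
    for cmd in run_demo()[0] + run_demo()[1]:
        print(cmd)
```

The two failure modes worth noticing are the scanner, whose packets hit every port in the sequence but in the wrong order and so never open anything, and the slow knocker, whose second knock arrives after seq_timeout and silently restarts the sequence; in a real deployment both show up in knockd's log as stage resets, which is the first thing to check when a client reports that knocks only work some of the time.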
Former Senior Technical Writer at DigitalOcean, specializing in DevOps topics across multiple Linux distributions, including Ubuntu 18.04, 20.04, 22.04, as well as Debian 10 and 11.
Awesome tutorial!
Knock, Knock, Knock, who’s there?, SSH
Great tutorial. Also, don’t be dissuaded by anyone who claims this is an example of “security through obscurity”. It is not. This is more akin to another password layer and absolutely provides an excellent layer of protection from zero-day exploits, should there ever be any, on your sshd server.
Great tutorial!!! Honestly never even thought of doing this…now enabled and part of my server setup security protocols :)
This tut is good, but I ran into a weird issue… The CPU jumps high because of this process "knock"… LOL, my server got knocked out.
By the way, does this knock process conflict with any iptables rule…?
Sounds like that is what's causing this issue…
Any idea?
Using a virtual hosted Ubuntu 14.04 LTS, knockd failed to start. `ip a l` helped solve the issue.

```
/# ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
    inet 127.0.0.2/32 scope host venet0
    inet 103.*.*.*/32 brd 103.*.*.* scope global venet0:0
```

```
/# vi /etc/default/knockd
START_KNOCKD=1
# command line options
# KNOCKD_OPTS="-i eth1"
KNOCKD_OPTS="-i venet0:0"
```

I first tried `KNOCKD_OPTS="-i venet0"`; this let the knockd service start, but it did not see the knocks.
I really like your writeup.
The configuration as you state it works well for me until I implement the automatically timing-out connection. When I restart the service, it fails to restart. I've tried a number of permutations, but unfortunately no luck. When I check the docs at http://www.zeroflux.org/projects/knock/ they are quite different, i.e. key names have underscores and capitals.
Hello, when I try to use `knock IP PORT PORT PORT && ssh root@IP`, according to my syslog the knock stops at stage 1 or 2 nine times out of ten, so I have to run the command multiple times to be able to ssh. I have followed your (awesome, thank you) howto but don't understand what is happening!
thank you
Very well written Justin, thank you!