💾 Archived View for tilde.pink › ~nagi › knockd_ufw.gmi captured on 2024-05-10 at 12:24:27. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-11-04)

-=-=-=-=-=-=-

OpenSSH port knocking with UFW

2023-10-21

There are quite a few known methods for securing an **OpenSSH** server that you should already be familiar with, such as disabling remote root access, disabling password login or changing the port (22 by default).

Another highly effective method applicable to SSH ports is port knocking.

Port knocking is a method of opening ports on a machine by making a series of connections to closed ports. The firewall will then react accordingly.

This is very useful, as it allows you to keep your SSH port closed, so it won't show up on port scans (nmap or other).

This can be done directly by configuring iptables, but I've opted to use ufw coupled with knockd.

How does it work ?

knockd is the port-knock server that will run on the target machine as a daemon. It is going to handle the connection on the specified ports in the configuration.

ufw, our netfilter firewall program, will be called by knockd and in ou case edit iptables rules.

Installation

The whole installation have been done on a Debian system (Debian 12).

So first, install the packages for both of them

apt install ufw knockd

Configuration

Now, let's see how to configure this tools. I assume that you are using Systemd.

ufw

The default ufw configuration is enough to perform port knocking, it should be as the following. ufw has to be enabled to show its default policies.

ufw enable
ufw status verbose | grep Default

Output

Default: deny (incoming), allow (outgoing), deny (routed)

If it is not the case, you can change the default policies.

ufw default allow incoming
ufw default deny outgoing

Once it is done, you can reload the ufw configuration to make sure the modifications take effect immediatly.

ufw reload

knockd

First of all, make sure that you are using the network interface you want.

In /etc/default/knockd, you can edit the knockd options that will be used with the executed command by the Systemd service.

...
# command line options
KNOCKD_OPTS="-i eth0"

Now we describe how will knockd act by editing /etc/knockd.conf.

Here is an example of what could be done, in this example our SSH port is 47612.

[options]
    UseSyslog

[openSSH]
    sequence = 7264,3981,5410
    seq_timeout = 5
    start_command = ufw allow from %IP% to any port 47612

[tmpOpenSSH]
    sequence = 8792,6137,2058
    seq_timeout = 5
    start_command = ufw allow from %IP% to any port 47612
    tcpflags = syn
    cmd_timeout = 10
    stop_command = ufw delete allow from %IP% to any port 47612

[closeSSH]
    sequence = 4496,1625,7349
    seq_timeout = 5
    start_command = ufw delete allow from %IP% to any port 47612

In this configuration are described three knockd knocks.

• *openSSH** will add a new ufw rule to allow the client IP address on the port 47612 after the received TCP sequence 7264,3981,5410.

• *tmpOpenSSH** will add a ufw rule that allowed the client IP address on the port 47612 after the received TCP sequence 8792,6137,2058. This rule is going to timeout and then be removed after 10 seconds

• *closeSSH** will remove a ufw rule that allowed the client IP address on the port 47612 after the received TCP sequence 4496,1625,7349.

You can finally start the port-knock server.

systemctl restart knockd

Usage

Now everything is setup, you can use the port-knock client knock (from the package knockd) to perform TCP connections on your target machine.

As example:

knock -v localhost 7264 3981 5410