How to Use Port Knocking To Secure SSH Service in Linux

Port Knocking is a nifty technique of controlling access to a port by only allowing legitimate users access to the service running on a server. It works in such a way that when the right sequence of connection attempts is made, the firewall gladly opens the port that was closed.

The logic behind port knocking is to safeguard your Linux system from automated port scanners which prowl for open ports. In this guide, we examine how you can install port knocking and how you can configure it to secure SSH service. For demonstration purposes, we will use Ubuntu 18.04.

Step 1: Install and Configure knockd

To get started, log in to your Linux system and install the knockd daemon as shown.

$ sudo apt install knockd

Once installed, open the knockd.conf configuration with your preferred text editor. Here, we are using the vim command-line text editor.

$ sudo vim /etc/knockd.conf

The default configuration file appears as follows.

knockd Configuration File
knockd Configuration File

Under the [openSSH] section, we need to change the default knocking sequence – 7000,8000,9000 – to something else. This is because these values are already known and can compromise the security of your system.

For testing purposes, we have set the values to 10005, 10006, 10007. This is the sequence that will be used to open the SSH port from a client system.

In the third line – beginning with command, change -A to -I just after the /sbin/iptables command and before INPUT.

And lastly, under the [closeSSH] section, again, change the default sequence to your preferred choice. This is the sequence that will be used to close the SSH connection once the user is done and logs out of the server.

Here’s our complete configuration.

knockd Configuration Settings
knockd Configuration Settings

Once you are done, save the changes and exit.

Another configuration we need to modify is the /etc/default/knockd. Once again, open it using your text editor.

$ sudo vim /etc/default/knockd
Default knockd Configuration Settings
Default knockd Configuration Settings

Locate the line START_KNOCKD=0. Uncomment it and set the value to 1.

Next, head over to the line KNOCKD_OPTS=”-i eth1” Uncomment it and replace the default eth1 value with the active network interface of your system. To check your network interface simply run the ip addr or the ifconfig command.

For our system, enp0s3 is the active network card.

Active Network Interface
Active Network Interface

The complete configuration is as shown.

knockd Configurations Values
knockd Configurations Values

Save the changes and exit.

Then start and enable knockd daemon as shown.

$ sudo systemctl start knockd
$ sudo systemctl enable knockd

To check the status of knockd daemon, run the command:

$ sudo systemctl status knockd
Check knockd Status
Check knockd Status

Step 2: Close SSH Port 22 On Firewall

Since the objective of the knockd service is to either grant or deny access to ssh service, we are going to close the ssh port on the firewall. But first, let’s check the status of the UFW firewall.

$ sudo ufw status numbered
Check UFW Status
Check UFW Status

From the output, we can clearly see that SSH port 22 is open on both IPv4 and IPv6 protocols numbered 5 and 9 respectively.

We need to delete these two rules as shown, starting with the highest value – which is 9.

$ sudo ufw delete 9
$ sudo ufw delete 5
Delete UFW Rules
Delete UFW Rules

Now, if you attempt to log in remotely to the server, you will get a connection timeout error as shown.

SSH Connection Timeout
SSH Connection Timeout

Step 3: Configure a knock client to Connect to SSH Server

In the final step, we will configure a client and attempt to log in by first sending the knock sequence that we configured on the server.

But first, install knockd daemon just as you did on the server.

$ sudo apt install knockd

Once the installation is complete, send the knock sequence using the syntax shown

$ knock -v server_ip knock_sequence

In our case, this translates to:

$ knock -v 192.168.2.105 10005 10006 10007

You should get output similar to what we have, depending on your sequence. This shows that the knock attempts were successful.

Knock Sequence
Knock Sequence

At this point, you should be in a position to successfully log in to the server using SSH.

Connect to Server Using Knockd
Connect to Server Using Knockd

Once you are done doing your job on the remote server, close the SSH port by sending the closing knock sequence.

$ knock -v 192.168.2.105 10007 10006 10005

Any attempts to log in to the server will fail as demonstrated.

Close SSH Ports
Close SSH Ports
Closing Thoughts

This wraps up this guide on how to leverage port knocking to secure the SSH service on your server. A better and easier approach would be to configure password SSH authentication using SSH key pairs. This ensures that only the user with the private key can authenticate with the server on which the public key is stored.

James Kiarie
This is James, a certified Linux administrator and a tech enthusiast who loves keeping in touch with emerging trends in the tech world. When I'm not running commands on the terminal, I'm taking listening to some cool music. taking a casual stroll or watching a nice movie.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

4 thoughts on “How to Use Port Knocking To Secure SSH Service in Linux”

  1. Hello, I’ve followed all the instructions but it seems like I cannot connect from my client server even if the sequence were accepted.

    Do I need to install iptables even if I already have ufw set up? When I ran iptables -L, it returned a lot of results while checking the systemctl status don’t. It just says service not found. But ufw is active.

    Reply
  2. While this is security through obscurity, this is still a good enough approach if other security practices are still followed (no root, specific ip, complex password, preferably keys, etc.)

    I would love it if the closing sequence is time-triggered rather than depending on users to knock to close. E.g. closes after 30 mins of opening.

    Reply
    • I’d rather say “don’t *rely*” on this. Even if you configure port knocking don’t forget to also disable passwords and use secure RSA keys, etc. If you have strong security you are free to add port knocking as another “security measure” in case you have messed up something.

      Reply

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.