How to secure SSH connections with port knocking

Knock Knock who is there? SSH. SSH who? You must lock down your servers so that only you can access them via SSH. One way to help is with knockd. Jack Wallen shows you how.


Secure Shell is the de facto standard for connecting to remote Linux servers. It has served many administrators well over the years. But just because it has the word “secure” in its name doesn’t mean it always lives up to it. In fact, there are always things you can do to make SSH more secure.


One of these ways is port knocking. Now, before I get into the thick of it, I want to make it clear that anyone using SSH should always do two things:

Both of the above should be considered standard best practices for using Secure Shell. Having said that, I want to introduce you to a tool that has been around for some time: knockd. The idea is to define two knock sequences on your server, one that opens the SSH port and one that closes it. Until you send the open sequence, SSH access is closed. Once you have sent the open sequence, you can SSH into the machine. When you are done working, send the close sequence and SSH is locked again.

It’s not perfect, but in conjunction with SSH key authentication, SSH will be considerably more secure on your servers.

Let me show you how to install and use knockd for port knocking with SSH.

What you will need

I will be demonstrating on Ubuntu Server 20.04, so you will need a running instance of that operating system and a user with sudo privileges. You will also need a user with sudo privileges on a client machine. For the client, I will demonstrate on Pop!_OS.

How to install knockd

The first thing we are going to do is install knockd on our server and client. Connect to the server and run the command:

sudo apt-get install knockd -y

Go to your client and run the same command.

Once you have installed knockd, there are some configurations that you need to take care of.

How to configure knockd

The first thing to do is to configure the knockd service. Open the knockd config file with:

sudo nano /etc/knockd.conf

In this file, replace the default open sequence 7000,8000,9000 with the port sequence you want to use. You can configure up to seven ports for this. The line to configure is under [openSSH] and is:

sequence = 7000,8000,9000

Replace the port numbers with a sequence you will remember.

Then change the close sequence in the same way (using different port numbers). This line is under [closeSSH] and is:

sequence = 9000,8000,7000

Then change the -A to -I on the command line under [openSSH], so that the rule knockd adds is inserted at the top of the iptables INPUT chain and evaluated before any existing rules, rather than appended after them.

Save and close the file.
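For reference, this is what the complete file looks like after those edits. It is an added illustration rather than the article's own listing, and it assumes the default /etc/knockd.conf shipped by the Ubuntu package, with the 7001/8001/9001 sequences used later in the article:

```ini
[options]
    # log knocks and executed commands via syslog (useful for auditing)
    UseSyslog

[openSSH]
    # open sequence chosen for this server; all ports must arrive within seq_timeout seconds
    sequence    = 7001,8001,9001
    seq_timeout = 5
    # -I inserts the rule at the top of INPUT so it is matched before any existing rule;
    # %IP% is replaced by knockd with the address that sent the knock, so only that client is allowed in
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    # close sequence; -D deletes the matching rule regardless of whether it was added with -A or -I
    sequence    = 9001,8001,7001
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
```

Because %IP% scopes the rule to the knocking client's address, a third party that sees the open knock on the wire still does not get the port opened for itself unless it can spoof that address.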

Next, we need to find the name of the network interface used for SSH traffic. Issue the command:

ip a

Find the IP address you are using, then look at the interface line above it, which looks like this:

2: ens5:

In my case, the interface name is ens5.

Open the knockd daemon file with:

sudo nano /etc/default/knockd

In this file, enable the start of the daemon at startup by replacing 0 by 1 in the line:


Then replace eth0 with the name of your network interface (and remove the first # character) in the line:

#KNOCKD_OPTS="-i eth0"

So this line (in my case) would look like this:

KNOCKD_OPTS="-i ens5"

Save and close the file.

Start and activate knockd with the command:

sudo systemctl start knockd
sudo systemctl enable knockd

How to close port 22

Next, we need to close port 22, so that SSH traffic cannot bypass knockd. First, list the current ufw rules with their numbers:

sudo ufw status numbered

If you have rules that allow SSH traffic, they are listed with numbers and should be removed by number. Delete the highest-numbered rule first, because the remaining rules are renumbered after each deletion. Say, for example, your SSH rules are 1 and 2; remove them with:

sudo ufw delete 2
sudo ufw delete 1

How to use knockd

Switch to your client computer. The first thing we do is send the open sequence, so that SSH traffic is allowed. If your open sequence is 7001, 8001, 9001, issue the command:

knock -v SERVER 7001 8001 9001

Where SERVER is the IP address of the remote server.

You should see output like:

hitting tcp
hitting tcp
hitting tcp

After the knock, you should be able to connect to this server via SSH. When you are done working remotely, log out of the server and then send the close sequence as follows:

knock -v SERVER 9001 8001 7001

After the close sequence, you should no longer be able to access this remote server via SSH (until you send the open sequence again).
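As an added example (not part of the article or of the knockd project), here is a small POSIX sh wrapper for the open-knock, ssh, close-knock routine above. It validates the sequences against the limits the article states (one to seven ports, each a valid port number) and sends the close sequence from an EXIT trap, so the port is not left open for your address if the session is interrupted. It assumes the knock client is installed and that OPEN_SEQ and CLOSE_SEQ match the sequences in your /etc/knockd.conf.

```shell
#!/bin/sh
# Wrapper for knockd-protected SSH: knock open, connect, knock closed.
set -eu

OPEN_SEQ="7001,8001,9001"    # must match [openSSH] sequence on the server
CLOSE_SEQ="9001,8001,7001"   # must match [closeSSH] sequence on the server

# Convert "7001,8001,9001" into "7001 8001 9001" for knock's argument list,
# rejecting anything that is not 1-7 ports in the range 1-65535.
seq_args() {
    n=0
    out=""
    for p in $(echo "$1" | tr ',' ' '); do
        case "$p" in
            *[!0-9]*|"") echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
        n=$((n + 1))
        out="$out $p"
    done
    [ "$n" -ge 1 ] && [ "$n" -le 7 ] || { echo "need 1-7 ports, got $n" >&2; return 1; }
    echo "${out# }"
}

# Usage: knock_ssh SERVER [ssh options...]
knock_ssh() {
    server="$1"; shift
    open=$(seq_args "$OPEN_SEQ")
    close=$(seq_args "$CLOSE_SEQ")
    # Send the close sequence on any exit (normal logout, Ctrl-C, killed ssh),
    # so port 22 is closed again for this client's address.
    trap 'knock "$server" $close >/dev/null 2>&1' EXIT
    knock -v "$server" $open
    # give knockd a moment to insert the iptables rule before the first SYN
    sleep 1
    ssh "$@" "$server"
}
```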

And that’s all there is to using knockd to better secure SSH access on your remote Linux servers. Remember to install knockd on any client machine that requires SSH access to these servers.
