Posted January 19

You are reading Part 20 of the 57-part series: Harden and Secure Linux Servers. [Level 2]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Port knocking is a security technique that hides your SSH port from attackers. Instead of leaving SSH (port 22) open, the server keeps it closed by default. Only users who send a specific sequence of connection attempts ("knocks") to predefined ports will unlock SSH access, making it significantly harder for attackers to find and exploit.

By implementing port knocking, you reduce the risk of brute-force attacks, automated scanners, and unauthorized SSH access.

## How to Set Up Port Knocking on Your Server

### 1. Install the knockd Service

For Debian/Ubuntu:

```bash
sudo apt install knockd -y
```

For CentOS/RHEL:

```bash
sudo yum install knockd -y
```

### 2. Configure Port Knocking Rules

Edit the knockd configuration file:

```bash
sudo nano /etc/knockd.conf
```

Add the following rule to require a specific sequence of knocks to open SSH (port 22):

```ini
[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

- `sequence = 7000,8000,9000` → Users must send connection requests to these ports in order.
- `seq_timeout = 5` → The sequence must be completed within 5 seconds.
- `command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT` → Allows SSH access only for the knocking IP.

### 3. Start and Enable the knockd Service

Start the knockd service and enable it to run at boot:

```bash
sudo systemctl start knockd
sudo systemctl enable knockd
```

### 4. Test Port Knocking from a Client Machine

From another machine, send the correct knocking sequence using `knock`:

```bash
knock -v server_ip 7000 8000 9000
```

(Replace `server_ip` with your actual server's IP address.)

Once the sequence is completed, port 22 will be opened for the client's IP for a limited time, allowing SSH access.

Try connecting to SSH:

```bash
ssh username@server_ip
```

### 5. Automatically Close SSH After a Time Period (Optional)

To close SSH access after a session, add a rule to `/etc/knockd.conf`:

```ini
[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

Now, after executing:

```bash
knock -v server_ip 9000 8000 7000
```

SSH access will be closed again.

## Best Practices for Port Knocking Security

- ✅ Use a strong knocking sequence (more ports, random order).
- ✅ Use knockd with UFW or iptables to limit access to trusted users.
- ✅ Combine port knocking with key-based SSH authentication for maximum security.
- ✅ Monitor logs (`/var/log/syslog` or `/var/log/knockd.log`) for knocking attempts.
- ✅ Use Single Packet Authorization (SPA) as a more secure alternative (e.g., fwknop).

By implementing port knocking, you hide your SSH service from attackers, making it virtually invisible to port scanners and greatly reducing brute-force attack risks.
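To make the `sequence` and `seq_timeout` semantics of the two rules above concrete, here is an added Python model of knockd's sequence matching. It is not knockd's own code and not part of the original article; it replays constructed knock events (timestamp, source IP, destination port) through the `[openSSH]` and `[closeSSH]` rules exactly as configured and returns the iptables command each completed sequence would run. The IP addresses are documentation addresses, and the rule that a knock on the wrong port aborts the in-progress attempt is a simplifying assumption of this model.

```python
"""Model of knockd's sequence matching for the [openSSH] / [closeSSH] rules.

Added example (not knockd's own code): replays constructed knock events
(timestamp, source IP, destination port) through the rules from the article
and returns the iptables command each completed sequence would run.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class KnockRule:
    name: str                  # section name in knockd.conf, e.g. "openSSH"
    sequence: Tuple[int, ...]  # ports that must be hit in exactly this order
    seq_timeout: float         # seconds allowed from the first to the last knock
    command: str               # command template; %IP% is the knocking client


@dataclass
class _Attempt:
    stage: int = 0             # how many ports of the sequence matched so far
    started: float = 0.0       # timestamp of the first matching knock


class KnockMatcher:
    """Tracks one in-progress attempt per (client IP, rule)."""

    def __init__(self, rules: Sequence[KnockRule]) -> None:
        self.rules = list(rules)
        self._attempts: Dict[Tuple[str, str], _Attempt] = {}

    def observe(self, ts: float, src_ip: str, dst_port: int) -> List[str]:
        """Feed one knock; return the commands of any rules it just completed."""
        fired: List[str] = []
        for rule in self.rules:
            key = (src_ip, rule.name)
            att = self._attempts.pop(key, _Attempt())

            # seq_timeout: progress older than the window is thrown away
            if att.stage > 0 and ts - att.started > rule.seq_timeout:
                att = _Attempt()

            if dst_port != rule.sequence[att.stage]:
                # A wrong port aborts the attempt (simplifying assumption of this
                # model); the same knock may still begin a fresh attempt.
                att = _Attempt()
                if dst_port != rule.sequence[0]:
                    continue

            if att.stage == 0:
                att.started = ts
            att.stage += 1

            if att.stage == len(rule.sequence):
                fired.append(rule.command.replace("%IP%", src_ip))
            else:
                self._attempts[key] = att
        return fired


# The two rules exactly as configured in the article.
OPEN_SSH = KnockRule("openSSH", (7000, 8000, 9000), 5,
                     "/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT")
CLOSE_SSH = KnockRule("closeSSH", (9000, 8000, 7000), 5,
                      "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT")


def replay(events, rules: Sequence[KnockRule] = (OPEN_SSH, CLOSE_SSH)) -> List[str]:
    """Run (ts, src_ip, dst_port) knocks through a fresh matcher; collect commands."""
    matcher = KnockMatcher(rules)
    fired: List[str] = []
    for ts, src_ip, dst_port in events:
        fired.extend(matcher.observe(ts, src_ip, dst_port))
    return fired


# Constructed sample traffic (documentation addresses, not a real capture).
CLIENT, SCANNER = "203.0.113.7", "198.51.100.9"
SAMPLE_EVENTS = [
    (0.0, CLIENT, 7000), (1.0, CLIENT, 8000), (2.0, CLIENT, 9000),     # opens port 22
    (3.0, SCANNER, 7000), (3.1, SCANNER, 7001),                          # sequential scan:
    (3.2, SCANNER, 8000), (3.3, SCANNER, 9000),                          # 7001 breaks the chain
    (10.0, CLIENT, 7000), (12.0, CLIENT, 8000), (16.5, CLIENT, 9000),   # 6.5 s > seq_timeout
    (30.0, CLIENT, 9000), (31.0, CLIENT, 8000), (32.0, CLIENT, 7000),   # closes port 22
]

if __name__ == "__main__":
    for cmd in replay(SAMPLE_EVENTS):
        print(cmd)
```

Running the replay shows only two commands firing: the client's in-order knocks add the ACCEPT rule, and its reversed knocks later remove it; the scanner's sequential sweep and the client's too-slow attempt produce nothing. Two points worth checking on a real host follow from the configuration itself: the `command` only appends an ACCEPT rule, so port 22 must already be dropped or rejected by an earlier rule or the chain's default policy for knocking to hide anything, and nothing in the `[openSSH]` rule expires that ACCEPT on its own, so the `[closeSSH]` sequence (or a rule with a timeout) is what actually closes the port again.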