tilde.pink

		OpenSSH port knocking with UFW
		2023-10-21
		Last edit: 2023-10-21
		---------------------

		There are quite a few known methods for securing an OpenSSH server that you should already be familiar with, such as disabling remote root access, disabling password login or changing the port (22 by default).

		Another highly effective method applicable to SSH ports is port knocking.

		Port knocking is a method of opening ports on a machine by making a series of connections to closed ports. The firewall will then react accordingly.

		This is very useful, as it allows you to keep your SSH port closed, so it won't show up on port scans (nmap or other).

		This can be done directly by configuring `iptables`, but I've opted to use `ufw` coupled with `knockd`.

		## How does it work ?

		`knockd` is the port-knock server that will run on the target machine as a daemon. It is going to handle the connection on the specified ports in the configuration.

		`ufw`, our netfilter firewall program, will be called by `knockd` and in ou case edit `iptables` rules.

		## Installation

		The whole installation have been done on a Debian system (Debian 12).

		So first, install the packages for both of them
		```bash
		apt install ufw knockd
		```

		## Configuration

		Now, let's see how to configure this tools. I assume that you are using Systemd.

		### ufw

		The default `ufw` configuration is enough to perform port knocking, it should be as the following. `ufw` has to be enabled to show its default policies.

		```bash
		ufw enable
		ufw status verbose \| grep Default
		```

		Output

		```bash
		Default: deny (incoming), allow (outgoing), deny (routed)
		```

		If it is not the case, you can change the default policies.

		```bash
		ufw default allow incoming
		ufw default deny outgoing
		```

		Once it is done, you can reload the `ufw` configuration to make sure the modifications take effect immediatly.

		```bash
		ufw reload
		```

		### knockd

		First of all, make sure that you are using the network interface you want.

		In `/etc/default/knockd`, you can edit the `knockd` options that will be used with the executed command by the Systemd service.

		```ini
		...
		# command line options
		KNOCKD_OPTS="-i eth0"
		```

		Now we describe how will `knockd` act by editing `/etc/knockd.conf`.

		Here is an example of what could be done, in this example our SSH port is `47612`.

		```ini
		[options]
		UseSyslog

		[openSSH]
		sequence = 7264,3981,5410
		seq_timeout = 5
		start_command = ufw allow from %IP% to any port 47612

		[tmpOpenSSH]
		sequence = 8792,6137,2058
		seq_timeout = 5
		start_command = ufw allow from %IP% to any port 47612
		tcpflags = syn
		cmd_timeout = 10
		stop_command = ufw delete allow from %IP% to any port 47612

		[closeSSH]
		sequence = 4496,1625,7349
		seq_timeout = 5
		start_command = ufw delete allow from %IP% to any port 47612
		```

		In this configuration are described three `knockd` knocks.

		`openSSH` will add a new `ufw` rule to allow the client IP address on the port 47612 after the received TCP sequence `7264,3981,5410`.

		`tmpOpenSSH` will add a `ufw` rule that allowed the client IP address on the port 47612 after the received TCP sequence `8792,6137,2058`. This rule is going to timeout and then be removed after 10 seconds

		`closeSSH` will remove a `ufw` rule that allowed the client IP address on the port 47612 after the received TCP sequence `4496,1625,7349`.

		You can finally start the port-knock server.

		```bash
		systemctl restart knockd
		```

		## Usage

		Now everything is setup, you can use the port-knock client `knock` (from the package `knockd`) to perform TCP connections on your target machine.

		As example:
		```bash
		knock -v localhost 7264 3981 5410
		```

Response: application/gopher-menu

Original URL	gopher://tilde.pink/1/~nagi/knockd_ufw.gph
Content-Type	application/gopher-menu; charset=utf-8