SSH security training using Port Knocking (in Ubuntu and Debian)

What is Port Knocking in SSH? Port knocking is a technique that allows only legitimate users to reach a server's services. In this article from the Pars Pack blog we look at securing the SSH service with port knocking. We will also cover how to install and configure knockd and how to set the firewall rules. So stay tuned.

Configure Port Knocking for SSH service security

The SSH service runs on the server, but port 22 is closed by a firewall rule, so nobody can connect to it directly. The server also runs the knockd daemon, which can change the firewall rules and temporarily open port 22 for a user, provided that user first hits several specific ports in the right order.

The Knock Sequence is therefore something like a password for the SSH port. Only users who know the Knock Sequence can make knockd open the SSH port for them. Note that when a legitimate user is finished, a second Knock Sequence is used to close the SSH port again.

Steps to configure Port Knocking in SSH

To protect the SSH service with port knocking, follow the steps below.

Step 1: Install and configure Knockd on a Debian / Ubuntu server

Use the following command to install knockd from the default package repository:

sudo apt-get install knockd

Edit the main configuration file with a command-line text editor such as Nano:

sudo nano /etc/knockd.conf

You need to change three items in this file. In the [openSSH] section, the default knock sequence for opening the port is 7000, 8000, 9000. You can change it as you wish.

For example, you can set it to 10001,10002,10003 (knockd separates the ports with commas). You can also define four or more ports for the sequence. Note that you do not need to open these ports in the firewall.

Then change -A to -I in the iptables command, so that the rule knockd adds is inserted as the first rule in the chain; the order of rules in an iptables chain matters. When you send the right Knock Sequence, knockd runs this iptables command to open the SSH port for your IP address only. Other IP addresses still cannot connect to the SSH port.

In the [closeSSH] section you can change the closing knock sequence as desired, for example to 10003,10002,10001.
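The following shell script is an added example and is not part of the original post or the knockd project. It validates a proposed knock sequence (numeric ports in range, no duplicates, not port 22 itself, at least three knocks as in the tutorial's examples), derives the closing sequence as the reverse of the opening one, and renders the [openSSH] and [closeSSH] stanzas with the -I / -D iptables rules described above. The seq_timeout value of 5 seconds and the tcpflags setting are assumptions chosen for the example.

```shell
#!/usr/bin/env bash
# Added example: build a knockd.conf from a chosen knock sequence.
# Assumes SSH on TCP port 22, an iptables-based firewall, and that the
# closing sequence is the opening sequence reversed (as in the tutorial).

# Return 0 if every argument is a distinct TCP port in 1-65535, none is 22,
# and there are at least three knocks.
validate_sequence() {
    local seen="" p
    [ "$#" -ge 3 ] || return 1
    for p in "$@"; do
        case "$p" in *[!0-9]*|"") return 1 ;; esac   # not a number
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        [ "$p" -ne 22 ] || return 1                    # never knock on SSH itself
        case " $seen " in *" $p "*) return 1 ;; esac    # duplicate knock
        seen="$seen $p"
    done
    return 0
}

# Print the arguments in reverse order, space-separated.
reverse_sequence() {
    local out="" p
    for p in "$@"; do out="$p${out:+ $out}"; done
    printf '%s\n' "$out"
}

# Join the arguments with commas (knockd's sequence syntax).
join_commas() {
    local IFS=,
    printf '%s\n' "$*"
}

# Render the [options], [openSSH] and [closeSSH] stanzas on stdout.
# -I inserts the ACCEPT rule at the top of INPUT so it is evaluated before
# the rule that blocks port 22; -D removes exactly that rule again.
render_knockd_conf() {
    local open_seq close_seq
    validate_sequence "$@" || return 1
    open_seq=$(join_commas "$@")
    close_seq=$(join_commas $(reverse_sequence "$@"))
    cat <<EOF
[options]
    UseSyslog

[openSSH]
    sequence    = $open_seq
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = $close_seq
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
EOF
}

# Usage on the server (review the output before installing it):
#   render_knockd_conf 10001 10002 10003 | sudo tee /etc/knockd.conf
```

Because the script refuses duplicate ports and port 22, it catches the two configuration mistakes that make a sequence either ambiguous or self-defeating; the rendered file still has to be reviewed against your own firewall setup before it replaces /etc/knockd.conf.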


Now save and close the file.

Next, run the following command to find the name of the server's main network interface:

ip addr


In this example, the main network interface is ens18. Now edit the configuration file /etc/default/knockd:

sudo nano /etc/default/knockd

Find the line that controls whether knockd is started automatically and change its value from 0 to 1 so that knockd starts when the system boots.


By default knockd is bound to eth0. Your server's network interface may not be eth0, so you need to change it. To do this, find the following line:

#KNOCKD_OPTS="-i eth1"

Remove the # and replace eth1 with the name of your server's primary network interface:

KNOCKD_OPTS="-i ens18"

Save and close the file. Then start the knockd daemon:

sudo systemctl start knockd

Enable it to start at boot:

sudo systemctl enable knockd

Check the status of knockd to confirm it is running:

systemctl status knockd


Step 2: Close SSH port 22

To close SSH port 22 in the UFW firewall, first list the current firewall rules with their numbers:

sudo ufw status numbered


In this example, the first and third rules open the SSH port. To close TCP port 22, delete these two rules:

sudo ufw delete 3
sudo ufw delete 1

Note that you must delete the rule with the larger index first, because UFW renumbers the remaining rules after every deletion. For example, delete rule 3 before rule 1.

Now, if you try to SSH into your server, the SSH service will not respond to your request.
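The following script is an added example, not part of the original post or of UFW. It parses the output of `sudo ufw status numbered`, picks out every rule that allows inbound SSH (22, 22/tcp or the OpenSSH application profile), and prints the `ufw delete` commands with the highest rule number first, which is exactly the ordering the note above requires. The sample status output embedded in the script is constructed for the demo, not captured from a real host; the rule numbers in it match the tutorial's example.

```shell
#!/usr/bin/env bash
# Added example: find UFW rules that allow SSH and emit delete commands in
# descending order, since UFW renumbers the remaining rules after each delete.

# Constructed sample of `sudo ufw status numbered` output (not from a real host).
UFW_SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 4] 80/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Read `ufw status numbered` output on stdin; print the numbers of the rules
# that allow inbound SSH, highest number first.
ssh_allow_rule_numbers() {
    awk '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)   # "[ 3] ..." -> "3"
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)             # drop the "[ 3] " prefix
            split(rest, f, " ")                                      # f[1] is the "To" column
            if ((f[1] == "22" || f[1] == "22/tcp" || f[1] == "OpenSSH") && rest ~ /ALLOW IN/)
                print num
        }' | sort -rn
}

# Print the ufw delete commands in the order they must be run.
ufw_delete_ssh_commands() {
    ssh_allow_rule_numbers | while read -r num; do
        printf 'sudo ufw delete %s\n' "$num"
    done
}

# Return 0 if at least one rule allowing SSH is still present on stdin.
# Run this after the deletions to confirm port 22 is really closed.
ssh_still_allowed() {
    [ -n "$(ssh_allow_rule_numbers)" ]
}

# Usage on a real host:  sudo ufw status numbered | ufw_delete_ssh_commands
# Offline demo on the constructed sample:
printf '%s\n' "$UFW_SAMPLE_STATUS" | ufw_delete_ssh_commands
```

On the sample the script prints `sudo ufw delete 3` before `sudo ufw delete 1`. Running `sudo ufw status numbered | ssh_still_allowed` after the deletions and getting a non-zero exit status confirms that no rule still opens port 22 before you rely on knockd alone.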

Step 3: Use the Knock Client to send the Knock Sequence

The knockd package comes with a knock client called knock, so you can install it on your Debian or Ubuntu client machine with the following command:

sudo apt-get install knockd

To make the server firewall open TCP port 22 for your IP address, send the correct Knock Sequence from the client computer (replace SERVER_IP with your server's address):

knock -v SERVER_IP 10001 10002 10003

You will then see one line of output per knock, like the following:

hitting tcp
hitting tcp
hitting tcp

If the latency between the client and your server is high, the knock attempt may fail. If the SSH port is still closed, you may need to send the Knock Sequence several times.

Once the knock succeeds, you can connect with SSH. When you are done, use the closing sequence to close the SSH port for your IP address again (replace SERVER_IP with your server's address):

knock -v SERVER_IP 10003 10002 10001

Note that knockd only responds to a Knock Sequence sent to the primary network interface (i.e. the primary IP address). If the server has multiple IP addresses and you send the Knock Sequence to another one, knockd will not open the SSH port.

How to automatically restart Knockd

If the knockd daemon stops, you will no longer be able to log in over SSH. To prevent this, you can create a cron job that restarts knockd every hour. To do this, proceed as follows.

First edit the root user's crontab:

sudo crontab -e

Then add the following line to the file:

@hourly systemctl restart knockd

Finally, save and close the file.

If knockd stops anyway, you can still reach your server through your hosting provider's web-based console, start knockd manually, and regain SSH access.

Logging in to SSH without a password

Enabling public key authentication (passwordless login) can further improve the security of your SSH service.

Summary of the port knocking setup

As mentioned earlier, the Knock Sequence is like a password for the SSH port: only authorized users with the right Knock Sequence can have it opened. I hope this tutorial has helped you set up port knocking on your Ubuntu / Debian server.

Frequently Asked Questions

1. What does Port Security do?

Port security helps protect the network by preventing packets from being forwarded by unknown devices. When a link goes down, all locked addresses are released dynamically. With port security you can limit the number of MAC addresses allowed on a given port.

2. Is the SSH port secure?

SSH provides password or public-key authentication and encrypts the connection between two network endpoints. It is a secure alternative to older login protocols (such as telnet and rlogin) and to insecure file transfer methods (such as FTP).


The post "SSH security training using Port Knocking (in Ubuntu and Debian)" appeared first on the Pars Pack blog.
