Port knocking for a secure SSH server.
Why port knock?
An SSH port that is reachable from the Internet is exposed to scans that reveal the server version and other information, brute-force login attempts, exploit attempts against sshd itself, and, ultimately, compromised passwords or keys.
Port knocking shrinks that attack surface at the TCP level: the SSH port stays blocked by iptables and is opened only for a source IP that has just sent the correct knock. To everyone else the port looks filtered, so nothing above the TCP layer (banner, authentication, the sshd code) is reachable.
Port knocking is an extra layer, not a replacement for the usual controls against each of these:
- scans - obfuscate the version and other information sshd reveals
- brute-force - use fail2ban and account lockout or attempt limits
- exploit attempts - keep systems updated; keep the team aware of CVEs
- compromises - no password authentication, key rotation, user identity management (accounts, logins, SSO, etc.)
What is port knocking?
Port knocking is sending TCP SYN packets to a pre-agreed sequence of ports. The knockd daemon does not listen on those ports; it captures packets with libpcap, so the knock ports can stay firewalled and look closed to a scanner.
When knockd sees the complete sequence from one source IP within the configured timeout, it runs a command, typically an iptables rule that accepts connections to the SSH port from that IP only.
The firewall also accepts packets belonging to already established connections, so once the knock and the SSH connection have been made the session keeps working even after knockd removes the rule again (via a close sequence or a timed stop command).
One caveat: the knock itself is not secret once observed. Anyone who can sniff the sequence can replay it, so treat port knocking as a layer on top of SSH key authentication rather than a substitute; knockd's one_time_sequences option mitigates replay.
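A server-side knockd configuration matching the knock sequence and SSH port used on this page, as an added example and not a file from the original post. It assumes the interface is eth0, that sshd listens on 2222, and that the host's INPUT chain drops new connections to 2222 by default (the two baseline iptables rules are shown in the comments); those details are the example's assumptions.

```ini
# /etc/knockd.conf (added example; eth0 and the baseline rules are assumptions)
#
# Baseline firewall, applied once at boot, before knockd starts:
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 2222 -j DROP
# The ESTABLISHED rule is what keeps an SSH session alive after the
# per-IP ACCEPT rule below is removed again.

[options]
    UseSyslog
    Interface = eth0

[openSSH]
    # Same sequence the client sends with: knock -v hostname.example.com 5000 5001 5002
    sequence    = 5000,5001,5002
    # All three SYNs must arrive in order, from one source IP, within 5 seconds.
    seq_timeout = 5
    tcpflags    = syn
    # Insert the ACCEPT rule at the top of INPUT so it matches before the DROP.
    # knockd replaces %IP% with the knocking client's source address.
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
    # Remove the rule 10 seconds later. The already established SSH session
    # survives via the ESTABLISHED rule, but no new connection can be opened
    # from that IP without knocking again.
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
```

A quick check after restarting knockd: from the client, the port should show as filtered in a scan before the knock, and only the knocking IP should be able to complete a TCP handshake to 2222 during the 10-second window. If replay of a sniffed sequence is a concern, swap the fixed sequence for a one_time_sequences file so each knock is valid only once.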
How does one ‘knock’?
- Install the knockd package (which also provides the knock client) on the workstation doing the knocking.
- Run the command (-v prints each port as it is hit):
knock -v hostname.example.com 5000 5001 5002
- SSH as usual, e.g.
ssh -p 2222 hostname.example.com
How does one set up port knocking?
- Coming soon. Stay tuned for Ansible scripts.