# Knockd installation

```sh
apt update
apt install -y knockd iptables-persistent
```

# iptables rules

```sh
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j DROP
iptables-save > /etc/iptables/rules.v4
```
These commands will do the following:
- Instruct iptables to accept packets that belong to existing (ESTABLISHED or RELATED) connections, so current sessions stay alive.
- Instruct iptables to drop any new connection to port tcp/22 (if your SSH daemon listens on a port other than 22, modify the command above accordingly).
- Save these two rules so they persist after a reboot.
# Knockd configuration

Open the file /etc/knockd.conf. You will see:

```ini
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
```
Change the opening sequence (pick your own ports in place of x, y and z):

```ini
[openSSH]
sequence = x,y,z
```

Change the command value from `-A` to `-I`:

```ini
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

iptables evaluates the INPUT chain top to bottom, and the DROP rule for port 22 added above is already in it: an ACCEPT rule appended with `-A` would sit after that DROP and never be reached, while `-I` inserts it at the top so the knocking host's packets match it first.

Change the closing sequence accordingly:

```ini
[closeSSH]
sequence = z,y,x
```
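The following is an added illustration, not knockd's own code or part of the original guide. It models what the stanza above does: a per-source matcher that walks `sequence` and resets when the knocks do not all arrive within `seq_timeout`, and a simulated INPUT chain to which the stanza's `command` is applied with `%IP%` substituted. Replaying a constructed SYN log (the addresses, timestamps and ports are made up) shows why the guide changes `-A` to `-I`: with `-A` the knocking host is still dropped by the earlier DROP rule, with `-I` it is accepted, and a host that knocks too slowly never opens the port either way.

```python
"""Simplified model of knockd sequence matching and iptables INPUT ordering.

Added illustration for this how-to, not knockd's own code. Constructed TCP
SYN events (timestamp, source IP, destination port) are replayed through a
matcher that behaves like one knockd stanza with `sequence` and
`seq_timeout`; when a source completes the sequence, the stanza's `command`
is applied to a simulated INPUT chain, so the effect of `-A` versus `-I`
on rule order can be checked directly.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Rule = Tuple[Optional[str], int, str]  # (source IP or None for any, dport, target)

# Mirrors the default [openSSH] stanza shown in knockd.conf.
SEQUENCE = [7000, 8000, 9000]
SEQ_TIMEOUT = 5.0


@dataclass
class Progress:
    """Per-source progress through the sequence (knockd tracks this per IP)."""
    stage: int = 0
    first_knock: float = 0.0


class KnockMatcher:
    def __init__(self, sequence: List[int], seq_timeout: float) -> None:
        self.sequence = sequence
        self.seq_timeout = seq_timeout
        self.progress: Dict[str, Progress] = {}

    def feed(self, ts: float, src: str, dport: int) -> bool:
        """Return True when this SYN completes the sequence for `src`."""
        p = self.progress.setdefault(src, Progress())
        # The whole sequence must arrive within seq_timeout of the first knock.
        if p.stage and ts - p.first_knock > self.seq_timeout:
            p.stage = 0
        if dport != self.sequence[p.stage]:
            p.stage = 0          # wrong port: start over (simplified reset rule)
            return False
        if p.stage == 0:
            p.first_knock = ts
        p.stage += 1
        if p.stage == len(self.sequence):
            del self.progress[src]
            return True
        return False


class InputChain:
    """First matching rule wins, as in netfilter; unmatched SYNs get the chain policy."""
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def verdict(self, src: str, dport: int) -> str:
        for rule_src, rule_port, target in self.rules:
            if (rule_src is None or rule_src == src) and rule_port == dport:
                return target
        return self.policy


def apply_command(chain: InputChain, command: str, ip: str) -> None:
    """Apply an iptables command line to the chain, substituting %IP% as knockd does.

    Only -A / -I / -D with optional -s, a --dport/--destination-port and -j are parsed.
    """
    argv = shlex.split(command.replace("%IP%", ip))
    mode = argv[1]
    src = argv[argv.index("-s") + 1] if "-s" in argv else None
    port_flag = "--dport" if "--dport" in argv else "--destination-port"
    dport = int(argv[argv.index(port_flag) + 1])
    target = argv[argv.index("-j") + 1]
    rule: Rule = (src, dport, target)
    if mode == "-A":
        chain.rules.append(rule)       # appended after whatever is already there
    elif mode == "-I":
        chain.rules.insert(0, rule)    # inserted at the top of the chain
    elif mode == "-D":
        chain.rules.remove(rule)
    else:
        raise ValueError(f"unsupported iptables mode {mode!r}")


KNOCKER, LATE_KNOCKER = "203.0.113.7", "198.51.100.9"   # constructed addresses

# Constructed SYN log: the first host knocks within 5 s; the second waits 7 s
# between its first and second knock and therefore never completes the sequence.
SYN_EVENTS = [
    (0.0, KNOCKER, 7000), (1.0, KNOCKER, 8000), (2.0, KNOCKER, 9000),
    (10.0, LATE_KNOCKER, 7000), (17.0, LATE_KNOCKER, 8000), (18.0, LATE_KNOCKER, 9000),
]


def simulate(open_command: str) -> Tuple[List[str], Dict[str, str]]:
    """Replay SYN_EVENTS; return the hosts that opened SSH and each host's verdict on tcp/22."""
    chain = InputChain()
    # The DROP rule from the iptables section of the guide is already in place.
    apply_command(chain, "/sbin/iptables -A INPUT -p tcp --destination-port 22 -j DROP", "")
    matcher = KnockMatcher(SEQUENCE, SEQ_TIMEOUT)
    opened: List[str] = []
    for ts, src, dport in SYN_EVENTS:
        if matcher.feed(ts, src, dport):
            opened.append(src)
            apply_command(chain, open_command, src)   # knockd runs `command` here
    return opened, {h: chain.verdict(h, 22) for h in (KNOCKER, LATE_KNOCKER)}


if __name__ == "__main__":
    stock = "/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"
    fixed = "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"
    for label, cmd in (("-A (stock)", stock), ("-I (this guide)", fixed)):
        print(label, simulate(cmd))
```

Running it prints that only `203.0.113.7` completes the sequence in both cases, but its verdict on tcp/22 is `DROP` with the stock `-A` command and `ACCEPT` with `-I`; the slow knocker is dropped either way.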
Save your changes and exit, then open the file /etc/default/knockd:
- Replace `START_KNOCKD=0` with `START_KNOCKD=1`.
- Add the following line to the end of the file:

  ```sh
  KNOCKD_OPTS="-i ens3"
  ```

  (Replace `ens3` with the name of your public network interface if it differs.)
- Save and exit.

Start Knockd:

```sh
systemctl start knockd
```