How to obscure open ports with knockd

Say you have Linux servers in your company and you need access to them from either the LAN or WAN, but you're leery of leaving the SSH ports open. What do you do? One way to secure those ports is to obscure them with a tool called knockd. Knockd works with port knocking, which is a method of dynamically opening network ports when a client connects to a predefined sequence of ports. With knockd, you define a knocking sequence that, when used, will allow the SSH connection through. It's like adding a secret knock that must be used before SSH will allow you in.
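To make the mechanism concrete, here is a simplified Python model of the sequence check a port-knock listener performs per source address. It is an added example, not code from the original article or from knockd itself; the sequence 7000, 8000, 9000, the 5-second timeout and the IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed values for illustration; not taken from the article.
SEQUENCE = (7000, 8000, 9000)   # ports that must be hit in this order
SEQ_TIMEOUT = 5.0               # seconds allowed to finish the sequence

@dataclass
class KnockTracker:
    """Simplified model of a port-knock listener, tracking progress per source IP."""
    sequence: tuple = SEQUENCE
    timeout: float = SEQ_TIMEOUT
    progress: dict = field(default_factory=dict)   # ip -> (stage, start_time)
    allowed: set = field(default_factory=set)      # IPs that would get an SSH rule

    def observe(self, src_ip: str, dst_port: int, ts: float) -> bool:
        """Feed one connection attempt; return True if it completes the knock."""
        stage, started = self.progress.get(src_ip, (0, ts))
        if stage and ts - started > self.timeout:
            stage, started = 0, ts                 # too slow: start over
        if dst_port == self.sequence[stage]:
            stage += 1
        elif dst_port == self.sequence[0]:
            stage, started = 1, ts                 # wrong port, but a fresh first knock
        else:
            stage = 0                              # wrong port: discard progress
        if stage == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.allowed.add(src_ip)               # where the firewall rule would be added
            return True
        if stage:
            self.progress[src_ip] = (stage, started)
        else:
            self.progress.pop(src_ip, None)
        return False

def replay(events):
    """Run constructed (ip, port, time) events through a fresh tracker."""
    tracker = KnockTracker()
    for ip, port, ts in events:
        tracker.observe(ip, port, ts)
    return tracker.allowed

# Constructed traffic: one correct knock, one sequential port scan, one slow knock.
EVENTS = [("198.51.100.7", 7000, 0.0), ("198.51.100.7", 8000, 0.4), ("198.51.100.7", 9000, 0.9)]
EVENTS += [("203.0.113.9", p, 10 + p / 1e4) for p in range(6990, 9010)]
EVENTS += [("192.0.2.44", 7000, 20.0), ("192.0.2.44", 8000, 23.0), ("192.0.2.44", 9000, 27.5)]

if __name__ == "__main__":
    print(sorted(replay(EVENTS)))
```

Only the first client is admitted: the sequential scan touches all three ports but hits other ports in between, and the third client takes longer than the timeout to finish.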

I want to walk you through the installation and usage of knockd. I'll be demonstrating on Ubuntu Server 19.10, but the process should work fine on any Debian or Ubuntu-based server.

What you'll need

The only things you'll need to make this work are:

How to install

There are two pieces of software that must be installed, both of which can be found in the standard repositories. To install these packages, open a terminal window on the server and issue the command:

That's it for the installation on the server.

How to configure knockd

Let's first back up the original knockd configuration file with the command:

Now, create a new file with the command:

In that file paste the following:

Where IFACE is the name of your network interface on the server.

You can also change the knock sequence to whatever you like. Save and close the file.

Next we need to enable knockd. Issue the command:

In that file, change:

To:

Save and close the file.

Create a new systemd file with the command:

In that file, paste the following:

Save and close the file.

Enable and start the new service with the following commands:

How to modify the firewall

Next we must modify the firewall to deny access to SSH port 22. To do that, issue the following commands:

Make those rules persistent between reboots with the following commands:

How to test knockd

In order to SSH into the knockd-enabled server, any remote client must have knockd installed as well. Log in to the second Linux machine and issue the command:

After the installation, first attempt to SSH into the server with the command:

Where USER is the remote username and SERVER_IP is the IP address of the knockd-enabled server. You should not be able to log in.

Now, invoke the knock sequence you configured in knockd.conf with the command:

Where SERVER_IP is the IP address of the knockd server and the knock sequence matches the one you configured.

The command should return no output.

If you run the SSH command now, you should be given access.

And that's all there is to obscuring ports with the help of knockd.
