The easiest way to configure port knocking on CentOS and RHEL systems is with the CSF Firewall (ConfigServer Security & Firewall). The following tutorial assumes that you already have CSF installed and running correctly on your server.
Enable Port Knocking
The PORTKNOCKING setting in the CSF configuration uses the following syntax:
PORTKNOCKING is a comma separated list of: openport;protocol;timeout;kport1;kport2;kport3[...;kportN]
For example, this setting:
PORTKNOCKING = "22;TCP;20;100;200;300;400"
means: 22 is the SSH port that will be opened, for 20 seconds, once the knock sequence has been completed, which gives you time to establish the connection with the remote host. 100, 200, 300 and 400 are the knock ports, and they must be hit in that order with a TCP SYN packet (a plain connection attempt to each port).
The knock ports you choose must not be in use by any service and must not appear in TCP_IN (UDP_IN for UDP knocks). The port to be opened must not appear in TCP_IN (UDP_IN) either; a port listed there is already allowed unconditionally, so the knock would have no effect.
Each knock is a separate connection attempt from the client, and the whole sequence has to be completed before you connect. With a fast, low-latency connection you can use 4 or more knock ports; on a normal to slow connection keep it to 2 or 3 knock ports (or raise the timeout).
Configuration on your Client Host
Install Nmap on your client. Nmap is used to knock the ports of your remote SSH server.
On Debian/Ubuntu:
apt-get install nmap
On CentOS/RHEL:
yum install nmap
Nmap does not actually need root for this: run as an unprivileged user it falls back to a connect scan, and a connect attempt sends the same SYN the knock rules look for. If you still want to run it through sudo without a password prompt, edit /etc/sudoers and restrict the rule to the nmap binary rather than granting passwordless root for every command (replace 'user' with your real system user):
user ALL=(ALL) NOPASSWD: /usr/bin/nmap
Log into your local client box as root and create the connect script (the placeholders are explained below):
cat > /usr/local/bin/connect <<'EOF'
#!/bin/sh
# Knock the CSF ports in sequence, then open the SSH session on the port that was just unlocked.
sudo nmap -p PORT1 XX.XX.XX.XX > /dev/null
sudo nmap -p PORT2 XX.XX.XX.XX > /dev/null
sudo nmap -p PORT3 XX.XX.XX.XX > /dev/null
ssh -p SSHPORT user@XX.XX.XX.XX
EOF
Replace the placeholders:
- PORT1, PORT2 and PORT3 with the real knock ports you defined in your CSF Firewall configuration, in the same order
- user@XX.XX.XX.XX with your real user and the IP address of your SSH server
- XX.XX.XX.XX with your remote server IP
- SSHPORT with your remote SSH server port (the open port from the PORTKNOCKING setting)
Set execution permissions to your new SSH connect file:
chmod +x /usr/local/bin/connect
Try to connect to your SSH server by running connect:
If it asks for a password to run nmap, remove all of the "sudo" words from the file /usr/local/bin/connect; nmap then runs a connect scan, which still sends the SYN that the knock rules match on.
If everything is fine, you should be prompted for the user's password, or logged straight in if you are using public key authentication:
$ connect
Last login: Sat Oct 31 16:39:21 2015 from XX.XX.XX.XX
ALERT! You are entering a secured area! Your IP and login information have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
$
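As an added example (not part of the original tutorial and not CSF's own code), the following bash script ties the server-side setting and the client-side procedure together: it parses a PORTKNOCKING entry in the syntax shown above, checks the rule that neither the open port nor any knock port may appear in TCP_IN, and performs the client knock without nmap or root by using bash's /dev/tcp, which sends the same SYN a connection attempt always does. The function names (pk_parse, pk_check, pk_knock, pk_connect), the sample TCP_IN value and the host placeholder are assumptions; the script assumes bash with /dev/tcp support and coreutils timeout on the client, and handles TCP knock sequences only.

```bash
#!/usr/bin/env bash
# Added example, not CSF's own code. Assumes bash (arrays, /dev/tcp) and
# coreutils `timeout` on the client. TCP knock sequences only.

# Parse "openport;protocol;timeout;kport1;...;kportN" (the CSF PORTKNOCKING
# syntax) into PK_OPENPORT, PK_PROTO, PK_TIMEOUT and PK_KNOCKS (space separated).
# Returns 1 on a malformed entry.
pk_parse() {
    local entry="$1" IFS=';' p
    local -a f
    read -r -a f <<<"$entry"
    IFS=' '
    [ "${#f[@]}" -ge 4 ] || return 1
    PK_OPENPORT=${f[0]}
    PK_PROTO=$(printf '%s' "${f[1]}" | tr '[:lower:]' '[:upper:]')
    PK_TIMEOUT=${f[2]}
    PK_KNOCKS=${f[*]:3}
    for p in "$PK_OPENPORT" "$PK_TIMEOUT" $PK_KNOCKS; do
        [[ $p =~ ^[0-9]+$ ]] || return 1
    done
    for p in "$PK_OPENPORT" $PK_KNOCKS; do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [[ $PK_PROTO == TCP || $PK_PROTO == UDP ]] || return 1
}

# Check the CSF rule that neither the open port nor the knock ports may appear
# in TCP_IN (UDP_IN for UDP). $2 is the comma-separated allow list from csf.conf,
# which may contain ranges such as 30000:35000. Prints each conflict, returns 1
# if any was found, 2 if the entry itself is malformed.
pk_check() {
    local entry="$1" allowed="$2" rc=0 p item lo hi
    local -a items
    pk_parse "$entry" || { echo "malformed PORTKNOCKING entry: $entry" >&2; return 2; }
    IFS=',' read -r -a items <<<"$allowed"
    for p in $PK_OPENPORT $PK_KNOCKS; do
        for item in "${items[@]}"; do
            lo=${item%%:*}
            hi=${item##*:}
            if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then
                echo "port $p is listed in ${PK_PROTO}_IN (entry $item)"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Client side: hit each knock port in order. A plain TCP connect attempt already
# sends the SYN that the knock rules match on, so neither nmap nor root is needed.
# The per-knock timeout keeps a silently dropped port from stalling the sequence;
# refused or dropped results are expected and ignored.
pk_knock() {
    local host="$1" port
    shift
    for port in "$@"; do
        timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || true
        sleep 0.2   # small gap so the knocks arrive in order
    done
}

# Knock with the ports from the server's PORTKNOCKING entry, then SSH to the
# opened port while the timeout window is still open.
pk_connect() {
    local entry="$1" host="$2" user="$3"
    pk_parse "$entry" || { echo "bad PORTKNOCKING entry: $entry" >&2; return 1; }
    [ "$PK_PROTO" = TCP ] || { echo "only TCP knock sequences are handled here" >&2; return 1; }
    pk_knock "$host" $PK_KNOCKS
    ssh -p "$PK_OPENPORT" "$user@$host"
}

# Stand-alone use (host and user are placeholders):
#   ./knock.sh "22;TCP;20;100;200;300;400" "20,21,25,53,80,443"   # check against TCP_IN
#   ./knock.sh "22;TCP;20;100;200;300;400" XX.XX.XX.XX user       # knock, then ssh
case $# in
    2) pk_check "$1" "$2" && echo "PORTKNOCKING entry does not overlap ${PK_PROTO}_IN" ;;
    3) pk_connect "$1" "$2" "$3" ;;
esac
```

Run the check form against the TCP_IN value from your csf.conf before enabling the setting; a conflict there is the most common reason a knock sequence appears to do nothing.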
As you can see, enabling port knocking on CentOS is straightforward with the CSF Firewall: the knock ports, the port to open and the timeout are all configured in one clean setting. Keep in mind that port knocking only hides the SSH port from casual scans; it does not replace key-based authentication or the rest of your SSH hardening. Always test the sequence from your client and make sure it works before relying on it as your standard way to reach the server.