How to Enable Port Knocking on CentOS

Port Knocking is an interesting way to secure access to your SSH server. As the name implies, it consists of knocking on a set of ports in a predefined sequence. If the client sends its knocks to the right ports in the right order, the firewall then opens the real SSH port to that client's incoming connection.

The easiest way to configure port knocking on CentOS and RHEL systems is by using the CSF Firewall. The following tutorial assumes that you already have the CSF Firewall running well on your server.

Enable Port Knocking

The syntax to enable port knocking can be found at:

/etc/csf/csf.conf

Example:

PORTKNOCKING is a comma separated list of:
openport;protocol;timeout;kport1;kport2;kport3[...;kportN]

For example, if you set this:

PORTKNOCKING = "22;TCP;20;100;200;300;400" means:

22 is the SSH port that will be opened for 20 seconds so that you can establish the connection with the remote host. 100, 200, 300 and 400 are the knock ports, which must be knocked with a SYN packet in that order.

The knock ports you choose must not be in use and not appear in TCP_IN (UDP_IN for udp packets). The port to be opened must also not appear in TCP_IN (UDP_IN for udp packets).

If you have a fast internet connection, then you can use 4 or more knock ports. However, if you have normal to low internet connection speeds, then you should use 2 to 3 knock ports.

Configuration on your Client Host

Install Nmap on your client. Nmap will be needed to knock the ports of your remote SSH server.

For Ubuntu/Debian:

apt-get install nmap

For CentOS/RHEL:

yum install nmap

Edit the /etc/sudoers file and add your system user at the end (replace ‘user’ with your real system user):

user   ALL=(ALL)       NOPASSWD: ALL

Log into your local client box as root and run this command:

echo "sudo nmap -p PORT1 XX.XX.XX.XX > /dev/null; sudo nmap -p PORT2 XX.XX.XX.XX > /dev/null; sudo nmap -p PORT3 XX.XX.XX.XX > /dev/null; ssh -p SSHPORT user@XX.XX.XX.XX" > /usr/local/bin/connect

Replace:

  • PORT1, PORT2 and PORT3 with the real knock ports you defined in your CSF Firewall configuration, in the same order
  • user with the user name you log in with on the SSH server
  • XX.XX.XX.XX with your remote server IP
  • SSHPORT with your remote SSH server port

Set execution permissions to your new SSH connect file:

chmod +x /usr/local/bin/connect

Try to connect to your SSH server by typing:

connect

If you are asked for a password when nmap runs, remove every “sudo” from the file /usr/local/bin/connect.

If everything is fine, you will be prompted for the user's password, or logged in straight away if you use public key authentication:

[[email protected] ~]$ connect
Last login: Sat Oct 31 16:39:21 2015 from XX.XX.XX.XX

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

[[email protected] ~]$ 
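The client script above and the csf.conf constraints described earlier, as an added example that is not part of the original article or of CSF itself: a Python replacement for the nmap-based connect script that parses a PORTKNOCKING value, checks that neither the port being opened nor the knock ports appear in the TCP_IN list, and then knocks with ordinary connect attempts (each one sends the SYN packet CSF watches for, so neither nmap nor sudo is needed) before starting ssh. The host 203.0.113.10, the user name and the rule values are constructed placeholders, and the helper handles TCP rules only.

```python
import socket
import subprocess

def parse_portknocking(value):
    """Split a CSF 'openport;protocol;timeout;kport1;...;kportN' value."""
    fields = value.strip().strip('"').split(";")
    if len(fields) < 5:
        raise ValueError("need open port, protocol, timeout and >= 2 knock ports")
    return {"openport": int(fields[0]), "protocol": fields[1].upper(),
            "timeout": int(fields[2]), "knocks": [int(p) for p in fields[3:]]}

def port_in_list(port, csf_list):
    """True if port is covered by a CSF port list such as '20,21,22,1000:2000'."""
    for item in filter(None, (x.strip() for x in csf_list.split(","))):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(item) == port:
            return True
    return False

def rule_conflicts(rule, allowed_ports):
    """Ports that break the rule from the article: neither the knock ports nor
    the port being opened may also appear in TCP_IN (UDP_IN for UDP rules)."""
    return [p for p in [rule["openport"]] + rule["knocks"]
            if port_in_list(p, allowed_ports)]

def knock(host, rule, per_knock_timeout=1.0):
    """Send the knocks in order. A plain connect attempt already emits the TCP
    SYN that CSF looks for, so neither nmap nor root privileges are required."""
    if rule["protocol"] != "TCP":
        raise NotImplementedError("this helper only knocks TCP rules")
    for port in rule["knocks"]:
        try:
            socket.create_connection((host, port), timeout=per_knock_timeout).close()
        except OSError:
            pass  # knock port is closed or filtered; the SYN was still sent
    return len(rule["knocks"])

def connect(host, user, rule):
    """Knock, then open SSH on the port CSF unlocks for rule['timeout'] seconds."""
    knock(host, rule)
    return subprocess.call(["ssh", "-p", str(rule["openport"]), f"{user}@{host}"])

if __name__ == "__main__":  # constructed sample values, not a real host
    rule = parse_portknocking('"22;TCP;20;100;200;300;400"')
    assert not rule_conflicts(rule, "20,21,25,53,80,110,143,443,465,587,993,995")
    raise SystemExit(connect("203.0.113.10", "user", rule))
```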

As you can see, enabling Port Knocking on CentOS is easy if you use the CSF Firewall: it lets you configure the knock ports, the SSH port to open and the timeout with a clean, simple syntax. Always test the setup and make sure it works before making it your standard way of connecting to your SSH server.
