
Author Topic: How to use port knocking to hide your sshd and mitigate bruteforce attempts.  (Read 5525 times)

Offline BZCo

  • Rookie
  • Posts: 4
Hello guys. A few days ago my VPS provider temporarily suspended my service because of strange peaks in my traffic usage. When I dug further, it turned out that my VPS box was the target of brute-force attacks, mainly from China: I had around 250k authentication attempts from ~500 IPs sent to my sshd over about 2 days. So I decided to hide my SSH daemon with port knocking.
What is port knocking?
In computer networking, port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).

I assume you already have openssh installed.

1. Install knockd. That's the daemon that controls port knocking.
Code:
sudo apt-get install knockd
2. Set up iptables:
    Flush existing rules:
Code:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --policy OUTPUT ACCEPT
    Allow all established connections and ongoing sessions through the firewall:
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    Block incoming port 22:
Code:
iptables -A INPUT -p tcp --destination-port 22 -j DROP
    Save the iptables rules:
Code:
apt-get install iptables-persistent
    If you already have iptables-persistent installed:
Code:
sudo netfilter-persistent save
Now you will stay connected on your existing session while other connections to the SSH port are blocked.

3. Configure knockd:
    Edit the configuration file /etc/knockd.conf:
Code:
sudo nano /etc/knockd.conf
    Change the port numbers in sequence, because that's the default config and it's the equivalent of admin/admin for user and pass :):
Code:
[options]
      logfile = /var/log/knockd.log

[opencloseSSH]
      sequence      = 7000,8000,9000
      seq_timeout   = 20
      command       = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
      tcpflags      = syn
      cmd_timeout   = 10
      stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    Edit the file /etc/default/knockd and change:
Code:
sudo nano /etc/default/knockd
    Start knockd:
Code:
sudo /etc/init.d/knockd start
To knock from a Linux system:
Code:
knock yourserversip 7000 8000 9000
Then just connect to ssh on 22.

To knock from a Windows system:
You could download Microsoft's telnet client or use some other tool.
I tested this one and it's working well, and you can save different knocking profiles in it.

Offline criptonauta

  • Contributor
  • Posts: 137
Hi BZCo!

Thanks again for sharing the info, first in the Telegram group and then here. After you pointed out your issue and we talked, I managed to avoid many breach attempts, thus protecting my assets and those of my clients.

I hope every user implements those steps, since it will make our community safer.

Best regards!