GUNBOT: The automatic profit generator > Beginners & Help
How to use port knocking to hide your sshd and mitigate bruteforce attempts.
BZCo:
Hello guys. A few days ago my vps provider temporarily suspended my service because of strange peaks in my traffic usage. When I dug further, it appeared that my vps box was the target of bruteforce attacks, mainly from China, and I had around 250k authentication attempts from ~500 ips sent to my sshd over around 2 days. So I decided to hide my ssh daemon with port knocking.
What is a port knocking?
In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).
I assume you already have openssh installed.
1. Install knockd. That's the daemon that controls port knocking.
--- Code: ---sudo apt-get install knockd
--- End code ---
2. Setting up iptables:
Flush existing rules:
--- Code: ---iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --policy OUTPUT ACCEPT
--- End code ---
Allow all established connections and on-going sessions through the firewall:
--- Code: ---iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
--- End code ---
Block incoming port 22:
--- Code: ---iptables -A INPUT -p tcp --destination-port 22 -j DROP
--- End code ---
Save iptables rules:
--- Code: ---apt-get install iptables-persistent
--- End code ---
If you already have iptables-persistent installed:
--- Code: ---sudo netfilter-persistent save
--- End code ---
Now, you will remain connected to your existing connection while blocking other connections on the SSH port.
3. Configure knockd:
Edit the configuration file /etc/knockd.conf:
--- Code: ---sudo nano /etc/knockd.conf
--- End code ---
Change the port numbers in the sequence, because that's the default config and it's the equivalent of admin/admin for user and pass :):
--- Code: ---[options]
logfile = /var/log/knockd.log
[SSH]
sequence = 7000,8000,9000
seq_timeout = 20
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
cmd_timeout = 10
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
--- End code ---
Edit the file /etc/default/knockd:
--- Code: ---sudo nano /etc/default/knockd
--- End code ---
and change
START_KNOCKD=0
to
START_KNOCKD=1
Start knockd:
--- Code: ---sudo /etc/init.d/knockd start
--- End code ---
To knock from a linux system:
--- Code: ---knock yourserversip 7000 8000 9000
--- End code ---
Then just connect to ssh on port 22.
To knock from a windows system:
You could download microsoft's telnet client or use some other tool.
I tested this one and it's working well, and you can save different knocking profiles in it.
LINK
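An added example, not code from BZCo's post or from knockd itself: a small Python knock client that reads the [SSH] sequence from a knockd.conf like the one above, sends the knocks (it also handles the port:proto form knockd accepts, e.g. 7000:udp), and then checks whether port 22 answers. The sample config is constructed and "yourserversip" is a placeholder, as in the post.

```python
import configparser
import socket
import time

# Constructed sample mirroring the [SSH] section of the /etc/knockd.conf above.
SAMPLE_KNOCKD_CONF = """[SSH]
sequence = 7000,8000,9000
seq_timeout = 20
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

def parse_sequence(conf_text, section="SSH"):
    """Return ([(port, proto), ...], seq_timeout); knockd allows bare ports (tcp) or port:proto."""
    cp = configparser.ConfigParser(interpolation=None)  # %IP% is knockd syntax, not interpolation
    cp.read_string(conf_text)
    steps = []
    for item in cp[section]["sequence"].split(","):
        port, _, proto = item.strip().partition(":")
        steps.append((int(port), (proto or "tcp").lower()))
    return steps, cp[section].getint("seq_timeout", fallback=5)  # 5 is our fallback, not knockd's

def knock(host, steps, delay=0.3):
    """One connection attempt per step; the ports are DROPped, so each attempt
    fails by design. knockd only needs to see the SYN (or the UDP datagram)."""
    for port, proto in steps:
        kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(0.5)
            try:
                s.sendto(b"", (host, port)) if kind == socket.SOCK_DGRAM else s.connect((host, port))
            except OSError:
                pass  # timeout or refusal is the expected outcome on a closed port
        time.sleep(delay)

def ssh_reachable(host, port=22, timeout=3.0):
    """True if a TCP handshake to sshd now succeeds (the knock opened the rule)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    target = "yourserversip"  # placeholder, as in the post
    steps, seq_timeout = parse_sequence(SAMPLE_KNOCKD_CONF)
    assert 0.5 * len(steps) < seq_timeout, "knocks would take longer than seq_timeout"
    knock(target, steps)
    print("ssh open" if ssh_reachable(target) else "still blocked")
```

The whole sequence has to arrive within seq_timeout, which is why the script checks the worst-case knock duration against it before sending.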
criptonauta:
Hi BZCo!
Thanks again for sharing the info, first in the telegram group and then here. After you pointed out your issue and we talked, I managed to avoid many breach attempts, thus protecting my assets and those of my clients.
I hope every user implements those steps, since it'll make our community safer.
Best regards!