Hello guys. A few days ago my VPS provider temporarily suspended my service because of strange peaks in my traffic usage. When I dug further, it appeared that my VPS box was the target of brute-force attacks, mainly from China, and I had around 250k authentication attempts from ~500 IPs sent to my sshd over around 2 days. So I decided to hide my SSH daemon with port knocking.
What is port knocking?
In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).
I assume you already have openssh installed.
1. Install knockd. That's the daemon that controls port knocking (the package also ships the knock client used at the end of this post).
sudo apt-get install knockd
2. Setting up iptables (all of these commands need root, so run them as root or with sudo):
Flush existing rules. This throws away every rule you currently have, so review them first. Flushing does not touch the chain policies; INPUT stays at its default of ACCEPT, which is what keeps your current SSH session and everything else open while you work:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --policy OUTPUT ACCEPT
Allow all established connections and on-going sessions through the firewall:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Block incoming port 22:
iptables -A INPUT -p tcp --destination-port 22 -j DROP
Save the iptables rules so they survive a reboot. Installing iptables-persistent asks whether to save the current IPv4 and IPv6 rules; answer yes:
apt-get install iptables-persistent
If you already have iptables-persistent installed, save them explicitly:
sudo netfilter-persistent save
Your existing SSH session stays up because it matches the ESTABLISHED rule, while every new connection to port 22 is now dropped.
3. Configure knockd:
Edit the configuration file /etc/knockd.conf:
sudo nano /etc/knockd.conf
The sequence 7000,8000,9000 shown below is the one shipped in the default config, which makes it the admin/admin of port knocking. Replace it with your own ports (and use the same ports in the knock command at the end of this post):
[options]
logfile = /var/log/knockd.log
[SSH]
sequence = 7000,8000,9000
seq_timeout = 20
# -I (insert), not -A (append): the ACCEPT must land above the "--dport 22 -j DROP" rule
# from step 2. Appended below it, it never matches and the knock opens nothing.
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
cmd_timeout = 10
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
seq_timeout is how long you have to deliver the whole sequence; cmd_timeout is how long the port stays open afterwards. So you have 10 seconds after the knock to start the SSH connection, then stop_command removes the ACCEPT rule again. A session that is already established keeps working because it matches the ESTABLISHED rule from step 2. With tcpflags = syn knockd only looks at SYN packets; other TCP packets on the knock ports are ignored instead of invalidating a knock in progress.
One caveat: the knock itself travels in cleartext, so anyone who can sniff your traffic can replay it. knockd's one_time_sequences option (a file of sequences, each valid once) helps with that, and port knocking should sit on top of key-based authentication, not replace it.
Enable the daemon in /etc/default/knockd:
sudo nano /etc/default/knockd
and change
START_KNOCKD=0
to
START_KNOCKD=1
Start knockd:
sudo /etc/init.d/knockd start
To knock from a Linux system (the knock client comes with the knockd package):
knock yourserversip 7000 8000 9000
Then just connect with ssh on port 22, within the 10 seconds of cmd_timeout. If nothing happens, check /var/log/knockd.log to see whether the sequence was recognised and the command ran.
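As an added example (not code from the original post or from knockd), here is a bash script with two helpers. knock_seq sends the knock from a client that has no knock binary, using bash's /dev/tcp device so that each connect attempt produces the one SYN knockd needs. accept_before_drop is the check I would run on the server after a knock: given the output of `iptables -S INPUT`, it confirms that the per-IP ACCEPT rule really sits above the blanket DROP for port 22, which is exactly what goes wrong when knockd's command uses -A instead of -I. Both function names, the two sample rulesets and the client address 203.0.113.5 are my own constructions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of knockd itself.
# knock_seq:          send the knock from a client without the `knock` binary, using
#                     bash's /dev/tcp (one connect attempt, i.e. one SYN, per port).
# accept_before_drop: run on the server after a knock. Given `iptables -S INPUT` output,
#                     check that the per-IP ACCEPT knockd added sits ABOVE the blanket
#                     "--dport 22 -j DROP" rule. With -A instead of -I in knockd.conf the
#                     ACCEPT is appended below the DROP, never matches, and nothing opens.

knock_seq() {
  local host=$1; shift
  local port
  for port in "$@"; do
    # A closed port answers with RST and the connect fails at once; a filtered port
    # would hang, so cap each attempt at one second. knockd only needs the SYN.
    timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || true
    sleep 0.2   # keep the knocks in order; knockd allows seq_timeout seconds in total
  done
}

# Usage: accept_before_drop CLIENT_IP "$(iptables -S INPUT)"
# Exit status 0 if CLIENT_IP can currently reach port 22, 1 otherwise.
accept_before_drop() {
  local ip=$1 rules=$2
  local n=0 accept_at=0 drop_at=0 line
  while IFS= read -r line; do
    n=$((n + 1))
    case "$line" in
      *"-s $ip/32 "*"--dport 22 -j ACCEPT"*)
        if [ "$accept_at" -eq 0 ]; then accept_at=$n; fi ;;
      *"--dport 22 -j DROP"*|*"--dport 22 -j REJECT"*)
        if [ "$drop_at" -eq 0 ]; then drop_at=$n; fi ;;
    esac
  done <<< "$rules"
  # iptables stops at the first matching rule, so the ACCEPT only works if it comes first.
  if [ "$accept_at" -eq 0 ]; then return 1; fi
  if [ "$drop_at" -ne 0 ] && [ "$drop_at" -lt "$accept_at" ]; then return 1; fi
  return 0
}

# Constructed sample rulesets (what `iptables -S INPUT` prints after a knock from 203.0.113.5).
# GOOD: knockd ran "iptables -I INPUT ...", so the ACCEPT is at the top of the chain.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'
# BAD: knockd ran "iptables -A INPUT ...", so the ACCEPT was appended below the DROP.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# Demo on the constructed samples only; needs neither root nor network.
if accept_before_drop 203.0.113.5 "$GOOD_RULES"; then
  echo "good ruleset: 203.0.113.5 can reach port 22"
fi
if ! accept_before_drop 203.0.113.5 "$BAD_RULES"; then
  echo "bad ruleset: ACCEPT is below the DROP, the knock changed nothing"
fi
```

On a real box, source the script and run `knock_seq yourserversip 7000 8000 9000` from the client, then on the server `accept_before_drop CLIENT_IP "$(sudo iptables -S INPUT)"` within the cmd_timeout window; a failing check with a successful entry in /var/log/knockd.log almost always means the -A/-I ordering problem.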
To knock from a Windows system:
You could use Microsoft's telnet client (a connection attempt to each port in turn sends the SYN knockd is waiting for) or some other tool.
I tested this one and it works well, and you can save different knocking profiles in it.
LINK