Port knocking in Ubuntu : Hide SSH Daemon on HP Cloud

Port knocking is used to stop port scan by the attackers who seeks the vulnerable services to attack. Here is guide for the HP Helion Public Cloud Users to use Port Knocking in Ubuntu 14.04 LTS or equivalent Deb Linux. HP Helion Public Cloud has Private Key (.pem) based login system to the instances. Also on HP Cloud, we need to configure the router, subnet, Ingress-Egress Policies to properly SSH to the instances. There is some theory in this article, which is important to know before we proceed to hide the SSH daemon on HP Cloud running latest Ubuntu LTS edition as Partner Image.
Note the Title – Port knocking in Ubuntu NOT Port knocking on Ubuntu. There is philosophical difference.

You should use a developmental server, not a production server. Else take a snapsot before proceeding.

Port Knocking in Ubuntu : Basic Theory About Port Knocking and IPTables

The port knocking is a mechanism for the externally opened ports (we opened using the Ingress, Egress policies for the External Network (Ext Net)) using a predetermined sequence of connection attempts to close the ports. Once the firewall receives a correct connection sequence, rules are modified to allow the host who made ‹‹attempts to connect to a specific port. The main purpose of port knocking is to prevent a port scan by an attacker who seeks possible vulnerable services to run major attacks. We talked about Man in the Middle Attack, Advanced Persistent Threat like bigger matters as well as small scale attacks. Port knocking does not generally lower the security of an unix system, it works as an another layer of security for minimal overhead. However, port knocking software can introduce new security problems or even lower the security. There is another thing named Single Packet Authorization, here only a single knock is needed.

We set a service to review the log or log firewall to detect this sequence of connection attempts. Another method is to have a process examining packets with a packet capture interface.

Linux system is fully customizable and is not restricted to the opening and closing of ports. Normally, we set the description of a sequence of knock tied to an action, such as running a bash script. Once, the sequence is detected by the port knocking demon, only then the associated script is executed. This script can add rules in the firewall to open ports. Knocks of different kinds can be used on the same Linux machine to perform different actions.

As we have SELinux running by default at runlevel and IP spoofing actually exists; you should use Port Knocking for definite purpose on Linux Distro which are not commonly used. We gave example with Ubuntu as it possibly most commonly used distort for the servers.

This is How Port knocking Works in Theory :

1. The client can not connect to an application that is listening on port n.
2. The client attempts to connect to a predefined set of ports in sequence, sending certain packets. The client has prior knowledge of the port knocking service and configuration, but receives no response during this phase because the firewall rules do not allow.
3. The port knocking service intercepts the connection attempts and decodes to verify a real knock. The server performs specific tasks based on the knocking of ports as open other ports to the CLIENT.
4. The client connects to the newly opened port n.

When the SSH Daemon is closed, we can login to the instances using OpenStack API. The default method is used in the dashboard Terminal. Otherwise, you will not be able login yourself during configuration and after it is set. You should ask HP Cloud Help over the Chat if you have issue to login via that dashboard Terminal. We can not openly discuss it for security reasons.

A secure server is means server without an internet connection or a server with our Router! Even, that might not be secure enough. Port numbers begin with the number 1 and ends with the number 65535. Actually the number is double as there are Ingress and Egress. Do not ask why Ingress = Egress. It can happen if security is exploited. We are talking about the number of chances. In essence, the firewall rules will know that a request really originated from a source address towards the destination port, like port 22, upon, receiving the request it will look at the rules defined by YOU to execute an action on the request. So the firewall is important. Special Knockd RPM Packages are available, you can use them, if you want.

Port knocking in Ubuntu : Steps To Hide SSH Daemon on HP Cloud

First install the software :

knockd will be disabled by default.

This will be known as Step 1 for reference.

First we will run this command :

It means, drop all the incoming traffic whatever the protocol is. If we run this command – sudo iptables -L, then we will get this kind of output :

This will be known as Step 2 for reference.

There are two important files :

/etc/knockd.conf [configuration file]

and the working one :

/etc/default/knockd [daemon file]

The second one is what that will work. If you do not the files on the said locations, run locate knockd or whereis knockd command. If you open the file named /etc/knockd.conf (configuration file) with nano, it will look like this :

Under the [options] option, there is a directive -> UseSyslog. This tells knockd that to insert logs into /var/log/messages. I think you would like to specify normal place of error log file, you can do so by using this option instead:

You should configure the file like this :

I am a human, not a man page! You should read the manual to understand what actually the things mean.

Test later changing the sequence. Over 50K people can read this guide and the same sequence. Now, we have to edit the daemon file :

We can restart knockd by running :

From local computer, for this guide, we will do SSH in this way :

Try to run ssh login normally :

You will get :
sh: connect to host server_ip_address port 22: Operation timed out

Right thing happened!
Why you are trying to SSH? No SSH Daemon is running!
You can read on official website too – http://www.zeroflux.org/projects/knock

If my MacBook Pro is stolen, NSA can not login, because the sequence is from my mind and not written on the same MacBook Pro. Passwords and sequences, to some extent, better to forget than to write somewhere EXACTLY like the password is.

This is very basic settings for IPTables for the beginners. I use more difficult way. Do not forget that, we have Ingress, Egress Policies. I do this :

Instead of running :

Which we wrote as – This will be known as Step 1 for reference.
But you will yourself get logged out and login via that HP Cloud Console and run these :

What was written as This will be known as Step 2 for reference, will be the same. Single Packet Authentication can also be done, that will be a separate tutorial.