I don’t like it if malicious programs or people try to hack my server.
I do, however, like to have access to my server, via ssh of course. Not just from home, but from wherever I happen to be.
Fortunately, it's possible to have the best of both worlds on my Ubuntu server, using a simple piece of software called knockd.
With knockd, sshd can stay firewalled by default. You open a temporary hole in the firewall by connecting to a few ports in a fixed order, as defined in knockd's config file, and then you ssh to your server.
To set this up with ufw, I started by closing port 22 to the world:
sudo ufw insert 1 deny from any to any port 22
(ufw rejects insert 1 while the rule list is still empty; on a fresh ruleset, sudo ufw deny 22 has the same effect. Either way the deny rule must sit below the allow rule that knockd inserts at position 1 later on.)
This is my /etc/knockd.conf:
[options]
    UseSyslog

[SSH]
    sequence      = 17613,27791,20882,51313
    seq_timeout   = 5
    tcpflags      = syn
    start_command = ufw insert 1 allow from %IP% to any port 22
    cmd_timeout   = 10
    stop_command  = ufw delete allow from %IP% to any port 22
This configures knockd to watch for TCP SYN packets on the four ports, in that order, with the whole sequence completed within 5 seconds (seq_timeout, which covers the complete sequence, not the gap between two knocks). Once the sequence is complete, knockd runs start_command, which inserts an allow rule for the knocking IP ahead of the deny rule, and 10 seconds later (cmd_timeout) runs stop_command to delete it again. An ssh session established during those 10 seconds survives the rule removal, because ufw accepts packets belonging to connections that are already established. Both steps are logged to /var/log/syslog (UseSyslog), which helped me to get this to work. One Ubuntu-specific detail: the daemon does not start until START_KNOCKD=1 is set in /etc/default/knockd.
On my laptop, I made a small script, using the knock client that ships with knockd (-d 300 waits 300 milliseconds between knocks):
knock -d 300 server.example.com 17613 27791 20882 51313
ssh server.example.com
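To make the mechanics concrete, here is an added Python example, not code from the original post or from knockd itself, that models the server-side sequence tracking described above (per-IP progress, reset on a wrong port, reset when seq_timeout runs out, a hole that closes after cmd_timeout) and includes a bare client that sends the same SYNs as the knock command. The ports, timeouts and ufw commands are the ones from the config above; the KnockTracker class, the IP addresses and the timestamps are constructed for illustration.

```python
"""Model of knockd's sequence tracking for one [SSH] stanza, plus a knock client.

Added example, not code from knockd or from the original post. The server side
is a simplified model of what knockd does; the real daemon is C on top of libpcap.
"""
import socket
import time

# Values from the /etc/knockd.conf shown above.
SEQUENCE = [17613, 27791, 20882, 51313]
SEQ_TIMEOUT = 5.0    # seconds allowed for the whole sequence
CMD_TIMEOUT = 10.0   # seconds between start_command and stop_command
START_COMMAND = "ufw insert 1 allow from %IP% to any port 22"
STOP_COMMAND = "ufw delete allow from %IP% to any port 22"


def ufw_commands(src_ip):
    """Substitute %IP% the way knockd does before running the two commands."""
    return (START_COMMAND.replace("%IP%", src_ip),
            STOP_COMMAND.replace("%IP%", src_ip))


class KnockTracker:
    """Tracks each source IP's progress through the knock sequence (constructed model)."""

    def __init__(self, sequence=SEQUENCE, seq_timeout=SEQ_TIMEOUT,
                 cmd_timeout=CMD_TIMEOUT):
        self.sequence = list(sequence)
        self.seq_timeout = seq_timeout
        self.cmd_timeout = cmd_timeout
        self._progress = {}   # src_ip -> (index of next expected port, time of first knock)
        self.opened = []      # (src_ip, open_time, close_time): the holes punched so far

    def knock(self, src_ip, port, now):
        """Feed one SYN seen on a sequence port. Returns True when the sequence
        completes, i.e. the point where knockd would run start_command."""
        idx, started = self._progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.seq_timeout:
            idx, started = 0, now          # seq_timeout elapsed: forget the partial sequence
        if port != self.sequence[idx]:
            self._progress.pop(src_ip, None)  # wrong port: reset; the stray knock is discarded
            return False
        if idx == 0:
            started = now                  # first correct knock starts the seq_timeout clock
        idx += 1
        if idx == len(self.sequence):
            self._progress.pop(src_ip, None)
            self.opened.append((src_ip, now, now + self.cmd_timeout))
            return True
        self._progress[src_ip] = (idx, started)
        return False

    def is_open(self, src_ip, now):
        """True while the allow rule for src_ip would still be in place."""
        return any(ip == src_ip and t_open <= now < t_close
                   for ip, t_open, t_close in self.opened)


def send_knocks(host, ports=SEQUENCE, delay_ms=300):
    """Client side, equivalent to `knock -d 300 host p1 p2 p3 p4`: one TCP SYN per
    port. A non-blocking connect returns as soon as the SYN is queued, which is all
    knockd needs (tcpflags = syn); the firewall drops the rest of the handshake."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setblocking(False)
            s.connect_ex((host, port))     # returns EINPROGRESS; no need to wait
        time.sleep(delay_ms / 1000.0)


if __name__ == "__main__":
    # Constructed events: (src_ip, port, seconds) as the firewall would see them.
    events = [("10.0.0.5", 17613, 0.0), ("10.0.0.5", 27791, 0.3),
              ("10.0.0.5", 20882, 0.6), ("10.0.0.5", 51313, 0.9),   # correct and fast
              ("10.0.0.7", 17613, 0.0), ("10.0.0.7", 27791, 3.0),
              ("10.0.0.7", 20882, 4.0), ("10.0.0.7", 51313, 6.0)]   # correct but too slow
    tracker = KnockTracker()
    for ip, port, t in events:
        if tracker.knock(ip, port, t):
            print("%s completed the sequence at t=%.1f; running: %s"
                  % (ip, t, ufw_commands(ip)[0]))
    print("10.0.0.5 open at t=5?", tracker.is_open("10.0.0.5", 5.0))
    print("10.0.0.7 open at t=7?", tracker.is_open("10.0.0.7", 7.0))
```

Run it as a script to see the fast knocker get its rule and the slow one get nothing; send_knocks is only for use against a real host and is not exercised by the script. Feeding events for two hosts into one tracker also shows why start_command uses %IP%: the hole is opened only for the address that completed the sequence, not for everyone.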
After these easy steps, I can connect to my server anytime, anywhere. Now all I need to do is remember the port sequence! Keep in mind that the knocks travel in the clear and are just four port numbers: anyone who can watch the traffic can replay them, so this hides sshd from scanners but is no substitute for hardening sshd itself (key-based authentication, no root login).