{"id":379,"date":"2015-05-07T20:50:18","date_gmt":"2015-05-07T18:50:18","guid":{"rendered":"http:\/\/joost.vunderink.net\/blog\/?p=379"},"modified":"2015-05-10T19:27:39","modified_gmt":"2015-05-10T17:27:39","slug":"hiding-your-sshd-with-ufw-and-knockd-on-ubuntu","status":"publish","type":"post","link":"https:\/\/joost.vunderink.net\/blog\/2015\/05\/07\/hiding-your-sshd-with-ufw-and-knockd-on-ubuntu\/","title":{"rendered":"Hiding your sshd with ufw and knockd on Ubuntu"},"content":{"rendered":"<p>I don't like it if malicious programs or people try to hack my server.<\/p>\n<p>I do, however, like to have access to my server, via ssh of course. Not just from home, but from wherever I happen to be.<\/p>\n<p>Fortunately, it's possible to have the best of both worlds on my Ubuntu server, using a simple piece of software called <code>knockd<\/code>.<\/p>\n<p>When using <code>knockd<\/code>, your <code>sshd<\/code> can be firewalled by default. You can open up a temporary hole in the firewall by connecting to a few ports in sequence, as defined by you in <code>knockd<\/code>'s config file. 
Then you can <code>ssh<\/code> to your server.<\/p>\n<p>To set this up with <code>ufw<\/code>, I started by closing port 22 to the world:<\/p>\n<pre>sudo ufw insert 1 deny from any to any port 22<\/pre>\n<p>This is my <code>\/etc\/knockd.conf<\/code>:<\/p>\n<pre title=\"\/etc\/knockd.conf\">[options]\r\n        UseSyslog\r\n\r\n[SSH]\r\n      sequence      = 17613,27791,20882,51313\r\n      seq_timeout   = 5\r\n      start_command = ufw insert 1 allow from %IP% to any port 22\r\n      tcpflags      = syn\r\n      cmd_timeout   = 10\r\n      stop_command  = ufw delete allow from %IP% to any port 22<\/pre>\n<p>This configures <code>knockd<\/code> to watch for TCP SYN packets on the four listed ports, in that order, with at most 5 seconds (<code>seq_timeout<\/code>) between consecutive knocks. Once the sequence is completed, <code>start_command<\/code> inserts a ufw rule allowing the knocking IP (<code>%IP%<\/code>) to reach port 22, and <code>cmd_timeout<\/code> runs <code>stop_command<\/code> 10 seconds later to delete that rule again. This process can be easily followed in <code>\/var\/log\/syslog<\/code>, which helped me to get this to work.<\/p>\n<p>On my laptop, I made a small script, using the client side of <code>knockd<\/code>:<\/p>\n<pre title=\"~\/bin\/kssh-example\">#!\/bin\/sh\r\n# Send the knock sequence (300 ms between ports), then connect within the 10 s window.\r\nknock -d 300 server.example.com 17613 27791 20882 51313\r\nssh server.example.com<\/pre>\n<p>After these easy steps, I can connect to my server anytime, anywhere. Now all I need to do is remember the port sequence!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I don&#8217;t like it if malicious programs or people try to hack my server. I do, however, like to have access to my server, via ssh of course. 
Not just from home, but from wherever I happen to be. Fortunately, &hellip; <a href=\"https:\/\/joost.vunderink.net\/blog\/2015\/05\/07\/hiding-your-sshd-with-ufw-and-knockd-on-ubuntu\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[200,209,210,203,204,214,212,213,205,211,207,206,201,202,165,208],"class_list":["post-379","post","type-post","status-publish","format-standard","hentry","category-linux","tag-firewall","tag-hide-ssh","tag-hide-sshd","tag-knock","tag-knockd","tag-linux","tag-port-22","tag-port-knocking","tag-portscan","tag-protect-ssh","tag-protect-sshd","tag-protect-your-server","tag-ssh","tag-sshd","tag-ubuntu","tag-ufw"],"_links":{"self":[{"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/posts\/379"}],"collection":[{"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/comments?post=379"}],"version-history":[{"count":2,"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/posts\/379\/revisions"}],"predecessor-version":[{"id":381,"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/posts\/379\/revisions\/381"}],"wp:attachment":[{"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/media?parent=379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/categories?post=379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joost.vunderink.net\/blog\/wp-json\/wp\/v2\/tags?post=379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}"
,"templated":true}]}}