Monday, November 7, 2011

ssh - Knockin' on Heaven's Door

Using port knocking together with trusted networks for secure ssh access:

The key feature of this method is an ssh daemon listening on two different ports:

# What ports, IPs and protocols we listen for
Port 22
Port 3054

(these two lines go in sshd_config) and iptables.

1. The "normal" ssh port (22) is reachable only from trusted subnets.
2. The "new" ssh port (3054) is opened on demand, using the well-known port knocking technique.


1. Create a new chain:

iptables -N SSH

2. Send the SYN packets for our two ssh ports and the one knocking port to that chain:

iptables -A INPUT -p tcp -m tcp --dport 22 --syn  -j SSH
iptables -A INPUT -p tcp -m tcp --dport 3054 --syn  -j SSH
iptables -A INPUT -p tcp -m tcp --dport 3055 --syn  -j SSH

3. Add rules to our SSH chain
--- rule for the trusted subnet (replace <trusted-subnet> with your own network in CIDR notation):
iptables -A SSH -s <trusted-subnet> -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "Trusted subnet"

--- rule for the knock port, using the iptables "recent" module: record the packet's source address in the "recent" list (the knock itself is answered with a TCP reset, so no port is ever open on 3055):
iptables -A SSH -p tcp -m tcp --dport 3055 --syn -m recent --set     --name ssh --rsource -j REJECT --reject-with tcp-reset

--- allow connections to the "new" ssh port within a 30 second interval from the IP that knocked:
iptables -A SSH -p tcp -m tcp --dport 3054 --syn -m recent --rcheck --seconds 30 --name ssh --rsource -j ACCEPT

That's it. To knock, simply use: telnet "IP" 3055, and after that you have 30 seconds to connect.

This lets you use ssh and ssh-based tools as usual from trusted locations, still connect to the server from anywhere in the world, and reduce the number of alerts coming from your HIDS.

PS. Don't forget to turn on SSH public key based authentication and to set PasswordAuthentication to "no".

inspired by


  1. Never thought about it, but it's a simple and elegant solution, well done!

  2. :-)) Actually I played it safe in this solution by using a second ssh port as extra insurance against the port being opened accidentally by someone else's port scanner. It can all be done even more simply: open the regular port 22 on the knock instead of an additional port.
