Mitigating SSH brute-force threats on Linux systems

Going Stealth with Port Knocking

Another powerful technique is port knocking. Instead of keeping port 22 open at all times, port knocking keeps it closed until the server detects a specific pattern of connection attempts, a secret "knock." This way, even the SSH port itself is hidden from scanners and bots. Only someone who knows the knock sequence can access the server.

Port knocking works by listening for connection attempts on a series of ports. These ports don't actually host services; they just detect the attempt. When the correct sequence is detected, a daemon like knockd [5] temporarily opens the SSH port for the connecting IP.

Imagine a sequence like: 7000, 8000, 9000. If someone connects to those ports in that exact order, the server opens SSH for 30 seconds, just enough to let in the trusted client.

To get started, install knockd with

sudo apt install knockd

Then, edit the main configuration file as follows:

sudo nano /etc/knockd.conf

You can add a custom knock sequence like the one shown in Listing 3, which tells knockd to listen for the sequence 7000,8000,9000. When knockd sees the sequence from a specific IP, it adds a firewall rule allowing SSH from that IP. The reverse sequence closes it again.

Listing 3

knockd Configuration

[openSSH]
  sequence = 7000,8000,9000
  seq_timeout = 5
  command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
  tcpflags = syn

[closeSSH]
  sequence = 9000,8000,7000
  seq_timeout = 5
  command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
  tcpflags = syn
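Listing 3 depends on the client sending the reverse sequence to close the port again; if the client forgets, the hole stays open. knockd can also time the rule out itself. The following section is an added example (not from the article and not knockd's shipped default config) that uses knockd's start_command, cmd_timeout and stop_command directives to implement the 30-second window described above, inserts the rule at the top of the INPUT chain so it takes effect ahead of any catch-all DROP rule, and logs knocks to a file (the log path is an assumed example value):

```ini
[options]
  logfile = /var/log/knockd.log

[opencloseSSH]
  sequence      = 7000,8000,9000
  seq_timeout   = 5
  tcpflags      = syn
  start_command = /usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
  cmd_timeout   = 30
  stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

The 30 seconds only need to cover the TCP handshake and SSH login, provided the firewall already accepts ESTABLISHED connections (for example with a conntrack rule); without such a rule, the session is cut off when stop_command removes the ACCEPT entry. The knockd log also gives you a record of every successful knock, which is worth feeding into the monitoring described later in this article.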

Enable and start knockd with

sudo systemctl enable knockd
sudo systemctl start knockd

By default, knockd won't run unless you enable it in /etc/default/knockd. Set START_KNOCKD=1 and restart the service.

To initiate the knock from your laptop or remote system, use the knock client tool:

sudo apt install knockd
knock your.server.ip 7000 8000 9000

Once the sequence completes, SSH access will be temporarily allowed. You'll need to act quickly, because the rule may expire after 30 seconds.

To close the port manually, reverse the sequence with

knock your.server.ip 9000 8000 7000

Port knocking adds a layer of "security through obscurity." While not a replacement for robust authentication, it effectively hides SSH from most scans. This alone can reduce drive-by brute-force attacks.

However, it's important to use a secure knock sequence that isn't easily guessable, avoid using real services on knock ports, and combine port knocking with strong SSH credentials.

Watch and Learn

After you harden SSH with strong authentication and access controls, it's equally important to monitor it. Logs give you insight into who's trying to connect, where they're coming from, and whether you need to take further action.

By default, most Linux systems log SSH activity to /var/log/auth.log or /var/log/secure, depending on your distro. You can use simple command-line tools to filter and interpret this data, such as

sudo grep "sshd" /var/log/auth.log

You'll see lines like

Jul 3 14:22:01 server sshd[2194]: Failed password for root from 185.205.10.14 port 56322 ssh2

Look for repeated failed attempts, unusual usernames, and IPs from unexpected countries.
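As an added example (not from the article), the following bash script applies the three checks just described to constructed sample lines in the auth.log format: failures per source IP, usernames that do not exist on the host, and source IPs that cross a failure threshold. The log lines, addresses and threshold are all made up for the example.

```bash
#!/usr/bin/env bash
# Constructed sample in /var/log/auth.log format (not real traffic); replace
# with "$(sudo grep sshd /var/log/auth.log)" to run against a live log.
SAMPLE_LOG=$(cat <<'EOF'
Jul 3 14:22:01 server sshd[2194]: Failed password for root from 185.205.10.14 port 56322 ssh2
Jul 3 14:22:03 server sshd[2194]: Failed password for root from 185.205.10.14 port 56324 ssh2
Jul 3 14:22:05 server sshd[2196]: Failed password for invalid user admin from 185.205.10.14 port 56330 ssh2
Jul 3 14:23:10 server sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 41002 ssh2
Jul 3 14:25:44 server sshd[2210]: Accepted publickey for alice from 198.51.100.20 port 50122 ssh2
Jul 3 14:26:00 server sshd[2215]: Failed password for alice from 198.51.100.20 port 50130 ssh2
EOF
)

# failed_by_ip LOGTEXT -> "count ip" per source address, busiest first.
# Only sshd "Failed password" lines are counted; the address is the field
# after the literal word "from", so both valid and invalid-user lines match.
failed_by_ip() {
  printf '%s\n' "$1" \
    | awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i+1)]++
           }
           END { for (a in ip) print ip[a], a }' \
    | sort -rn -k1,1 -k2,2
}

# invalid_users LOGTEXT -> unique usernames that sshd reported as nonexistent.
# These are the "unusual usernames" a dictionary attack typically tries.
invalid_users() {
  printf '%s\n' "$1" \
    | awk '/Failed password for invalid user / {
             for (i = 1; i <= NF; i++) if ($i == "user") { print $(i+1); break }
           }' \
    | sort -u
}

# brute_force_ips LOGTEXT THRESHOLD -> addresses with at least THRESHOLD failures.
brute_force_ips() {
  failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run over the sample.
echo "--- failures per source IP ---";     failed_by_ip "$SAMPLE_LOG"
echo "--- nonexistent usernames tried ---"; invalid_users "$SAMPLE_LOG"
echo "--- IPs with 3 or more failures ---"; brute_force_ips "$SAMPLE_LOG" 3
```

The addresses flagged by brute_force_ips are the ones worth cross-checking against a GeoIP lookup or feeding to a blocker such as Fail2ban; a single failure from a known user (alice above) is noise you would not want to alert on.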

Logwatch [6] is a powerful log analysis tool that summarizes SSH activity and other services in a daily email. You can install Logwatch on Debian/Ubuntu with

sudo apt install logwatch

Then run it like this:

sudo logwatch --detail High --service sshd --range today --mailto you@example.com --format html

This sends a structured report of all SSH login attempts, grouped by success/failure, IP, and user. You can configure a daily cron job to run this automatically:

sudo crontab -e
0 6 * * * /usr/sbin/logwatch --detail High --service sshd --range yesterday --mailto you@example.com --format html

You'll now receive daily summaries of login activity in your inbox.

Real-Time Alerting Tools

While Logwatch is great for reports, real-time alerting tools like Logcheck [7] or swatchdog [8] notify you immediately when suspicious activity is detected.

To install Logcheck, use

sudo apt install logcheck

Once configured, Logcheck scans logfiles for unusual activity and sends alerts. You can customize the patterns it watches using regular expressions.

For real-time alerts via email or Slack, swatchdog (swatch) is another popular choice. You can install swatch as follows:

sudo apt install swatch

Listing 4 shows how to write a simple config file to alert on login failures or brute-force attempts. Swatchdog watches the logs in real-time and triggers alerts as soon as matches are found.

Listing 4

swatch SSH Alert

watchfor /Failed password/
  mail=admin@example.com
