This content originally appeared on DEV Community and was authored by Richard Chamberlain
Introduction
Now that you have Port Knocking configured, let’s take it a step further! Instead of using a static knocking sequence, we will automatically rotate knock ports daily using a systemd timer and service.
This enhances security by making it nearly impossible for attackers to guess the correct knock sequence.
Table of Contents
- Introduction
- Creating the Port Rotation Script
-
Setting Up a Systemd Timer
- Create the Service File
- Create the Timer File
- Enabling the Timer
- Client-Side Implementation
- Enhancing Security with Additional Measures
- Conclusion
📌 Read Part 1: Setting Up Port Knocking for Secure SSH Access
Part of the Ethical Hacking Robot Project
1. Creating the Port Rotation Script
Create /usr/local/bin/update_knockd_ports.sh and add the following:
#!/bin/bash
# Define paths
KNOCKD_MAIN_CONF="/etc/knockd.conf"
PORT_FILE="/etc/knockd_ports"
# Generate 3 unique random ports (2000-65000)
NEW_PORTS=$(shuf -i 2000-65000 -n 3 | tr '\n' ',' | sed 's/,$//')
# Store new ports
echo "$NEW_PORTS" > "$PORT_FILE"
# Update knockd configuration
cat <<EOF > "$KNOCKD_MAIN_CONF"
[options]
UseSyslog
[openSSH]
sequence = $NEW_PORTS
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = $(echo $NEW_PORTS | awk '{print $3","$2","$1}')
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
EOF
# Restart knockd to apply changes
systemctl restart knockd
# Secure files
chmod 600 "$PORT_FILE" "$KNOCKD_MAIN_CONF"
scp "$PORT_FILE" user@client-ip:~/.
echo "Knockd ports updated: $NEW_PORTS"
2. Setting Up a Systemd Timer
Create the Service File
/etc/systemd/system/knockd-rotate.service
[Unit]
Description=Rotate Knockd Ports
After=network.target
[Service]
ExecStart=/usr/local/bin/update_knockd_ports.sh
Create the Timer File
/etc/systemd/system/knockd-rotate.timer
[Unit]
Description=Schedule Knockd Port Rotation
[Timer]
OnCalendar=*-*-* 00:00:00
Persistent=true
[Install]
WantedBy=timers.target
3. Enabling the Timer
sudo systemctl daemon-reload
sudo systemctl enable --now knockd-rotate.timer
Check if the timer is running:
systemctl list-timers --all
4. Client-Side Implementation
To automate knocking from the client side, we can create a script, /usr/local/bin/knock_server.sh, that takes either lock or unlock as an argument to control SSH access.
Client Script: /usr/local/bin/knock_server.sh
#!/bin/bash
KNOCK_FILE="$HOME/knockd_ports"
KNOCK_SERVER="192.168.178.18" # Change to your server's hostname or IP
SSH_PORT=22 # SSH port to check
# Read and convert the knock sequence (replace commas with spaces)
KNOCK_SEQUENCE=$(cat "$KNOCK_FILE" | tr ',' ' ')
# Determine the action
case "$1" in
unlock)
if is_ssh_open; then
echo "SSH is already unlocked on $KNOCK_SERVER. No need to knock."
else
echo "Knocking to unlock on $KNOCK_SERVER with sequence: $KNOCK_SEQUENCE"
knock -v "$KNOCK_SERVER" $KNOCK_SEQUENCE
fi
;;
lock)
REVERSED_SEQUENCE=$(echo "$KNOCK_SEQUENCE" | awk '{for(i=NF; i>0; i--) printf $i" "; print ""}')
echo "Knocking to lock on $KNOCK_SERVER with sequence: $REVERSED_SEQUENCE"
knock -v "$KNOCK_SERVER" $REVERSED_SEQUENCE
;;
*)
echo "Error: Invalid state. Use 'unlock' or 'lock'."
exit 1
;;
esac
This script:
✅ Reads the latest knock sequence from ~/knockd_ports (which the server updates)
✅ Unlocks SSH access with the correct port knock sequence
✅ Locks SSH access with the reverse sequence
Usage:
./knock_server.sh unlock # Open SSH access
./knock_server.sh lock # Close SSH access
5. Enhancing Security with Additional Measures
While Port Knocking is a powerful security feature, it should be combined with other security measures for a truly hardened SSH setup:
- SSH Key Authentication – Disable password-based logins and use SSH keys.
- Fail2Ban – Prevent brute-force attacks by banning repeated failed login attempts.
- Multi-Factor Authentication (MFA) – Add an extra layer of security for SSH logins.
Code and config files available here
Conclusion
By automating Port Knocking, you’ve created an ultra-secure SSH access system that dynamically changes its lock combination daily!
🚀 Next Steps: Experiment with different automation intervals and explore additional SSH hardening techniques!
This content originally appeared on DEV Community and was authored by Richard Chamberlain
Richard Chamberlain | Sciencx (2025-02-09T01:23:05+00:00) Automate Port Knocking with Dynamic Port Rotation for Secure SSH Access. Retrieved from https://www.scien.cx/2025/02/09/automate-port-knocking-with-dynamic-port-rotation-for-secure-ssh-access/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.