SSH and Port Knocking

It turns out that SSH brute-force attacks, dictionary attacks or combinations of those are daily routines nowadays. Server logs are quickly filled with login attempts, in the hopes that one of them is right. The best prevention against these kind of attacks is to - obviously - have a secure password, or even better to force key-based authentication.

However, this won’t stop automated attacks from trying out dozens of usernames and passwords anyway, which is generally annoying. Thus, the approach to hide the SSH port, which by default is 22. One solution some people do is moving SSH to a non-standard port. Basically, some random number that won’t conflict with anything else.

Another interesting trick is to not immediately expose the SSH port, but only when a client is saying “Open Sesame”. Jokes aside, that’s roughly what port knocking allows us to do. There are many variants on port knocking and many programs that implement it. The following tutorial will use knockd as port-knocking server.

Install Prerequisites

Download and install the knock-server rpm package:

$ wget
$ rpm -ivh knock-server-0.5-7.el6.nux.i686.rpm


The configuration file can be found under /etc/knockd.conf.

logfile = /var/log/knockd.log

sequence = 6000,7000,8000
seq_timeout = 15
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

sequence = 8000,7000,6000
seq_timeout = 15
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

In the above configuration, we’ve stated that any host that sends a TCP SYN message to port 6000, then 7000 and finally to 8000, within 15 seconds, will cause the iptables command to be run. As you can see, the use of iptables is not hard-coded to knockd at all, meaning that any command can be run when the port sequence is triggered, allowing us to do all sorts of fancy stuff. To close it up, we do the same sequence in reverse order (that’s because we have configured it to do so).

GPG Cheatsheet

GnuPG (GNU Privacy Guard) is a tool for encrypting and signing data. It is a completely free implementation of the OpenPGP standard (defined by RFC4880), which is also known as GPG. This post contains a brief overview of the most important commands you probably have to use when working with GnuPG.

Generating GPG Keys

$ gpg --gen-key

You will be asked what kind of key you want, simply proceed with the instructions that are given to you.

Listing GPG Keys

Listing public keys:

$ gpg --list-keys

Listing private keys:

$ gpg --list-secret-keys

Exporting GPG Keys

Using Git to Manage a Live Site

Uploading files to production level after every change in code can be quite a hassle. Most people would use an automated deployment system instead of doing it manually. We can create an automated deployment system ourself by just using a version control like Git, which would also only take a few seconds to set up.

This post outlines the exact steps on how to do that. You should be able to understand basic terminology like pushing or pulling.

Install Prerequisites

Install Git on the server- and client-side.

$ yum install git-core

Head to this page if you still don’t know how to install it.

Server Setup

You’ll want to start by creating a bare repository on your server. A folder without its actual source files. The repository should be set up somewhere outside of your web root. We are going to instruct Git where to put the actual files later. Once you decide on a location for your repository, go ahead and create the bare repository:

mkdir mysite.git
cd mysite.git
git init --bare

Now we need to instruct Git where to put the files after every commit. This can be done via hooks, basically actions defined by triggers.