Setting Up Port Knocking
When running an ARK node, especially a Delegate Node, you should consider your server’s security as your main priority.
Warning
During this guide, we will configure network and SSH parameters, which if improperly performed might permanently lock you out of your server. Ensure you fully understand each step before proceeding.
Port Knocking
What Is Port Knocking?
Port knocking is a technique used which obscures the port you’re connecting on to prevent port scanning by opening and closing it when you need it. We will use a series of ports to essentially “knock” and your server will open your configured port for you to connect on by listening for connection attempts on those ports in a specific order.
Disable UFW
By default, UFW comes enabled since Ubuntu 16.04. If you get ufw command not found
then run.
1sudo apt-get install ufw2sudo ufw disable
You can verify that UFW is disabled by running sudo ufw status
and get a response of inactive
.
Disable All Incoming Connections
1sudo ufw default deny incoming
Enable Node Port
Depending which network this node is for will determine what port you open here. For mainnet use 4001
, devnet use 4002
, and testnet use 4000
and public API which is by default located on port 4003
.
We don’t want to open any more ports than required to operate securely so we will open P2P port depending on the network (in our example for mainnet) and public API port.
1sudo ufw allow 4001/tcp2sudo ufw allow 4003/tcp
Install Knockd on Server
1sudo apt-get install knockd -y
Start Knockd Server on Boot
1sudo nano /etc/default/knockd
We need to change START_KNOCKD=0
to START_KNOCKD=1
File: /etc/default/knockd
1################################################ 2# 3# knockd's default file, for generic sys config 4# 5################################################ 6 7# Control if We Start Knockd at Init or Not 8# 1 = start 9# anything else = don't start10#11# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING12START_KNOCKD=013 14# Command Line Options15#KNOCKD_OPTS="-i eth1"
File: /etc/default/knockd
1...2START_KNOCKD=13...
Then press CTRL+S
, then answer Y
and finally press ENTER
to return to the command line.
Edit Config
1sudo nano /etc/knockd.conf
Knock Ports
Here we’re going to pick our opening and closing knock sequence. Choose three ports between 7000
and 40000
for each opening and closing. Write these ports down. The sequences need to be different.
Modify your config file to match the one below with your own ports. We do not recommend just copying and pasting this config. Replace 7000
, 8000
, 9000
with your own choices.
Also, don’t forget to replace 55555
with the port you chose for SSH
.
File: /etc/knockd.conf
1[options] 2 UseSyslog 3 4[openSSH] 5 sequence = 7000,8000,9000 6 seq_timeout = 5 7 command = ufw allow 55555/tcp 8 tcpflags = syn 9 10[closeSSH]11 sequence = 9000,8000,700012 seq_timeout = 513 command = ufw delete allow 55555/tcp14 tcpflags = syn
Enable Our Firewall and Start Knockd
1sudo service knockd start2sudo ufw enable
Checking Knockd and Ufw Status
1sudo service knockd status2sudo ufw status
Install Knockd Client
Install a client for your operating system to make knocking easier. There are even a couple of mobile apps you can use for quickly knocking on your server to open your ssh port.
After knocking your port will remain open until you send the closing knock sequence.
Ubuntu 16.04
1sudo apt-get install knockd
Alternate Clients
Troubleshooting and Testing
Logs for knockd appear in syslog
and will be crucial if you need to troubleshoot.
Run the following command on your ARK node server.
1tail -f /var/log/syslog
Let us test our knocking! We set our SSH port, and we’ve enabled knocking. Now we need to check to make sure that when we send the correct knock that we open and close the port correctly.
Open SSH Port
From your personal computer or mobile phone use the client you installed above or if you are running Linux install knockd
by running sudo apt-get install knockd
and use the following command to knock.
1knock -v nodeip 7000 8000 9000
You should see the following logs appear in your syslog
1Apr 17 04:02:18 node1 knockd: nodeip: openSSH: Stage 12Apr 17 04:02:18 node1 knockd: nodeip: openSSH: Stage 23Apr 17 04:02:18 node1 knockd: nodeip: openSSH: Stage 34Apr 17 04:02:18 node1 knockd: nodeip: openSSH: OPEN SESAME5Apr 17 04:02:18 node1 knockd: openSSH: running command: ufw allow 55555/tcp
Running sudo ufw status
should list your SSH port as enabled.
1arkoar@node1:~$ sudo ufw status 2Status: active 3 4To Action From 5-- ------ ---- 62086/tcp ALLOW Anywhere 74002/tcp ALLOW Anywhere 855555/tcp ALLOW Anywhere 92086/tcp (v6) ALLOW Anywhere (v6)104002/tcp (v6) ALLOW Anywhere (v6)1155555/tcp (v6) ALLOW Anywhere (v6)
Close SSH Port
1knock -v nodeip 9000 8000 7000
1Apr 17 04:23:37 node1 knockd: nodeip: closeSSH: Stage 12Apr 17 04:23:37 node1 knockd: nodeip: closeSSH: Stage 23Apr 17 04:23:37 node1 knockd: nodeip: closeSSH: Stage 34Apr 17 04:23:37 node1 knockd: nodeip: closeSSH: OPEN SESAME5Apr 17 04:23:37 node1 knockd: closeSSH: running command: ufw delete allow 55555/tcp
SSH Connection Using Your KeyPair
Warning
If you do not copy the correct key to your server, in the right location, you will be unable to authenticate.
If you are not comfortable managing SSH keys, you can continue logging in via a password, but it is less secure.
SSH keys should be generated on the computer you wish to log in from. Just press enter and accept all the defaults.
MacOS / Linux
1ssh-keygen -t rsa
Browse to your ~/.ssh
directory and check to make sure it worked. You should see the following files.
1cd ~/.ssh2ls -l3 4-rw------- 1 travism travism 1675 Mar 28 12:13 id_rsa5-rw-r--r-- 1 travism travism 401 Mar 28 12:13 id_rsa.pub6-rw-r--r-- 1 travism travism 3764 Apr 16 23:15 known_hosts
Copy your key to your server
1# Open SSH Port It Not Already Open2knock -v nodeip 7000 8000 90003 4# Copy Key5ssh-copy-id -p 55555 user@nodeip
Windows
Windows users can generate their ssh key using PuTTY Key Generator .
Copy your PUBLIC KEY to your Server
Copy the contents of your id_rsa.pub
file on your local machine to your ~/.ssh/authorized_keys
on your ARK node server.
Disable Password Authentication
1sudo nano /etc/ssh/sshd_config
This file should look familiar to you as we edited it earlier in this process. This time we’re going to disable password authentication. Set PasswordAuthentication
to no
and make sure that PubkeyAuthentication
is set to yes
and ChallengeResponseAuthentication
is set to no
.
file: /etc/ssh/sshd_config
1PasswordAuthentication no2PubkeyAuthentication yes3ChallengeResponseAuthentication no
Save your changes by pressing CTRL+X
, then respond with Y
, and finally press ENTER
to write to file.
Restart SSH
1sudo service ssh restart
The next time you log in you should log right in without a password prompt.