#Setting Up Port Knocking

When running an Mainsail node, especially a Validator Node, you should consider your server’s security as your main priority.

#Port Knocking

#What Is Port Knocking?

Port knocking is a technique used which obscures the port you’re connecting on to prevent port scanning by opening and closing it when you need it. We will use a series of ports to essentially “knock” and your server will open your configured port for you to connect on by listening for connection attempts on those ports in a specific order.

#Disable UFW

By default, UFW comes enabled since Ubuntu 16.04. If you get ufw command not found then run.

1sudo apt-get install ufw
2sudo ufw disable

You can verify that UFW is disabled by running sudo ufw status and get a response of inactive.

#Disable All Incoming Connections

1sudo ufw default deny incoming

#Enable Node Port

Depending which network this node is for will determine what port you open here. For mainnet use 4001, devnet use 4002, and testnet use 4000 and public API which is by default located on port 4003.

We don’t want to open any more ports than required to operate securely so we will open P2P port depending on the network (in our example for mainnet) and public API port.

1sudo ufw allow 4001/tcp
2sudo ufw allow 4003/tcp

#Install Knockd on Server

1sudo apt-get install knockd -y

#Start Knockd Server on Boot

1sudo nano /etc/default/knockd

We need to change START_KNOCKD=0 to START_KNOCKD=1

File: /etc/default/knockd

 1################################################
 2#
 3# knockd's default file, for generic sys config
 4#
 5################################################
 6 
 7# Control if We Start Knockd at Init or Not
 8# 1 = start
 9# anything else = don't start
10#
11# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
12START_KNOCKD=0
13 
14# Command Line Options
15#KNOCKD_OPTS="-i eth1"

File: /etc/default/knockd

1...
2START_KNOCKD=1
3...

Then press CTRL+S, then answer Y and finally press ENTER to return to the command line.

#Edit Config

1sudo nano /etc/knockd.conf

#Knock Ports

Here we’re going to pick our opening and closing knock sequence. Choose three ports between 7000 and 40000 for each opening and closing. Write these ports down. The sequences need to be different.

Modify your config file to match the one below with your own ports. We do not recommend just copying and pasting this config. Replace 7000, 8000, 9000 with your own choices.

Also, don’t forget to replace 55555 with the port you chose for SSH.

File: /etc/knockd.conf

 1[options]
 2        UseSyslog
 3 
 4[openSSH]
 5        sequence    = 7000,8000,9000
 6        seq_timeout = 5
 7        command     = ufw allow 55555/tcp
 8        tcpflags    = syn
 9 
10[closeSSH]
11        sequence    = 9000,8000,7000
12        seq_timeout = 5
13        command     = ufw delete allow 55555/tcp
14        tcpflags    = syn

#Enable Our Firewall and Start Knockd

1sudo service knockd start
2sudo ufw enable

#Checking Knockd and Ufw Status

1sudo service knockd status
2sudo ufw status

#Install Knockd Client

Install a client for your operating system to make knocking easier. There are even a couple of mobile apps you can use for quickly knocking on your server to open your ssh port.

After knocking your port will remain open until you send the closing knock sequence.

#Ubuntu 16.04

1sudo apt-get install knockd

#Alternate Clients

• Win32 Client
• MacOS Client
• Debian Package
• RPM Package
• Android Client
• iPhone Client

#Troubleshooting and Testing

Logs for knockd appear in syslog and will be crucial if you need to troubleshoot.

Run the following command on your Mainsail node server.

1tail -f /var/log/syslog

Let us test our knocking! We set our SSH port, and we’ve enabled knocking. Now we need to check to make sure that when we send the correct knock that we open and close the port correctly.

#Open SSH Port

From your personal computer or mobile phone use the client you installed above or if you are running Linux install knockd by running sudo apt-get install knockd and use the following command to knock.

1knock -v nodeip 7000 8000 9000

You should see the following logs appear in your syslog

1Apr 17 04:02:18 node1 knockd: nodeip: openSSH: Stage 1
2Apr 17 04:02:18 node1 knockd: nodeip: openSSH: Stage 2
3Apr 17 04:02:18 node1 knockd: nodeip: openSSH: Stage 3
4Apr 17 04:02:18 node1 knockd: nodeip: openSSH: OPEN SESAME
5Apr 17 04:02:18 node1 knockd: openSSH: running command: ufw allow 55555/tcp

Running sudo ufw status should list your SSH port as enabled.

 1mainsail@node1:~$ sudo ufw status
 2Status: active
 3 
 4To                         Action      From
 5--                         ------      ----
 62086/tcp                   ALLOW       Anywhere
 74002/tcp                   ALLOW       Anywhere
 855555/tcp                  ALLOW       Anywhere
 92086/tcp (v6)              ALLOW       Anywhere (v6)
104002/tcp (v6)              ALLOW       Anywhere (v6)
1155555/tcp (v6)             ALLOW       Anywhere (v6)

#Close SSH Port

1knock -v nodeip 9000 8000 7000

1Apr 17 04:23:37 node1 knockd: nodeip: closeSSH: Stage 1
2Apr 17 04:23:37 node1 knockd: nodeip: closeSSH: Stage 2
3Apr 17 04:23:37 node1 knockd: nodeip: closeSSH: Stage 3
4Apr 17 04:23:37 node1 knockd: nodeip: closeSSH: OPEN SESAME
5Apr 17 04:23:37 node1 knockd: closeSSH: running command: ufw delete allow 55555/tcp

#SSH Connection Using Your KeyPair

If you are not comfortable managing SSH keys, you can continue logging in via a password, but it is less secure.

SSH keys should be generated on the computer you wish to log in from. Just press enter and accept all the defaults.

#MacOS / Linux

1ssh-keygen -t rsa

Browse to your ~/.ssh directory and check to make sure it worked. You should see the following files.

1cd ~/.ssh
2ls -l
3 
4-rw------- 1 travism travism 1675 Mar 28 12:13 id_rsa
5-rw-r--r-- 1 travism travism  401 Mar 28 12:13 id_rsa.pub
6-rw-r--r-- 1 travism travism 3764 Apr 16 23:15 known_hosts

Copy your key to your server

1# Open SSH Port It Not Already Open
2knock -v nodeip 7000 8000 9000
3 
4# Copy Key
5ssh-copy-id -p 55555 user@nodeip

#Windows

Windows users can generate their ssh key using PuTTY Key Generator .

Copy your PUBLIC KEY to your Server

Copy the contents of your id_rsa.pub file on your local machine to your ~/.ssh/authorized_keys on your Mainsail node server.

#Disable Password Authentication

1sudo nano /etc/ssh/sshd_config

This file should look familiar to you as we edited it earlier in this process. This time we’re going to disable password authentication. Set PasswordAuthentication to no and make sure that PubkeyAuthentication is set to yes and ChallengeResponseAuthentication is set to no.

file: /etc/ssh/sshd_config

1PasswordAuthentication no
2PubkeyAuthentication yes
3ChallengeResponseAuthentication no

Save your changes by pressing CTRL+X, then respond with Y, and finally press ENTER to write to file.

#Restart SSH

1sudo service ssh restart

The next time you log in you should log right in without a password prompt.