SSH

SSH can be protected by Knocknoc in a number of ways:

  • Local Linux firewall orchestration on the host (e.g. using ipsets)
  • In-line firewall/control device orchestration (Fortigate, AWS, etc.), via an adjacent Knocknoc Agent deployment
  • HAproxy sitting in front of the SSH service, using its TCP mode

In each case Knocknoc effectively adds SSO (and MFA) on top of SSH, giving bastion hosts heightened security quickly.

When using the HAproxy approach, you may want to rebind your SSH server to a different port in sshd_config, then configure HAproxy to listen on port 22 and only proxy connections to the new port once the ACL condition from Knocknoc is met. This avoids any client-configuration changes and allows a fast, drop-in security uplift.
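The rebind-and-proxy layout described above, as an added example (not configuration from the Knocknoc documentation). It assumes sshd is moved to port 2222 on localhost and that knocknoc-agent maintains a file of currently authorised client IPs at /etc/haproxy/knocknoc_allowed.lst; the exact file path and update mechanism are assumptions, not documented behaviour.

```haproxy
# --- /etc/ssh/sshd_config (only the changed lines) ---
# Port 2222
# ListenAddress 127.0.0.1
#
# sshd now only answers on loopback:2222, so every external SSH
# connection must pass through HAproxy on port 22 first.

# --- /etc/haproxy/haproxy.cfg ---
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    # long-lived interactive sessions; tune to your session policy
    timeout client  1h
    timeout server  1h

frontend ssh_in
    bind *:22
    # Assumption: knocknoc-agent rewrites this list as users authenticate
    # through Knocknoc and as their access windows expire.
    acl knocknoc_allowed src -f /etc/haproxy/knocknoc_allowed.lst
    # Drop the TCP connection before any bytes reach sshd unless the
    # source address is currently authorised.
    tcp-request connection reject if !knocknoc_allowed
    default_backend ssh_bastion

backend ssh_bastion
    server bastion 127.0.0.1:2222 check
```

Rejected connections appear in the HAproxy log with the client address, which gives a simple audit trail of unauthorised SSH attempts that never reach the daemon.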

Or you may want an external HAproxy server running knocknoc-agent to proxy to internal SSH bastions in another DMZ or on an Internet-accessible host.