Skip to main content

SSH

SSH can be protected by Knocknoc in a number of ways:

  • Local Linux firewall orchestration on the host (eg: using IPSets)
  • In-line firewall/control device orchestration (Fortigate, AWS, etc), via an adjacent Knocknoc Agent deployment
  • HAproxy can sit in front of the SSH service using the TCP feature

This allows Knocknoc to effectively add SSO (and MFA) atop SSH, working together to add heightened security for bastion hosts fast.

A broad on-host firewall orchestration approach is great for bastion hosts - or remove all SSH exposure from your external or internal environments.

ssh-example-host-firewallssh-example-host-firewall

When using the HAProxy approach, you may want to rebind your SSH server to different port in sshd_config, and then configure HAproxy to listen on port 22, and only proxy connections to the new port once the ACL condition from Knocknoc is met. This avoids any client-configuration changes and allows a fast, drop-in security uplift.

Or you may want to have an external HAproxy server with knocknoc-agent, proxy to internal SSH bastions in another DMZ or Internet-accessible host.