Skip to main content

SSH

SSH can be protected by Knocknoc in a number of ways:

  • Local Linux firewall orchestration on the host (eg: using IPSets)
  • In-line firewall/control device orchestration (Fortigate, AWS, etc), via an adjacent Knocknoc Agent deployment
  • HAproxy can sit in front of the SSH service using the TCP feature

This allows Knocknoc to effectively add SSO (and MFA) atop SSH, working together to add heightened security for bastion hosts fast.

A broadAn on-host firewall orchestration approach is great for bastion hosts - or remove all SSH exposure from your external or internal environments.

Shown below, the user first logs in to Knocknoc (auth tied to their IdP), the Knocknoc agent then receives instruction to open the firewall to port 22/tcp from the users IP address and the user then connects. No proxy/broker, no additional routing nor client,client installation is required, simple but very effective firewall orchestration.

This essentially removes attack surface of your SSH hosts until users centrally log in. 

ssh-example-host-firewall data-flow-diagrams-20241210 copy-Detailed.drawio (3).png

When using the HAProxy approach, you may want to rebind your SSH server to different port in sshd_config, and then configure HAproxy to listen on port 22, and only proxy connections to the new port once the ACL condition from Knocknoc is met. This avoids any client-configuration changes and allows a fast, drop-in security uplift.

Or you may want to have an external HAproxy server with knocknoc-agent, proxy to internal SSH bastions in another DMZ or Internet-accessible host.