Port Knocking

Protect your Network with Port Knocking

The End Is Nigh

The author of knockd has clearly thought further about the most relevant criticism about port knocking, which is the man-in-the-middle attack. If hackers spot any such traffic and pick up which IP address is running port knocking, then they potentially have more information than they should, which can help them further guess about ways to gain access.

The additional feature to knockd, which I have to admit really intrigues me, uses a sophisticated series of one-off, unique sequences. In other words, although your destination IP address might be revealed, even if attackers manage to uncover your port knocking sequence (i.e., secret knock) and repeat that sequence, they will fail because each sequence simply expires after use.

To enable such an excellent feature, all you do is change the sequence config lines with the path to your sequences file (preferably auto-generated by a script):

one_time_sequences = /etc/knockd/one_time_sequences

This file could be brimming with easily remembered one-time sequences, such as obfuscated phone numbers, dates of birth, or other numbers.

Using this method in combination with closing the firewall within 10 seconds (having successfully spawned an SSH session yourself),

cmd_timeout = 10

makes for a truly powerful addition to your security arsenal.


In this article, I've covered a few very relevant but ultimately different events. I started with the problematic scenario of ever-changing remote IP addresses and the lack of control over those IP addresses when working away from the office. I hope I've suitably extolled the virtues of knockd, to the point that you might try to install it yourself.

Finally, with some considered customization, my task would be complete if you felt comfortable enough to conceive of a creative security solution using this package along with PortSentry and deploy it along with other powerful tools to improve your server security and make the Internet a safer place.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • TCP Stealth hides open ports
    Port scans for finding vulnerable services are nothing new, and port knocking as a defense has been around for a while, too. TCP Stealth tries to do something similar, but it takes a more sophisticated approach. We take a closer look.
  • Secure Your Server with TCP Wrappers

    TCP Wrappers are versatile, sophisticated, and surprisingly easy to use, and they can secure your servers from attack with run-time ACL reconfiguration.

  • Sort out your SSH configs
    The scope and functionality of SSH and sFTP provides both secure remote access and secure file transfers.
  • Arp Cache Poisoning and Packet Sniffing

    Intruders rely on arp cache poisoning to conceal their presence on a local network. We'll show you some of the tools an attacker might use to poison the arp cache and gather information on your network.

  • Customizing PortSentry

    Do you have a sentry to keep an eye on your servers? We’ll show you how to customize PortSentry’s response to suspicious activity.

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.