Port Knocking

Protect your Network with Port Knocking

Knocking at Heaven's Door

At this stage, you can test your installation. Yet again, I ask you to please make sure that you're not going to lock yourself out of your remote server. With regard to creating a knocking sequence from the client side, in addition to a tiny binary called knock, I've also seen a handy, lightweight Android app that conveniently sends the knocking sequence from your smartphone.

Other than adjusting the secret knock sequences, one final piece of config needs to change, which means going back to the higher level file /etc/default/knockd to set the daemon live. To begin, change the interface setting to the correct network card on which you want knockd to listen:

KNOCKD_OPTS="-i eth0"

To set the service live, enable the daemon:


This next part is optional; but, before restarting your daemon, I suggest adding -D to the init.d startup script and watching your logfile closely. If you get stuck, it's probably thanks to a superfluous character in your /etc/knockd.conf. If push comes to shove, you can packet sniff your connection to make sure your knocking is getting through.

To add debugging information to your logfile, use -D on the OPTIONS line in /etc/init.d/knockd, paying careful attention to the spacing inside the double quotation marks on that line (be sure to make a copy before editing):

OPTIONS=" -d -D"

After a daemon config refresh, then,

service knockd restart

you're ready to go.

Come On In

To see if you can get access, run through the following tests:

1. Check that you don't have access to the SSH server first (i.e., the IP address from which you'll be connecting to the server isn't already in the /etc/hosts.allow file in one incarnation or another, such as a wide IP range or DNS name).

2. Send your knocking sequence to append your IP address to the end of /etc/hosts.allow and check your /var/log/knockd.log file for an OPEN SESAME command to denote success. You can watch the hosts.allow file in real time (or at least with updates every second) in another terminal with:

watch -n1 cat /etc/hosts.allow

3. Assuming you have access, try closing access with the other knocking sequence, such as in this example of the tiny knock client program running on ports 1022, 3022, and 3204:

knock -v 1022 3022 3024

To knock solely on one of the 65,535 UDP ports, rather than TCP, you can universally switch to UDP with the -u parameter:

knock -vu 2022 3022 3022

However, as one of the examples in the knockd documentation shows, it's also perfectly possible to mix up both TCP and UDP ports at the client side,

knock myserver.example.com 123:tcp 456:udp 789:tcp

thus making the sequence safer, akin to using upper- and lowercase letters in your passwords.

If all is going well, you have now seen a line appended to your /etc/hosts.allow file and then seen that exact same line deleted after locking up access again with your second knocking sequence.
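The log check from step 2 can be scripted. The following is an added example, not code from the original article: it summarizes knockd log lines per source address and lists sources that started a sequence repeatedly without ever completing it. It assumes knockd's usual log layout, and the sample lines and the function names knock_summary and never_opened are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source summary of knock attempts from a knockd log.
# Assumed layout: [YYYY-MM-DD HH:MM] <ip>: <door>: Stage N | OPEN SESAME

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
[2024-05-01 10:00] 192.0.2.10: openSSH: Stage 1
[2024-05-01 10:00] 192.0.2.10: openSSH: Stage 2
[2024-05-01 10:00] 192.0.2.10: openSSH: Stage 3
[2024-05-01 10:00] 192.0.2.10: openSSH: OPEN SESAME
[2024-05-01 10:00] openSSH: running command: /sbin/iptables -I INPUT -s 192.0.2.10 -p tcp --dport 22 -j ACCEPT
[2024-05-01 10:07] 198.51.100.7: openSSH: Stage 1
[2024-05-01 10:07] 198.51.100.7: openSSH: sequence timeout (stage 1)
[2024-05-01 10:09] 198.51.100.7: openSSH: Stage 1
[2024-05-01 10:09] 198.51.100.7: openSSH: Stage 2
EOF
}

# Print "<ip> <door> started=<n> opened=<n>" for each IPv4 source in the log.
# Reads the files given as arguments, or stdin when there are none.
knock_summary() {
    awk '
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:$/ {
            # Strip the trailing colon from the address and the door name.
            key = substr($3, 1, length($3) - 1) " " substr($4, 1, length($4) - 1)
            seen[key] = 1
            if ($5 == "Stage" && $6 == "1")     started[key]++
            if ($5 == "OPEN"  && $6 == "SESAME") opened[key]++
        }
        END {
            for (k in seen)
                printf "%s started=%d opened=%d\n", k, started[k], opened[k]
        }
    ' "$@" | sort
}

# List sources that began a sequence at least $1 times but never completed one.
never_opened() {
    min=$1; shift
    knock_summary "$@" | awk -v min="$min" '
        { split($3, s, "="); split($4, o, "=") }
        s[2] >= min && o[2] == 0 { print $1 }
    '
}

# On a server: knock_summary /var/log/knockd.log
sample_log | knock_summary
```

A source that shows up in never_opened is hitting the first port of a sequence without knowing the rest, which is what a port scan or a guessed sequence looks like from the server side.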

More, More, More

Critics of port knocking claim that it's nothing more than security through obscurity, a term used to describe the act of disguising any valuable resources that might be there for the taking, as opposed to actually securing them with locks and keys and suchlike.

Indeed, they have a point, but alongside your other security measures, port knocking is a helpful extra layer of protection for an attacker to penetrate. You have to admit that using iptables and so forth to hide your precious ports from the world at large is a really nice, if not somewhat clandestine, touch.

Although TCP Wrappers won't be for everyone, I wanted to demonstrate the customizable knockd. For those who want to use firewalling instead of tcpd, here are two examples of start and stop commands for the uncomplicated firewall (UFW; Listing 5) and for iptables (Listing 6). Your mileage may vary.

Listing 5

UFW Start and Stop Commands

start_command = ufw allow from %IP% to any port 22
stop_command = ufw delete allow from %IP% to any port 22

Listing 6

Iptables Start and Stop Commands

start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
