Port Knocking

Why Port Knocking?
Port knocking is a great method to allow remote access without the security risks associated with keeping ports constantly open on the internet side of your networked host. This was intended to be used as an extra line of defense and is not an excuse for weak passwords.

With port knocking, the firewalled server runs the knock daemon (knockd). This daemon listens for a specific sequence of TCP or UDP "knocks" and associates that sequence with an action. The knock daemon listens at a very low level in the TCP/IP stack and does not require any open ports to operate, so it is completely invisible from outside the system. This stealth adds a layer of security: attackers see no sign that the knock daemon is running, and are unlikely to attempt random knocks in the hope of gaining access.

On the client side, a program called knock issues these "knocks" to the host machine in order to perform the desired action, usually opening a port for remote access. The rule that is opened is usually restricted to the IP address that issued the knock, which again makes this more secure than a port that is simply left open.

Knock Daemon Installation
Two tools are necessary for port knocking: iptables and the knock daemon. You will also need a root login.

Before we install these programs, we must make sure that the kernel has compiled-in iptables support (otherwise nothing will work). For iptables to work you must enable the kernel option "Network packet filtering (replaces ipchains)" (a.k.a. NETFILTER). You can find this option under:

Now recompile the kernel, reboot the system and run:

Next, we write our Knock Daemon config file. Here's an example securing port 22 (SSHD):

You may write your own (new) entries using this format or use this file as a template and modify it to your needs (like changing ports or sequences).

If an earlier rule in the chain already blocks access, a rule appended with -A is never reached and becomes ineffectual. Inserting the rule at the top of the chain with -I instead of -A might look something like this:

A rule closing the port can co-exist with our method in this way.

You can also dictate the type of each knock by appending :tcp or :udp to the port number, as in the following example: 9000:tcp,8000:udp,7000:tcp. If no type is specified, knockd defaults to TCP.

This approach is all very well, but we can save time by having the port close itself again automatically. This is achieved thus:

Or, while you're at it:

You can also ensure that you will not be locked out by using -m state --state NEW, which makes the blocking rule apply only to new connection attempts:

Remember to save the above rule if you plan to keep using it:

In this example you have ten seconds to establish the connection (you may increase this time if you want); after that no new connections are accepted, but established ones are not terminated either. That way you don't need to worry about somebody else being able to connect for the duration of your session. You have just installed an automatic door closer.

Sequences may be changed freely. You should NEVER use the sequences taken for this HowTo but make up your own.

You should raise cmd_timeout, because 10 seconds is not much; 25 seconds fits better.

To secure another service, you may use this as a template and modify sequence and port-number accordingly.
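The pieces described above (a knock sequence that runs an iptables command, -I rather than -A, an automatic close via cmd_timeout, and a baseline rule that only blocks NEW connections) fit together in one configuration file. The following is an added example and not the page's own config: a shell function that writes a knockd.conf for a chosen SSH port and timeout. The sequence numbers, log file path and /sbin/iptables path are assumptions, and `start_command`, `stop_command`, `cmd_timeout`, `seq_timeout`, `tcpflags` and the `%IP%` placeholder are knockd's own directives.

```bash
#!/bin/sh
# Added example, not the page's config: write a knockd.conf that opens the SSH
# port for the knocking IP only and closes it again after cmd_timeout seconds.
# The sequence, log path and iptables path are illustrative; choose your own
# sequence rather than reusing one from a HowTo.
#
# Baseline rule the admin applies once before starting knockd (not run here):
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
# Matching only NEW connections means the stop_command below cuts off new
# attempts without terminating a session that is already established.

# write_knockd_conf OUTPUT_PATH [SSH_PORT] [CMD_TIMEOUT]
write_knockd_conf() {
    out="$1"
    ssh_port="${2:-22}"
    cmd_timeout="${3:-25}"
    cat > "$out" <<EOF
[options]
        logfile = /var/log/knockd.log

# Three TCP SYN knocks, in this order, within seq_timeout seconds
[openSSH]
        sequence    = 7000:tcp,8000:tcp,9000:tcp
        seq_timeout = 5
        tcpflags    = syn
# -I inserts the ACCEPT ahead of the DROP rule; %IP% is the knocker's address
        start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport $ssh_port -j ACCEPT
# stop_command runs cmd_timeout seconds after start_command and removes the ACCEPT
        cmd_timeout   = $cmd_timeout
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport $ssh_port -j ACCEPT
EOF
}

# Usage (as root): sh thisfile.sh /etc/knockd.conf 22 25 && knockd -d
if [ $# -ge 1 ]; then
    write_knockd_conf "$@"
fi
```

The stop_command removes exactly the rule the start_command inserted (same -s, -p and --dport), so each knocker's window is closed independently of any other knocker's.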

Starting the Knock Server Automatically
If you want to run the Knock Daemon on an interface other than your default, you need to add the option -i to :

Use of the Knock Clients
OK, so now we've set up our knock daemon. A daemon is pretty pointless without a client, though, so we have knock. It is part of the package you emerged to get knockd, so (as long as you've been following this guide) you already have it installed.

You can get a client for Windows machines too - it's available at http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki.

If you want to knock from a Linux box that doesn't already have the client installed, you can simply put /usr/bin/knock onto a disk along with a basic BASH script like this:

You can use this syntax for specifying TCP and UDP packets:
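As an added example (not the page's script), here is a client-side wrapper that accepts the port[:tcp|:udp] syntax described above, uses the knock client when it is on the box, and otherwise falls back to bash's /dev/tcp and /dev/udp pseudo-files so it still works on a machine without the knock package. The host, sequence and user are placeholders supplied on the command line; timeout(1) from coreutils is assumed to be present for the fallback.

```bash
#!/bin/bash
# Added example, not the page's script: knock a host with the knock client if
# installed, otherwise with bash's /dev/tcp and /dev/udp redirections.

# normalise_sequence "9000:tcp, 8000:UDP, 7000"  ->  "9000:tcp 8000:udp 7000:tcp"
# Accepts the knock/knockd syntax from the text: optional :tcp/:udp per port,
# TCP by default, case-insensitive, commas or spaces as separators.
normalise_sequence() {
    printf '%s' "$1" | tr ',' ' ' | tr 'A-Z' 'a-z' | awk '
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, part, ":")
                port = part[1]
                proto = (n > 1) ? part[2] : "tcp"
                if (proto != "tcp" && proto != "udp") {
                    print "bad protocol in " $i > "/dev/stderr"; err = 1; exit 2
                }
                if (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535) {
                    print "bad port in " $i > "/dev/stderr"; err = 1; exit 2
                }
                sep = (out == "") ? "" : " "
                out = out sep port ":" proto
            }
        }
        END { if (!err) print out }'
}

# send_knock HOST PORT PROTO  -- one knock without the knock client.
# A TCP knock is just the SYN: the connect is expected to fail or hang on a
# DROPped port, so cap it with timeout(1) and ignore the error.
send_knock() {
    if [ "$3" = udp ]; then
        echo > "/dev/udp/$1/$2" 2>/dev/null
    else
        timeout 1 bash -c "echo > /dev/tcp/$1/$2" 2>/dev/null
    fi
    return 0
}

# knock_host HOST "SEQUENCE"
knock_host() {
    host="$1"
    seq=$(normalise_sequence "$2") || return 1
    if command -v knock >/dev/null 2>&1; then
        # the knock client takes the same port[:proto] tokens as knockd's sequence line
        knock "$host" $seq
    else
        for token in $seq; do
            send_knock "$host" "${token%:*}" "${token#*:}"
            sleep 0.2
        done
    fi
}

# Usage: ./knock.sh HOST "7000:tcp,8000:udp,9000:tcp" [USER]
if [ $# -ge 2 ]; then
    knock_host "$1" "$2" && sleep 1 && ssh "${3:-$USER}@$1"
fi
```

The short sleep between fallback knocks keeps them in order on the wire; knockd only needs the SYN (or the UDP datagram) to arrive, so the failed connects are expected and harmless.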

Repeated Knocking
Some users may experience problems with the first knock and need to knock repeatedly before the port opens. If this is the case, a script can make the task easier. The following script, by user chiefbag from the Gentoo forums, is a good example. It continues to knock until a connection is established, and requires telnet and nmap to be installed.


```bash
#!/bin/bash
# Change the below ports, hostname and user as required.
port1="123"
port2="456"
port3="789"
hostname="1.2.3.4"
username="user1"
result=0

clear
while [ "$result" -lt 1 ]; do
    echo "Knocking on $hostname"
    echo ""
    # each telnet attempt sends the SYN that knockd is waiting for
    telnet "$hostname" "$port1" > /dev/null 2>&1
    telnet "$hostname" "$port2" > /dev/null 2>&1
    telnet "$hostname" "$port3" > /dev/null 2>&1
    sleep 2
    echo "Checking if port 22 on $hostname is open"
    echo ""
    # count the "open" state in nmap's line for port 22; 1 means open, 0 means not
    result=$( nmap "$hostname" -p 22 | tail -3 | head -1 | awk -F ' ' '{print $2}' | grep open | wc -l )
done
echo "Port 22 has been opened on $hostname"
echo ""
echo "Attempting to ssh to $hostname"
echo ""
ssh "$username@$hostname"
echo ""
echo "You are now disconnected from $hostname"
echo ""
#echo "RESULT = $result"
```

Additional Measures
Make sure all ports you do not want exposed are protected by port knocking. To find exposed ports (i.e. running services) you may emerge nmap

then run nmap <your public ip-address> to do a port scan. (The German version of this page says nmap localhost at this point, which is of limited use: services bound to the loopback interface do not necessarily listen on the public interfaces, and vice versa, depending on each service's configuration. Best is to use another machine to attempt real external connections; see the comment below.) If you ignore tools like this, then using techniques such as port knocking becomes pretty much pointless.

With any luck, all ports protected by knockd will be either “closed” (REJECT target in iptables) or “stealth” (DROP target), until the sequence is sent (and in our example they'd go back that way after 10 seconds).

Fortunately, a fellow named Steve Gibson runs a port-scanning service called "Shields Up!" that will check your machine (and only yours) in a variety of handy ways. Go to https://www.grc.com/x/ne.dll?bh0bkyd2 and click "Proceed".
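The checks in this section can be scripted from a second machine so that the whole cycle is verified, not just the final state: the protected port should be hidden before the knock, open afterwards (only from the knocking address, which is why the scan runs on the same machine that knocks), and hidden again once cmd_timeout has passed. The following is an added example and not part of the page; it assumes nmap and the knock client are installed on the scanning machine, and the host, port and sequence are placeholders passed on the command line.

```bash
#!/bin/sh
# Added example (not from the page): verify hidden -> open -> hidden for a
# knock-protected port, scanning from the machine that sends the knocks.

# open_ports  -- read nmap's normal output on stdin, print each open port/proto
open_ports() {
    awk '/^[0-9]+\/(tcp|udp)[[:space:]]+open/ { print $1 }'
}

# port_is_open HOST PORT  -- exit 0 if nmap reports PORT/tcp open (needs nmap)
port_is_open() {
    nmap -Pn -p "$2" "$1" 2>/dev/null | open_ports | grep -q "^$2/"
}

# verify_knock_cycle HOST PORT CMD_TIMEOUT KNOCK_TOKEN...
verify_knock_cycle() {
    host="$1"; port="$2"; wait="$3"; shift 3
    if port_is_open "$host" "$port"; then
        echo "FAIL: $port/tcp is reachable before knocking; the baseline DROP rule is missing"
        return 1
    fi
    knock "$host" "$@"              # client from the knock package
    sleep 1
    if ! port_is_open "$host" "$port"; then
        echo "FAIL: $port/tcp still hidden after knocking (wrong sequence, or the ACCEPT sits below the DROP rule?)"
        return 1
    fi
    sleep "$((wait + 2))"
    if port_is_open "$host" "$port"; then
        echo "FAIL: $port/tcp still open after cmd_timeout; check stop_command"
        return 1
    fi
    echo "OK: $port/tcp went hidden -> open -> hidden as expected"
}

# Usage: sh verify.sh HOST 22 25 7000:tcp 8000:tcp 9000:tcp
if [ $# -ge 4 ]; then
    verify_knock_cycle "$@"
fi
```

A port reported "filtered" by nmap corresponds to the DROP target and "closed" to REJECT; both count as not open for this check, so it works with either choice of baseline rule.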

Links
Portknocking.org.