Mighty Securing Your Server with Port Knocking

Mighty Securing Your Server with Port Knocking 1


First, you need to clarify the definition of Port Knocking. This term in computer networks means a method of externally opening ports in a firewall by generating a connection attempt on a large number of other prematurely closed ports. Once the correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent the connection to try to connect through the specific port (s). The name “Port Knocking” already very clearly describes the main work and functionality of this technology. In simple terms, we are offered to make a kind of cache from the desired TCP/UDP port (or ports), which opens if we know where to “knock”. This kind of “knock” can be:

  1. Arbitrary packages. They are sent in advance as specific TCP / UDP ports
  2. ICMP requests of a certain length
  3. Packages that contain some very important information

The Principle of Operation

This technology (Port Knocking) has a very important and interesting feature. This feature is to apply multiple attempts to connect to closed ports. You can imagine a large company, for example, 10 floors. First, you need to get to the admissions office, after which you are invited to visit the HR department, then to the marketing department, after the development department, and ultimately, to the manager’s office. Port Knocking technology is performed through a sequence of attempts to connect to closed ports. If the ports are closed, you can track all connection attempts in the firewall log files. Usually the server does not respond to such connections, but it reads and processes them.

The description of port knocking is very detailed and clearly described as follows: it is a network protection mechanism, the action of which is based on the following principle: a network port is closed by default, but until a predetermined sequence of data packets arrives at it, which “forces »Port to open.

Server Configuration Using Port Knocking

Mighty Securing Your Server with Port Knocking 2

One of the commonly used tools for organizing Port Knocking is knockd. This type of connection organization listens on the network interface; it does this by waiting for a specific cycle of a sequence of connection requests. How can this work? For example, you have an SSH connection tool running that works on incoming traffic on port 22.

However, by default, the iptables rules do not allow incoming connections to this port. Knockd, which is listening on eth0, is waiting for a sequence of TCP SYN packets on ports 9000, 6501 and 1234. After this sequence of connections is found, knockd will change the network filter rule to allow the connection by invoking iptables from outside to TCP port 22, on which the SSH daemon is already waiting. You can build knockd from the sources from the site. After installing knockd, its configuration file can be found in the following directory:


At the beginning of the configuration file is the [options] section, which contains the global settings for the daemon. For example, with the line:

Interface = eth1

You can define which interface to listen on if it is not the only one on your system. After the [options] section, there are sequence descriptions. By default, there are two of them:

Mighty Securing Your Server with Port Knocking 3
sequence    = 9000,8000,7000
seq_timeout = 5
command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

The value of the parameter defines the sequence. The numbers are TCP port numbers. Also, you can explicitly specify which TCP or UDP port to use by using the: tcp and: udp suffixes. For example:

Mighty Securing Your Server with Port Knocking 4
  • The value of the seq_timeout parameter takes on the maximum value of the time, in seconds, that a client has to make a sequence of connections. If the client does not meet this time, the connection will be rejected.
  • The value of the command parameter specifies the path and parameters of the called program if a valid sequence is found.
  • With the tcpflags parameter, you define yourself which flags the packets participating in the sequence should have. Multiple flags must be comma separated
Mighty Securing Your Server with Port Knocking 5

And to explicitly exclude hotel flags, you need to use an exclamation mark:

Mighty Securing Your Server with Port Knocking 6

Another interesting knockd configuration option is to use parameters start_command, cmd_timeout and stop_command:

one_time_sequences = /etc/knockd/smtp_sequences
seq_timeout        = 15
tcpflags           = fin,!ack
start_command      = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 25 -j ACCEPT
cmd_timeout        = 5
stop_command       = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 25 -j ACCEPT

The start_command parameter is identical in meaning to the command parameter. The value of the cmd_timeout parameter defines the time interval in seconds after which the command will be launched, which is determined by the value of the stop_command parameter. Thus, you can only open a specific port for a certain period of time.

As a rule, for the knockd daemon to start automatically at system startup, it is enough to set in the /etc/default/knockd file:

Mighty Securing Your Server with Port Knocking 7

Client Setting

After that, you will have the opportunity to test the connection to your server using a regular telnet client by sequentially connecting to the specified ports.

In day-to-day use, it is naturally not very convenient to run a series of serial telnet connections before you need to connect to your SSH server. The knock daemon comes with the knock utility, which is designed to make the necessary series of connections. For example

knock 3333:tcp 9999:udp 1010:udp 8675:tcp

Please pay your attention to how the port type goes and the description of the numbers. It is the same as in /etc/knockd.conf. If you use port knocking all over the place, then you probably need knock clients for mobile platforms.

Port Knocking on PuTTY SSH Connection

Mighty Securing Your Server with Port Knocking 8

Then you can login

Mighty Securing Your Server with Port Knocking 9

The Practical Aspect of Using Port Knocking

Port knocking has its drawbacks (according to the experience of some users): there is always the possibility that your traffic will be intercepted and be able to isolate a sequence from it, and the more often you use port knocking, the higher this probability. Therefore, a more complex method of protecting against eavesdropping port knocking is to use one-time secret sequences. To do this, in knockd.conf, you need to use the one_time_sequences parameter, the value of which must be the path to the file with the definition of sequences, one per line. After each sequence has been used, knockd comments the line with the used sequence and switches to the next one.

This includes some of the disadvantages of using knockd. First, if the knockd process suddenly crashes, you won’t be able to remotely access the cloaked service. Secondly, remember that IP packets can be delivered to your server in different ways and come not at all in the sequence in which they were sent. That is why you should not use too small a value for the seq_timeout parameter.

It goes without saying that knockd can be used for more than just managing network filter rules by running iptables. You can run whatever you want, from starting the backup process to deleting important data from the server to sending a letter of resignation to your boss.


In addition to preventing brute-force attacks and the inevitable increase in the number of logs associated with the process daemon, port blocking also protects against exploits of protocol vulnerabilities. If an exploit has been found that could compromise a daemon in its default configuration, using port blocking on the listening port reduces the chances of a compromise until the software or process is updated. Authorized users will continue to be served as soon as they provide the correct knock sequence, while random access attempts will be ignored.