Port knocking is a way to secure a server by closing firewall ports ̵1; even those you know will be used. Those ports are opened on request – and only if – the connection request provides the secret path.
Port Knocking is a "Secret Knock"
In the 1920s, when the ban was in full swing, if you wanted to get a good look, you had to know the secret course and knock it out properly to enter.
Port knocking is a modern counterpart. If you want people to have access to services on your computer but do not want to open your firewall to the Internet, you can use port switching. It allows you to close the ports on your firewall that allow incoming connections and have them open automatically when a prescribed pattern of connection attempts is made. The sequence of connection attempts acts as the secret knocking. Another secret knock closes the harbor.
Port knocking is something of a novelty, but it is important to know that it is an example of security through ambiguity, and that concept is basically. The secret of how to access a system is secure because only those in a certain group know it. But when that secret is out – either because it has been revealed, observed, guessed or worked out – your security is void. It is better for you to secure your server in other, stronger ways, such as requiring key-based logins for an SSH server.
The most robust approaches to cyber security are multilayered, so maybe gate knocking should be one of those layers. The more layers, the better, right? However, you can argue that door knocking doesn't add much (if anything) to a properly cured, secure system.
Cybersecurity is a big and complicated topic, but you should not use port knobs as your only form of defense.
RELATED: How to create and install SSH keys from Linux Shell
To demonstrate port knocking, we will use it to control port 22, which is SSH port. We will use a tool called knockd. Use
apt-get to install this package on your system if you are using Ubuntu or another Debian-based distribution. On other Linux distributions, use your Linux distribution's package management tool instead.
Type the following:
sudo apt-get install knockd
You probably already have the iptables firewall installed on your system, but you may need to install the
iptables-persistent package . It handles automatic loading of saved
Type the following to install it:
sudo apt-get install iptables-persistent
When the IPV4 configuration screen appears, tap the space bar to accept the "Yes" option.
Touch the spacebar again in the IPv6 configuration screen to accept the "Yes" option and move on.
The following command tells
iptables to allow established and ongoing connections to continue. We will now issue another command to close the SSH port.
If someone is joined by SSH when we issue this command, we do not want them to be shut down by:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED, RELATED -j ACCEPT
This command adds a rule to the firewall, which says:
- -A : Add the rule to the firewall control table. That is, add the bottom.
- INPUT : This is a rule for incoming connections.
- -m conntrack : Firewall rules act on network traffic (packets) that match criteria in the rule. The parameter
iptablesto use extra packet matching modules – in this case, the one called
conntrackworks with the core network tracing functions.
- –cstate ESTABLISHED, RELATED : This specifies which type of connection the rule will apply to, namely ESTABLISHED and RELATED connections. An established connection is one that is already in progress. A related connection is one that is created because of an action from an established connection. Maybe someone connected wants to download a file; which may happen over a new connection initiated by the host.
- -j ACCEPT : If the traffic matches the rule, jump to the ACCEPT target in the firewall. In other words, traffic is accepted and allowed to pass through the firewall.
Now we can issue the command to close the port:
sudo iptables -A INPUT -p tcp --port 22 -j REJECT 
This command adds a rule to the firewall, which says:
- -A : Add the rule to the firewall rules table, ie add it to the bottom.
- INPUT : This rule is about incoming connections.
- -p tcp : This rule applies to traffic using the Transmission Control Protocol.
- –deport 22 : This rule applies specifically to TCP traffic directed to port 22 (SSH port).
- -j REJECT : If traffic matches the rule, jump to the REJECT target in the firewall. So if the traffic is rejected it is not allowed through the firewall.
We have to start the
netfilter-persistent daemon. We can do this with this command:
sudo systemctl start netfilter-persistent
netfilter-persistent to go through a save and reload the cycle, so it loads and checks the
Type the following commands:
sudo netfilter-persistent save
sudo netfilter-persistent reload
You have now installed the tools and the SSH port is closed (hopefully without ending someone's connection). Now it's time to configure the secret knock.
There are two files you edit to configure
knockd . The first is the following
knockd configuration file:
sudo gedit /etc/knockd.conf Chapter19659097 ???? 1919909031 Chapter19199009006Ditit
We will edit this file according to our needs. The sections we are interested in are “openSSH” and “closeSSH.” The following four entries are in each section:
- Sequence : The sequence of ports that someone must have access to open or close port 22. The default ports are 7000, 8000 and 9000 to open it and 9000, 8000 and 7000 to close it. You can change these or add more ports to the list. For our purposes, we will stick to the default values.
- seq_timeout : The period of time during which someone must access the gates to trigger or close it.
- command : The command sent to the
iptablesfirewall when the open or closed action is triggered. These commands either add a rule to the firewall (to open the port) or remove it (to close the port).
- tcpflags : The type of packet that each port must receive in the secret sequence. A SYN packet (synchronize) is the first in a TCP connection request, called a three-way handshake.
The "openSSH" section can be read as "a TCP connection request must be made to ports 7000, 8000 and 9000 - in that order and within 5 seconds - for the command to open port 22 to be sent to the firewall."
The "closeSSH" section can be read as "a TCP connection request must be made to ports 9000, 8000, and 7000 - in that order and within 5 seconds - for the command to close port 22 to be sent to the firewall."
The firewall rules  The "command" entries in the openSSH and closeSSH sections remain the same except for one parameter. Thus, they consist of:
- -A : Add the rule to the bottom of the list of firewall rules (for the openSSH command).
- -D : Delete the command from the firewall rules list (for the closeSSH command).
- INPUT : This rule is about incoming network traffic.
- -s% IP% : The IP address of the device requesting a connection.  -p : Network Protocol; in this case it is TCP.
- –deport : Port of destination; in our example it is port 22.
- -j ACCEPT : Jump to the acceptance target in the firewall. In other words, let the package pass the rest of the rules without acting on it.
The knockd Configuration File Edits
The edits we make to the file are highlighted in red below:
We extend “seq_timeout” to 15 seconds. This is generous, but if someone manually pushes in connection requests, he may need so much time.
In the section "openSSH" we change the option
-A (attach) in the command to
-I (insert). This command inserts a new firewall rule at the top in the list of firewall rules. If you leave the
-A option, is added to the firewall rules list and adds it to at the bottom .
Incoming traffic is tested against each firewall rule in the list from top to bottom. We already have a rule that closes port 22. So, if incoming traffic is tested against that rule before it sees the rule that allows traffic, the connection is denied; if it sees the new rule first, the connection is allowed.
The closing command removes the rule added by openSSH from the firewall rules. SSH traffic is once again handled by the existing rule "port 22 is closed".
After you make these changes, you save the configuration file.
RELATED: How to edit text files graphically on Linux With gedit
The knockd Control File Edits
knockd control file is completely simpler. However, before we dive in and edit it, we must know the internal name of our network connection; to find it, type this command:
The connection used by the machine to examine this article is called
enp0s3 . Note the name of your connection.
The following command edits the
knockd control file:
sudo gedit / etc / default / knockd
Here is the
knockd file in
The few changes we need to make are marked in red: 
We changed the entry "START_KNOCKD =" from 0 to 1.
We also removed the hash
# from the beginning of the entry "KNOCKD_OPTS =" and replaced "eth1" with the name of our network connection,
enp0s3 . Of course, if your network connection is
eth1 you will not change it.
The Proof Is in the Pudding
It's time to see if this works. We will start
knockd daemon with this command:
sudo systemctrl start knockd
Now we will jump on another machine and try to connect. We also installed the
knockd tool on that computer, not because we want to set up port switching, but because the package
knockd provides another tool called
knock . We will use this machine to shoot in our secret sequence and perform the trajectory for us.
Use the following command to send your secret sequence of connection requests to the ports at the port knocking the host computer with the IP address 192.168.4.24:
knock 192.168.4.24 7000 8000 9000-d 500
knock to target the computer at IP address 192.168.4.24 and fire a connection request to ports 7000, 8000 and 9000, in turn with a
-d (delay) of 500 milliseconds between them .
A user called "dave" then makes an SSH request to 192.168.4.24:ebrit19659015strongssh email@example.com
His connection is accepted, he sets his password and his remote session begins. His command interpreter changed from
dave @ nostromo to
dave @ howtogeek . To log out of the remote computer, he writes:
His command interpreter returns to his local computer. He uses
knock again, and this time it targets the ports in reverse order to close the SSH port on the remote computer.
knock 192.168.4.24 9000 8000 7000 -d 500
It was not a particularly fruitful remote collection, but it shows the opening and closing of the harbor via port knocking and fits in a single screenshot
So, how did this look from the other side? The system administrator on the port knocking host uses the following command to see new entries arriving in the system log:
tail -f / var / log / syslog
- You see three openSSH records. These are raised when each port is directed by the remote knob tool.
- When all three steps in the trigger sequence are fulfilled, an entry saying "OPEN SESAME,"
- logs the command to insert the rule into the
iptablesrule list. It allows SSH access on port 22 from the specific IP address of the computer that gave the right secret knock (192.168.4.23).
- The user "dave" only connects for a few seconds and then disconnects.
- You see three closed SSH records. These are raised when each port is directed by the remote knob tool - it tells that the port knocks values to close port 22.
- When all three steps have been triggered, we get the message "OPEN SESAM" again. The command is sent to the firewall to remove the rule. (Why not "CLOSE SESAME" when it closes the door? Who knows?) So, port 22 is now closed again.
Knock It on the Head
It's the port clock parlor trick. Treat it as a diversion and don't do it in the real world. Or, if you must, don't trust it as your only form of security.