What is port knocking?

Posted on April 5, 2010 by lpilinuxblog

Port knocking is a method of establishing a connection to a networked computer that has no open ports look up port on webopedia.com look up port on FOLDOC . Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports. A remote host generates and sends an authentic knock sequence in order to manipulate the server’s firewall look up firewall on webopedia.com look up firewall on FOLDOC rules to open one or more specific ports. These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts which can be translated into authentic knock sequences. Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may used to trigger the closing of the port.
Applicability

Port knocking is a suitable form of hardening hosts that house users who require continual access to services and data from any location and that are not running public services, such as SMTP look up SMTP on webopedia.com look up SMTP on FOLDOC or HTTP look up HTTP on webopedia.com look up HTTP on FOLDOC . Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence. This on-demand IP-based filtering which is triggered by a remote user can offers the advantages of IP-based filtering without the limitation usually associated with maintaining IP rules. Port knocking cannot be used to protect public services – such protection cannot be effective if the knock sequence, or a method to generate it, is made public.

Port knocking can be used whenever there is a need to transfer information across closed ports. The port knock daemon can be implemented to repond in any suitable way to an authentic port knock. The knock may be used to communicate the knock information silently and/or to trigger an action. This is a form of IP over closed ports.

The simplest implementation of port knocking uses a log file to interface with the firewall software. This simple approach makes port knocking highly accessible for home users who would like to harden their *NIX systems. One of the strong advantages of port knocking is that the protected services do not require any modification. Port knocking is easy to set up and presents no performance issues when dealing with a modest number of incoming connections.
Limitations

Port knocking as desribed here is one implementation of a more general idea. It is not necessary for the firewall log file to be involved in the process. A robust implementation interfaces with the server’s IP stack more closely. Nor is it strictly necessary for the knocks to come as a series of connection attempts. For example, the knock may be encapsulated in the data payload of a single packet that is sent to a closed port.

There will be situations in which port knocking is ideally suitable, such as remote administration provided by a latent, on-demand SSH service. In other cases port knocking is not the right answer.

Share
This entry was posted in Linux Networking. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>