Port knocking: a stealthy system for network authentication across closed ports

Port Knocking Perl prototype v0.30 (2004-Nov-14 18:59): pcaplib support added, so the daemon no longer requires a firewall log file; new Net::Pcap support sniffs packets directly.

Learn about firewalls and discover port knocking. Find out how to use port knocking to secure your servers with a Perl prototype or other implementations. Play with knocks in the knock lab. Contribute to the port knocking project. See what others are saying. Is port knocking a form of security through obscurity? The author doesn't think so and also has some other opinions.

implementations

The catalogue has 45 implementations of port knocking (and related methods) as of 2014-Apr-15 12:58.


publications

When citing port knocking, please use

Borss, C. (2001) Listserv post to the Braunschweiger Linux User Group (lug-bs@lk.etc.tu-bs.de).

Barham, P. et al. (2002) Techniques for Lightweight Concealment and Authentication in IP Networks. Intel Research Berkeley (IRB-TR-02-009).

Krzywinski, M. (2003) Port Knocking: Network Authentication Across Closed Ports. SysAdmin Magazine 12: 12-17.

Proposal to implement port knocking using OpenBSD's pf. The writer states, "The idea is to use the pf's passive OS fingerprinter to authenticate initial SYN packets. With a tool (or kernel patch) able to rewrite packets header is possible to use a specific sequence of header fields as a key to validate packets."

My article "Portknocking from the inside out" (PDF) appears in the Polish-based security magazine hakin9 (5/2005), which is also available in English. The article shows how to implement port knocking with only sendIP and tcpdump and describes the features, installation and advanced use of Bruce Ward's Doorman.

Dr. Dobb's Journal carries an article Practical Port Knocking by John Graham-Cumming. John discusses his implementation of tumbler.

NewsForge carries a Critique of Port Knocking. I have posted a rebuttal.

Article by Christopher Kunz in the German computing magazine c't (issue 14/2004). Great artwork.

Port knocking was discussed in Bruce Schneier's Crypto-Gram Newsletter (March 15, 2004).

Port knocking was featured on episode 32 of Binary Revolutions internet radio. If you want to skip ahead, the port knocking discussion starts at 34:45 into the broadcast.

Port knocking was the subject of long Slashdot debate. Various implementations have also been discussed on Slashdot. Recently, the use of port knocking and OS fingerprinting (fwknop) was presented at DEF CON 12 and discussed on Slashdot.

I presented the port knocking method at the West Coast Security Forum (PDF, PowerPoint).

An article describing this method, "Port Knocking - Network Authentication Across Closed Ports" by Martin Krzywinski, appears in the June 2003 Information Security issue of SysAdmin Magazine. Abstract: Krzywinski describes the use of port knocking, a stealthy network authentication system that uses closed ports to carry out identification of trusted users.

A HOWTO article about port knocking appears on the Linux Journal web site, and port knocking is also covered on Linuxsecurity.com.

definition

Broadly, port knocking (see also the Wikipedia entry) is a form of host-to-host communication in which information flows across closed ports. There are several variants of the method: information may be encoded into a sequence of port numbers or into a packet payload. In general, data are transmitted to closed ports and received by a monitoring daemon, which intercepts the information without sending any receipt to the sender.

Recently, a physical knock-detecting device that does for a door what port knocking does for a server has been reported. The knock detector is mounted on the inside of a door and listens for ... you guessed it, secret knocks. Once a valid knock is detected, the device unlocks the door.

In one instance, port knocking refers to a method of communication between two computers (arbitrarily named here client and server) in which information is encoded, and possibly encrypted, into a sequence of port numbers. This sequence is termed the knock. Initially, the server presents no open ports to the public and is monitoring all connection attempts. The client initiates connection attempts to the server by sending SYN packets to the ports specified in the knock. This process of knocking is what gives port knocking its name. The server offers no response to the client during the knocking phase, as it "silently" processes the port sequence. When the server decodes a valid knock it triggers a server-side process.

port knocking in 4 easy steps

[figure: port knocking explained - step 1]

step 1 | (A) client cannot connect to the application listening on port n; (B) client cannot establish a connection to any port

[figure: port knocking explained - step 2]

step 2 | (1,2,3,4) client connects to a well-defined set of ports, in a sequence that contains an encrypted message, by sending SYN packets; the client has a priori knowledge of the port knocking daemon and its configuration, but receives no acknowledgement during this phase because the firewall rules preclude any response

[figure: port knocking explained - step 3]

step 3 | (A) a server process (the port knocking daemon) intercepts the connection attempts and interprets (decrypts and decodes) them as comprising an authentic "port knock"; the server carries out a specific task based on the content of the port knock, such as opening port n to the client

[figure: port knocking explained - step 4]

step 4 | (A) client connects to port n and authenticates using the application's regular mechanism

The definition of a valid knock is arbitrary, and up to the implementer. The server-side process is also arbitrary, and up to the implementer. The trigger may result in dynamic modification of firewall rules or other administrative system events. Encoding and encrypting information into a series of ports and sending information using SYN packets is one of the simplest forms of port knocking. A variety of implementations extend this scheme.

Brief

Port knocking is a method of establishing a connection to a networked computer that has no open ports. Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports. A remote host generates and sends an authentic knock sequence in order to manipulate the server's firewall rules to open one or more specific ports. These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts that can be translated into authentic knock sequences. Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may be used to trigger the closing of the port.

Applicability

Port knocking is a suitable way of hardening hosts that house users who require continual access to services and data from any location, and that are not running public services such as SMTP or HTTP. Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence. This on-demand, IP-based filtering, triggered by a remote user, offers the advantages of IP-based filtering without the limitation usually associated with maintaining IP rules. Port knocking cannot be used to protect public services: such protection cannot be effective if the knock sequence, or a method to generate it, is made public.

Port knocking can be used whenever there is a need to transfer information across closed ports. The port knock daemon can be implemented to respond in any suitable way to an authentic port knock. The knock may be used to communicate the knock information silently and/or to trigger an action. This is a form of IP over closed ports.

The simplest implementation of port knocking uses a log file to interface with the firewall software. This simple approach makes port knocking highly accessible for home users who would like to harden their *NIX systems. One of the strong advantages of port knocking is that the protected services do not require any modification. Port knocking is easy to set up and presents no performance issues when dealing with a modest number of incoming connections.
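The daemon side of steps 2 and 3 above, driven by the firewall log file as in this simplest implementation, as an added example in Python that is not the Perl prototype's code: it parses logged SYNs to closed ports, tracks each source's progress through the knock, drops a partial knock on an out-of-order port or after a time window, and returns the firewall action an authentic knock would trigger. The log lines, hosts, knock sequence, service port and 10-second window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed iptables-style LOG lines using documentation-range addresses; a real log differs in detail.
SAMPLE_LOG = """\
Nov 14 18:59:01 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=100 SYN
Nov 14 18:59:02 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=200 SYN
Nov 14 18:59:03 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=300 SYN
Nov 14 18:59:04 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=400 SYN
Nov 14 18:59:05 srv kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=5555 DPT=100 SYN
Nov 14 18:59:06 srv kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=5555 DPT=300 SYN
"""
KNOCK = (100, 200, 300, 400)  # the knock sequence (constructed); a real deployment keeps its own secret
OPEN_PORT = 22                # service port opened for an authentic knock (assumed: on-demand SSH)
WINDOW = 10.0                 # seconds within which the whole knock must arrive (assumed)
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")

class KnockDaemon:
    """Step 3: intercept logged connection attempts and recognise an in-order, in-time knock."""
    def __init__(self, knock=KNOCK, window=WINDOW):
        self.knock, self.window = knock, window
        self.progress = {}  # src -> (index of next expected port, time of the first hit)

    def feed(self, line):
        m = LOG_RE.search(line)
        if not m or "SYN" not in line:
            return None  # not a logged SYN to a closed port, so not part of a knock
        # syslog stamps carry no year; relative seconds suffice to enforce the window
        ts = (datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()
        src, port = m.group("src"), int(m.group("dpt"))
        idx, first = self.progress.get(src, (0, ts))
        if idx and ts - first > self.window:
            idx = 0  # stale partial knock expires; the client must start over
        if idx == 0:
            first = ts
        if port != self.knock[idx]:
            # an out-of-order port cancels the attempt; the knock's first port restarts it
            self.progress[src] = (1, ts) if port == self.knock[0] else (0, ts)
            return None
        idx += 1
        if idx < len(self.knock):
            self.progress[src] = (idx, first)
            return None
        del self.progress[src]  # complete knock: this is the server-side trigger
        return ("open", src, OPEN_PORT)

def process_log(text, knock=KNOCK, window=WINDOW):
    """Run the daemon over log text and return the firewall actions it would trigger."""
    d = KnockDaemon(knock, window)
    return [a for a in (d.feed(l) for l in text.splitlines()) if a]
```

Only the first host completes the knock; the second host's out-of-order port cancels its attempt, and a real daemon would turn the returned action into a firewall rule for that source address.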

Limitations

Port knocking as described here is one implementation of a more general idea. It is not necessary for the firewall log file to be involved in the process; a robust implementation interfaces more closely with the server's IP stack. Nor is it strictly necessary for the knocks to come as a series of connection attempts. For example, the knock may be encapsulated in the data payload of a single packet that is sent to a closed port.

There will be situations in which port knocking is ideally suited, such as remote administration provided by a latent, on-demand SSH service. In other cases port knocking is not the right answer.

Efforts by Others

I'm not the first one with the idea of using closed ports to enhance security. I list other prior-art projects, such as cd00r and SAdoor, and current implementations of port knocking in the Implementations catalogue.

6 Jun 2013 — I just came across this blog posting on ChipLog by someone who had the port knocking idea before me.

Citing

When citing port knocking, please use

  • Krzywinski, M. 2003. Port Knocking: Network Authentication Across Closed Ports. SysAdmin Magazine 12: 12-17.

I try to maintain a list of port knocking articles and presentations.

last updated 2013-Jun-06 14:22
Port Knocking (c) 2002-2014 Martin Krzywinski