Skip to main content
Welcome guest. | Register | Login | Post

Port-knocking

Some of you might have heard about port-knocking already, and some of you might even already know what it is.
For those of you who don't know what it is I'd like to answer the obvious question "what is port-knocking" right away.

Port-knocking is a method to communicate through "closed" ports. I say "closed" because the ports are only closed to those who don't know the "magic word", which is a sequence of ports that has to be contacted in the right order so that the desired port (for example SSH) gets opened for the knocking client.

For this it is necessary that the client can keep track about who's knocking on it's door. Previous solutions mostly used logging and a daemon that analyzes the logs for this. Since I have recently been playing around with the IPTables-module Recent I thought it should be possible to use it for port-knocking. A quick test showed I was right about this, and a quick search on Google showed me I wasn't the first to have that idea; which would have been quite surprising anyway.

The advantages of this over the "classic solution" with logging and daemon are these:

  • Since no daemon has to run it should be easier on the system. Every process less is worth gold.
  • Less logging means less use of hard-drive-space. Also it means that your logs won't be spammed with information you don't need.

It is important to take precautions that the knocking-sequence cannot easily be triggered by a simple port-scan, which was the case in my first. If a knock has been done a connection on a port that is not next in the sequence should reset the knocking-sequence.

A disadvantage of this, over the "classic" solution, of course is that the rules of the packet-filter get more complex.
Since this is, as I think, is an interesting topic, I'm thinking about playing some more with it and writing a little HowTo about port-knocking with IPTables and it's module Recent.