Port knocking: A security idea whose time has come

Requiring a "combination" before connecting clients to network services is a good idea -- it can't hurt, and it just might help

Many, many innovations come from the Linux and Unix world. Few are more intriguing to me than port knocking. As a global security plug-in to protect services, it has a lot going for it and few downsides. However, for one reason or another, it suffers from lack of use and understanding. A lot of administrators may have heard of it, but few know how to implement it. Even fewer have used it.

Port knocking works on the concept that users wishing to attach to a network service must initiate a predetermined sequence of port connections or send a unique string of bytes before the remote client can connect to the eventual service. In its most basic form, the remote user’s client software must first connect to one or more ports before connecting to the final destination port.

For example, suppose the remote client wants to connect to an SSH server. The administrator configures the port-knocking requirements ahead of time, requiring that connecting remote clients first connect to ports 3400, 4000, and 9887 before connecting to the final destination port, 22. The administrator tells all legitimate clients the correct “combination” to connect; malicious hackers wishing to connect to the SSH service will be denied access without the combination. Port knocking will foil even port-scanning and banner-grabbing enthusiasts.

Because any combination of ports and transport protocols can be used, the number of possible sequences that an attacker would have to guess is high. Even if the hacker knew only three port knocks were involved, as in the very simple example above, with 64,000 possible TCP, UDP, and ICMP (Internet Control Message Protocol) ports to choose from, the resulting set of possible combinations for the hacker to try runs into the millions. Port scanners will be frustrated because port knocking uses closed ports to do the listening (more on this below).

The biggest advantage of all is that port knocking is platform-, service-, and application-independent: Any OS with the correct client and server software can take advantage of its protection. Although port knocking is mainly a Linux/Unix implementation, there are Windows tools that can do the same thing. And similar to IPSec and other protective mechanisms, none of the involved services or applications has to be port-knocking-aware.

Port-knocking server software works by monitoring the firewall log and looking for connections to closed ports, or by monitoring the IP stack. The former method requires that all denied connection attempts be written quickly to a firewall log, and the port-knocking service (daemon) monitors and correlates legitimate port-knocking combinations. For authenticated knocking combinations, the port-knocking server service then tells the firewall to open the final requested port for just the legitimate port-knocking client -- usually tracked by IP address.

More advanced implementations of port knocking work at the IP stack and either listen and record to connections to closed ports, or use a more sophisticated mechanism. Some implementations look for a specific series of bytes within the first connection attempt. These bytes can even be “hidden” within a simple ICMP echo request ping. Even stronger port-knocking negotiation methods involve encryption or asymmetric authentication.

Port knocking can also serve as an extra layer of security to protect high-risk remote management services, such as SSH and RDP (Remote Desktop Protocol). Unfortunately, port knocking has been used by more than a few rootkit Trojans as their hacker creators attempt to keep control of their own malicious creations.

Critics often point to the fact that eavesdropping hackers might be able to capture and replay the successful port-knocking sequence or series of bytes. Although this might be true with the basic implementations, attacks such as these would be squashed by using more sophisticated authentication methods or minimized by using secondary hard-coded allowed IP addresses such as TCP wrappers.

If a hacker does manage to glean your combination, the worst-case scenario is that the intruder bypasses the port-knocking protection and now has to face your normal service security measures -- log-on password prompting, and so on. As far as I can tell, the use of port knocking can only strengthen any defense-in-depth strategy and does nothing to hurt it.

I wish Windows had port-knocking mechanisms built in by default. It would be a nice complement to Microsoft’s marketplace-tested IPSec and Kerberos implementations. The Linux/Unix world has a plethora of port knocking implementations to choose from, none of which requires incredible expertise to configure or use.

For more information on port knocking, visit www.portknocking.org or en.wikipedia.org/wiki/Port_knocking. For configuration detail from one implementation example, check out gentoo-wiki.com/HOWTO_Port_Knocking.

An excellent collection of port-knocking software and utilities can be found at www.portknocking.org/view/implementations, and another Windows-based port-knocking server and client can be found at www.security.org.sg/code/portknock1.html.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies