Port knocking: A security idea whose time has come

Many, many innovations come from the Linux and Unix world. Few are more intriguing to me than port knocking. As a global security plug-in to protect services, it has a lot going for it and few downsides. However, for one reason or another, it suffers from lack of use and understanding. A lot of administrators may have heard of it, but few know how to implement it. Even fewer have used it.

Port knocking works on the concept that users wishing to attach to a network service must initiate a predetermined sequence of port connections or send a unique string of bytes before the remote client can connect to the eventual service. In its most basic form, the remote user’s client software must first connect to one or more ports before connecting to the final destination port.

For example, suppose the remote client wants to connect to an SSH server. The administrator configures the port-knocking requirements ahead of time, requiring that connecting remote clients first connect to ports 3400, 4000, and 9887 before connecting to the final destination port, 22. The administrator tells all legitimate clients the correct “combination” to connect; malicious hackers wishing to connect to the SSH service will be denied access without the combination. Port knocking will foil even port-scanning and banner-grabbing enthusiasts.

Because any combination of ports and transport protocols can be used, the number of possible sequences that an attacker would have to guess is high. Even if the hacker knew only three port knocks were involved, as in the very simple example above, with 64,000 possible TCP, UDP, and ICMP (Internet Control Message Protocol) ports to choose from, the resulting set of possible combinations for the hacker to try runs into the millions. Port scanners will be frustrated because port knocking uses closed ports to do the listening (more on this below).

The biggest advantage of all is that port knocking is platform-, service-, and application-independent: Any OS with the correct client and server software can take advantage of its protection. Although port knocking is mainly a Linux/Unix implementation, there are Windows tools that can do the same thing. And similar to IPSec and other protective mechanisms, none of the involved services or applications has to be port-knocking-aware.

Port-knocking server software works by monitoring the firewall log and looking for connections to closed ports, or by monitoring the IP stack. The former method requires that all denied connection attempts be written quickly to a firewall log, and the port-knocking service (daemon) monitors and correlates legitimate port-knocking combinations. For authenticated knocking combinations, the port-knocking server service then tells the firewall to open the final requested port for just the legitimate port-knocking client -- usually tracked by IP address.

More advanced implementations of port knocking work at the IP stack and either listen and record to connections to closed ports, or use a more sophisticated mechanism. Some implementations look for a specific series of bytes within the first connection attempt. These bytes can even be “hidden” within a simple ICMP echo request ping. Even stronger port-knocking negotiation methods involve encryption or asymmetric authentication.

Port knocking can also serve as an extra layer of security to protect high-risk remote management services, such as SSH and RDP (Remote Desktop Protocol). Unfortunately, port knocking has been used by more than a few rootkit Trojans as their hacker creators attempt to keep control of their own malicious creations.