Port Knocking
Protect your Network with Port Knocking
The End Is Nigh
The author of knockd has clearly thought further about the most relevant criticism of port knocking: the man-in-the-middle attack. If attackers spot such traffic and pick up which IP address is running port knocking, they already have more information than they should, which can help them guess at further ways to gain access.
The additional knockd feature that, I have to admit, really intrigues me uses a sophisticated series of one-off, unique sequences. In other words, although your destination IP address might be revealed, even attackers who manage to uncover your port knocking sequence (i.e., your secret knock) and repeat it will fail, because each sequence simply expires after a single use.
To enable this excellent feature, all you do is replace the sequence config line with the path to your sequences file (preferably auto-generated by a script):
one_time_sequences = /etc/knockd/one_time_sequences
This file could be brimming with easily remembered one-time sequences, such as obfuscated phone numbers, dates of birth, or other numbers.
Using this method in combination with closing the firewall again within 10 seconds (once you have successfully spawned your own SSH session),
cmd_timeout = 10
makes for a truly powerful addition to your security arsenal.
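As an added example (my own script, not code from the article or from the knockd project), here is a POSIX shell script that generates the sequences file the one_time_sequences line points at, checks that every unused line is a well-formed knock, and reports how many knocks are left. It assumes the path /etc/knockd/one_time_sequences from the article and that knockd marks a used line by writing '#' at its start, as its man page describes; the plain comma-separated port-list form is the only one it handles.

```shell
#!/bin/sh
# Writes a knockd one_time_sequences file: one knock per line, each a
# comma-separated port list in the format of knockd's "sequence" option.
# knockd writes '#' at the start of a line once it has been used, so the file
# must be writable by knockd and regenerated before the last line is spent.
# random_port LOW HIGH: a port in [LOW, HIGH] from two /dev/urandom bytes
# (reduced modulo the span; the slight bias does not matter here).
random_port() {
    rp_span=$(($2 - $1 + 1))
    rp_raw=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(($1 + rp_raw % rp_span))
}

# gen_sequences COUNT LEN OUT: COUNT knocks of LEN distinct ports each,
# written to OUT with mode 0600 (the file is a list of one-time passwords).
gen_sequences() {
    gs_out=$3
    : > "$gs_out" && chmod 600 "$gs_out"
    gs_i=0
    while [ "$gs_i" -lt "$1" ]; do
        gs_knock=""; gs_j=0
        while [ "$gs_j" -lt "$2" ]; do
            gs_p=$(random_port 10000 60000)
            # redraw if this port is already in the knock
            case ",$gs_knock," in *",$gs_p,"*) continue ;; esac
            gs_knock="${gs_knock:+$gs_knock,}$gs_p"
            gs_j=$((gs_j + 1))
        done
        printf '%s\n' "$gs_knock" >> "$gs_out"
        gs_i=$((gs_i + 1))
    done
}

# validate_sequences FILE: fail unless every unused line is a well-formed
# knock of ports 1..65535 (lines knockd has marked with '#' are skipped).
validate_sequences() {
    vs_file=$1
    while IFS= read -r vs_line; do
        case $vs_line in '#'*|'') continue ;; esac
        printf '%s\n' "$vs_line" | grep -Eq '^[0-9]{1,5}(,[0-9]{1,5})*$' || return 1
        vs_oldifs=$IFS; IFS=,; set -- $vs_line; IFS=$vs_oldifs
        for vs_p; do [ "$vs_p" -ge 1 ] && [ "$vs_p" -le 65535 ] || return 1; done
    done < "$vs_file"
}

# remaining_sequences FILE: count of unused knocks left; watch this so the
# file is regenerated before knockd runs dry and you lock yourself out.
remaining_sequences() { grep -c '^[0-9]' "$1" || true; }
# usage: sh gen_ots.sh COUNT LEN /etc/knockd/one_time_sequences
if [ "$#" -eq 3 ]; then gen_sequences "$1" "$2" "$3"; fi
```

Run it from cron or a deployment script and alert when remaining_sequences drops below a threshold, since an exhausted file leaves you with no way to open the door.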
Conclusion
In this article, I've covered a few very relevant but ultimately different topics. I started with the problematic scenario of ever-changing remote IP addresses and the lack of control over those addresses when working away from the office. I hope I've suitably extolled the virtues of knockd, to the point that you might try installing it yourself.
Finally, my task will be complete if, with some considered customization, you feel comfortable enough to devise a creative security solution using this package alongside PortSentry and to deploy it with other powerful tools to improve your server security and make the Internet a safer place.
Infos
- Customizing PortSentry: http://www.admin-magazine.com/Articles/Customizing-PortSentry/(language)/eng-US
- Pasmal: http://sourceforge.net/projects/pasmal/
- Doorman: http://doorman.sourceforge.net/