How to Use Port Knocking on Linux (and Why You Shouldn’t)


Port knocking is a way to secure a server by closing firewall ports, even the ones you know will be used. Those ports are opened on demand if, and only if, the connection request provides the secret knock.

Port Knocking Is a "Secret Knock"

In the 1920s, when Prohibition was in full swing, if you wanted to get into a speakeasy you had to know the secret knock and deliver it correctly to be let in.

Port knocking is a modern equivalent. If you want people to be able to reach services on your computer but you don't want to open your firewall to the internet, you can use port knocking. It lets you close the firewall ports that accept incoming connections and have them open automatically when a predefined pattern of connection attempts is made. The sequence of connection attempts acts as the secret knock. Another secret knock closes the port.

Port knocking is neat, but it's important to understand that it is an example of security through obscurity, and that concept is fundamentally flawed. The secret of how to get into the system is safe only as long as nobody outside a specific group knows it. Once the secret is out, whether it was leaked, observed, guessed, or worked out, your security is gone. You're far better off securing your server in stronger ways, such as key-based logins for an SSH server.

The most robust approaches to cybersecurity are multilayered, so port knocking should be, at most, one of those layers. The more layers the better, right? Still, you could argue that port knocking adds little (if anything) to a properly hardened and secured system.

Cybersecurity is a vast and complex subject, but whatever else you do, don't use port knocking as your only form of defense.

RELATED: How to Create and Install SSH Keys From the Linux Shell

Installing knockd

To demonstrate port knocking, we'll use it to control port 22, the SSH port. We'll use a tool called knockd. Use apt-get to install it if you're on Ubuntu or another Debian-based distribution; on other Linux distributions, use your distribution's own package management tool instead.

Type the following:

sudo apt-get install knockd

You probably already have the iptables firewall on your system, but you may need to install the iptables-persistent package. It handles the automatic loading of saved iptables rules.

Type the following to install it:

sudo apt-get install iptables-persistent

When the IPv4 configuration screen appears, press the spacebar to accept the "Yes" option.

Press the spacebar again on the IPv6 configuration screen to accept the "Yes" option and move on.

The following command tells iptables to allow established and ongoing connections to continue. We'll then issue another command to close the SSH port, and if someone is connected by SSH when we do that, we don't want them to be cut off:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This command adds a rule to the firewall which says:

-A: Append the rule to the firewall rules table, that is, add it at the bottom.
INPUT: This is a rule for incoming connections.
-m conntrack: Firewall rules act on network traffic (packets) that match the rule's criteria. The -m parameter makes iptables use extra packet-matching modules; in this case, the one called conntrack works with the kernel's network connection tracking features.
--ctstate ESTABLISHED,RELATED: This specifies the connection states the rule applies to, namely ESTABLISHED and RELATED connections. An established connection is one that is already in progress. A related connection is a new connection created because of an action on an established connection. Perhaps someone who is connected wants to download a file; that might happen over a new connection initiated by the host.
-j ACCEPT: If the traffic matches the rule, jump to the ACCEPT target in the firewall. In other words, the traffic is accepted and allowed through the firewall.

We can now issue the command to close the port:

sudo iptables -A INPUT -p tcp --dport 22 -j REJECT

This command adds a rule to the firewall which says:

-A: Append the rule to the firewall rules table, that is, add it at the bottom.
INPUT: This rule is for incoming connections.
-p tcp: This rule applies to traffic using the Transmission Control Protocol.
--dport 22: This rule applies specifically to TCP traffic that targets port 22 (the SSH port).
-j REJECT: If the traffic matches the rule, jump to the REJECT target in the firewall. So, if the traffic is rejected, it is not allowed through the firewall.

We need to start the netfilter-persistent daemon. We can do that with this command:

sudo systemctl start netfilter-persistent

We want netfilter-persistent to go through a save and reload cycle, so that it loads and takes control of the iptables rules.

Type the following commands:

sudo netfilter-persistent save

sudo netfilter-persistent reload

You've now installed the utilities and the SSH port is closed (hopefully without terminating anyone's connection). Now it's time to set up the secret knock.

Configuring knockd

There are two files you edit to configure knockd. The first is the knockd configuration file:

sudo gedit /etc/knockd.conf

The gedit editor opens with the knockd configuration file loaded.

The knockd configuration file in the gedit editor.

We'll edit this file to suit our needs. The sections we're interested in are "openSSH" and "closeSSH". The following four entries appear in each section:

sequence: The sequence of ports someone must hit to open or close port 22. The default ports are 7000, 8000, and 9000 to open it, and 9000, 8000, and 7000 to close it. You can change them or add more ports to the list. For our purposes, we'll stick with the defaults.
seq_timeout: The time window within which someone must hit the ports to open or close.
command: The command sent to the iptables firewall when the open or close action is triggered. These commands either add a rule to the firewall (to open the port) or delete it (to close the port).
tcpflags: The type of packet each port must receive in the secret sequence. A SYN (synchronize) packet is the first packet in a TCP connection request, the so-called three-way handshake.

The "openSSH" section can be read as "a TCP connection request must be made to ports 7000, 8000, and 9000, in that order and within 5 seconds, for the command to open port 22 to be sent to the firewall."

The "closeSSH" section can be read as "a TCP connection request must be made to ports 9000, 8000, and 7000, in that order and within 5 seconds, for the command to close port 22 to be sent to the firewall."

The Firewall Rules

The "command" entries in the openSSH and closeSSH sections are the same, except for one parameter. Here's how they're made up:

-A: Append the rule to the bottom of the firewall rules list (for the openSSH command).
-D: Delete the rule from the firewall rules list (for the closeSSH command).
INPUT: This rule is for incoming network traffic.
-s %IP%: The IP address of the device requesting a connection; knockd substitutes the knocking client's address here.
-p: The network protocol; in this case, TCP.
--dport: The destination port; in our example, port 22.
-j ACCEPT: Jump to the ACCEPT target in the firewall. In other words, let the packet through without the rest of the rules acting on it.

Changes to the knockd Configuration File

The changes made to the file are highlighted in red below:

The knockd configuration file in the gedit editor with the changes highlighted.

We extend "seq_timeout" to 15 seconds. That's generous, but if someone is firing off the connection requests by hand, they may need that much time.

In the "openSSH" section, we change the command's -A (append) option to -I (insert). This inserts the new firewall rule at the top of the firewall rules list. If you leave the -A option in place, the rule is appended to the list, which puts it at the bottom.

Incoming traffic is tested against each firewall rule in the list, in order. We already have a rule that closes port 22. So if the incoming traffic is tested against that rule before it reaches the rule that allows the traffic, the connection is refused; if it meets the new rule first, the connection is allowed.

The close command deletes the rule that openSSH added from the firewall rules. SSH traffic is then handled once again by the pre-existing "port 22 is closed" rule.
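The rule-ordering point above is easy to get wrong and easy to verify. The following is an added example, not part of the article: a bash function that reads `iptables -S INPUT` output and reports whether a given client's port 22 ACCEPT rule precedes the blanket REJECT rule. The sample listings and the client address 192.0.2.10 are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the article: audit whether knockd's inserted
# ACCEPT rule actually takes effect. iptables evaluates INPUT rules top
# to bottom, so a per-client ACCEPT rule for port 22 only works if it is
# listed before the blanket "--dport 22 -j REJECT" rule (hence -I, not -A).
set -eu

# Reads 'iptables -S INPUT' output on stdin. Prints "open" if the first
# ACCEPT rule for $1 on port 22 precedes the first port-22 REJECT rule,
# otherwise "closed". Exit status is 0 either way; the word is the result.
port22_state_for() {
    local ip="$1" n=0 accept_at=0 reject_at=0 line
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *"-A INPUT -s ${ip}/32 -p tcp -m tcp --dport 22 -j ACCEPT"*)
                if [ "$accept_at" -eq 0 ]; then accept_at=$n; fi ;;
            *"--dport 22 -j REJECT"*)
                if [ "$reject_at" -eq 0 ]; then reject_at=$n; fi ;;
        esac
    done
    if [ "$accept_at" -gt 0 ] && { [ "$reject_at" -eq 0 ] || [ "$accept_at" -lt "$reject_at" ]; }; then
        echo open
    else
        echo closed
    fi
}

# Constructed sample listings (192.0.2.10 is a documentation address standing
# in for the knocking client). First: the rule was inserted with -I, so it is on top.
RULES_INSERTED='-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'

# Second: the same rule appended with -A, so the REJECT rule is hit first.
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT'

printf 'inserted: %s\n' "$(printf '%s\n' "$RULES_INSERTED" | port22_state_for 192.0.2.10)"  # open
printf 'appended: %s\n' "$(printf '%s\n' "$RULES_APPENDED" | port22_state_for 192.0.2.10)"  # closed
# Live use on the knockd host (needs root): sudo iptables -S INPUT | port22_state_for <client-ip>
```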

After making these changes, save the configuration file.
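The edited /etc/knockd.conf, written out here as an added example rather than copied from the article's screenshot. The "[options]" section with UseSyslog and the /sbin/iptables path follow what the package ships by default and are assumptions; the sequences, the 15-second timeout, and the -I/-D commands are the ones the article describes.

```ini
[options]
	# Log stages and OPEN SESAME events to syslog (assumed default; this is what the
	# "tail -f /var/log/syslog" check later in the article relies on)
	UseSyslog

[openSSH]
	sequence    = 7000,8000,9000
	seq_timeout = 15
	# -I puts the per-client ACCEPT rule at the top, ahead of the "--dport 22 -j REJECT" rule
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn

[closeSSH]
	sequence    = 9000,8000,7000
	seq_timeout = 15
	# -D matches on the rule specification, so it must be identical to the rule -I inserted
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
```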

RELATED: How to Graphically Edit Text Files on Linux With gedit

Editing the knockd Control File

The knockd control file is much simpler. Before we dive in and edit it, though, we need to know the internal name of our network connection; to find it, type this command:

ip addr

The "ip addr" command in a terminal window.

The connection used by the machine used to research this article is called enp0s3. Make a note of the name of yours.

The following command opens the knockd control file for editing:

sudo gedit /etc/default/knockd

Here's the knockd control file in gedit.

The knockd control file in gedit.

The few changes we need to make are highlighted in red:

The knockd control file in gedit with the changes highlighted.

We change the "START_KNOCKD=" entry from 0 to 1.

We also remove the hash (#) from the beginning of the "KNOCKD_OPTS=" entry and replace "eth1" with the name of our network connection, enp0s3. Of course, if your network connection is eth1, you won't need to change it.

The Proof Is in the Pudding

It's time to see whether it works. We'll start the knockd daemon with this command:

sudo systemctl start knockd

Now let's hop over to another machine and try to connect. We've installed the knockd package on that computer too, not because we want to set up port knocking there, but because the knockd package provides another tool called knock. We'll use that machine to fire off our secret sequence and do the knocking for us.

Use the following command to send your secret sequence of connection requests to the ports of the port-knocking host computer at its IP address (shown here as a placeholder, since the address from the original write-up is not reproduced):

knock <IP-address> 7000 8000 9000 -d 500

This tells knock to target the computer at that IP address and send a connection request to ports 7000, 8000, and 9000 in turn, with a -d (delay) interval of 500 milliseconds between each one.

A user called "dave" then makes an SSH request to the same address:

ssh dave@<IP-address>

His connection is accepted, he enters his password, and his remote session begins. His command prompt changes from dave@nostromo to dave@howtogeek. To disconnect from the remote computer, he types:

exit

His command prompt returns to his local computer. He uses knock again, this time targeting the ports in reverse order, to close the SSH port on the remote computer:

knock <IP-address> 9000 8000 7000 -d 500

Port knocking and an SSH connection session in a terminal window.

Admittedly, that remote session wasn't especially productive, but it demonstrates opening and closing the port via port knocking, and it fits in a single screenshot.

So, what did it look like from the other side? The system administrator of the port-knocking host uses the following command to watch new entries arriving in the system log:

tail -f /var/log/syslog

A syslog showing port knocking events in a terminal window.

You see three openSSH entries. These are raised as each port in turn is targeted by the remote knock utility.
When all three stages of the trigger sequence are satisfied, an entry saying "OPEN SESAME" is logged.
The command to insert the rule into the iptables rules list is sent. It allows access via SSH on port 22 from the specific IP address of the PC that gave the correct secret knock.
The user "dave" connects for just a few seconds, then disconnects.
You see three closeSSH entries. These are raised as each port is targeted by the remote knock utility, telling the port-knocking host to close port 22.
Once all three stages have been triggered, we get the "OPEN SESAME" message again. The command is sent to the firewall to delete the rule. (Why not "CLOSE SESAME" when it's closing the port? Who knows?)

Now the only rule in the iptables rules list for port 22 is the one we typed at the start to close that port. Port 22 is closed once more.

Knocking It on the Head

That's port knocking. Treat it as a diversion and don't rely on it in the real world. Or, if you must, don't treat it as your only form of security.
