LinuxCommandLibrary

knock

Port knocking: open ports with secret sequence

TLDR

Knock on ports using different protocols

$ knock [hostname] [portnumber]:[protocol]

Knock on a port using UDP
$ knock [[-u|--udp]] [hostname] [portnumber]

Force usage of IPv4/IPv6
$ knock [-4|-6] [hostname] [portnumber]

Display errors and connection details
$ knock [[-v|--verbose]] [hostname] [portnumber]

SYNOPSIS

knock [options] host port1 port2 ...

PARAMETERS

-v, --verbose
    Enable verbose output for debugging knocks.


-D, --dump
    Dump the knock sequence to stdout instead of sending it.


-C, --close
    Send a close sequence to lock the port (default is open sequence).


-s IP, --source-ip=IP
    Specify source IP address for the packets.


-h, --help
    Display help summary and exit.


-V, --version
    Show version information and exit.


DESCRIPTION

The knock command is a lightweight client utility for performing port knocking, a security technique where a specific sequence of TCP or UDP packets is sent to closed ports on a target host. The server-side daemon, typically knockd, monitors these knocks and temporarily opens a service port (e.g., SSH) upon matching the sequence.

Port knocking enhances security by hiding services from port scanners until the correct knock pattern is received. knock supports both open and close sequences, verbose logging, and custom source IPs. It is invoked by specifying the target hostname/IP followed by the port sequence, with an optional :tcp or :udp suffix on each port as shown in the synopsis above, e.g., knock host 3000:tcp 4000.

Originally designed for stealthy access control, it is protocol-agnostic within TCP/UDP but requires precise timing on the server. While effective against casual scans, it is vulnerable to network sniffing without encryption. Widely used in firewalls and embedded systems for its simplicity and low overhead.

CAVEATS

Knock sequences travel in cleartext and can be captured by packet sniffing; use them together with VPN/IPsec when security matters. Server-side knockd must be configured and running. Not suitable for high-traffic environments, because the server enforces timing between knocks.

EXAMPLE USAGE

Open sequence: knock example.com 7000 8000 9000
Close sequence: knock -C example.com 9000 8000 7000
Verbose with source IP: knock -v -s 192.168.1.100 target 3000:tcp

PROTOCOL SUPPORT

Each port can be suffixed with :tcp or :udp (default TCP), e.g., knock host 22:tcp 80:udp.
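To make the open/close examples and the port[:proto] syntax above concrete, here is a minimal knocking client written for this page in Python; it is an added example, not code from the knock project. It parses a sequence the way knock does, sends each knock (a TCP connect attempt that is expected to be refused, or a single UDP datagram), and then checks whether the guarded service port now accepts a connection. The host and port values are placeholders for a host you administer.

```python
# Added example (not the knock project's code): a minimal knocking client that
# mirrors knock's port[:proto] syntax and then checks whether the guarded
# service accepts connections. Host and port values are placeholders.
import socket
import sys
import time

def parse_sequence(specs):
    """['7000', '8000:udp'] -> [(7000, 'tcp'), (8000, 'udp')]; rejects bad specs."""
    sequence = []
    for spec in specs:
        port_str, _, proto = spec.partition(":")
        proto = (proto or "tcp").lower()  # TCP is knock's default protocol
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in {spec!r}")
        port = int(port_str)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {spec!r}")
        sequence.append((port, proto))
    return sequence

def send_knock(host, port, proto, timeout=0.5):
    """One knock: a TCP connect attempt (normally refused) or one UDP datagram."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(b"", (host, port))
        return
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # the SYN is the knock; RST or timeout is normal
        except OSError:
            pass

def knock(host, sequence, delay=0.2):
    # Send the knocks in order, spaced so knockd sees a sequence, not a burst.
    for port, proto in sequence:
        send_knock(host, port, proto)
        time.sleep(delay)

def port_open(host, port, timeout=2.0):
    """True if the guarded TCP service now accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":  # usage: knock_client.py HOST SERVICE_PORT PORT[:proto]...
    knock(sys.argv[1], parse_sequence(sys.argv[3:]))
    print("service open" if port_open(sys.argv[1], int(sys.argv[2])) else "still closed")
```

Running it as `python3 knock_client.py example.com 22 7000 8000:udp 9000` sends the page's open sequence (with the middle knock over UDP) and reports whether SSH answered afterwards; passing the ports in reverse order sends the conventional close sequence.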

HISTORY

Developed by Majed Itani around 2002 as a proof-of-concept for port knocking. Maintained by Robin Owens (Jared Stafford) in the knock package, with versions up to 0.7. Last significant updates in early 2010s; remains stable for Linux distributions.

SEE ALSO

knockd(8), nmap(1), hping3(8)
