knock
Port knocking: open ports with secret sequence
TLDR
Knock on ports using different protocols
Knock on port using UDP
Force usage of IPv4/IPv6
Display errors and details of connection
SYNOPSIS
knock [-u] [-t timeout] [-d delay] [-s srcip] [-v] [-h] host port1 [port2 ...]
PARAMETERS
host
The IP address or hostname of the target machine to send the knock sequence to.
port1 [port2 ...]
One or more port numbers representing the knock sequence. These are the ports to which knock will send packets in the specified order.
-u
Use UDP packets instead of the default TCP SYN packets for the knock sequence. This is essential if the server's knockd daemon is configured for UDP knocks.
-t timeout
Set the TCP connect timeout in milliseconds for each knock. The default value is 1000ms (1 second).
-d delay
Set the delay in milliseconds between sending each packet in the knock sequence. The default delay is 1000ms (1 second).
-s srcip
Specify the source IP address to use for the outgoing knock packets. This is useful for systems with multiple network interfaces or specific routing requirements.
-v
Enable verbose output, which provides more detailed information about the knocking process, including the sequence of ports being attempted.
-h
Display a brief help message with command usage and available options, then exit.
DESCRIPTION
knock is a client-side utility used for port knocking, a network security technique for externally opening ports on a firewall. Instead of leaving ports constantly open and visible, port knocking allows services to remain hidden behind a firewall until a specific, pre-determined sequence of connection attempts (knocks) is performed on a series of closed ports on the target host.
The knock command sends a sequence of TCP SYN packets (by default) or UDP packets to the specified ports on the target machine. When a corresponding knockd daemon running on the server detects the correct sequence from a source address, it can dynamically modify firewall rules (e.g., using iptables or nftables) to temporarily open a specific port for that client's IP address. This reduces the attack surface by keeping services invisible to unauthorized scans and probes; it adds a layer of obscurity in front of a service rather than replacing the service's own authentication.
CAVEATS
Port knocking, while useful for obscurity and reducing the attack surface, is not a strong authentication mechanism on its own. The knock sequence can be vulnerable to packet sniffing (if not combined with encrypted tunnels), replay attacks, and brute-force attempts if proper additional security measures (like strong firewalls, rate limiting, and robust authentication on the server side) are not in place. It relies on the assumption that an attacker does not know or cannot guess the sequence. It is often used as a first layer of defense and should be combined with more robust authentication for sensitive services like SSH.
BASIC USAGE EXAMPLE
To send a knock sequence of ports 7000, 8000, and 9000 to a host named 'myhost.example.com' with a 500ms delay between each knock, which might then open port 22 (SSH) for your IP:
knock -d 500 myhost.example.com 7000 8000 9000
Alternatively, for a UDP knock sequence:
knock -u myhost.example.com 12345 23456 34567
SERVER-SIDE REQUIREMENT
It is crucial to understand that the knock command is solely the client-side tool. For port knocking to function correctly, a corresponding daemon (typically knockd) must be actively running on the target server. This daemon is responsible for listening for the specific knock sequences and, upon successful detection, executing pre-configured actions, such as modifying firewall rules to open or close ports.
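The DESCRIPTION and SERVER-SIDE REQUIREMENT sections above describe what the daemon does but not how a sequence detector behaves on real traffic. The following is an added example, not knockd's own code: a small knockd-style detector that keeps per-source progress through the expected port sequence, resets on an out-of-order port, abandons a partial sequence that exceeds a timeout, ignores packets of the wrong protocol (the server-side counterpart of the client's -u flag), and locks out a source after repeated failures, which is the rate limiting the CAVEATS section recommends. The event records, IP addresses, timeouts and failure thresholds are constructed for the example; the returned iptables command string is illustrative of the kind of rule a daemon might apply and is never executed here.

```python
"""knockd-style sequence detection (added example, not the knockd project's code)."""
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed event record: one packet seen by the daemon.
Knock = namedtuple("Knock", "ts src proto dport")


@dataclass
class KnockDetector:
    sequence: tuple            # expected destination-port order, e.g. (7000, 8000, 9000)
    proto: str = "tcp"         # "tcp" for SYN knocks (default), "udp" for knock -u
    seq_timeout: float = 5.0   # seconds allowed from first to last knock (assumed value)
    max_failures: int = 5      # broken sequences per source before lockout (assumed value)
    fail_window: float = 60.0  # seconds over which failures are counted (assumed value)
    _progress: dict = field(default_factory=dict)  # src -> (next_index, first_knock_ts)
    _failures: dict = field(default_factory=dict)  # src -> timestamps of broken sequences
    opened: list = field(default_factory=list)     # (ts, src) of completed sequences

    def _recent_failures(self, src, ts):
        return [t for t in self._failures.get(src, []) if ts - t <= self.fail_window]

    def is_locked_out(self, src, ts):
        """True when a source has broken too many sequences inside fail_window."""
        return len(self._recent_failures(src, ts)) >= self.max_failures

    def _record_failure(self, src, ts):
        self._failures[src] = self._recent_failures(src, ts) + [ts]
        self._progress.pop(src, None)  # a wrong port restarts the sequence from scratch

    def feed(self, knock):
        """Consume one packet; return 'open', 'partial', 'fail', 'ignored' or 'locked'."""
        if knock.proto != self.proto or knock.dport not in self.sequence:
            return "ignored"  # traffic the daemon's capture filter would not match
        if self.is_locked_out(knock.src, knock.ts):
            return "locked"   # rate limiting against brute-forcing the sequence
        idx, first_ts = self._progress.get(knock.src, (0, knock.ts))
        if idx > 0 and knock.ts - first_ts > self.seq_timeout:
            idx, first_ts = 0, knock.ts  # stale partial sequence: start over
        if knock.dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self._progress.pop(knock.src, None)
                self.opened.append((knock.ts, knock.src))
                return "open"
            self._progress[knock.src] = (idx, first_ts)
            return "partial"
        self._record_failure(knock.src, knock.ts)
        return "fail"

    def open_rule(self, src, port=22):
        """Illustrative firewall command a daemon's open action might run (not executed)."""
        return f"iptables -I INPUT -s {src} -p tcp --dport {port} -j ACCEPT"


def run_sample():
    """Replay constructed traffic against a 7000,8000,9000 TCP sequence."""
    det = KnockDetector(sequence=(7000, 8000, 9000), proto="tcp", seq_timeout=5.0)
    events = [
        Knock(0.0, "203.0.113.10", "tcp", 7000),   # legitimate client, 500 ms delay
        Knock(0.5, "203.0.113.10", "tcp", 8000),
        Knock(1.0, "203.0.113.10", "tcp", 9000),   # completes the sequence
        Knock(2.0, "198.51.100.7", "tcp", 7000),   # another host probing the ports
        Knock(2.1, "198.51.100.7", "tcp", 9000),   # out of order: fail, progress reset
        Knock(3.0, "192.0.2.44", "udp", 7000),     # UDP knock against a TCP sequence
        Knock(10.0, "198.51.100.7", "tcp", 7000),
        Knock(20.0, "198.51.100.7", "tcp", 8000),  # too slow: sequence expired, then fail
    ]
    results = [det.feed(e) for e in events]
    return det, results


if __name__ == "__main__":
    detector, outcomes = run_sample()
    for outcome, (ts, src) in zip(outcomes, [(e.ts, e.src) for e in []] or [(None, None)] * len(outcomes)):
        pass
    print(outcomes)
    for ts, src in detector.opened:
        print(f"{ts}: {src} -> {detector.open_rule(src)}")
```

Only the source that sends the exact ports in order within the timeout reaches "open"; the wrong-protocol packet never enters the state machine, and the slow second attempt is discarded because the timeout is measured from the first knock of the partial sequence rather than from the previous packet.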
HISTORY
The concept of port knocking emerged as a technique to enhance network security by making services less discoverable to unauthorized scans and probes, promoting a 'security through obscurity' approach. The knock client and its server-side counterpart, knockd, developed by Martin Herold, became a prominent open-source implementation of this technique. They gained traction as a simple yet effective way to dynamically manage firewall rules, offering a stealthy alternative to permanently open ports. Their development reflects an ongoing effort in network security to find new ways to protect exposed services without relying solely on static firewall configurations.