LinuxCommandLibrary

knockd

Open ports based on a secret knock

TLDR

Start knockd system daemon

$ knockd [[-d|--daemon]]

Use specified configuration file for knockd

$ knockd [[-c|--config]] [path/to/file].configuration

SYNOPSIS

knockd [options]

PARAMETERS

-c, --configfile=<filename>
    Specify configuration file (default: /etc/knockd.conf)

-d, --daemon
    Daemonize and run in background

-v, --verbose
    Increase verbosity (repeatable for more detail)

-V, --version
    Display version information

-h, --help
    Show help summary

-i, --interface=<name>
    Listen only on specified network interface

-l, --loglevel=<#>
    Set logging level (0-4, default: 1)

-L, --logfile=<filename>
    Log to specified file instead of syslog

-n, --no-syslog
    Disable syslog logging

-s, --stdout
    Log to stdout (useful with -D)

-D, --debug
    Debug mode: no daemonize, log to stderr

DESCRIPTION

knockd is a Linux daemon implementing port knocking, a security technique where closed ports respond to specific sequences of connection attempts (TCP or UDP). When knockd detects the correct sequence, it executes a command, typically to open a firewall port via iptables or ip6tables.

Port knocking adds an extra layer of security to services by keeping ports closed until 'knocked' with the secret sequence. For example, a sequence knocking on ports 7000, 8000, 9000 might trigger opening SSH on port 22 for 5 minutes.

Configuration is done via /etc/knockd.conf, defining interfaces, sequences, and actions (e.g., iptables commands). knockd runs as root, listening on raw sockets for efficiency. It's lightweight, logging to syslog or a file, with tunable verbosity.

Common use: Protect SSH from brute-force attacks. Clients use the knock command to send sequences. Limitations include vulnerability to spoofing without encryption and issues with NAT/stateful firewalls, but it's effective for paranoid setups.

CAVEATS

Requires root privileges; vulnerable to port scan detection or spoofing; config errors can lock out access; test thoroughly before production.

CONFIG EXAMPLE

[openSSH]
    sequence      = 7000,8000,9000
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 300
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Two "command" lines in one section would not open and then close the port: the second key simply overrides the first. Pairing start_command with stop_command and cmd_timeout (300 seconds here, the five minutes mentioned in DESCRIPTION) makes knockd run the closing rule itself, and tcpflags = syn ensures only fresh connection attempts count as knocks.
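The matching behaviour described in DESCRIPTION and driven by the configuration above can be modelled in a few dozen lines. The following Python is an added illustration, not code from knockd itself: it parses the subset of knockd.conf keys used on this page (sequence, seq_timeout, tcpflags, command/start_command, cmd_timeout, stop_command), then replays constructed SYN events through a per-source state machine that mirrors knockd's outline: only ports that belong to a sequence are watched, a wrong port breaks the attempt, a sequence that takes longer than seq_timeout is forgotten, and completion yields the command with %IP% substituted plus a scheduled stop. The configuration text, the 192.0.2.x addresses and the event timings are all constructed sample data.

```python
"""Toy model of knockd's sequence matching (added illustration, not knockd's own code)."""
from dataclasses import dataclass


@dataclass
class Door:
    name: str
    sequence: list            # [(port, proto), ...] in the order they must arrive
    seq_timeout: float        # seconds allowed for the whole sequence
    start_command: str        # run with %IP% replaced when the sequence completes
    stop_command: str = ""    # run cmd_timeout seconds later, if set
    cmd_timeout: float = 0.0


def parse_knockd_conf(text):
    """Parse the [section] / key = value subset of knockd.conf used on this page."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None:
            continue                                  # key outside any section: ignore
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    doors = []
    for name, kv in sections.items():
        if name == "options":                         # global section, has no sequence
            continue
        seq = []
        for item in kv["sequence"].split(","):
            port, _, proto = item.strip().partition(":")
            seq.append((int(port), proto or "tcp"))   # knockd's default protocol is tcp
        doors.append(Door(name, seq, float(kv.get("seq_timeout", 25)),
                          kv.get("start_command") or kv["command"],
                          kv.get("stop_command", ""), float(kv.get("cmd_timeout", 0))))
    return doors


@dataclass
class Attempt:
    stage: int        # number of knocks matched so far
    started: float    # time of the first matching knock


class KnockTracker:
    """Per-source sequence matcher for one door (simplified model of knockd's logic)."""

    def __init__(self, door):
        self.door = door
        self.attempts = {}                                # src_ip -> Attempt
        self.actions = []                                 # (time, command) to execute
        self.watched = {p for p, _ in door.sequence}      # like knockd's pcap filter

    def packet(self, t, src_ip, dport, proto, syn=True):
        """Feed one packet; return the command fired at this instant, if any."""
        if dport not in self.watched or not syn:          # tcpflags = syn: only new SYNs count
            return None
        attempt = self.attempts.get(src_ip)
        if attempt and t - attempt.started > self.door.seq_timeout:
            del self.attempts[src_ip]                     # too slow: forget the whole attempt
            attempt = None
        if attempt is None:
            if (dport, proto) != self.door.sequence[0]:
                return None
            attempt = self.attempts[src_ip] = Attempt(0, t)
        elif (dport, proto) != self.door.sequence[attempt.stage]:
            del self.attempts[src_ip]                     # wrong port: sequence broken
            return None
        attempt.stage += 1
        if attempt.stage < len(self.door.sequence):
            return None
        del self.attempts[src_ip]
        cmd = self.door.start_command.replace("%IP%", src_ip)
        self.actions.append((t, cmd))
        if self.door.stop_command and self.door.cmd_timeout > 0:
            # knockd runs stop_command cmd_timeout seconds later; we only record when
            self.actions.append((t + self.door.cmd_timeout,
                                 self.door.stop_command.replace("%IP%", src_ip)))
        return cmd


# Constructed configuration, matching the CONFIG EXAMPLE layout.
SAMPLE_CONF = """
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence      = 7000,8000,9000
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 300
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

# Constructed SYN events: (time in seconds, source IP, destination port, protocol).
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 7000, "tcp"),    # .10: correct order within 5 s -> opens at t=2
    (0.5, "192.0.2.20", 7000, "tcp"),    # .20: skips 8000 -> attempt dropped
    (1.0, "192.0.2.10", 8000, "tcp"),
    (1.5, "192.0.2.20", 9000, "tcp"),
    (2.0, "192.0.2.10", 9000, "tcp"),
    (3.0, "192.0.2.30", 7000, "tcp"),    # .30: right order but exceeds seq_timeout
    (4.0, "192.0.2.10", 22, "tcp"),      # port 22 is not watched: no effect on anything
    (10.0, "192.0.2.30", 8000, "tcp"),
    (11.0, "192.0.2.30", 9000, "tcp"),
]


def replay(conf_text, events):
    """Run events through every door in time order; return sorted (time, command) pairs."""
    trackers = [KnockTracker(d) for d in parse_knockd_conf(conf_text)]
    for t, src, dport, proto in sorted(events):
        for tracker in trackers:
            tracker.packet(t, src, dport, proto)
    return sorted(a for tracker in trackers for a in tracker.actions)


if __name__ == "__main__":
    for when, cmd in replay(SAMPLE_CONF, SAMPLE_EVENTS):
        print(f"t={when:6.1f}s  {cmd}")
```

Only 192.0.2.10 ever gets port 22 opened (at t=2, closed again at t=302); the out-of-order and the too-slow knockers produce nothing, and the unrelated SYN to port 22 neither helps nor breaks a sequence because knockd only captures the sequence ports. The same replay is a cheap way to sanity-check a knockd.conf against expected client behaviour before deploying it, which is the "test thoroughly before production" advice in CAVEATS.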

SECURITY NOTE

Use with fwknop for single-packet knocking to avoid sequence timing issues.

HISTORY

Developed by Robin Davies in 2003 as an open-source port knocking implementation. Maintained sporadically; latest stable release around 0.7.x (2012). Widely used in security hardening guides.

SEE ALSO

knock(1), iptables(8), ip6tables(8), syslogd(8)
