LinuxCommandLibrary

knockd

Open ports based on a secret knock

TLDR

Start knockd system daemon

$ knockd [[-d|--daemon]]

Use specified configuration file for knockd
$ knockd [[-c|--config]] [path/to/file].configuration

SYNOPSIS

knockd [options]

PARAMETERS

-d
    Daemonize. Runs knockd in the background as a daemon.


-i <interface>
    Interface. Specifies the network interface to listen on (e.g., eth0).


-c <config_file>
    Config file. Specifies an alternative configuration file path instead of the default (/etc/knockd.conf).


-v
    Verbose. Enables verbose logging, printing more information to syslog.


-V
    Version. Displays the version information of knockd.


-h
    Help. Displays a brief help message and exits.


-l <log_level>
    Log Level. Sets the syslog logging level (e.g., debug, info, notice, warning, err, crit, alert, emerg).


-p <pid_file>
    PID File. Specifies an alternative PID file path.


DESCRIPTION

knockd is a specialized daemon designed to implement a security technique known as port knocking. Instead of leaving sensitive service ports open and visible, knockd keeps them closed by default.

It then monitors a series of "knocks" – connection attempts on specific, otherwise closed, ports. If a client sends connection attempts in a pre-defined sequence to these ports, knockd executes a command. This command is typically used to dynamically modify firewall rules (e.g., using iptables) to temporarily open the desired service port for the client's IP address. This effectively makes services invisible to port scanners and reduces the attack surface, as attackers cannot easily detect the presence of services like SSH or VPN.

Once the service is accessed or a timeout occurs, knockd can be configured to close the port again. It's a layer of obscurity, not encryption, and should be combined with strong authentication.

CAVEATS

knockd provides a layer of security through obscurity, making services harder to find, but it is not a substitute for strong authentication and encryption.

Potential limitations include:
Replay Attacks: Without mechanisms like one-time passwords or sequence randomization, a recorded knock sequence can be replayed.
DDoS Amplification: With UDP knocks in particular, a knockd instance that is reachable from the internet and configured to send responses to knocks could be abused as a reflector in reflection/amplification attacks, so such setups need careful configuration.
Reliability: UDP knocks are connectionless and less reliable than TCP knocks, which can lead to missed knocks.
Configuration Complexity: Proper configuration of knockd and associated firewall rules requires careful attention to detail.
Stateful Firewalls: Port knocking works by reacting to connection attempts. If the firewall is overly restrictive and drops even attempts to closed ports without logging, knockd won't "see" the knocks.

CONFIGURATION FILE

The primary configuration for knockd is typically located at /etc/knockd.conf.
This file defines the sequences of ports to listen for, the commands to execute upon successful knocking (e.g., iptables commands to open a port), and commands to execute after a timeout (e.g., to close the port again). Each sequence is defined within an [openSSH] or similar section, specifying sequence, seq_timeout, command, and optionally tcpflags and start_command/stop_command.

USAGE EXAMPLE

A common setup involves hiding the SSH port (22). A knockd.conf entry might look like this:
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

This configuration would open port 22 for the knocking IP after a SYN connection attempt to ports 7000, 8000, and 9000 within 10 seconds. knockd then typically runs stop_command after a set period or upon client disconnect, removing the rule.
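As an added example (not code from the knockd project or from this page), the following Python script parses the knockd.conf section above with configparser and replays a constructed log of SYN packets through a simplified model of the sequence matching described in DESCRIPTION: knocks must hit the ports in order, within seq_timeout seconds of the first knock, and a wrong port discards the attempt. The client addresses and timings are constructed, and the model ignores tcpflags and other knockd options.

```python
import configparser

# knockd.conf text constructed for this example (the section from the usage example above).
KNOCKD_CONF = """
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

def load_doors(text):
    """Parse each [door] section of a knockd.conf into sequence/timeout/command."""
    # interpolation=None keeps %IP% literal; configparser would otherwise reject it.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    doors = {}
    for name in cp.sections():
        sec = cp[name]
        doors[name] = {"sequence": [int(p) for p in sec["sequence"].split(",")],
                       "seq_timeout": int(sec["seq_timeout"]),
                       "command": sec.get("command") or sec.get("start_command")}  # synonyms
    return doors

def match_knocks(door, syn_packets):
    """Simplified model of knockd's per-client state over (time, src_ip, dport) SYNs.
    Returns one (time, ip, expanded command) tuple per completed sequence."""
    seq, timeout = door["sequence"], door["seq_timeout"]
    pending = {}                    # ip -> (index of next expected port, time of first knock)
    opened = []
    for t, ip, port in syn_packets:
        idx, started = pending.get(ip, (0, t))
        if idx and t - started > timeout:    # too slow: the attempt starts over
            idx, started = 0, t
        if port != seq[idx]:                 # wrong port: attempt discarded
            pending.pop(ip, None)
        elif idx + 1 == len(seq):            # final knock: expand %IP% as knockd does
            opened.append((t, ip, door["command"].replace("%IP%", ip)))
            pending.pop(ip, None)
        else:
            pending[ip] = (idx + 1, started)
    return opened

# Constructed SYN log in time order: a valid client (203.0.113.5), an out-of-order
# scanner (198.51.100.9) and a client whose last knock arrives after seq_timeout (192.0.2.77).
PACKETS = [
    (0.0, "203.0.113.5", 7000), (0.5, "198.51.100.9", 9000), (0.6, "198.51.100.9", 8000),
    (0.7, "198.51.100.9", 7000), (1.0, "203.0.113.5", 8000), (2.0, "203.0.113.5", 9000),
    (5.0, "192.0.2.77", 7000), (6.0, "192.0.2.77", 8000), (17.0, "192.0.2.77", 9000),
]
```

Calling `match_knocks(load_doors(KNOCKD_CONF)["openSSH"], PACKETS)` returns a single opening, for 203.0.113.5 at t=2.0 with %IP% substituted into the iptables command; the scanner and the slow client never complete the sequence.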

HISTORY

knockd was initially developed by Judd Vinet and released under the GPL. It emerged as a practical open-source implementation of the port knocking concept, which gained popularity as a simple yet effective method to enhance the security posture of network services by hiding them from casual port scans. Its development has focused on providing a robust and flexible daemon for managing dynamic firewall rules based on knock sequences, becoming a widely adopted tool in scenarios where hiding services is beneficial.

SEE ALSO

iptables(8): Linux firewall administration tool, commonly used by knockd to open/close ports.
firewalld(1): Daemon that provides a dynamically managed firewall with support for network zones.
ss(8): Utility to investigate sockets, useful for checking network connections.
netstat(8): (Deprecated in favor of ss) Another tool for network statistics.
nmap(1): Network scanner, often used by attackers (and defenders) to find open ports.
ssh(1): Secure Shell client, a common target for port knocking protection.
tcpdump(1): Packet analyzer, useful for debugging knock sequences.
