Port Knocking FAQ

What is Port Knocking?

Port Knocking is a technique that allows a client to remotely open a port on a distant machine. This can be achieved in many ways, but in general a client sends a specific sequence of connection attempts to a listening server. The server detects this sequence and opens one of its ports so the client machine can connect to it. Because the protected ports appear to be closed, attackers who scan your network for open ports do not find the services behind them, and cannot attack those services with 0-day exploits.

The following diagrams show the basics of Port Knocking (the images are not reproduced here; only their captions survive):

Port Knocking: Step 1
Port Knocking: Step 2
Port Knocking: Step 3
Port Knocking: Step 4
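The mechanism described above, as an added example that is not code from the FAQ or from any of the implementations it names: the server side of classic sequence-based port knocking, written as a per-source state machine. The knock sequence (7000, 8000, 9000), the protected port (22), the timing values, the source addresses and the event log are all constructed for this example; the log mimics the records a firewall produces for attempts on closed ports.

```python
"""Sequence-based port knocking: the server-side state machine.

Added example, not code from the FAQ or from any project it mentions.
A client sends connection attempts to a secret sequence of closed ports;
the server watches those attempts per source address and, once the whole
sequence arrives in order within a time window, opens the protected port
for that source for a short lease. All values below are constructed.
"""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence (constructed)
PROTECTED_PORT = 22                   # the port the knock unlocks (assumed)
WINDOW_SECONDS = 10.0                 # the sequence must complete within this
OPEN_SECONDS = 30.0                   # how long the port stays open afterwards


@dataclass
class Progress:
    index: int          # how many knocks of the sequence have matched so far
    first_seen: float   # timestamp of the first matching knock


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS,
                 open_for=OPEN_SECONDS):
        self.sequence = sequence
        self.window = window
        self.open_for = open_for
        self.progress = {}   # source address -> Progress
        self.opened = {}     # source address -> expiry timestamp

    def knock(self, ts, src, dport):
        """Record one connection attempt to a closed port.

        Returns True when this attempt completes the sequence for `src`.
        Any attempt that is not the next expected port resets that source's
        progress, so a probe that happens to hit one knock port gains nothing
        unless it also hits the rest, in order and in time.
        """
        state = self.progress.get(src)
        if state is not None and ts - state.first_seen > self.window:
            state = None                       # partial sequence went stale
        expected_index = state.index if state else 0
        if dport != self.sequence[expected_index]:
            # Wrong port: drop progress, but let this attempt start a new
            # sequence if it is the first knock.
            self.progress.pop(src, None)
            if dport == self.sequence[0]:
                self.progress[src] = Progress(index=1, first_seen=ts)
            return False
        if state is None:
            state = Progress(index=0, first_seen=ts)
        state.index += 1
        if state.index == len(self.sequence):
            self.opened[src] = ts + self.open_for
            self.progress.pop(src, None)
            return True
        self.progress[src] = state
        return False

    def is_open(self, ts, src):
        """True if the protected port is currently open for `src`."""
        expiry = self.opened.get(src)
        if expiry is None:
            return False
        if ts > expiry:
            del self.opened[src]               # lease expired, close again
            return False
        return True


# Constructed event log: "<timestamp> <source address> <destination port>".
EVENT_LOG = """\
1000.0 203.0.113.5 7000
1001.0 203.0.113.5 8000
1002.0 203.0.113.5 9000
1003.0 203.0.113.5 22
1000.5 198.51.100.9 7000
1001.5 198.51.100.9 9000
1002.5 198.51.100.9 22
1010.0 192.0.2.77 7000
1025.0 192.0.2.77 8000
1026.0 192.0.2.77 9000
1027.0 192.0.2.77 22
"""


def replay(log_text, daemon=None):
    """Feed log lines to a KnockDaemon in timestamp order.

    Returns {source: [events]} where an event is "opened" (sequence completed),
    "allowed" (attempt on the protected port accepted) or "denied".
    """
    daemon = daemon or KnockDaemon()
    events = {}
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dport = line.split()
        records.append((float(ts), src, int(dport)))
    for ts, src, dport in sorted(records):
        if dport == PROTECTED_PORT:
            verdict = "allowed" if daemon.is_open(ts, src) else "denied"
            events.setdefault(src, []).append(verdict)
        elif daemon.knock(ts, src, dport):
            events.setdefault(src, []).append("opened")
    return events


if __name__ == "__main__":
    for src, evs in replay(EVENT_LOG).items():
        print(src, evs)
```

In the constructed log only 203.0.113.5 completes the sequence in order and within the window, so only its later attempt on port 22 is allowed; 198.51.100.9 sends the knocks out of order, and 192.0.2.77 lets 15 seconds pass between the first two knocks, so both are denied. Note that the daemon never answers a knock, which is what keeps the protected port invisible to a scan.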

Why Port Knocking?

Because most software has vulnerabilities, and system administrators can no longer rely on the security provided by software manufacturers. Thousands of bugs that could be exploited by malicious attackers have been found in all kinds of network services. Those bugs are often fixed weeks, months or even years after they were made public, so the window of exposure for some vulnerabilities can be very long. Critical systems need additional layers of security to prevent zero-day exploit attacks against running services, and this is where port knocking comes in handy.

Who can benefit from Port Knocking?

System administrators that want to protect network services that are intended to be used by just a few authorized users. For example, administration consoles, web-based administration interfaces, SSH, databases, etc.

System administrators that want to protect legacy services that are known to have serious vulnerabilities but that for some reason cannot be disabled.

Anybody that wants to add another layer of security to critical services like SSH.

When should Port Knocking NOT be used?

Port knocking is not recommended for public servers or services that will be used by the general public. For example, it is not a very good idea to protect a Web server with a Port Knocking daemon, because every user that wanted to access a web page would have to use a port knocking client before establishing any connection to the web server.

Is it safe? Isn't it just security through obscurity?

Yes and no. Some implementations are just a 'proof of concept' or just provide additional layers of obscurity. Modern Port Knocking implementations like Fwknop or Aldaba provide encryption-based knocking mechanisms that make Port Knocking much more than "security through obscurity".
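What separates a keyed knock from a plain port sequence, as an added example (not code from the FAQ, and not the wire format of Fwknop or Aldaba): the client sends one datagram whose contents (client id, requested port, timestamp, random nonce) are bound to a pre-shared key by an HMAC, and the server accepts it only if the tag verifies, the timestamp is fresh and the nonce has not been seen. A recorded datagram is therefore useless to an observer, and a new one cannot be forged without the key. The shared key, client id, port and timing values are constructed; the implementations the FAQ names additionally encrypt the payload, which this simplified scheme does not.

```python
"""Authenticated knock verification with replay protection.

Added example, not code from the FAQ and not the wire format of Fwknop or
Aldaba. One datagram carries client id, requested port, timestamp and a
random nonce, bound to a pre-shared key by HMAC-SHA256. The server accepts
only fresh, correctly keyed, never-seen knocks. All values are constructed.
"""
import hashlib
import hmac
import json
import os

SHARED_KEY = b"constructed-example-key-do-not-deploy"   # assumed pre-shared key
MAX_SKEW_SECONDS = 30.0   # how far a knock's timestamp may drift from server time


def build_knock(key, client_id, port, now, nonce=None):
    """Client side: serialise the request and append its HMAC-SHA256 tag."""
    body = {
        "client": client_id,
        "port": port,
        "ts": round(now, 3),
        "nonce": (nonce or os.urandom(12)).hex(),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class KnockVerifier:
    """Server side: accept only fresh, correctly keyed, never-seen knocks."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = {}   # nonce -> knock timestamp, for replay rejection

    def verify(self, datagram, now):
        """Return (accepted, reason, port). Port is None unless accepted."""
        try:
            payload, tag = datagram.rsplit(b".", 1)
        except ValueError:
            return False, "malformed", None
        # Check the MAC before parsing anything, with a constant-time compare.
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad-mac", None
        body = json.loads(payload)
        # A knock far outside the window is rejected even if its MAC is valid.
        if abs(now - body["ts"]) > self.max_skew:
            return False, "stale", None
        self._forget_expired(now)
        if body["nonce"] in self.seen_nonces:
            return False, "replay", None
        self.seen_nonces[body["nonce"]] = body["ts"]
        return True, "ok", body["port"]

    def _forget_expired(self, now):
        # Nonces older than the window would fail the staleness check anyway,
        # so the replay cache only has to cover the window.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= self.max_skew}


def demo(now=1_700_000_000.0):
    """Run the verifier over one valid knock and several bad ones; return the verdicts."""
    verifier = KnockVerifier(SHARED_KEY)
    knock = build_knock(SHARED_KEY, "alice-laptop", 22, now)
    payload, tag = knock.rsplit(b".", 1)
    tampered = payload.replace(b'"port":22', b'"port":3389') + b"." + tag
    trials = [
        verifier.verify(knock, now + 1.0),                                   # fresh and valid
        verifier.verify(knock, now + 2.0),                                   # same bytes again
        verifier.verify(tampered, now + 1.0),                                # payload edited
        verifier.verify(build_knock(b"wrong-key", "alice-laptop", 22, now), now + 1.0),
        verifier.verify(build_knock(SHARED_KEY, "alice-laptop", 22, now - 600.0), now),
    ]
    return [(accepted, reason) for accepted, reason, _ in trials]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of checks matters: the MAC is verified before the payload is parsed, so unauthenticated input never reaches the JSON parser, and the nonce cache is bounded by the same window that the timestamp check enforces, so it cannot grow without limit.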

What else can Port Knocking be used for?

Backdoors. Usually network administrators run port scans on their networks to detect unauthorized listening services. Port Knocking-based backdoors are much more difficult to detect remotely.

Are there many implementations of Port Knocking?

Yes. Although Port Knocking is a relatively new technique, there are already many working implementations. However, most of them are just proofs of concept or too simple to be used in real situations.