
How to Use Port Knocking on Linux (and Why You Should not)


Port knocking is a way to secure a server by closing firewall ports, even those you know will be used. Those ports are opened on demand if, and only if, the connection request provides the secret knock.

Port Knocking Is a "Secret Knock"

In the 1920s, when Prohibition was in full swing, if you wanted to get into a speakeasy you had to know the secret knock and tap it out correctly to get inside.

Port knocking is a modern equivalent. If you want people to have access to services on your computer but don't want to open your firewall to the internet, you can use port knocking. It lets you close the ports in your firewall that allow inbound connections and have them open automatically when a pre-arranged pattern of connection attempts is made. The sequence of connection attempts acts as the secret knock. Another secret knock closes the port.

Port knocking is something of a novelty, but it's important to know that it is an example of security through obscurity, and that concept is fundamentally flawed. The secret of how to access a system is safe only as long as just the members of a particular group know it. Once that secret is out, whether because it is revealed, observed, guessed, or worked out, your security is void. You are far better off securing your server in other, stronger ways, such as requiring key-based logins for an SSH server.

The most robust approaches to cybersecurity are multi-layered, so port knocking could be one of those layers. The more layers, the better, right? However, you could argue that port knocking adds little (if anything) to a properly hardened, secure system.

Cybersecurity is a vast and complicated topic, but you shouldn't use port knocking as your only form of defense.


Installing knockd

To demonstrate port knocking, we'll use it to control port 22, the SSH port, with a tool called knockd. Use apt-get to install this package on your system if you're using Ubuntu or another Debian-based distribution. On other Linux distributions, use your distribution's package management tool instead.


  sudo apt-get install knockd 

The iptables firewall is probably already installed on your computer, but you might need to install the iptables-persistent package. It handles the automatic loading of saved iptables rules.

Enter the following to install it:

  sudo apt-get install iptables-persistent 

When the IPv4 configuration screen appears, press the spacebar to accept the "Yes" option.

Press the spacebar again on the IPv6 configuration screen to accept the "Yes" option and continue.

The following command instructs iptables to allow established and related connections to continue. We'll then issue another command to close the SSH port. If someone is connected over SSH when the port is closed, this first command keeps them from being cut off:

  sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 

This command adds a rule to the firewall that reads:

  • -A : Append the rule to the firewall rules table. In other words, add it at the bottom.
  • INPUT : This is a rule for inbound connections.
  • -m conntrack : Firewall rules act on network traffic (packets) that meets the criteria in the rule. The -m parameter causes iptables to use extra packet-matching modules. In this case, the one called conntrack works with the kernel's network connection-tracking capabilities.
  • --ctstate ESTABLISHED,RELATED : Specifies the connection states the rule applies to, namely ESTABLISHED and RELATED connections. An established connection is one already in progress. A related connection is one created by an action of an established connection. For example, someone who is connected may want to download a file, which might happen over a new connection initiated by the host.
  • -j ACCEPT : If the traffic matches the rule, jump to the ACCEPT target in the firewall. In other words, the traffic is accepted and allowed through the firewall.

Now we can issue the command to close the port:

  sudo iptables -A INPUT -p tcp --dport 22 -j REJECT 


This command adds a rule to the firewall that reads:

  • -A : Append the rule to the firewall rules table, i.e., add it at the bottom.
  • INPUT : This is a rule for inbound connections.
  • -p tcp : This rule applies to traffic using the Transmission Control Protocol.
  • --dport 22 : This rule applies specifically to TCP traffic whose destination is port 22 (the SSH port).
  • -j REJECT : If the traffic matches the rule, jump to the REJECT target in the firewall. The traffic is rejected and not allowed through the firewall.

We need to start the netfilter-persistent daemon. We can do this with the following command:

  sudo systemctl start netfilter-persistent 

We want netfilter-persistent to go through a save and a load cycle of the iptables rules.

Enter the following commands:

  sudo netfilter-persistent save 

  sudo netfilter-persistent reload 

You now have the utilities installed, and the SSH port is closed (hopefully without terminating your own connection). Now it's time to configure the secret knock.

Configuring knockd

There are two files you can edit to configure knockd. The first is the knockd configuration file:

  sudo gedit /etc/knockd.conf 

The gedit editor opens with the knockd configuration file loaded.

We'll edit this file as necessary. The sections we're interested in are "openSSH" and "closeSSH". The following four entries are in each section:

  • sequence : The sequence of ports someone must access to open or close port 22. The defaults are 7000, 8000, and 9000 to open it, and 9000, 8000, and 7000 to close it. You can change these or add more ports to the list. For our purposes, we'll stick with the defaults.
  • seq_timeout : The window of time within which someone must hit all of the ports to trigger the open or close action.
  • command : The command sent to the iptables firewall when the open or close action is triggered. These commands either add a rule to the firewall (to open the port) or remove one (to close it).
  • tcpflags : The type of packet each port must receive in the secret sequence. A SYN (synchronize) packet is the first one in a TCP connection request, known as the three-way handshake.

The "openSSH" section can be read as "a TCP connection request must be made to ports 7000, 8000, and 9000, in that order and within 5 seconds, for the command to open port 22 to be sent to the firewall."

The "closeSSH" section can be read as "a TCP connection request must be made to ports 9000, 8000, and 7000, in that order and within 5 seconds, for the command to close port 22 to be sent to the firewall."

The Firewall Rules

The "command" entries in the openSSH and closeSSH sections remain unchanged, with the exception of one parameter. Here's how they're assembled:

  • -A : Append the rule to the end of the firewall rules list (for the openSSH command).
  • -D : Delete the rule from the firewall rules list (for the closeSSH command).
  • INPUT : This rule applies to incoming network traffic.
  • -s %IP% : The IP address of the device requesting a connection. knockd substitutes the knocker's address here, so the port opens only for that address.
  • -p : The network protocol; in this case, TCP.
  • --dport : The destination port. In our example, it's port 22.
  • -j ACCEPT : Jump to the ACCEPT target in the firewall. In other words, the packet is accepted, and no later rule in the chain acts on it.

The Changes to the Configuration File

We make two changes to the file:

We extend the "seq_timeout" to 15 seconds. That's generous, but if someone is initiating the connection requests by hand, they might need that much time.

In the "openSSH" section, we change the -A (append) option in the command to -I (insert). This inserts the new firewall rule at the top of the firewall rules list. If you leave the -A option, the rule is appended to the list and lands at the bottom.

Inbound traffic is tested against each firewall rule from the top down. We already have a rule that closes port 22. If inbound traffic is tested against that rule before it reaches the rule that allows the traffic, the connection is rejected. If the new rule comes first, the connection is allowed.

The close command removes the rule that openSSH added from the firewall rules. SSH traffic is then handled once again by the existing "port 22 is closed" rule.

Save the configuration file after these changes.
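To make the meaning of those four entries and the -A/-I ordering concrete, here is an added Python example, not code from the article or from the knockd project. It parses a copy of the edited configuration, models knockd's matching rules per source IP, including the seq_timeout expiry and the reset on an out-of-order port, and then evaluates a toy INPUT chain top to bottom to show why the ACCEPT rule must be inserted above the REJECT rule. The configuration text, the addresses 192.168.4.23 and 10.0.0.9, and the behaviour on a broken sequence are assumptions modelled on knockd's documented behaviour, not taken from its source.

```python
"""Model knockd's matching and the iptables ordering the article relies on.

Added example, not code from the article or the knockd project. It models what
the config keys describe (sequence, seq_timeout, command with %IP%) and the
top-to-bottom evaluation of an iptables chain, so the effect of order, timing
and -I versus -A can be seen without touching a real firewall.
"""
import configparser

# Constructed: the article's /etc/knockd.conf after its edits (seq_timeout
# raised to 15, openSSH switched from -A to -I); the [options] section is omitted.
KNOCKD_CONF = """
[openSSH]
sequence    = 7000,8000,9000
seq_timeout = 15
command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

[closeSSH]
sequence    = 9000,8000,7000
seq_timeout = 15
command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn
"""


def load_doors(text):
    """Parse every door section; interpolation=None keeps %IP% literal."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(text)
    return {name: {"sequence": [int(p) for p in cfg[name]["sequence"].split(",")],
                   "seq_timeout": float(cfg[name].get("seq_timeout", "5")),
                   "command": cfg[name]["command"]}
            for name in cfg.sections() if name != "options"}


class KnockMatcher:
    """One attempt in progress per source IP, modelled on knockd: a SYN advances
    or breaks the current attempt, or starts one at a door's first port."""

    def __init__(self, doors):
        self.doors = doors
        self.ports = {p for d in doors.values() for p in d["sequence"]}
        self.attempts = {}  # ip -> [door, stage reached, time of first knock]

    def syn(self, ts, ip, dport):
        """Feed one TCP SYN (ts in seconds); return the command to run, or None."""
        if dport not in self.ports:
            return None  # knockd's capture filter only sees the knock ports
        att = self.attempts.get(ip)
        if att and ts - att[2] > self.doors[att[0]]["seq_timeout"]:
            del self.attempts[ip]  # too slow: the partial knock has expired
            att = None
        if att is None:
            for name, door in self.doors.items():
                if door["sequence"][0] == dport:
                    return self._advance(ip, name, 1, ts)
            return None
        name, stage, started = att
        if self.doors[name]["sequence"][stage] != dport:
            del self.attempts[ip]  # wrong port: the sequence is broken
            return None
        return self._advance(ip, name, stage + 1, started)

    def _advance(self, ip, name, stage, started):
        if stage < len(self.doors[name]["sequence"]):
            self.attempts[ip] = [name, stage, started]
            return None
        self.attempts.pop(ip, None)  # complete: fire and forget the attempt
        return self.doors[name]["command"].replace("%IP%", ip)


def send_knock(matcher, ip, ports, t0=0.0, gap=0.5):
    """Feed a whole knock, `gap` seconds apart; return the command it fired, if any."""
    fired = None
    for i, port in enumerate(ports):
        fired = matcher.syn(t0 + i * gap, ip, port) or fired
    return fired


def apply_rule(chain, command):
    """Apply an iptables command's -I/-A/-D to a rule list (index 0 = top of chain)."""
    parts = command.split()
    rule = " ".join(parts[parts.index("INPUT") + 1:])
    action = next(p for p in parts if p in ("-I", "-A", "-D"))
    if action == "-D":
        chain.remove(rule)
    else:
        chain.insert(0 if action == "-I" else len(chain), rule)
    return chain


def verdict(chain, src, dport):
    """First matching rule wins, top to bottom. Only -s and --dport are modelled."""
    for rule in chain:
        opts = dict(zip(rule.split()[::2], rule.split()[1::2]))
        if opts.get("-s", src) == src and opts.get("--dport", str(dport)) == str(dport):
            return opts["-j"]
    return "POLICY"  # nothing matched: the chain's default policy applies
```

Calling send_knock(KnockMatcher(load_doors(KNOCKD_CONF)), "192.168.4.23", [7000, 8000, 9000]) returns the -I command with %IP% filled in. Feed it to apply_rule() on a chain that holds only the article's REJECT rule, and verdict() reports ACCEPT for the knocker and REJECT for every other address; the same command with -A leaves even the knocker rejected, because the REJECT rule is reached first. The conntrack rule from earlier is deliberately left out of the toy chain, since this model only looks at new SYNs.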


The knockd Control File

The knockd control file is altogether simpler. Before we can edit it, however, we need to know the internal name of our network connection. Type the following command to find it:

  ip addr 

The connection this computer uses for this article is called enp0s3. Make a note of the name of your connection.

The following command edits the knockd control file:

  sudo gedit /etc/default/knockd 

We need to make only two changes:

We changed the "START_KNOCKD=" entry from 0 to 1.

We also removed the hash # from the start of the "KNOCKD_OPTS=" entry and replaced "eth1" with the name of our network connection, enp0s3. Of course, if your network connection is eth1, you won't need to change it.

The Proof of the Pudding

It's time to see whether this works. We start the knockd daemon with the following command:

  sudo systemctl start knockd 

Now we hop onto another computer and try to connect. We installed knockd on this computer too, not because we want to set up port knocking on it, but because the knockd package provides another tool called knock. We'll use it to fire our secret sequence and do the knocking for us.

Use the following command to send the secret sequence of connection requests to the ports on the host computer, replacing <server-ip> with that computer's IP address:

  knock <server-ip> 7000 8000 9000 -d 500 

This tells knock to target the computer at <server-ip> and send a connection request to ports 7000, 8000, and 9000 in turn, with a -d (delay) of 500 milliseconds between them.

A user named "dave" then makes an SSH request:

  ssh dave@192.168.4.24 

His connection is accepted, he enters his password, and his remote session begins. His command prompt changes from dave@nostromo to dave@howtogeek. To log out of the remote computer, he types:

  exit 

His command prompt returns to his local computer. He uses knock again, this time with the ports in reverse order, to close the SSH port on the remote computer.

  knock <server-ip> 9000 8000 7000 -d 500 

While this wasn't a particularly productive remote session, it does demonstrate opening and closing the port via port knocking, and it fit in a single screenshot.
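The knock utility above is a thin wrapper around three connection attempts, and it also illustrates the weakness described at the top of this article: the sequence crosses the network in the clear every time it is used. The following added Python example, not code from the article or from the knockd project, does both sides. knock() sends the sequence the way the knock command does (one connection attempt per port, in order, with a delay; only the SYN matters, so a refused connection is the expected result), and recover_knock() reads the sequence off a capture of TCP SYNs, as anyone on the network path could, ready to replay with knock(). The capture, the client address 192.168.4.23 and the address 10.0.0.9 are constructed for the example, and the server address 192.168.4.24 is assumed.

```python
"""A knock client in Python, and what an on-path observer gets from watching it.

Added example, not code from the article or from the knockd project. knock()
does what the article's `knock` utility does: one connection attempt per port,
in order, with a delay between them; the attempt only needs to put a SYN on the
wire, so a short timeout and a refused connection are fine. recover_knock()
is the other side of the coin: the sequence crosses the network in clear every
time it is used, so anyone who can see the SYNs (here, a constructed capture)
can read it off and replay it with knock().
"""
import socket
import time


def try_connect(host, port, timeout):
    """One TCP connect attempt; returns errno (0 = connected, else refused/timed out)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port))


def knock(host, ports, delay=0.5, timeout=1.0, connect=try_connect):
    """Knock `ports` in order, `delay` seconds apart (knock's -d takes milliseconds).
    `connect` is injectable so the sequence can be checked without a network."""
    results = []
    for i, port in enumerate(ports):
        if i:
            time.sleep(delay)
        results.append((port, connect(host, port, timeout)))
    return results


# Constructed capture: (seconds, source IP, destination port) of TCP SYNs sent to
# the server at 192.168.4.24 (assumed), as seen by anyone on the path. 192.168.4.23
# stands in for dave's PC; 10.0.0.9 tries SSH without knocking first.
CAPTURED_SYNS = [
    (100.0, "192.168.4.23", 7000),
    (100.5, "192.168.4.23", 8000),
    (101.0, "192.168.4.23", 9000),
    (103.2, "192.168.4.23", 22),    # the SSH login that followed the knock
    (140.0, "192.168.4.23", 9000),  # the closing knock, after logging out
    (140.5, "192.168.4.23", 8000),
    (141.0, "192.168.4.23", 7000),
    (150.0, "10.0.0.9", 22),        # no knock first: the firewall rejects this
]


def recover_knock(syns, service_port=22, window=30.0):
    """For each source that reached `service_port`, return the other ports it hit
    in the `window` seconds before its first SYN to that port."""
    by_src = {}
    for ts, src, dport in sorted(syns):
        by_src.setdefault(src, []).append((ts, dport))
    found = {}
    for src, events in by_src.items():
        hit = next((t for t, p in events if p == service_port), None)
        if hit is None:
            continue
        seq = [p for t, p in events if hit - window <= t < hit and p != service_port]
        if seq:
            found[src] = seq
    return found


if __name__ == "__main__":
    learned = recover_knock(CAPTURED_SYNS)
    print("recovered:", learned)  # {'192.168.4.23': [7000, 8000, 9000]}
    # Replay against the server. Refusals (errno 111 on Linux) are expected:
    # the knock ports are closed, and only the SYNs matter to knockd.
    print(knock("192.168.4.24", learned["192.168.4.23"]))
```

The window of 30 seconds is generous on purpose: an observer does not know the server's seq_timeout, and a few extra ports in the recovered list cost nothing when replaying. Note that nothing in the knock itself is tied to the knocker, which is why the article's opening rule limits the hole to the knocker's source address and why that is still no substitute for authentication.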

How did that look from the other side? The system administrator on the host whose port is being knocked uses the following command to watch new entries arrive in the system log:

  tail -f /var/log/syslog 

  • You see three openSSH entries. These are triggered as each port in the sequence is hit by the remote knock utility.
  • When all three stages of the trigger sequence are met, an "OPEN SESAME" entry is logged.
  • The command to insert the rule into the iptables rule list is run. It permits access via SSH on port 22 from the specific IP address of the PC that performed the correct secret knock.
  • The user dave connects for only a few seconds and then disconnects.
  • You see three closeSSH entries. These are triggered as each port is hit by the remote knock utility, which tells the host to close port 22.
  • After all three stages have been triggered, the "OPEN SESAME" message appears again, and the command to remove the rule is sent to the firewall. (Why it isn't "CLOSE SESAME" when the port is closed, who knows?)
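To read that log from the defender's side without a screenshot, here is an added Python example, not code from the article or from knockd. The sample lines are constructed in the shape the article describes: one "Stage n" line per port hit, an "OPEN SESAME" line when a sequence completes (logged for closeSSH too, as noted above), and a "running command" line carrying the iptables command. It answers the questions a sysadmin actually has: which addresses currently have an ACCEPT rule that no closing knock has removed, and which addresses only got part-way through a sequence, which is what a port scan or a mistyped knock looks like. The addresses 203.0.113.7 and 198.51.100.20, the sshd line and the exact line format are assumptions; check a line from your own syslog against the patterns before relying on them.

```python
"""Summarise knockd's syslog entries: who opened a hole, whether it was closed
again, and who only got part-way through a sequence.

Added example, not code from the article or from knockd. The sample below is
constructed in the shape the article describes; verify the patterns against a
real line from your own syslog before trusting the output.
"""
import re

SAMPLE_SYSLOG = """\
Jan 10 11:24:20 howtogeek knockd: 192.168.4.23: openSSH: Stage 1
Jan 10 11:24:20 howtogeek knockd: 192.168.4.23: openSSH: Stage 2
Jan 10 11:24:21 howtogeek knockd: 192.168.4.23: openSSH: Stage 3
Jan 10 11:24:21 howtogeek knockd: 192.168.4.23: openSSH: OPEN SESAME
Jan 10 11:24:21 howtogeek knockd: openSSH: running command: /sbin/iptables -I INPUT -s 192.168.4.23 -p tcp --dport 22 -j ACCEPT
Jan 10 11:24:27 howtogeek sshd[1412]: Accepted password for dave from 192.168.4.23 port 51122 ssh2
Jan 10 11:24:40 howtogeek knockd: 192.168.4.23: closeSSH: Stage 1
Jan 10 11:24:40 howtogeek knockd: 192.168.4.23: closeSSH: Stage 2
Jan 10 11:24:41 howtogeek knockd: 192.168.4.23: closeSSH: Stage 3
Jan 10 11:24:41 howtogeek knockd: 192.168.4.23: closeSSH: OPEN SESAME
Jan 10 11:24:41 howtogeek knockd: closeSSH: running command: /sbin/iptables -D INPUT -s 192.168.4.23 -p tcp --dport 22 -j ACCEPT
Jan 10 11:30:02 howtogeek knockd: 203.0.113.7: openSSH: Stage 1
Jan 10 11:30:02 howtogeek knockd: 203.0.113.7: openSSH: Stage 2
Jan 10 11:30:03 howtogeek knockd: 203.0.113.7: openSSH: Stage 3
Jan 10 11:30:03 howtogeek knockd: 203.0.113.7: openSSH: OPEN SESAME
Jan 10 11:30:03 howtogeek knockd: openSSH: running command: /sbin/iptables -I INPUT -s 203.0.113.7 -p tcp --dport 22 -j ACCEPT
Jan 10 11:31:15 howtogeek knockd: 198.51.100.20: openSSH: Stage 1
"""

# Syslog prefix up to the program name; only knockd lines are of interest here.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ knockd(?:\[\d+\])?: (?P<rest>.*)$")
STAGE_RE = re.compile(r"^(?P<ip>[\d.]+): (?P<door>\w+): Stage (?P<stage>\d+)$")
OPEN_RE = re.compile(r"^(?P<ip>[\d.]+): (?P<door>\w+): OPEN SESAME$")
CMD_RE = re.compile(r"^(?P<door>\w+): running command: (?P<cmd>.+)$")


def audit(text, open_door="openSSH", close_door="closeSSH"):
    """Return (holes, partial, commands).

    holes:    ip -> timestamp of an open_door trigger that no close_door has undone
    partial:  ip -> (door, highest stage) for sequences that never completed
    commands: [(timestamp, door, command)] as knockd reported running them
    """
    holes, partial, commands = {}, {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a knockd line
        ts, rest = m["ts"], m["rest"]
        stage, opened, cmd = STAGE_RE.match(rest), OPEN_RE.match(rest), CMD_RE.match(rest)
        if stage:
            partial[stage["ip"]] = (stage["door"], int(stage["stage"]))
        elif opened:
            partial.pop(opened["ip"], None)
            # "OPEN SESAME" is logged for every door, so the door name decides
            # whether a hole was punched or removed.
            if opened["door"] == open_door:
                holes[opened["ip"]] = ts
            elif opened["door"] == close_door:
                holes.pop(opened["ip"], None)
        elif cmd:
            commands.append((ts, cmd["door"], cmd["cmd"]))
    return holes, partial, commands


if __name__ == "__main__":
    holes, partial, commands = audit(SAMPLE_SYSLOG)
    print("still open for:", holes)       # {'203.0.113.7': 'Jan 10 11:30:03'}
    print("incomplete knocks:", partial)  # {'198.51.100.20': ('openSSH', 1)}
    for ts, door, command in commands:
        print(ts, door, command)
```

An address that stays in `holes` after the session ends means an ACCEPT rule for it is still sitting at the top of the INPUT chain; compare against `sudo iptables -L INPUT -n --line-numbers` and remove any rule the closing knock never cleaned up.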

The only rule left in the iptables rule list for port 22 is the one we typed at the start to close it. So port 22 is now closed again.

Knock It on the Head

That's the parlor trick that is port knocking. Treat it as a diversion, and don't do it in the real world. Or, if you must, don't rely on it as your only form of security.
