Port knocking is an authentication technique used to open closed ports which are behind a firewall. The process is carried out by configuring a daemon (a computer program which runs as a background process).

The daemon continually monitors the firewall log for connection attempts made by other computers on specified ports.

Once an authenticated connection attempt is detected, the firewall is modified so that the host can connect to the requested port.

Port knocking is mainly used to prevent hackers from doing a port scan and is one of the security measures a network administrator takes to secure the network.

Just like keys used in public key cryptography, a “secret knock” is used to gain access to the network using a specified port, which is opened for predefined IP addresses.

What makes it different from other security protocols?

Port knocking is a platform, service, and application independent mechanism, which gives it a significant edge over other authentication protocols.

That being said, it is mostly used on Linux or Unix-based web servers, with tools for Windows developed in recent years. Similar to other protective mechanisms like IPSec, the services or applications need not be port-knocking aware.

There are different ways in which port knocking can be implemented, the most popular using iptables.

How does port knocking work?

Port knocking is generally implemented by using a daemon (as discussed above), which continually checks for machines on the network that want to gain access to particular resources or other devices on the network.

It can be implemented either on the kernel level (using a kernel-level filter like iptables) or at the user level (using pcap), which makes use of the already open TCP ports on a machine.

It is a handshake protocol, which sends any number of packets using TCP, ICMP or even UDP to some numbered ports on the server.

When these ports receive the packets sent by the computer requesting access, the server then modifies its firewall to open the required ports.

Let’s take an example

Many system admins are known to leave the ssh port 22 open to allow remote access to the system, which can be used by attackers to gain unauthorized access.

Port knocking can help deal with these issues by merely hiding the ssh port and securing it with a combination of knocks.

Suppose a user wants to get some services from the server using the ssh port 22. Initially, the port is closed and is behind a firewall which will deny any connection attempt made.

Now, port knocking is set up, and it requires that the requesting machine knock on three ports, namely 500, 501 and 502 (in order), to open the port. Keep in mind that these ports are also closed.

The port knock daemon, which lies on the server, listens to any knocks, using either packet capture or the firewall log.

If the knock is as expected, i.e., the knock sequence is precisely the same, the requesting machine gets access to the service. Even if one port in the knock sequence is wrong, the server denies access.
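The daemon logic for the 500, 501, 502 example can be sketched as a per-source state machine over firewall log lines. This is an added illustration, not code from any particular port-knocking tool; the log layout, the 10-second window and the function name process_log are assumptions made for the example.

```python
import re

KNOCK_SEQUENCE = (500, 501, 502)  # the ordered knock from the article's example
WINDOW_SECONDS = 10               # assumed limit for completing the sequence

# Constructed, simplified firewall-log lines: "<epoch> ... SRC=<ip> ... DPT=<port>"
SAMPLE_LOG = """\
100 KNOCK SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=500
100 KNOCK SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=500
101 KNOCK SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=501
101 KNOCK SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=502
102 KNOCK SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=502
102 KNOCK SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=501
103 KNOCK SRC=198.51.100.23 DST=192.0.2.1 PROTO=TCP DPT=500
104 KNOCK SRC=198.51.100.23 DST=192.0.2.1 PROTO=TCP DPT=501
120 KNOCK SRC=198.51.100.23 DST=192.0.2.1 PROTO=TCP DPT=502
"""

LINE_RE = re.compile(r"^(\d+) .*\bSRC=(\S+) .*\bDPT=(\d+)")


def process_log(lines, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return source IPs that completed the knock, in the order they did so."""
    progress = {}  # src ip -> (index of next expected port, time of first knock)
    opened = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a knock record
        ts, src, port = int(m.group(1)), m.group(2), int(m.group(3))
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > window:
            idx = 0  # partial knock expired
        if port == sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        elif port == sequence[0]:
            idx, started = 1, ts  # wrong port, but it begins a fresh attempt
        else:
            idx = 0  # wrong port: reset silently, no feedback to the sender
        if idx == len(sequence):
            opened.append(src)  # a real daemon would add the firewall rule here
            idx = 0
        progress[src] = (idx, started)
    return opened


if __name__ == "__main__":
    print(process_log(SAMPLE_LOG.splitlines()))
```

In the constructed log, only 198.51.100.7 completes the knock: 203.0.113.9 sends the right ports in the wrong order and 198.51.100.23 takes longer than the window.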

Role of iptables in port knocking

“iptables” is generally used as a way to hide the required ports. It is a daemon which allows admins to configure the tables maintained by the Linux Kernel Firewall.

nftables is an upgraded version of the current iptables used in port knocking and is likely to replace it shortly.

An iptables module called “recent” is used to dynamically maintain a list of IP addresses. It keeps a record of all the successful and unsuccessful connection attempts made earlier.

How can it help increase security?

A port knocking sequence as simple as “1000, 2000, 6000” cannot be easily guessed by an attacker. Even brute force attacks would need to try a combination of ports ranging from 1 to 65,535.

Since the knock needs to be received by the server in a predefined order, a simple three-port knock would require over 9.2 quintillion data packets to gain access, which is clearly a very time-consuming process.

This is just the primary form of port knocking. Security can be strengthened further by using cryptographic hashes (one-time keys) or by using complex port knocking sequences, such as time-dependent or source-IP-based ones.
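One way to combine these ideas is to derive the knock from a keyed hash of the source IP and the current time window, so that a sequence captured on the wire is useless later or from another address. This is an added sketch, not the scheme of any specific tool; the 30-second step, the port range, the shared secret and the names knock_sequence and verify_knock are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30                 # assumed lifetime of one knock sequence
PORT_MIN, PORT_MAX = 1024, 65535  # assumed range the knock ports are drawn from
KNOCK_LENGTH = 3


def knock_sequence(secret: bytes, src_ip: str, now: int) -> tuple:
    """Ports for src_ip in the time window containing `now` (client and server)."""
    step = now // STEP_SECONDS
    msg = src_ip.encode("ascii") + b"|" + struct.pack(">Q", step)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_MAX - PORT_MIN + 1
    # Each port comes from its own 4-byte slice of the MAC.
    return tuple(
        PORT_MIN + int.from_bytes(digest[4 * i:4 * i + 4], "big") % span
        for i in range(KNOCK_LENGTH)
    )


def verify_knock(secret, src_ip, observed, now, used, skew_steps=1):
    """Server side: accept each (source, window) once, tolerating clock skew."""
    if len(observed) != KNOCK_LENGTH:
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        t = now + delta * STEP_SECONDS
        if tuple(observed) == knock_sequence(secret, src_ip, t):
            key = (src_ip, t // STEP_SECONDS)
            if key in used:
                return False  # same knock seen before: treat as a replay
            used.add(key)
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value for the example
    used = set()
    seq = knock_sequence(secret, "198.51.100.7", 1_700_000_000)
    print(seq, verify_knock(secret, "198.51.100.7", seq, 1_700_000_000, used))
```

The `used` set is what makes each knock single-use; without it, a captured sequence could still be replayed from the same source within the accepted windows.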

Static IP addresses can also be used. Static IPs allow only certain machines on the network to get access to the server, thereby reducing the chances of attacks by unknown systems on the network.

Even if the hackers guess the first part of the sequence correctly, there is still the second part, which, if guessed incorrectly, denies access, giving no clue whatsoever as to where they went wrong or what part of the sequence failed.

The result is that the expected port isn’t opened and no packet transmission occurs.

It can be implemented on the server using a simple shell script or a Windows batch file, which introduces little to no overhead in CPU and memory consumption.

Port knocking can also help defend against attacks on vulnerabilities in security protocols such as TCP and UDP, since the attacker would still require the correct sequence to establish any kind of connection and any random malicious requests are ignored.

The downside of using Port Knocking

DDoS (Denial of Service) attacks can use port knocking to potentially blacklist legitimate IP addresses by spoofing them and sending connection requests to the server using random ports.

This poses a challenge to static port knocking, where the IP addresses of the machines can be easily determined.

Since packets on a TCP/IP network can arrive out of order, port knocking might be challenging to implement on a network with high latency, because the sequence may not be received in the intended order.

The only solution to this is that the user needs to resend these packets until they are received in the correct order by the daemon.

If any client unintentionally reveals the sequence, it poses a security threat to every device on the network. This makes the protocol vulnerable to Man-in-the-middle or replay attacks.

A sufficiently long network trace can also help attackers work out the correct sequence, rendering it completely ineffective.

In a nutshell

Port Knocking is completely dependent on the performance of the daemon monitoring the ports. If the daemon stops working due to any reason, every user on the network will be denied access to the service. In other words, the daemon acts as a single point of failure, just like a centralized server.

However, newer port knocking implementations solve this issue by merely restarting the daemon responsible for overseeing the authentication process.

This protocol relies on security through obscurity. It in no way offers complete protection against attackers.

Port knocking should, therefore, be used in conjunction with other security mechanisms.

In its early days, many network admins completely ignored port knocking due to various security lapses.

However, the general perception seems to have changed with the advancement and improvement in the technology, resulting in almost everyone using it as an additional layer of security.
