Jan 03
What is port knocking
Port knocking is a mechanism for opening ports on a firewall from the outside (the hot zone) by generating connection attempts on a set of closed ports. Once the correct sequence of connection attempts is received, the firewall rules are modified to allow the host that sent them to connect over a specific port.
This sounds cool!
Yes, it does. However, it has some disadvantages:
- First of all, it is security through obscurity. It may limit the number of bots trying to connect to SSH, but the same can be achieved by simply changing the port from 22 to 5522 or something similar. It also cannot prevent a determined attacker from finding the packet sequence, since it can be easily eavesdropped, especially if you are connecting from a hostile network.
- It is a single point of failure. What happens if knockd dies? You are locked out of your network indefinitely. This can be mitigated by enabling the process-monitoring daemon usually shipped together with knockd, which will revive the dead process and thus keep you connected.
- DoS-style attacks can easily lock you out of your box, especially if you are using knockd in conjunction with fail2ban or something similar. Say you have IP[1-3] and BCK1. BCK1 requires port knocking before allowing IP[1-3] to work. An attacker can easily send spoofed packets using the IPs of IP[1-3] to BCK1, tricking it into thinking these are attack attempts. At best, connectivity continues as usual, but the logs raise suspicions for the system maintainer. The worst case is that you are working from one of IP[1-3] and have lost your connectivity with the mother ship. I know shit happens, but its effects can be easily magnified according to Murphy's Law.
- False negatives. While most knockd servers give you adequate time between two knocks, if those knocks are close in time (within a tenth of a second) they may arrive out of order at the network interface of the knockd system. At that point the client cannot tell why the port doesn't open and why it is still locked outside. This is possible because one usually sends TCP and UDP packets to various ports. UDP packets are known for not arriving in order (even for the same port), and the same holds for TCP segments that are meant for independent targets (IP:TCPPORT). So under some network conditions your port-knocking plea may go unanswered, which is generally bad.
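To make the mechanism described in the first paragraph and the out-of-order failure in the last bullet concrete, here is an added example (not code from this post and not knockd's own implementation): a minimal knock-sequence tracker in Python. The sequence, timeout, client addresses and the list of observed connection attempts are all constructed for the example. Each source is tracked independently; a knock that is not the next expected one resets that source's progress, and progress older than the timeout is discarded, which is exactly why a reordered UDP knock leaves the client locked out.

```python
from dataclasses import dataclass

# Ordered (protocol, port) knocks a client must send. Constructed values;
# they do not come from any real knockd configuration.
SEQUENCE = (("tcp", 7000), ("udp", 8000), ("tcp", 9000))
KNOCK_TIMEOUT = 5.0  # seconds allowed for the whole sequence (assumed)


@dataclass
class KnockState:
    started: float       # time of the first correct knock from this source
    index: int = 0       # how many knocks of the sequence have matched so far


class KnockTracker:
    """Per-source state machine for a port-knocking sequence."""

    def __init__(self, sequence=SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.states = {}     # src -> KnockState for partially completed sequences
        self.allowed = set() # sources whose sequence completed (would get a firewall rule)

    def observe(self, src, proto, port, now):
        """Feed one connection attempt; returns 'opened', 'partial' or 'reset'."""
        state = self.states.get(src)
        if state is not None and now - state.started > self.timeout:
            # The whole sequence must finish within the timeout; forget stale progress.
            del self.states[src]
            state = None
        position = state.index if state is not None else 0
        if (proto, port) != self.sequence[position]:
            # Wrong port, wrong protocol, or a knock that arrived out of order:
            # all progress for this source is discarded. This is the false
            # negative the post describes when two knocks swap places in transit.
            self.states.pop(src, None)
            return "reset"
        if state is None:
            state = self.states[src] = KnockState(started=now)
        state.index += 1
        if state.index == len(self.sequence):
            del self.states[src]
            self.allowed.add(src)
            return "opened"
        return "partial"


# Constructed observations: (time, source IP, protocol, destination port).
EVENTS = [
    # client A: knocks arrive in order and quickly
    (0.0, "192.0.2.10", "tcp", 7000),
    (0.1, "192.0.2.10", "udp", 8000),
    (0.2, "192.0.2.10", "tcp", 9000),
    # client B: sent the same knocks, but the UDP one arrived after the last TCP one
    (1.0, "192.0.2.11", "tcp", 7000),
    (1.1, "192.0.2.11", "tcp", 9000),
    (1.15, "192.0.2.11", "udp", 8000),
    # client C: correct order, but the last knock comes after the timeout
    (2.0, "192.0.2.12", "tcp", 7000),
    (2.5, "192.0.2.12", "udp", 8000),
    (9.0, "192.0.2.12", "tcp", 9000),
]


def run(events, sequence=SEQUENCE, timeout=KNOCK_TIMEOUT):
    """Replay a list of connection attempts and return the sources that were admitted."""
    tracker = KnockTracker(sequence, timeout)
    for now, src, proto, port in sorted(events):
        tracker.observe(src, proto, port, now)
    return sorted(tracker.allowed)


if __name__ == "__main__":
    print(run(EVENTS))  # only client A completes the sequence
```

Only `192.0.2.10` ends up in the allowed set: client B's knocks were all correct but one pair was reordered in transit, and client C was too slow. From the client's side both failures look identical (the port simply never opens), which is the diagnostic problem the last bullet points out; a server that logs the `reset` outcome with the source and the offending knock at least lets the maintainer tell the two apart.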
So why use a system that has significant downsides and no obvious benefits? That is up to you.
This entry was posted on Monday, January 3rd, 2011 at 10:46 am and is filed under English, Services, engineering, gentoo.