Day 32 of the series:

Port knocking is really something I expected to take off like wild fire, but it never did. Hard to believe for such a cool idea.

@mike I think it didn’t take off because it’s security through obscurity and so you can’t rely on it as your only authentication. You still need a password/key and if you want to increase security it’s easier to make the password longer then to implement port knocking. Also if you do control the firewall, in most cases it’s easier and safer just to whitelist IPs.

@ElectronStudio It was never intended to be used as a singular means of authentication, and usernames and passwords were still required. Increasing the length of the password is completely separate and could still be done with a port knocking solution in place. For that matter, port knocking could still be used with a username and password and most of the modern day 2FA solutions in place. It's entirely distinct from all of them.

@mike Maybe because it is susceptible to the same weakness as knocking with a pattern on an actual door. Nearby "listeners"! 👂

Sure it is an extra measure against certain categories of attacks but not a generic one.

@ckoul A simple rotation of ports similar to what we see in a modern 2FA solution would solve that problem. Even if the "code" was in the clear, security wouldn't be worse than it is now. That's the part I don't understand about this. Every weakness that can be pointed out about port knocking doesn't make security worse than the current configuration, just the same.

@mike Then we 're adding a little bit of complexity (communicate the pattern). Security is not worse in any case, as you point out, but the main threats that port knocking is good at (brute force attacks and denial of services) are also easily handled by other means (fail2ban, LIMIT firewall rule).

Is there another strong point in favor of port knocking I am missing?

@ckoul @mike The complexity point is valid. On a LAN I just want to run `ssh servername` and do my work with the usual security mechanisms. If the connection fails for some reason, I could see it being more difficult to troubleshoot with port knocking enabled.

On the Internet, you're often dealing with dedicated firewall devices. I could see port knocking being more useful there, but you'd have to convince firewall vendors to support it.

An alternative intriguing idea: Tor hidden services.

@pcrock The complexity is a fair point, but it's also fairly easy to work around since port knocking is so easy to automate. Earlier I saw a one line script that automated a port knocked SSH connection. Can't seem to find it now, because now would be the best time to have that reference, but such has been my day.


@ckoul Sorry about the slow response. Not feeling great right now and I'm falling behind.

Strong point? Strong is subjective, but I would say that using a port knocking solution shields your systems from much of the "recon" that hackers do that wouldn't be caught by things like fail2ban. You can't tell is the OpenSSH service on the system is the one with the 0 day vulnerability because it's hidden from anybody that doesn't have the sequence.

@mike I wish you'll feel great again after a good night sleep! :)

You're right that 0-day vulnerabilities is +1 in favor of a port knocking implementation.

I am trying to think of a relatively simple/robust way for my port-knocking service to communicate the periodically or rule-based changing pattern to several potential consumers (human operators, automated services, scripts etc) and can't come up with one; not implying there isn't. @pcrock

@ckoul I'd assume the technology and methods currently being used for many 2FA solutions would work quite nicely. Given a wide enough range of ports for the knocking solution, you could even grant access on a user by user basis, assuming you have a small enough user base. Obviously that would get less and less viable as the user base increased in size. Also, I'm still working on my first cup of coffee. That might not make sense at all later.


@mike wow! I hvae never heard of this. I wish it had taken off.

@mike I'm a noob when it comes to Linux, but I do run a Team Speak server and would love to somehow figure out how to port knock the ports in my router with the Team Speak App and on the Windows computer.

Sign in to participate in the conversation

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.