FAQ


Q: Can Port Knock be used to break into a network?
A: Like any tool, this may be used for "unkind" purposes. However, port knockers in general are fairly passive, and this is not a hacking/cracking tool.

Q: Isn't "security through obscurity" bad?
A: Obscurity as your only means of security is bad. But it's a useful additional layer to add to improve your security. For example, even though you may have an "unbreakable safe", you may still want to hide it behind a painting rather than put it outside in the parking lot for everyone to see.

Every security system depends on some hidden information to work: the pattern of ridges in a key, the code to a safe, and the password to a computer. In port knocking, the "password" is the sequence of ports used in a knock. However, as with any good security system, port knocking is an open and publicly reviewed security method.

Port knocking enhances the security already provided by firewalls: firewalls protect a computer by blocking all unnecessary communication, but leave the computer vulnerable to attacks through the open communication channels, or ports. If a new vulnerability is discovered in software on one of these ports, the computer is now open to attack. Further, open ports allow an attacker to scan your computer quickly for possible vulnerabilities. Port knocking allows your firewall to close ALL ports, unless a specific knock sequence, or "password", is sent. Only the sender of the knock sequence is then granted access to ports that are normally blocked by the firewall.

In addition, port knocking does not replace the authentication measures already present in your network applications. For example, if ssh access is blocked until a specific knock sequence is received, the sender of the knock sequence must still pass ssh's encrypted authentication.

This layered approach greatly increases security and reduces vulnerability to attacks and probes.
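As an added illustration (not code from the Port Knock client or from any knock daemon), this is the state machine a knock server runs over the firewall's dropped-packet log: the three-port sequence, the TS/SRC/DPT log format and the three source addresses are all constructed for the example, and they show why a port scan or a knock sent too slowly is never granted access.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = [7000, 8000, 9000]   # constructed "password": ports hit in this order
KNOCK_TIMEOUT = 10.0                  # seconds allowed from first to last knock

@dataclass
class KnockState:
    next_index: int = 0      # position in KNOCK_SEQUENCE this source must hit next
    started_at: float = 0.0  # timestamp of the first correct knock in the current run

def parse_drop_line(line: str) -> Tuple[float, str, int]:
    """Parse one constructed firewall DROP log line into (timestamp, src_ip, dst_port)."""
    fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
    return float(fields["TS"]), fields["SRC"], int(fields["DPT"])

def process_knocks(lines, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT) -> List[str]:
    """Return the source IPs that hit the whole sequence, in order, within the timeout."""
    states: Dict[str, KnockState] = {}
    granted: List[str] = []
    for line in lines:
        ts, src, dport = parse_drop_line(line)
        st = states.setdefault(src, KnockState())
        if st.next_index > 0 and ts - st.started_at > timeout:
            st.next_index = 0            # took too long: the partial knock expires
        if dport != sequence[st.next_index]:
            st.next_index = 0            # wrong port: a sequential port scan never matches
        if dport == sequence[st.next_index]:
            if st.next_index == 0:
                st.started_at = ts
            st.next_index += 1
            if st.next_index == len(sequence):
                granted.append(src)      # here a daemon would open the firewall for src
                st.next_index = 0
    return granted

# Constructed log lines: a correct knock, a port scan, and a knock that is too slow.
LOG_LINES = [
    "TS=100.0 SRC=203.0.113.5 DPT=7000",
    "TS=101.0 SRC=203.0.113.5 DPT=8000",
    "TS=102.0 SRC=203.0.113.5 DPT=9000",
    "TS=100.0 SRC=198.51.100.9 DPT=7000",
    "TS=100.1 SRC=198.51.100.9 DPT=7001",
    "TS=100.2 SRC=198.51.100.9 DPT=8000",
    "TS=100.3 SRC=198.51.100.9 DPT=9000",
    "TS=200.0 SRC=192.0.2.44 DPT=7000",
    "TS=215.0 SRC=192.0.2.44 DPT=8000",
    "TS=216.0 SRC=192.0.2.44 DPT=9000",
]
```

Running `process_knocks(LOG_LINES)` grants only the first source; the scanner's extra port and the third source's 15-second gap both reset the sequence.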

Knock Servers


If you're in need of a knock server, I personally use Judd Vinet's knock daemon for Linux. It's small and easy to use and you can find it here: http://www.zeroflux.org/projects/knock.

Additional Info


You can find more information and a nice list of other knock clients and servers over at http://www.portknocking.org/.
More detail can always be found on Wikipedia.