Port knocking
Port knocking is a method of obscuring the services that you have running on your machine. It allows your firewall to protect your services until you ask for a port to be opened through a specific sequence of network traffic. A more secure and modern approach is to use SPA (Single Packet Authorization), but SPA is not covered in this post.
Port knocking is a way to hide certain ports. For example, you access your server through SSH but do not want brute-force attempts all day long, so you keep the SSH port closed; when you knock on certain ports in a specific order, the SSH port opens up, maybe only for a few minutes.
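A simplified model of what the listening side does with those knocks, added here as an illustration (it is not code from the original post and not knockd's implementation): progress is tracked per source address, a wrong port or a slow sequence resets it, and the port stays open only for a limited window. The class and method names and both timeout values are assumptions; the sequence is the one used in the knock example in this post.

```python
from dataclasses import dataclass, field


@dataclass
class KnockGate:
    """Assumed, simplified knock listener guarding a single port."""
    sequence: tuple = (3000, 4000, 5000)  # knock order used in this post
    seq_timeout: float = 5.0              # assumed: max seconds for the whole sequence
    open_seconds: float = 120.0           # assumed: how long the port stays open
    progress: dict = field(default_factory=dict)    # src -> (next index, start time)
    open_until: dict = field(default_factory=dict)  # src -> expiry time

    def knock(self, src, port, now):
        """Record one hit on a closed port; True if it completes the sequence."""
        idx, started = self.progress.get(src, (0, now))
        if idx > 0 and now - started > self.seq_timeout:
            idx, started = 0, now          # sequence took too long: start over
        if port == self.sequence[idx]:
            idx += 1                       # correct next knock
        elif port == self.sequence[0]:
            idx, started = 1, now          # restart from a fresh first knock
        else:
            idx = 0                        # wrong port: reset progress
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.open_until[src] = now + self.open_seconds
            return True
        if idx:
            self.progress[src] = (idx, started)
        else:
            self.progress.pop(src, None)
        return False

    def allows(self, src, now):
        """Firewall decision for a connection from src to the protected port."""
        return now < self.open_until.get(src, 0.0)


def run(events, gate=None):
    """Feed constructed (src, port, time) events to a gate and return it."""
    gate = gate or KnockGate()
    for src, port, now in events:
        gate.knock(src, port, now)
    return gate


if __name__ == "__main__":
    # Constructed events: one client knocking in the right order.
    g = run([("10.1.1.50", 3000, 0.0), ("10.1.1.50", 4000, 1.0), ("10.1.1.50", 5000, 2.0)])
    print("open at t=3:", g.allows("10.1.1.50", 3.0), "| open at t=200:", g.allows("10.1.1.50", 200.0))
```

The gate opens only for the address that sent the knocks, and nothing in the sequence is secret once it has been observed on the wire, which is why the post calls SPA the more secure approach.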
Below are three ways to knock on ports:
knock
    apt install knockd

    knock 10.1.1.2 3000 4000 5000
Then, if you scan the IP, you can verify that a port such as 22 is now available.
nmap
An nmap-based script that knocks on three ports and then initiates an SSH connection:

    #!/bin/bash

    # Ports to knock, in order, and the target host
    ports="3456 8234 62431"
    host="10.10.xx.xx"

    for x in $ports
    do
        # -Pn skips host discovery; --max-retries 0 avoids retransmitted probes
        nmap -Pn --host-timeout 201 --max-retries 0 -p "$x" "$host"
        sleep 1
    done

    # Connect once the full sequence has been sent
    ssh "user@${host}"
To simply knock on the ports without opening a connection, use this one-liner:

    for x in 5372 5381 6458; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.xx.xx.10 && sleep 1; done
Hping
Using hping to knock on ports:
    hping3 -S 172.xx.xx.123 -p 680 -c 1; hping3 -S 172.xx.xx.123 -p 39372 -c 1; hping3 -S 172.xx.xx.123 -p 46484 -c 1