Port knocking
== Overview ==
Port knocking is usually implemented by configuring a [[daemon (computer software)|daemon]] to watch the firewall log file for connection attempts to certain ports, and then to modify the firewall configuration accordingly.<ref>{{Cite web |title=PortKnocking - Community Help Wiki |url=https://help.ubuntu.com/community/PortKnocking |access-date=2023-07-08 |website=help.ubuntu.com}}</ref> It can also be performed at the kernel level (using a kernel-level packet filter such as [[iptables]]<ref>{{cite web | url = https://www.digitalocean.com/community/tutorials/how-to-configure-port-knocking-using-only-iptables-on-an-ubuntu-vps | title = How To Configure Port Knocking Using Only Iptables on an Ubuntu VPS | date = 2014-01-17 | accessdate = 2016-04-24 | author = Justin Ellingwood | website = digitalocean.com }}</ref>) or by a userspace process examining [[Packet (information technology)|packets]] at a higher level (using packet capture interfaces such as [[pcap]]), which allows already "open" TCP ports to be used within the knock sequence. The port "knock" itself is similar to a secret handshake and can consist of any number of [[Transmission Control Protocol|TCP]], [[User Datagram Protocol|UDP]] or even sometimes [[Internet Control Message Protocol|ICMP]] and other protocol packets to numbered ports on the destination machine. The complexity of the knock can range from a simple ordered list (e.g. TCP port 1000, TCP port 2000, UDP port 3000) to a complex encrypted hash that depends on time, source IP and other factors. A portknock daemon on the firewall machine listens for packets on certain ports (either via the firewall log or by packet capture). The client user carries an extra utility, which can be as simple as [[netcat]] or a modified ping program or as complicated as a full hash generator, and uses it before attempting to connect to the machine in the usual way.
Most portknocks are stateful systems in that if the first part of the "knock" has been received successfully, an incorrect second part would not allow the remote user to continue and, indeed, would give the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time. While this technique for securing access to remote network daemons has not been widely adopted by the security community, it has been actively used in many [[rootkit]]s even before the year 2000.{{Citation needed|date=January 2023}}
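The stateful daemon described above, as an added example that is not the article's own code: it follows each source's progress through the knock sequence by reading firewall log lines (a hypothetical netfilter-style format with constructed sample lines), resets silently on a wrong or expired step, and only reports an action once the full sequence has arrived. The sequence TCP 1000, TCP 2000, UDP 3000 is the text's; the protected port 22 and the 10-second window are assumptions.

```python
import re
from collections import defaultdict
# Ordered knock sequence from the text: TCP 1000, TCP 2000, UDP 3000.
KNOCK_SEQUENCE = [("TCP", 1000), ("TCP", 2000), ("UDP", 3000)]
PROTECTED_PORT = 22   # opened for a source only after a complete knock (assumption)
KNOCK_WINDOW = 10.0   # seconds allowed between consecutive knocks (assumption)
# Fields of a netfilter-style log line (hypothetical format, constructed for this example).
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

class KnockDaemon:
    """Per-source state machine: a wrong or stale knock silently resets that source;
    nothing is sent back, so the only sign of failure is that the port stays closed."""

    def __init__(self):
        self.progress = defaultdict(int)  # src -> knocks matched so far
        self.last_seen = {}               # src -> time of last knock

    def handle_log_line(self, line, now):
        # Returns a firewall action once a source completes the sequence, else None.
        m = LOG_RE.search(line)
        if not m:
            return None
        src, knock = m["src"], (m["proto"], int(m["dpt"]))
        if knock not in KNOCK_SEQUENCE:
            return None                   # the daemon only watches the knock ports
        if now - self.last_seen.get(src, now) > KNOCK_WINDOW:
            self.progress[src] = 0        # partial sequence expired
        self.last_seen[src] = now
        if knock != KNOCK_SEQUENCE[self.progress[src]]:
            self.progress[src] = 0        # wrong step: restart, give no hint
            return None
        self.progress[src] += 1
        if self.progress[src] < len(KNOCK_SEQUENCE):
            return None
        self.progress[src] = 0
        # A real daemon would insert the firewall rule here (e.g. via iptables).
        return f"ACCEPT tcp from {src} to port {PROTECTED_PORT}"

# Constructed sample log: one correct knock, then one with the steps out of order.
SAMPLE_LOG = [
    (0.0, "IN=eth0 SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP DPT=1000"),
    (1.0, "IN=eth0 SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP DPT=2000"),
    (2.0, "IN=eth0 SRC=203.0.113.7 DST=198.51.100.1 PROTO=UDP DPT=3000"),
    (3.0, "IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP DPT=1000"),
    (4.0, "IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=UDP DPT=3000"),
]

def run_sample(log=SAMPLE_LOG):
    daemon = KnockDaemon()  # feeds timestamped lines through one daemon, returns actions
    return [a for ts, line in log if (a := daemon.handle_log_line(line, ts))]
```

Only the first source completes the sequence; the second source's out-of-order knock resets it without any response, exactly as the text describes.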