Scanning and Enumeration Defence with Port Knocking


Port knocking is a method of externally opening ports. Once a server receives a secret sequence of ‘knocks’ on a closed port or ports, the server will execute a pre-configured set of actions. Actions may vary from opening ports for quick access to a full reboot of the system.

Port knocking should not be taken as an implementation of authentication security, as it is an example of the security through obscurity concept, which is fundamentally flawed.

How it works

On the server side, port knocking is usually implemented by configuring a daemon to watch the firewall log file for connection attempts to certain ports.

The ‘knock’ itself is a secret sequence of packets sent to numbered ports on the destination machine. The complexity of the knock may vary from a single TCP SYN packet to a complex time-dependent, source-IP-based and other-factor-based encrypted hash.

On the client side, simple TCP knocks can be performed with telnet or netcat. For more advanced knocks, see knock, hping, sendip or packit.

Server and client

knockd server

knockd is a port-knock server that listens at the link layer, the lowest layer in the Internet protocol suite. This makes it possible to catch packets destined for closed ports. When the server detects a specific sequence of port hits, it runs a command defined in its configuration file.

The setup and configuration of knockd are simple. Let's break down the configuration file, located by default in /etc/knockd.conf:

    [options]
        logfile = /var/log/knockd.log

    [openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 10
        tcpflags    = syn
        command     = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    [closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 10
        tcpflags    = syn
        command     = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Each event begins with a title marker, in the form [name], where name is the name of the event that will appear in the log. A special marker, [options], is used to define global options.

  • sequence is the order of ports in the knock. Optionally, you can specify the protocol for each port (TCP by default).
  • seq_timeout is the time allowed for the full sequence to be completed and trigger the command. If the time elapses before the knock is complete, the knock is discarded.
  • tcpflags are the TCP flags that knock packets are expected to carry. When using TCP flags, knockd will ignore packets that don’t match the flags. (TCP SYN is the default flag, as it is the first packet in a TCP connection request.)
  • command is the command to be executed when a client makes the correct port knock. All instances of %IP% will be replaced with the knocker’s IP address.
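To make the interaction of sequence, seq_timeout, tcpflags and %IP% concrete, here is a simplified per-source model of one event section. It is an added example, not knockd's own code; the class, function names and sample traffic are constructed for illustration. It also shows why a knock that arrives out of order or too slowly fires nothing.

```python
from dataclasses import dataclass, field

@dataclass
class KnockTracker:
    """Simplified model of one knockd event section (not knockd's real code)."""
    sequence: tuple      # sequence    = 7000,8000,9000
    seq_timeout: float   # seq_timeout = 10 (seconds for the whole knock)
    command: str         # command template containing %IP%
    tcpflags: str = "syn"
    _state: dict = field(default_factory=dict)  # src_ip -> (next index, start time)

    def packet(self, src_ip, dport, flags, now):
        """Feed one observed packet; return the command to run, or None."""
        if flags != self.tcpflags:
            return None                      # non-matching flags are ignored
        idx, started = self._state.pop(src_ip, (0, now))
        if idx and now - started > self.seq_timeout:
            idx, started = 0, now            # too slow: partial knock discarded
        if dport == self.sequence[idx]:
            idx += 1
        elif dport == self.sequence[0]:
            idx, started = 1, now            # wrong port, but it restarts the knock
        else:
            idx = 0                          # wrong port: progress is lost
        if idx == len(self.sequence):
            return self.command.replace("%IP%", src_ip)
        if idx:
            self._state[src_ip] = (idx, started)
        return None

def run(tracker, packets):
    """Replay (time, src_ip, dport, flags) tuples; return the commands fired."""
    fired = []
    for now, src, dport, flags in packets:
        cmd = tracker.packet(src, dport, flags, now)
        if cmd:
            fired.append(cmd)
    return fired

def new_tracker():
    return KnockTracker((7000, 8000, 9000), 10,
        "/usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT")

# Constructed sample traffic (documentation addresses, made-up timestamps).
A, B = "198.51.100.7", "203.0.113.9"
IN_ORDER  = [(0, A, 7000, "syn"), (1, A, 8000, "syn"), (2, A, 9000, "syn")]
REORDERED = [(0, A, 7000, "syn"), (1, A, 9000, "syn"), (2, A, 8000, "syn")]
TOO_SLOW  = [(0, A, 7000, "syn"), (5, A, 8000, "syn"), (11, A, 9000, "syn")]
MIXED     = [(0, A, 7000, "syn"), (0, B, 7000, "syn"), (1, A, 8000, "ack"),
             (2, A, 8000, "syn"), (3, B, 9000, "syn"), (4, A, 9000, "syn")]
```

Only IN_ORDER and source A in MIXED produce the iptables command; state is kept per source address, so one client's packets never advance another client's knock.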

After configuring knockd, specify the interface and run it as a daemon:

    knockd -i <interface> -d

To make knockd start on boot, set START_KNOCKD to 1 in the /etc/default/knockd file and provide additional options, if required.

knock client

Install the knockd package on the client-side machine, as it includes a tool called knock. This tool helps to perform complex secret sequences. To send a knock sequence to the server, use knock <host> <sequence>.

  • knock server 7000 8000 9000 – would open the SSH port in the server-side example above.
  • knock server 9000 8000 7000 – would close the SSH port in the same example.


  • Defeating port knocking protection requires large-scale brute-force attacks in order to discover even simple sequences. An anonymous brute-force attack against a three-knock TCP sequence would require an attacker to test every three-port combination in the 1–65535 range and then scan each port between attacks to uncover any changes in port access on the target system.

  • Even if the attacker were to successfully gain port access, other port security mechanisms are still in place, along with the assigned service authentication mechanisms on the opened ports.


  • The failure of the port knocking daemon will deny port access to all users. From a usability and security perspective, this is an undesirable single point of failure.

  • Port knocking can be problematic on networks exhibiting high latency. Port knocking depends on packets arriving in the correct sequence to access its designed functionality. TCP/IP, on the other hand, is designed to function by assembling out of order packets into a coherent message. In these situations, the only solution is for the client to continue resending the correct sequence of packets on a periodic basis until the sequence is acknowledged by the server.

  • Any attacker who can sniff or otherwise obtain the knock sequence can use it to bypass the port knocking protection on all hosts which are using the same sequence.

  • Unintended publication of the knock sequence implies compromise of all devices supporting the sequence.
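The sniffing and reuse weakness above applies to static sequences. The sketch below illustrates the time-dependent, source-IP-based kind of knock mentioned under "How it works": the ports are derived from a shared secret, so a captured sequence expires and is useless from another address. It is an added example of a hypothetical scheme, not a knockd feature or the author's code; the function names, the 30-second window and the sample values are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW = 30  # seconds a derived sequence stays valid (assumed value)

def knock_ports(secret, src_ip, now, count=3):
    """Derive `count` ports from HMAC-SHA256(secret, time step || source IP)."""
    step = int(now) // WINDOW
    msg = struct.pack(">Q", step) + src_ip.encode("ascii")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Two MAC bytes per port, mapped into the unprivileged range 1024-65535.
    return [1024 + int.from_bytes(mac[2 * i:2 * i + 2], "big") % 64512
            for i in range(count)]

def accepts(secret, src_ip, observed, now):
    """Server check: current or previous time step, to tolerate clock skew."""
    return any(list(observed) == knock_ports(secret, src_ip, t)
               for t in (now, now - WINDOW))

# Constructed sample values.
SECRET = b"constructed-demo-secret"
CLIENT, OTHER = "198.51.100.7", "203.0.113.9"
T0 = 1_700_000_000
SNIFFED = knock_ports(SECRET, CLIENT, T0)   # what an eavesdropper would capture
```

A captured sequence can still be replayed from the same source address until its window expires, so this narrows the exposure rather than removing it, and the service behind the port still needs its own authentication.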


Port knocking is a thin layer of server security against scanning and enumeration, but it cannot be used as the sole authentication mechanism for a server. Port knocking will come in handy to hide your services from strangers, and possibly protect your server against SSH brute-force attacks.


Mykyta Zaitsev