Technical Support: 412-349-6678 | Incident Response

What Is Port Knocking, and Why Should You Use It?

Port knocking on a keyboard

Can you make your servers invisible to attackers?

Well, maybe not in the physical, super-hero sense. But digitally, yes, you can.

Port knocking and single-packet authentication (SPA) can hide servers, gateways, and other devices from prying eyes. They help make devices unresponsive to digital probes from the thousands of casual attacks searching for weak spots in your systems. 

But why is it something you should consider? How and when, do you do it? What, exactly, is port knocking? 

Let’s break it down.

Why Hide Servers?

Early in the attack process, those looking for vulnerabilities scan your devices.

These attackers use commands such as “nmap,” or other scanning tools, to produce a list of IP addresses to explore.

Once they’ve located an IP address, attackers try to gather more information about your devices.

They scan for open ports (virtual points where network connections start and end), operating system information, and what device the IP address belongs to.

Whether it’s a server, PC, network equipment, peripheral device (like a printer), wifi-connected camera, or something else, they all tell a story to hackers.

A list of open ports on a firewall indicates what types of attacks they should attempt. For example, if port 23 is open, then a device might be vulnerable to attacks exploiting the Telnet protocol.

But, if you can hide your IP address, attackers might overlook the hidden device. Even if they know the IP address, if you obscure open ports, you can slow down or discourage the attack entirely.

Essentially, criminals have a hard time stealing what they can’t see.

The importance of information governance
How important is information governance? Click the image to find out.

How Does Port Knocking or SPA Hide a Server?

Port knocking and SPA add obfuscation-as-security as a layer of defense against attack.

So how does it work?

Before a server or gateway responds to a packet request (a normal request for information), authorization must first be obtained.

Without this confirmation, the server will ‘default drop’ return packets that normally indicate an active IP address or open port.

Port knocking requires an administrator to establish a daemon (a process that occurs in the background). This process watches for a pre-determined sequence of packets delivered by the appropriate protocol to open the communication port.

It’s like a secret handshake, or secret knock, that needs to be answered the right way. Mess up the secret knock, and servers won’t let you in.

For example, you could set up the sequence as TCP port 343, UDP port 2266, and TCP port 2122 as correct ‘code’, before opening the SSH protocol for communication on port 22. 

The more complex the sequence is, the more secure it becomes. To make it a harder code to break, you can specify exact times between packets, specific IP ranges, etc.

Alternatively, Single-Packet Authorization installs a service (like the open-source fwknop service) on a server or gateway. Its job is to listen for and decrypt the packet for inspection.

The single encrypted packet must contain all the information required by the server before it will respond, such as the protocol and port numbers requested for communication.

Once communication has been established with a specific IP address, only the sender from that specific address is authorized. Requests from other IP address won’t see any open ports.

Security can be enhanced further by adding rules to the server, like requiring specific source ports from the sender.

Implementation Flaws & Use Cases

While port knocking and SPA are powerful techniques, they should only be used as an additional layer to traditional cybersecurity.

In most cases, they require IT experts to set up properly.

Additionally, these technologies use the advantage of obscurity. So, while you can use this technology on many devices, the advantage is lost on commonly used ones. 

For example, if you use port knocking on your VPN server, one bad click can provide the server IP address to an attacker on a silver platter.

The true advantages of port knocking and SPA shines in respect to key resources with limited users, such as:

  • An evidence server on the network for the county’s sheriff department
  • A cloud-based data server storing backups or security log files 
  • A Windows XP device running specialized equipment in the imaging department of a hospital

Putting Theory Into Action

These techniques become even more powerful when combined with other security options.

For example, consider that sheriff department’s evidence server using port knocking to hide it from casual scans. You could combine it with a honeypot (an irresistible trap for hackers) named “Evidence Server.”

Not only would the real server remain hidden, you can monitor and track anyone looking at your “trap” server. 

Speed of response is critical to deterring attackers, and this combination provides early warning.

Any intruders on the network will probably attack the wrong devices. This gains you crucial time to block further activity and keep your business safe.

The Takeaways

Port knocking and single-packet authentication both serve a key purpose in boosting your cybersecurity.

By keeping your devices hidden from the eyes of hackers, it keeps them out of harm’s way. Though they’re definitely more advanced techniques to set up, in the right situation, they’re invaluable.

If you and your team are interested in keeping your servers hidden from attackers, but don’t know where to start, contact Ideal Integrations or Blue Bastion at 412-349-6680, or fill out the form below for a free consultation.

We’ll be happy to discuss any questions you have, and come up with the best solutions for you!

Need a Managed IT Solution For Your Organization? Contact Us!

  • This field is for validation purposes and should be left unchanged.