
Port knocking is an additional layer of security that can be added to an already existing security concept for a server. The web server runs the SSH service behind a port, e.g. the default port 22, but this port is only opened after a certain sequence of ports is tried (knocked) before, for example 1022, 2022, 3022.

The situation is now the following: the server is running behind a consumer product router which forwards port 22. To enable port knocking, the router also has to forward ports 1022, 2022, 3022. The other ports in the router and server are closed.

Can a random attacker detect that certain ports are open in the router and thus guess at least the ports used for the knocking sequence such that it is basically useless?

I think of something like this "Oh, ports 22, 1022, 2022, 3022 look different, probably I can try a random sequence of these ports?"

Is it in fact true that from outside it can be detected whether the router is forwarding and the port is blocked on the server or the router blocks ports?

Are there any other reasons that would render port knocking less useful in such a scenario?

Regarding the answer from schroeder♦: are there consumer product routers that support this if it has to run on the router?

kap

1 Answer


Port knocking is done with closed ports.

https://wiki.archlinux.org/index.php/Port_knocking

This means that no one can witness the sequence of ports opening up.

The port that gets opened is opened for the IP that knocked correctly.

Yes, this increases security because you limit the threat surface for scans and probes. The technique to open the port is weak in terms of security, but a closed port is a lowered threat, in general.

As for products that do this, because this is a really niche request, I doubt commercial products will offer port knocking, but custom firmware exists that will enable a router to do port knocking.

schroeder
  • Thanks for that. More specifically the question is for the scenario with a consumer product router, as I have to open the ports in two devices. Does this diminish the (already weak) improvement in terms of security? – kap Apr 24 '17 at 07:47
  • I'm confused about your scenario. Where is the port knocking done? On the router? What *exactly* do you want to secure? The SSH port? – schroeder Apr 24 '17 at 08:35
  • I have a server, with SSH and public key login. I was thinking to also enable port knocking just to block simple scanning scripts. The server is behind a router that currently forwards the SSH port. I have to forward also the ports used for the knock to enable this. – kap Apr 24 '17 at 08:52
  • Ok, you might want to update your question with these details. Port knocking would be best on the router, else you would have to open those ports on the router, which would indicate that there is *something* there, which will invite further exploration from outside parties. – schroeder Apr 24 '17 at 09:00
  • Great, that was exactly the answer for my question. I will try to modify. – kap Apr 24 '17 at 09:10
  • Right now I am experimenting with RouterOS and it is possible to organize port knocking there – alexsuslin Mar 11 '18 at 21:41
  • Mikrotik routers can be configured for port knocking https://wiki.mikrotik.com/wiki/Port_Knocking – 79E09796 Nov 08 '18 at 09:25
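The two points the answer makes, that the knocks land on closed ports and that the guarded port is opened only for the source address that completed the sequence, are easiest to see as the small state machine a knock daemon (or an equivalent firewall rule chain on the router) has to implement. The following is an added illustration written for this page, not code from the question, the answer, the Arch wiki or any knock daemon. It assumes a constructed knock sequence of 7000, 8000, 9000 guarding port 22, and it replays constructed iptables-LOG-style lines (one per rejected SYN, prefixed with a timestamp in seconds) because that is what the watching side actually sees: connection attempts, not open ports. Whatever runs this logic must see the knock packets, which is why, in the asker's setup, a tracker on the server needs the router to forward the knock ports, while a tracker on the router does not.

```python
import re

# Constructed values for this example; a real deployment picks its own.
KNOCK_SEQUENCE = (7000, 8000, 9000)  # ports that must be hit in exactly this order
PROTECTED_PORT = 22                  # the port that opens after a correct sequence
KNOCK_TIMEOUT = 10.0                 # max seconds allowed between consecutive knocks
OPEN_DURATION = 30.0                 # seconds the protected port stays open per knocker

# Matches the SRC= and DPT= fields of an iptables-style LOG line (constructed format).
LOG_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")


class KnockTracker:
    """Per-source-IP knock state: progress through the sequence, and open grants."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.open_for = open_for
        self.progress = {}  # src_ip -> (index of next expected knock, time of last knock)
        self.opened = {}    # src_ip -> time at which the grant expires

    def observe(self, src, dport, now):
        """Feed one connection attempt to a closed port.

        Returns True when this attempt completes the sequence for src.
        Strict policy: any port outside the expected one resets progress, so a
        scanner sweeping ports in order (7000, 7001, ...) never completes it.
        """
        idx, last = self.progress.get(src, (0, now))
        if now - last > self.timeout:
            idx = 0  # too slow between knocks: start over
        idx = idx + 1 if dport == self.sequence[idx] else 0
        if idx == len(self.sequence):
            # Grant is bound to the knocking address only, not to everyone.
            self.opened[src] = now + self.open_for
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, now)
        return False

    def is_allowed(self, src, dport, now):
        """Would the firewall accept a connection from src to dport at time now?"""
        if dport != PROTECTED_PORT:
            return False
        expiry = self.opened.get(src)
        return expiry is not None and now <= expiry


def process_log(lines, tracker=None):
    """Replay timestamped log lines; return (set of sources that knocked correctly, tracker)."""
    tracker = tracker or KnockTracker()
    completed = set()
    for line in lines:
        ts, _, rest = line.partition(" ")
        m = LOG_RE.search(rest)
        if not m:
            continue
        if tracker.observe(m["src"], int(m["dpt"]), float(ts)):
            completed.add(m["src"])
    return completed, tracker


# Constructed sample log: one legitimate knocker, one sequential scanner, one slow knocker.
SAMPLE_LOG = [
    "100.0 KNOCK IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=7000 SYN",
    "101.0 KNOCK IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=8000 SYN",
    "102.0 KNOCK IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=9000 SYN",
    "200.0 KNOCK IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=7000 SYN",
    "200.1 KNOCK IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=7001 SYN",
    "200.2 KNOCK IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=8000 SYN",
    "200.3 KNOCK IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=9000 SYN",
    "300.0 KNOCK IN=eth0 SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=7000 SYN",
    "320.0 KNOCK IN=eth0 SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=8000 SYN",
    "321.0 KNOCK IN=eth0 SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP DPT=9000 SYN",
]

if __name__ == "__main__":
    done, t = process_log(SAMPLE_LOG)
    print("completed the sequence:", sorted(done))
    print("203.0.113.5 -> 22 at t=110:", t.is_allowed("203.0.113.5", 22, 110.0))
    print("203.0.113.5 -> 22 at t=140:", t.is_allowed("203.0.113.5", 22, 140.0))
    print("198.51.100.7 -> 22 at t=201:", t.is_allowed("198.51.100.7", 22, 201.0))
```

Running it shows only 203.0.113.5 completing the sequence and being allowed to port 22, and only until its grant expires; the scanner that swept 7000, 7001, 8000, 9000 and the knocker that paused 20 seconds between knocks both stay locked out. Note what this does and does not buy: a source that is watching the knocker's packets (on the same network path) still learns the sequence, which matches the answer's remark that the opening technique itself is weak, while the reduced exposure to blind scans is where the benefit lies.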