FreeBSD Port-Knocking

freebsd port-knocking nmap netcat

Changing the port numbers is not a proper security policy. Changing the port numbers and services is a common mistake. Hackers going to find out what you hiding by just a simple port scanner and it takes about 2 minutes, nothing more. Nmap will take care of this process and it’s over.

Install Port-Knocking Client/Server

There is a flexible port-knocking server and client. You can easily install it by the port tree or pkg:
# cd /usr/ports/security/knock
# make install clean rehash
Tip: issue above commands on both client and server.

knock consists of two apps:

  1. knockd
    port-knocking server
  2. knock
    port-knocking client

Configure Port-Knocking Server

To configure knockd service you have to edit knockd.conf. So first create a conf file from the sample and then add configurations:
# cp /usr/local/etc/knockd.conf.sample /usr/local/etc/knockd.conf
# ee /usr/local/etc/knockd.conf
contents of knockd.conf:

	logfile = /var/log/knockd.log  
	interface = re0  
	sequence    = 7000,8000,9000  
	seq_timeout = 5  
	command     = /sbin/ipfw -q add 00100 pass proto tcp src-ip %IP% dst-port 22  
	tcpflags    = syn  
	sequence    = 9000,8000,7000  
	seq_timeout = 5  
	command     = /sbin/ipfw -q delete 00100 pass proto tcp src-ip %IP% dst-port 22  
	tcpflags    = syn  

as you can see there is 3 sections and many directives. Option section that is dedicated to interface name and log file. Other 2 sections are for executing command by custom sequence of ports within 5 seconds that has syn flag.
The first command adds a rule number 00100 to ipfw that allows connection to ssh port by IP address of who knocked successfully.
The second command deletes previous rule. But you can execute any command.
One of the most important directives is One_Time_Sequences. You can add this directive by:
One_Time_Sequences = /path/to/one_time_sequences_file
The file containing the one-time sequences to be used. Instead of using a fixed sequence, knockd will read the sequence to be used from that file. After each successful knock attempt, this sequence will be disabled by writing a ‘#’ character at the first position of the line containing the used sequence. That used sequence will then be replaced by the next valid sequence from the file.
Also TCPFlags directive can be these values:
TCPFlags = fin|syn|rst|psh|ack|urg
When using TCP flags, knockd will IGNORE TCP packets that don’t match the flags. This is different than the normal behavior, where an incorrect packet would invalidate the entire knock, forcing the client to start over. Using “TCPFlags = syn” is useful if you are testing over an SSH connection, as the ssh traffic will usually interfere with (and thus invalidate) the knock. Separate multiple flags with commas (eg, TCPFlags = syn,ack,urg). Flags can be explicitly excluded by a “!” (eg,TCPFlags = syn,!ack).
On your server issue this to run port-knocking server:
# knockd
On your client issue this:
# knock “server IP” 7000 8000 9000
Replace “server IP” with your servers IP.

There are other ways to do port-knocking:

  1. Nmap
    The nmap is a Network exploration tool and security/port scanner but you issue this command to port-knocking:
    # for x in 7000 8000 9000; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x “server IP”; done

  2. Netcat
    The NC (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX domain sockets. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.

And can do the same thing with:

# nc -z “server IP” 1000 2000 3000

You can get full edition at:

enter image description here