The term port knocking refers to a type of host-to-host communication in which the information flows across closed ports. The primary purpose of port knocking is to keep attackers from successfully conducting a port scan, since the server keeps the protected port closed until it receives the correct port knocking protocol or sequence. There are several port knocking methods, including encoding the information in a packet payload or in a sequence of port numbers. In either case the data is sent to a closed port, where a daemon monitoring that port receives the information without sending any acknowledgement back to the sending computer.

How does Port Knocking Work?

Port knocking is similar to the physical action of knocking on a house door in a predefined sequence. The requesting computer (or client) transmits an encoded, and sometimes encrypted, message to the server, which is decoded into a sequence of port numbers; this sequence is referred to as the “knock” on the server. The packets carrying the knock are TCP “SYN” packets, and they receive no response from the server during this phase of communication. Once the knock is recognised as a valid action, a server-side process is triggered to open the port, and with it the communication protocol, for the requesting client computer.

What are the Port Knocking Steps?

The following are the high-level steps for the port knocking sequence between a client and server computer:

Step 1 – If a client computer fails to connect to an application on a given port of the desired server, it proceeds with the port knocking sequence.

Step 2 – The client computer then sends SYN packets to a pre-defined sequence of ports on the server; the sequence itself carries the encrypted message. The client computer must know both that a port knocking daemon is in use and the sequence configured for it in order to connect to the server. At no point in this part of the sequence will the server send a confirmation to the client computer.

Step 3 – The port knocking daemon intercepts the communication attempts and determines whether they form an authentic port knocking attempt. If it is a valid knock and the content is proper, the daemon opens the port that the client computer requested.

Step 4 – The client computer connects to the desired port and further authenticates itself to the server’s program by whatever means that program requires.
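The four steps above, seen from the daemon's side (Step 3), as an added example that is not part of the original article: a small state machine that consumes SYN observations per client, opens the protected port only when the whole sequence arrives in order and within a time window, and resets on a wrong or stale knock. The sequence, the window and the SYN observations are constructed values, not taken from any real deployment.

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence (constructed example)
KNOCK_WINDOW = 10.0                  # seconds allowed to finish the whole sequence

class KnockDaemon:
    """Server-side logic for Step 3: watch SYNs hitting closed ports and open
    the protected port only after the full sequence arrives in order and in time."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = sequence
        self.window = window
        self.progress = {}   # src -> (knocks matched so far, time of first knock)
        self.opened = set()  # clients for which the protected port was opened

    def observe(self, src, port, ts):
        """Feed one SYN observation (source address, destination port, time).
        Returns True exactly when this knock completes the sequence for src."""
        index, started = self.progress.get(src, (0, 0.0))
        # Stale partial sequences are discarded, so knocks cannot be pieced together slowly.
        if index and ts - started > self.window:
            index, started = 0, 0.0
        if port == self.sequence[index]:
            started = ts if index == 0 else started
            index += 1
        elif port == self.sequence[0]:
            index, started = 1, ts   # wrong knock, but it starts a fresh sequence
        else:
            index, started = 0, 0.0  # wrong knock: the client must start over
        if index == len(self.sequence):
            self.progress.pop(src, None)
            self.opened.add(src)     # a real daemon would insert a firewall rule here
            return True
        self.progress[src] = (index, started)
        return False

# Constructed SYN observations (src, dst_port, timestamp); not captured traffic.
SAMPLE_SYNS = [
    ("10.0.0.5", 7000, 100.0), ("10.0.0.5", 8000, 100.5),  # correct knock
    ("10.0.0.5", 9000, 101.0),
    ("10.0.0.9", 7000, 100.0), ("10.0.0.9", 7001, 100.1),  # sequential port scan:
    ("10.0.0.9", 8000, 100.2), ("10.0.0.9", 9000, 100.3),  # 7001 breaks the sequence
    ("10.0.0.7", 7000, 200.0), ("10.0.0.7", 8000, 205.0),  # right ports, but the
    ("10.0.0.7", 9000, 215.0),                             # last knock is too late
]

def replay(syns, daemon=None):
    """Replay observations through a daemon; return the clients granted access."""
    daemon = daemon or KnockDaemon()
    for src, port, ts in syns:
        daemon.observe(src, port, ts)
    return daemon.opened
```

Only 10.0.0.5 is granted access in the replay; note that a scanner hitting exactly 7000, 8000 and 9000 with no port in between would also pass, which is why short or ascending sequences are a weak configuration.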

How is Port Knocking Used?

Port knocking is a common technique for hardening a web host that also serves users who need public services such as HTTP and SMTP throughout the day. It keeps general public traffic from connecting to the protected services on the server while allowing authenticated clients to connect and receive the desired services. The port knock daemon can be configured to respond to an authenticated knock with a tailored action. Port knocking is not the most suitable solution for every case of web server hardening; whether to use it depends on the network’s specific security needs.