Since I have seen some articles that seem rather inaccurate about port knocking, I would like to add some of my own thoughts on the subject.

First, port knocking is not meant to be used alone…

Even if you use your daemon’s default port (let’s say port 22 for sshd), port knocking can protect you more than you might imagine. Let’s take the following setup:

  • SSHd running on port 65122
  • Connections to port 65122 are answered with “connection refused” (via a firewall rule that rejects with an ICMP error)
  • In order to “open” port 65122, connection attempts must be made to ports 22448, 44228 and 22884, in that order. Any other order blacklists the attempting IP for 1 hour
  • More than 5 attempts to connect to port 65122 within 20 minutes also result in a 1-hour blacklist
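The policy described by these four points is easiest to reason about as a small state machine kept per source IP. The following is an added example, not code from the original post: it simulates that policy over a constructed list of firewall events, with the service port, the knock sequence, the 1-hour blacklist and the 5-attempts-per-20-minutes limit taken from the setup above, and one assumption of my own, that a completed sequence keeps the port open for OPEN_SECONDS (30 seconds) for that IP.

```python
"""Per-IP port-knock policy simulator (added example, not the post's own code).

Policy modelled (from the setup above):
  - the protected service listens on SERVICE_PORT
  - the knock sequence KNOCK_SEQUENCE must be hit in order; any other port,
    or a knock port out of order, blacklists the source for 1 hour
  - more than RATE_LIMIT attempts on SERVICE_PORT within RATE_WINDOW_SECONDS
    also blacklists the source for 1 hour
Assumption of this example: a completed sequence opens the service port for
that IP for OPEN_SECONDS. Events are (timestamp_seconds, source_ip, dst_port)
tuples, as a knock daemon would derive them from firewall logs.
"""
from collections import defaultdict, deque

SERVICE_PORT = 65122
KNOCK_SEQUENCE = (22448, 44228, 22884)
BLACKLIST_SECONDS = 3600
RATE_WINDOW_SECONDS = 20 * 60
RATE_LIMIT = 5            # more than this many attempts in the window -> blacklist
OPEN_SECONDS = 30         # assumption: how long a completed knock keeps the port open


class KnockPolicy:
    def __init__(self):
        self.progress = defaultdict(int)            # ip -> index of next expected knock
        self.blacklisted_until = {}                 # ip -> epoch seconds
        self.open_until = {}                        # ip -> epoch seconds
        self.service_attempts = defaultdict(deque)  # ip -> timestamps of SERVICE_PORT attempts

    def is_blacklisted(self, ip, now):
        return self.blacklisted_until.get(ip, 0) > now

    def _blacklist(self, ip, now):
        # A blacklist also discards any partial progress and any open window.
        self.blacklisted_until[ip] = now + BLACKLIST_SECONDS
        self.progress[ip] = 0
        self.open_until.pop(ip, None)

    def handle(self, now, ip, port):
        """Verdict for one connection attempt: DROP, ACCEPT, REFUSE or BLACKLIST."""
        if self.is_blacklisted(ip, now):
            return "DROP"
        if port == SERVICE_PORT:
            attempts = self.service_attempts[ip]
            attempts.append(now)
            # Keep only attempts inside the sliding 20-minute window.
            while attempts and attempts[0] <= now - RATE_WINDOW_SECONDS:
                attempts.popleft()
            if len(attempts) > RATE_LIMIT:
                self._blacklist(ip, now)
                return "BLACKLIST"
            if self.open_until.get(ip, 0) > now:
                return "ACCEPT"
            return "REFUSE"
        # Any port other than the service port is treated as a knock.
        expected = KNOCK_SEQUENCE[self.progress[ip]]
        if port != expected:
            self._blacklist(ip, now)
            return "BLACKLIST"
        self.progress[ip] += 1
        if self.progress[ip] == len(KNOCK_SEQUENCE):
            self.progress[ip] = 0
            self.open_until[ip] = now + OPEN_SECONDS
        # Knocks themselves are always refused, so a correct knock looks
        # exactly like a wrong one to the sender.
        return "REFUSE"


def simulate(events):
    """Run a list of (timestamp, ip, port) events and return (ip, port, verdict) triples."""
    policy = KnockPolicy()
    return [(ip, port, policy.handle(ts, ip, port)) for ts, ip, port in events]


# Constructed sample: one legitimate client, one scanner knocking out of order,
# and one client hammering the service port.
SAMPLE_EVENTS = [
    (0, "198.51.100.10", 22448), (1, "198.51.100.10", 44228),
    (2, "198.51.100.10", 22884), (3, "198.51.100.10", 65122),
    (5, "203.0.113.5", 44228),   (6, "203.0.113.5", 22448),
] + [(60 * i, "192.0.2.7", 65122) for i in range(6)]

if __name__ == "__main__":
    for ip, port, verdict in simulate(SAMPLE_EVENTS):
        print(f"{ip:>14} -> {port:5d}: {verdict}")
```

Note that all state is per source IP, which is exactly why the post later mentions parallelizing over source addresses: each address gets its own progress counter and its own blacklist timer. Also, the sequence is a static secret sent in the clear, so, as the post says at the outset, it is a layer in front of SSH authentication rather than a replacement for it.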

Now, if you think you’re that smart, just try to find your way in without the “passphrase” (which is 22448-44228-22884-65122). If you make too many attempts, you end up blacklisted. Let’s say you have found out that connecting to port 65122 gets you banned, and have determined that you can make up to 5 attempts in 20 minutes. Let’s also say you know you have to knock exactly 3 ports before you can connect.
You then have to test 65536^3 = 281474976710656 combinations, and you can only test 5 of them in 20 minutes; that would require 70368744177660 minutes (133882694 years or so).

I can assume no decent system will stay up for 133882694 years without any change to its security settings. You can parallelize this with different source IPs, but it will still take far too long against administrators who change their settings every 3 to 6 months.
