I use port knocking on my most sensitive systems. “Security through obscurity doesn’t work yadda yadda” aside, I think it’s a pretty effective way to hide ports from being open all the time.
Previously, I had written a shell script that invoked `nmap` to do the job for me, but I wanted to streamline it, make it faster, and more generic. So, I wrote knocker, a configurable port knocking tool.
Basically, you give it the following info (either in a `~/.knocker` config file or on the command line):
- target host
- target port to open
- command to run after opening
- open knock sequence
- close knock sequence
It then checks to see if the target port is already open. If it isn’t, it knocks the open sequence. It runs whatever command you want and then knocks the close sequence.
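To make that open-run-close flow concrete, here is an added Python sketch of the same client logic. It is not knocker's own code, and the `EXAMPLE_CONFIG` dict, the helper names and the use of plain TCP connect attempts as knocks are all assumptions for illustration; knocker's config format is not shown on this page.

```python
import socket
import subprocess
import time

# Constructed example configuration (hypothetical; not knocker's ~/.knocker format).
EXAMPLE_CONFIG = {
    "host": "127.0.0.1",
    "port": 2222,                        # the target port we want opened
    "command": ["echo", "connected"],    # what to run once the port is open
    "open_sequence": [7000, 8000, 9000], # constructed knock sequences
    "close_sequence": [9000, 8000, 7000],
}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes (the port is open)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def knock(host, sequence, delay=0.2, timeout=0.5):
    """Send one TCP connection attempt per port, in order, with a short gap.

    Knock ports are normally closed, so the connect is expected to fail;
    the knock daemon only needs to see the incoming SYN. Returns the ports
    that were attempted, in order.
    """
    attempted = []
    for port in sequence:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass  # refused / timed out is the normal case for a knock port
        attempted.append(port)
        time.sleep(delay)
    return attempted


def run_session(cfg, runner=subprocess.call, wait=2.0):
    """Knock open only if needed, run the command, then knock closed.

    `runner` is injectable so the flow can be exercised without a real
    command; it must return the command's exit status.
    """
    opened_here = False
    if not port_open(cfg["host"], cfg["port"]):
        knock(cfg["host"], cfg["open_sequence"])
        opened_here = True
        time.sleep(wait)  # give the knock daemon time to apply its firewall rule
    rc = runner(cfg["command"])
    if opened_here:
        # Only close what we opened; if the port was already open, leave it alone.
        knock(cfg["host"], cfg["close_sequence"])
    return rc


if __name__ == "__main__":
    print("exit status:", run_session(EXAMPLE_CONFIG))
```

The "only close what we opened" branch matters in practice: if the port was already open for another session, blindly knocking the close sequence would cut that session off.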
There are plenty of ways it can be improved, but it’s working happily for me right now.
I’d like to write a knock server (right now, I use knockd) that uses one-time authentication to cycle through sequences of ports, either as a time-based or counter-based system. Then, replay attacks are next to impossible!
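As an added illustration of that idea (this is not code from knockd or knocker, and the derivation scheme, port range and window size are my own assumptions), the following Python shows how client and server can derive each knock sequence from a shared secret and a counter in HOTP style, so that a sequence captured on the wire is useless once the counter has moved on. A time-based variant just feeds a time-step counter into the same derivation.

```python
import hashlib
import hmac
import struct


def knock_sequence(secret, counter, length=3, low=10000, high=60000):
    """Derive a knock sequence from HMAC-SHA256(secret, counter).

    Each port comes from a separate 2-byte slice of the MAC mapped into
    [low, high]. Both sides compute this, so no sequence is ever stored.
    """
    if length > 16:
        raise ValueError("SHA-256 yields only 16 two-byte slices")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    span = high - low + 1
    return [low + struct.unpack(">H", mac[2 * i:2 * i + 2])[0] % span
            for i in range(length)]


def time_counter(now, step=30):
    """Time-based variant: the counter is the current 30-second step."""
    return int(now // step)


class KnockVerifier:
    """Counter-based server-side check with replay protection.

    Accepts the sequence for the next unused counter (allowing a small
    look-ahead window for lost knocks), then advances past it, so the same
    sequence can never be accepted twice.
    """

    def __init__(self, secret, window=3):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, observed):
        for c in range(self.counter, self.counter + self.window):
            # Plain list equality is fine here: the observed ports are already
            # public to anyone on the path, so there is nothing to hide by timing.
            if observed == knock_sequence(self.secret, c):
                self.counter = c + 1  # burn this and every earlier counter
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    verifier = KnockVerifier(secret)
    seq = knock_sequence(secret, 0)
    print("sequence for counter 0:", seq)
    print("first use accepted:", verifier.verify(seq))
    print("replay accepted:", verifier.verify(seq))
```

The look-ahead window is the usual HOTP compromise: too small and one dropped knock desynchronises the client, too large and an attacker who records several sequences gets more of them to try before they expire.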