Port Knocking

Hide services behind port knock sequences for enhanced security.

Pro Feature

Port Knocking requires a Pro license.

What is Port Knocking?

Port knocking is a stealth security method where ports remain closed until a specific sequence of connection attempts (knocks) is received. Only then does the firewall open the protected port.

Normal state:
┌─────────────────────────────────┐
│ Firewall (all ports closed) │
└─────────────────────────────────┘

After correct knock sequence:
┌─────────────────────────────────┐
│ Port 22 OPEN for your IP │
│ (closes after timeout) │
└─────────────────────────────────┘

Benefits

  • Hide services - Ports appear closed to scanners
  • Reduce attack surface - No exposed ports to brute-force
  • Defense in depth - Additional security layer
  • Audit trail - Know who accessed what

How It Works

  1. User sends TCP/UDP packets to specific ports in sequence
  2. Agent monitors for knock patterns
  3. On valid sequence, firewall rule added for user's IP
  4. User can now connect to protected service
  5. After timeout, port closes again

Setup

Enable Port Knocking

  1. Go to Settings → Port Knocking
  2. Enable the feature
  3. Configure sequences

Or via environment:

PORT_KNOCK_ENABLED=true

Configure Knock Sequence

In dashboard:

  1. Go to Port Knocking page
  2. Click Add Sequence
  3. Configure:
    • Name: Descriptive name
    • Protected Port: Port to protect (e.g., 22)
    • Knock Sequence: Ports to knock (e.g., 7000,8000,9000)
    • Protocol: TCP or UDP
    • Timeout: How long port stays open
    • Servers: Which servers to apply

Agent Configuration

In agent.yaml:

modules:
  portknock:
    enabled: true
    interface: eth0
    sequences:
      - name: ssh-access
        protected_port: 22
        knock_ports: [7000, 8000, 9000]
        protocol: tcp
        timeout: 30
        max_attempts: 3

Knock Sequences

Example Sequences

Use Case       Knock Ports          Protected Port
SSH Access     7000, 8000, 9000     22
Admin Panel    1234, 5678, 9012     443
Database       2222, 3333, 4444     3306

Sequence Best Practices

  • Use 3-5 knock ports
  • Choose random, high ports (above 1024)
  • Avoid common ports (80, 443, etc.)
  • Mix TCP and UDP if possible

Performing a Knock

Using nmap

# Knock sequence: 7000, 8000, 9000
for port in 7000 8000 9000; do
  nmap -Pn --host-timeout 100 --max-retries 0 -p "$port" server.example.com
done

# Now connect to SSH
ssh user@server.example.com

Using knock Client

# Install knock
apt install knockd

# Perform knock
knock server.example.com 7000 8000 9000

# Connect
ssh user@server.example.com

Using netcat

# TCP knocks
for port in 7000 8000 9000; do
  nc -z -w 1 server.example.com "$port"
done
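The three command-line variants above all do the same thing: one connection attempt per knock port, in order. The following is an added example, not the knock/knockd tool or Bloqd's own client, showing that logic in Python with two details the one-liners leave implicit: a closed knock port is expected to answer with a refusal or silence (the firewall has already seen the SYN, which is all the knock needs), and consecutive knocks are spaced by a fixed delay that stays well inside the agent's knock_timeout. The probe and sleep functions are injectable so the sequencing can be exercised offline; server.example.com and the function names are placeholders.

```python
"""Minimal TCP port-knock client (added example; not the knock/knockd tool
or Bloqd's app).  Hostnames and function names below are placeholders."""
from __future__ import annotations

import socket
import time
from typing import Callable


def _tcp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt one TCP connection and return a short outcome label."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except ConnectionRefusedError:
        return "refused"      # closed port answered with RST: normal for a knock
    except (socket.timeout, TimeoutError):
        return "timeout"      # SYN dropped silently: also normal for a knock
    except OSError as exc:
        return f"error:{exc.errno}"


def knock(host: str, ports: list[int], delay: float = 0.5,
          probe: Callable[[str, int], str] = _tcp_probe,
          sleep: Callable[[float], None] = time.sleep) -> list[tuple[int, str]]:
    """Send the knock sequence in order, pausing ``delay`` seconds between knocks.

    ``delay`` must be shorter than the agent's knock_timeout (5 s on this page),
    otherwise the partial sequence expires before the next knock arrives.
    """
    results: list[tuple[int, str]] = []
    for i, port in enumerate(ports):
        if i:
            sleep(delay)
        results.append((port, probe(host, port)))
    return results


def service_reachable(host: str, port: int,
                      probe: Callable[[str, int], str] = _tcp_probe) -> bool:
    """True when the protected port now accepts a TCP connection."""
    return probe(host, port) == "connected"


if __name__ == "__main__":
    # Real network use: knock, then verify the protected port opened.
    for port, outcome in knock("server.example.com", [7000, 8000, 9000]):
        print(f"knock {port}: {outcome}")
    print("ssh reachable:", service_reachable("server.example.com", 22))
```

Because a successful knock produces only "refused" or "timeout" outcomes, the only real confirmation is the final check against the protected port; treat a "connected" result on a knock port itself as a sign the sequence or firewall is misconfigured.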

Using Bloqd Mobile App

  1. Open Bloqd app
  2. Select server
  3. Tap Knock
  4. Port opens automatically

Dashboard Features

Knock History

View all knock attempts:

  1. Go to Port Knocking → History
  2. See successful and failed attempts
  3. Filter by server, sequence, or IP

Active Openings

See currently open ports:

  1. Go to Port Knocking → Active
  2. View which IPs have access
  3. Manually revoke if needed

Quick Knock

Perform knock from dashboard:

  1. Go to Port Knocking
  2. Select sequence
  3. Click Knock button
  4. Your IP is added automatically

Security Considerations

Sequence Security

  • Keep sequences secret
  • Don't reuse across environments
  • Rotate sequences periodically
  • Use random ports

Timing

Configure timing to prevent:

  • Replay attacks (short timeout)
  • Brute force (rate limiting)

portknock:
  sequences:
    - name: ssh
      timeout: 30          # Port open for 30 seconds
      knock_timeout: 5     # Max 5 seconds between knocks
      max_attempts: 3      # Block after 3 failed attempts
      block_duration: 300  # Block for 5 minutes
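The five steps under "How It Works" and the four timing settings above describe a per-source-IP state machine. The following is an added example, not Bloqd's agent code, that implements that machine in Python so the interaction of the settings can be seen on a constructed packet trace: knocks must arrive in order, a stalled partial sequence expires after knock_timeout, a wrong port counts as a failed attempt, max_attempts failures block the IP for block_duration, and a completed sequence opens the protected port for timeout seconds (with a manual revoke as the dashboard's Active page offers). The configuration field names mirror the agent.yaml keys on this page; the class and function names, the packet feed as (timestamp, IP, port) tuples, and the sample trace are assumptions of the example.

```python
"""Port-knock detector state machine (added example; not Bloqd's agent code).
Field names follow the agent.yaml keys on this page; everything else is
hypothetical.  Packets are fed as (timestamp, source IP, destination port)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class KnockSequence:
    """One entry of the agent.yaml ``sequences`` list."""
    name: str
    protected_port: int
    knock_ports: list[int]
    timeout: float = 30.0          # seconds the protected port stays open
    knock_timeout: float = 5.0     # max seconds between consecutive knocks
    max_attempts: int = 3          # failed sequences before the IP is blocked
    block_duration: float = 300.0  # seconds a blocked IP is ignored


@dataclass
class _ClientState:
    stage: int = 0           # index of the next expected knock port
    last_knock: float = 0.0  # timestamp of the previous accepted knock
    failures: int = 0        # consecutive failed sequences


class KnockDetector:
    """Tracks per-IP knock progress and decides when the port opens or closes."""

    def __init__(self, seq: KnockSequence) -> None:
        self.seq = seq
        self.clients: dict[str, _ClientState] = {}
        self.open_until: dict[str, float] = {}     # ip -> expiry timestamp
        self.blocked_until: dict[str, float] = {}  # ip -> unblock timestamp
        self.log: list[str] = []                   # audit trail, oldest first

    def _fail(self, ip: str, st: _ClientState, now: float, reason: str) -> None:
        st.stage = 0
        st.failures += 1
        self.log.append(f"{now:.0f}s {ip} failed knock ({reason}) "
                        f"{st.failures}/{self.seq.max_attempts}")
        if st.failures >= self.seq.max_attempts:
            self.blocked_until[ip] = now + self.seq.block_duration
            st.failures = 0
            self.log.append(f"{now:.0f}s {ip} blocked for {self.seq.block_duration:.0f}s")

    def packet(self, now: float, ip: str, port: int) -> None:
        """Feed one inbound packet (timestamp, source IP, destination port)."""
        if self.blocked_until.get(ip, 0.0) > now:
            return                      # blocked IPs get no feedback at all
        ports = self.seq.knock_ports
        if port not in ports:
            return                      # unrelated traffic never changes state
        st = self.clients.setdefault(ip, _ClientState())
        # A partial sequence that stalled longer than knock_timeout is discarded
        # (logged, not counted as a failure); this packet is judged as a fresh start.
        if st.stage > 0 and now - st.last_knock > self.seq.knock_timeout:
            self.log.append(f"{now:.0f}s {ip} partial sequence expired")
            st.stage = 0
        if port != ports[st.stage]:
            self._fail(ip, st, now, f"expected {ports[st.stage]}, got {port}")
            if port == ports[0]:        # the stray knock may itself start over
                st.stage, st.last_knock = 1, now
            return
        st.stage += 1
        st.last_knock = now
        if st.stage == len(ports):      # full sequence received, in order
            st.stage = 0
            st.failures = 0
            self.open_until[ip] = now + self.seq.timeout
            self.log.append(f"{now:.0f}s {ip} opened port {self.seq.protected_port} "
                            f"for {self.seq.timeout:.0f}s")

    def is_open(self, ip: str, now: float) -> bool:
        """True while the protected port is open for this IP."""
        return self.open_until.get(ip, 0.0) > now

    def revoke(self, ip: str) -> None:
        """Manual revoke, as from the dashboard's Active page."""
        self.open_until.pop(ip, None)


def demo() -> dict[str, bool]:
    """Run a constructed trace through the page's ssh-access sequence."""
    det = KnockDetector(KnockSequence("ssh-access", 22, [7000, 8000, 9000]))
    trace = [  # constructed sample traffic: (seconds, source IP, destination port)
        (0.0, "203.0.113.10", 7000), (1.0, "203.0.113.10", 8000), (2.0, "203.0.113.10", 9000),
        (0.0, "198.51.100.7", 7000), (8.0, "198.51.100.7", 8000),   # 8 s gap: expires
        (9.0, "198.51.100.7", 9000), (11.0, "198.51.100.7", 8000),  # wrong order, blocked
        (12.0, "198.51.100.7", 7000),                              # ignored while blocked
        (3.0, "192.0.2.44", 9000), (4.0, "192.0.2.44", 8000),        # two failures ...
        (5.0, "192.0.2.44", 7000), (6.0, "192.0.2.44", 8000), (7.0, "192.0.2.44", 9000),
    ]
    for now, ip, port in sorted(trace):
        det.packet(now, ip, port)
    return {
        "fast_client_open_at_5s": det.is_open("203.0.113.10", 5.0),    # True
        "fast_client_open_at_40s": det.is_open("203.0.113.10", 40.0),  # False, 30 s timeout
        "slow_client_blocked": det.blocked_until.get("198.51.100.7", 0.0) > 12.0,  # True
        "slow_client_open": det.is_open("198.51.100.7", 12.0),          # False
        "retry_client_open_at_10s": det.is_open("192.0.2.44", 10.0),    # True, 2 < 3 failures
    }


if __name__ == "__main__":
    print(demo())
```

The detector sees nothing but order and timing of the knock ports, which is the reason the page asks for random rather than ascending port numbers and for short timeouts; the expiry rule above deliberately does not count a stalled sequence as a failure, so a legitimate user on a slow link is not blocked for being late.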

Network Considerations

  • Port knocking may not work through NAT
  • Some firewalls may interfere
  • VPNs may complicate source IP detection

API Usage

Trigger Knock

curl -X POST "https://bloqd.example.com/api/v1/portknock/knock" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "serverId": "server-uuid",
    "sequenceName": "ssh-access"
  }'

List Sequences

curl "https://bloqd.example.com/api/v1/portknock/sequences" \
  -H "Authorization: Bearer YOUR_API_KEY"

Create Sequence

curl -X POST "https://bloqd.example.com/api/v1/portknock/sequences" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "admin-access",
    "protectedPort": 8443,
    "knockPorts": [1111, 2222, 3333],
    "protocol": "tcp",
    "timeout": 60,
    "serverIds": ["server-uuid"]
  }'

View History

curl "https://bloqd.example.com/api/v1/portknock/history?serverId=server-uuid" \
  -H "Authorization: Bearer YOUR_API_KEY"

Troubleshooting

Knock Not Working

  1. Verify the sequence matches the configured knock ports
  2. Check that the ports are knocked in the configured order
  3. Ensure no firewall between you and the server is blocking the knock ports
  4. Check timing (knocks spaced further apart than knock_timeout expire the sequence)

Port Doesn't Open

  1. Check agent logs for knock detection
  2. Verify iptables/firewall permissions
  3. Ensure interface is correct in config

Unexpected Blocks

  1. Check max_attempts setting
  2. Review knock history for failed attempts
  3. Clear block manually if needed

Integration with fail2ban

Port knocking works alongside fail2ban:

  1. Port knocking controls initial access
  2. fail2ban monitors for abuse once connected
  3. Banned IPs can still attempt knocks (configurable)

Configure interaction:

portknock:
  respect_fail2ban_bans: true  # Don't open for banned IPs

Best Practices

  1. Use for sensitive services - SSH, admin panels
  2. Document sequences securely - Password manager
  3. Monitor knock attempts - Watch for probing
  4. Short timeouts - 30-60 seconds is sufficient
  5. Combine with other auth - MFA, strong passwords
  6. Test regularly - Ensure you can access servers