knock different :)
In 2003 I read something about portknocking(10.05.2006)
for the first time.
But I encountered some problems:
- It' s possible to spy out the knocking sequence by sniffing the network
- It' s necessary to have a special knocking-client
- There is one new service on the server that creates an ongoing systemload
- ... and this has to be trustworthy
Facing these facts I decided not to use portknocking at this time.
However - the concept got me :) and so one year later I had an idea to solve some of those problems.
The basic idea is to use websites instead of ports.
So one requirement is a webserver (apache) running on the server.
A sequence of websites (webknockingsequence) will be requested from the concerning server.
The webserver is configurated to log every pagerequest (default setting on the apache).
The last page of the sequence is fixed. The request of this page starts an analysis of the
Once the knockingsequence is found, a script will be started (to open port 22 for example).
As I said in the introduction it is possible to spy out the sequence by sniffing on the net.
Webknocking cannot prevent this.
To counteract this type of attack you need to use a dynamic knockingsequence.
There are two possible approaches:
The complete sequence is dynamic and changes regulary (maybe after every usage)
(In the best case the last, triggering page is also changed on webknocking)
The sequence consists of two parts: a dynamic and a static one.
A completely dynamic sequence provides the best protection because the sniffer can' t detect any
pattern. However there is a big disadvantage with this approach: the user has to know the current
It' s easier to remember a partly static sequence. But on this approach the attacker can
detect the pattern of the static part and realise that there is a knocker.
The dynamic Part can be implemented by a question-answer-game. Thereby the webserver sends a
question after matching the sequence and waits for the correlating answer. Question and answer
can be connected by an algorithm (e.g. "What is 6 times 7?") or by an individual context
(e.g. "Where are you born?").
There's currently an implementation based on php, that puts the second approach into practice.
After sending the knockingsequence whithin a set time period, the script webknocking.php has to
The script searches now in the apache-logfile for the sequence inner the correlative time period.
If the sequence is found, depending on the configuration the script either executes a shellscript
(wk-s_open.sh) to open port 22 for the knocker, or it sends a question to the user, that has to
be answered by calling "webknocking.php?value=<answer>".
The time between sending the question to awaiting the answer can be set.
It's also possible to let webknocking.php execute another shellscript on a second call
(wk-s_close.sh), e.g. to close the port 22.
All the settings can be done by editing the file wk-config.php.
The webknocking-implementation can be downloaded here
The installation of webknocking is simple. After unpacking the archive, all files should be
copied into one directory into a webpath, the script install.sh should be run and the configuration
can be done.
All the parameters in the wk-config.php-file are documentated by comments. On purpose the
shellscripts (wk-s_close.sh and wk-s_open.sh) can be customised.
At the time I'm working on my diploma thesis
so I don' t have much time left for further development. But from time to time ... :)
The following things are planed:
- completely dynamic webknockingsequenz (no more question-answer-game)
- support for proxies and anonymizing services
- diverse smaller things (clean up the code (again :), send an 404 when the knockingsequence is not found, ...)
- maybe much much later a webinterface for the configuration (I don't think I ever like to do this :-))
Suggestions are welcome.
I stopped the development because I don't have enought time and interest - sorry. Feel free to extend it.