Knock


Knock, also referred to as TCP Stealth, is a proposed modification of the Transmission Control Protocol (TCP) that hides the open ports of selected TCP services from the public in order to impede port scans. It is somewhat similar to the port knocking technique.[1][2]

It modifies the TCP three-way handshake so that the server only accepts connections from clients that transmit a proof of knowledge of a shared secret. If the connection attempt does not use TCP Stealth, or if authentication fails, the server acts as if no service were listening on that port number.[3]

Kernels with Knock support

Parabola provides a number of kernels with Knock support:

Note: These kernel packages are available in the kernels repo, except linux-libre-pck, which is available in the libre repo.

Activation of kernels repo

You can add the following lines to your /etc/pacman.conf:

/etc/pacman.conf
[kernels]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

Applications with Knock support

OpenSSH-Knock

The patch introduced in openssh-knock enables OpenSSH to use Knock's authentication mechanism. To specify the secret on both sides, use the newly introduced SSH configuration option TCPStealthSecret or (not recommended, since command line arguments are visible to other local users) the -z command line argument. The patch also extends the man pages of ssh, ssh_config, sshd and sshd_config, which give more information.

Note: Due to the limitations of the SSH protocol, TCP Stealth cannot offer integrity protection of, for example, the key material exchanged by OpenSSH. As only authentication is used, it is especially critical that TCP timestamps are enabled so that the proof of knowledge stays bound to a fresh timestamp and cannot simply be replayed; otherwise the protection against port scanners is ineffective.

Systemd-Knock

systemd-knock enables Knock's authentication and integrity protection for applications that use systemd for their socket I/O. Several steps need to be taken to customize systemd (assuming the running kernel has already been patched with the Knock patches).

In order to enable the functionality at runtime, the new configuration options TCPStealthSecret and TCPStealthIntegrityLen are available for use in .socket unit files. TCPStealthSecret specifies the TCP Stealth secret, whereas TCPStealthIntegrityLen is an unsigned integer giving the number of leading payload bytes that should be integrity protected (0 disables integrity protection).
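To make the handshake modification from the introduction and the TCPStealthIntegrityLen option concrete, here is an added Python model; it is not code from the Knock patch, OpenSSH or systemd. The client derives the initial sequence number of its SYN from the shared secret, the TCP timestamp, the address pair and optionally the first integrity_len bytes of the payload it is about to send; the server recomputes it and, on any mismatch or stale timestamp, behaves like a closed port. The HMAC-SHA256 derivation, the dict-based SYN representation and the 30-second skew window are assumptions chosen for illustration, not the patch's exact algorithm.

```python
import hashlib
import hmac
import struct


def stealth_isn(secret, ts, src_ip, dst_ip, dst_port, payload=b"", integrity_len=0):
    """Client side: derive the 32-bit ISN that proves knowledge of `secret`.
    Binding the ISN to the TCP timestamp is what makes a captured SYN useless
    later on (see the note about TCP timestamps above). The exact derivation
    in the Knock patch differs; this HMAC construction is an assumption."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    mac.update(struct.pack("!I", ts & 0xFFFFFFFF))
    mac.update(src_ip.encode() + b"|" + dst_ip.encode())
    mac.update(struct.pack("!H", dst_port))
    if integrity_len > 0:
        # Model of TCPStealthIntegrityLen: only the first N payload bytes are covered.
        mac.update(hashlib.sha256(payload[:integrity_len]).digest())
    return int.from_bytes(mac.digest()[:4], "big")


def build_syn(secret, ts, src_ip, dst_ip, dst_port, payload=b"", integrity_len=0):
    """Constructed SYN representation: the fields the server needs for its check."""
    isn = stealth_isn(secret, ts, src_ip, dst_ip, dst_port, payload, integrity_len)
    return {"isn": isn, "ts": ts, "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port}


def server_accepts(secret, syn, now, payload=b"", integrity_len=0, max_skew=30):
    """Server side: True only if the SYN proves knowledge of the secret for a
    fresh timestamp (and, if enabled, the first payload bytes are unmodified).
    False means the kernel answers as if nothing were listening on the port."""
    if abs(now - syn["ts"]) > max_skew:
        return False  # stale timestamp: looks like a replayed SYN
    expected = stealth_isn(secret, syn["ts"], syn["src_ip"], syn["dst_ip"],
                           syn["dst_port"], payload, integrity_len)
    # Constant-time comparison so the check itself leaks nothing about the secret.
    return hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", syn["isn"]))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    syn = build_syn(secret, 1000, "192.0.2.10", "198.51.100.5", 22)
    print("knock client:", server_accepts(secret, syn, now=1010))        # True
    print("plain client:", server_accepts(secret, dict(syn, isn=0x12345678), now=1010))  # False
    print("replayed SYN:", server_accepts(secret, syn, now=5000))        # False
```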

Note: openssh-knock and systemd-knock are available in the pcr repo.

External links

See also