Vol. 1 · Ed. 2026
CyberGlossary
Entry № 948

Port Knocking

Reviewed by Cybersecurity entrepreneur & security researcher

What is Port Knocking?

Port Knocking: A technique that keeps service ports closed by default and opens them only after a client sends a predefined sequence of connection attempts.


In port knocking the server runs a daemon that watches firewall logs for a secret sequence of connection attempts — for example TCP SYNs to ports 7000, 8000, 9000 in order. When the sequence is detected from a given source IP, the daemon dynamically opens the target service port for that address. The protected service therefore appears completely closed to scanners and unauthorized clients, reducing the attack surface for SSH, RDP, and management interfaces. Port knocking is security through obscurity and should complement, not replace, strong authentication, MFA, and VPN access. Variants such as Single Packet Authorization use authenticated, encrypted single-packet triggers to avoid replay and brute-force weaknesses.
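The sequence-tracking logic described above, as an added example that is not code from this glossary page or from any real port-knocking daemon. It assumes an iptables-style log format in which dropped SYNs carry `SRC=` and `DPT=` fields plus a `ts=` prefix, and the knock sequence 7000, 8000, 9000 from the definition; the log lines, the 10-second knock window and the 30-second open duration are constructed for the illustration. Note how a sequential scanner that touches 7500 between 7000 and 8000 never completes the sequence.

```python
"""Minimal port-knocking state machine driven by firewall log lines.

Added illustration, not code from the glossary page or from any real
port-knock daemon. It assumes an iptables-style log format where dropped
SYNs are logged with SRC= and DPT= fields; the sample log is constructed.
"""
import re
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)   # secret sequence from the definition
PROTECTED_PORT = 22                    # port to open for a successful knocker (assumed)
KNOCK_WINDOW = 10.0                    # seconds allowed to complete the sequence (assumed)
OPEN_DURATION = 30.0                   # seconds the port stays open afterwards (assumed)

LOG_RE = re.compile(r"ts=(?P<ts>[\d.]+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


@dataclass
class KnockState:
    progress: int = 0          # how many knocks of the sequence matched so far
    first_knock: float = 0.0   # timestamp of the first matching knock


@dataclass
class KnockDaemon:
    sequence: tuple = KNOCK_SEQUENCE
    pending: dict = field(default_factory=dict)   # src -> KnockState
    opened: dict = field(default_factory=dict)    # src -> expiry timestamp

    def handle(self, ts, src, dpt):
        """Feed one dropped-SYN event; return True if it completed the sequence."""
        state = self.pending.get(src, KnockState())
        # A partial sequence that is older than the window starts over.
        if state.progress and ts - state.first_knock > KNOCK_WINDOW:
            state = KnockState()
        expected = self.sequence[state.progress]
        if dpt != expected:
            # Any out-of-order knock resets: a scan sweeping 7000..9000 hits
            # intermediate ports and never reaches the end of the sequence.
            self.pending[src] = KnockState()
            return False
        if state.progress == 0:
            state.first_knock = ts
        state.progress += 1
        if state.progress == len(self.sequence):
            self.pending.pop(src, None)
            # A real daemon would insert a firewall rule for src here.
            self.opened[src] = ts + OPEN_DURATION
            return True
        self.pending[src] = state
        return False

    def is_open(self, src, now):
        """True while PROTECTED_PORT is open for src."""
        expiry = self.opened.get(src)
        return expiry is not None and now < expiry

    def feed_log(self, lines):
        """Parse firewall log lines; return the sources that completed the knock."""
        opened = []
        for line in lines:
            m = LOG_RE.search(line)
            if not m:
                continue
            if self.handle(float(m["ts"]), m["src"], int(m["dpt"])):
                opened.append(m["src"])
        return opened


# Constructed sample log: 10.0.0.5 knocks correctly; 10.0.0.9 scans upward
# and hits port 7500 between 7000 and 8000, which resets its progress.
SAMPLE_LOG = [
    "ts=100.0 kernel: KNOCK IN=eth0 SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP DPT=7000 SYN",
    "ts=101.0 kernel: KNOCK IN=eth0 SRC=10.0.0.9 DST=192.0.2.1 PROTO=TCP DPT=7000 SYN",
    "ts=101.5 kernel: KNOCK IN=eth0 SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP DPT=8000 SYN",
    "ts=102.0 kernel: KNOCK IN=eth0 SRC=10.0.0.9 DST=192.0.2.1 PROTO=TCP DPT=7500 SYN",
    "ts=103.0 kernel: KNOCK IN=eth0 SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP DPT=9000 SYN",
    "ts=103.5 kernel: KNOCK IN=eth0 SRC=10.0.0.9 DST=192.0.2.1 PROTO=TCP DPT=8000 SYN",
    "ts=104.0 kernel: KNOCK IN=eth0 SRC=10.0.0.9 DST=192.0.2.1 PROTO=TCP DPT=9000 SYN",
]


def run_sample():
    """Run the constructed log through the daemon and report who got the port."""
    d = KnockDaemon()
    opened = d.feed_log(SAMPLE_LOG)
    return (opened,
            d.is_open("10.0.0.5", 120.0),   # inside the open window
            d.is_open("10.0.0.5", 140.0),   # window expired
            d.is_open("10.0.0.9", 120.0))   # scanner never completed the sequence


if __name__ == "__main__":
    print(run_sample())
```

The reset-on-mismatch rule is what makes a plain port scan useless against a knock sequence; the same log parsing, pointed at an IDS rather than a firewall, is also how a defender can spot hosts repeatedly probing the knock ports. The unauthenticated sequence itself is still replayable by anyone who can observe it, which is the weakness the SPA variant addresses.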

Examples

  1. An administrator sends connection attempts to TCP ports 1234, 4321, 8080 in order before the firewall briefly opens SSH (22) for their IP.

  2. A bastion host uses SPA so the management port is invisible until a signed UDP packet authorizes the source.
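The authenticated single-packet trigger mentioned in the definition and in example 02, as an added illustration that is not code from this glossary page or from any real SPA implementation. The packet layout (version, timestamp, 16-byte nonce, requested port, HMAC-SHA256 tag), the shared key and the 30-second freshness window are assumptions chosen for the example; a production SPA also encrypts the payload, which is omitted here. It shows the three checks that close the replay and brute-force gaps of plain knocking: a constant-time MAC check, a freshness window, and a nonce cache.

```python
"""Authenticated single-packet authorization (SPA) check with replay protection.

Added illustration of the SPA variant; not code from the glossary page or
from any real SPA tool. Packet format, key and window are assumptions.
"""
import hashlib
import hmac
import secrets
import struct

SHARED_KEY = b"constructed-demo-key-not-for-real-use"   # constructed
MAX_SKEW = 30            # seconds a packet is considered fresh (assumed)
TAG_LEN = 32             # HMAC-SHA256 output length

# Payload: version(1) | timestamp(8) | nonce(16) | requested port(2)
PAYLOAD_FMT = "!BQ16sH"
PAYLOAD_LEN = struct.calcsize(PAYLOAD_FMT)


def build_spa_packet(key, port, now, nonce=None):
    """Client side: serialise the request and append an HMAC over it."""
    nonce = nonce or secrets.token_bytes(16)
    payload = struct.pack(PAYLOAD_FMT, 1, int(now), nonce, port)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


class SpaServer:
    def __init__(self, key, allowed_ports):
        self.key = key
        self.allowed_ports = set(allowed_ports)
        self.seen_nonces = {}   # nonce -> timestamp, for replay rejection

    def verify(self, packet, src, now):
        """Return (ok, reason); on success the caller would open `port` for src."""
        if len(packet) != PAYLOAD_LEN + TAG_LEN:
            return False, "bad length"
        payload, tag = packet[:PAYLOAD_LEN], packet[PAYLOAD_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Constant-time compare so a forged tag leaks nothing about matching bytes.
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"
        version, ts, nonce, port = struct.unpack(PAYLOAD_FMT, payload)
        if version != 1:
            return False, "bad version"
        if abs(now - ts) > MAX_SKEW:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        if port not in self.allowed_ports:
            return False, "port not allowed"
        self.seen_nonces[nonce] = ts
        self._prune(now)
        return True, f"open {port} for {src}"

    def _prune(self, now):
        # Nonces older than the freshness window can no longer pass the
        # skew check, so they no longer need to be remembered.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= MAX_SKEW}


def run_sample():
    """Valid packet, captured replay, stale packet and tampered packet."""
    srv = SpaServer(SHARED_KEY, allowed_ports=[22])
    pkt = build_spa_packet(SHARED_KEY, 22, now=1000)
    first = srv.verify(pkt, "10.0.0.5", now=1001)
    replay = srv.verify(pkt, "10.0.0.7", now=1002)      # same bytes resent later
    late = srv.verify(build_spa_packet(SHARED_KEY, 22, now=1000), "10.0.0.5", now=1100)
    forged = srv.verify(pkt[:-1] + bytes([pkt[-1] ^ 1]), "10.0.0.5", now=1001)
    return first[0], replay[1], late[1], forged[1]


if __name__ == "__main__":
    print(run_sample())
```

Because the tag covers the timestamp and nonce, an observer who captures a valid packet cannot reuse it: the nonce cache rejects an exact replay and the freshness window rejects anything older than the skew. Binding the client's source address into the authenticated payload is a further hardening step left out of this example.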

Frequently asked questions

What is Port Knocking?

A technique that keeps service ports closed by default and opens them only after a client sends a predefined sequence of connection attempts. It belongs to the Network Security category of cybersecurity.

What does Port Knocking mean?

A technique that keeps service ports closed by default and opens them only after a client sends a predefined sequence of connection attempts.

How do you defend against Port Knocking?

Defences for Port Knocking typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Port Knocking?

Common alternative names include: SPA, Single Packet Authorization.

Related terms