# port knocking needs many knocks to open

## njcwotx

I implemented port knocking on an external interface on a gentoo box recently and I have it working. But I noticed that I often have to resend the knock sequence 3-5 times before the port opens.

When this first started, I used tcpdump to confirm the packets are reaching the host. I always see every knock packet appear in the dump.

What I have determined by looking at the knockd.log is this:

----------first attempt:

```
# knock myip port:proto port:proto port:proto port:proto
# cat knockd.log
openSSH: Stage 1
```

----------second attempt:

```
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# cat knockd.log
openSSH: Stage 1
openSSH: Stage 1
```

-----------third attempt:

```
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# cat knockd.log
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 2
openSSH: Stage 3
```

-----------fourth attempt:

```
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# cat knockd.log
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 2
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 2
openSSH: Stage 3
openSSH: Stage 4
openSSH: OPEN SESAME
openSSH: running command: iptables ssh open to that ip
```

(I am able to log in)

```
openSSH: command timeout
openSSH: running command iptables ssh close to that ip
```

From what I can see, the daemon is only registering the first stage or two and stops seeing the packets, but the log does not enter the sequence timeout log entry either. The remote client is generating no other traffic to the host, nor is there any other ssh session running. At the moment, I can get in if I run the knock command like 5 times before attempting to login. Typically this leaves 1 or 2 firewall entries in iptables for the duration of the window I have set.

All in all, it's not a problem as the usage of this will be only for my use, but I really don't want to have to spam several knocks before a login. I'm also just curious as to being able to tune this out. I considered increasing the seq_timeout value, but I am confident that the number of seconds is plenty based on the fact I have seen the packets in tcpdump come in quickly and in the correct order.

----------

## mv

I also had such a problem with knock. My solution was to use iptables' recent module instead. See e.g. this firewall script

----------

## chiefbag

I've seen this issue before. Are you using the knock client to knock or using something like netcat?

My resolution to this was to create a knock script that will knock and then check if port 22 is open. The script will loop around until it confirms that port 22 is open, then it will attempt the ssh to the box.

I can post an example if you like.
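An added example of the knock-then-verify loop chiefbag describes (this is not chiefbag's script and not part of the knockd project). It assumes the knockd project's `knock` client and coreutils `timeout` are installed; the knock sequence, host and user are placeholders.

```bash
#!/bin/bash
# Added example: send the knock sequence, then poll until port 22 accepts a
# TCP connection before starting ssh, instead of hoping one knock was enough.
# Assumes the `knock` client and coreutils `timeout`; the sequence is a placeholder.
KNOCK_SEQ="${KNOCK_SEQ:-7000:tcp 8000:udp 9000:tcp 10000:tcp}"  # placeholder sequence
KNOCK_DELAY="${KNOCK_DELAY:-1}"   # seconds to wait after each knock before probing
MAX_TRIES="${MAX_TRIES:-5}"

# Reject tokens that are not of the form port:tcp or port:udp.
valid_sequence() {
    for tok in $1; do
        case "$tok" in
            [0-9]*:tcp|[0-9]*:udp) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Send one knock sequence to the host (a function so it can be replaced in tests).
send_knock() { knock "$1" $2; }

# Return 0 if a TCP connect to host:port succeeds within 3 seconds.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Knock, wait, probe; repeat until port 22 opens or tries are exhausted.
# On success prints the number of knock attempts that were needed.
knock_until_open() {
    host=$1; tries=$2; i=1
    valid_sequence "$KNOCK_SEQ" || { echo "bad knock sequence" >&2; return 2; }
    while [ "$i" -le "$tries" ]; do
        send_knock "$host" "$KNOCK_SEQ"
        sleep "$KNOCK_DELAY"
        if port_open "$host" 22; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    echo "port 22 still closed after $tries knocks" >&2
    return 1
}

# Usage: ./knock-ssh.sh user@host   (does nothing when run without arguments)
if [ $# -gt 0 ]; then
    target=$1
    knock_until_open "${target#*@}" "$MAX_TRIES" >/dev/null && exec ssh "$target"
fi
```

Each loop iteration resends the full sequence, so knockd's partial-stage state from an earlier attempt is simply overwritten rather than relied on.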

----------