Knock

From ParabolaWiki

Knock, also referred to as TCP Stealth, is a proposed modification of the Transmission Control Protocol (TCP) that hides the open ports of selected TCP services from the public in order to impede port scans. It is somewhat similar to the port knocking technique.[1] [2]

It modifies the TCP three-way handshake so that the server only accepts connections from clients that transmit a proof of knowledge of a shared secret. If the connection attempt does not use TCP Stealth, or if authentication fails, the server behaves as if no service were listening on that port number.[3]
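The following is an added illustrative model of that handshake check, written for this page; it is not code from the Knock kernel patch or from the TCP Stealth draft. It assumes that the client's proof of knowledge is carried in the initial sequence number (ISN) of its SYN, and it derives that ISN with HMAC-SHA256 over the connection tuple, truncated to 32 bits. The real specification uses its own construction; the point shown here is the server-side behaviour: a SYN without a valid proof gets exactly the reply a closed port would give, so a scanner cannot tell a hidden service from no service at all.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """The fields of a TCP SYN that matter for this model."""
    src_ip: str
    dst_ip: str
    dst_port: int
    seq: int  # the client's initial sequence number (ISN), 32 bits


def knock_isn(secret: bytes, src_ip: str, dst_ip: str, dst_port: int) -> int:
    """Derive the 32-bit ISN that proves knowledge of the shared secret.

    Assumption (not the draft's algorithm): HMAC-SHA256 over
    src IP || dst IP || dst port, truncated to the first 4 bytes.
    """
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def client_syn(secret: bytes, src_ip: str, dst_ip: str, dst_port: int) -> Syn:
    """A Knock-aware client places the proof in the ISN of its SYN."""
    return Syn(src_ip, dst_ip, dst_port, knock_isn(secret, src_ip, dst_ip, dst_port))


def server_respond(listening: dict, syn: Syn) -> str:
    """Decide how the server answers a SYN.

    `listening` maps port -> shared secret (bytes) for Knock-protected
    services, or port -> None for ordinary services without Knock.
    Returns "SYN-ACK" or "RST"; an RST is what a closed port sends, so the
    two failure paths below are indistinguishable to the peer.
    """
    if syn.dst_port not in listening:
        return "RST"  # genuinely closed port
    secret = listening[syn.dst_port]
    if secret is None:
        return "SYN-ACK"  # plain service, no proof required
    expected = knock_isn(secret, syn.src_ip, syn.dst_ip, syn.dst_port)
    # Constant-time comparison of the 32-bit values.
    if hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", syn.seq & 0xFFFFFFFF)):
        return "SYN-ACK"
    return "RST"  # wrong or absent proof: act as if nothing were listening


def scanner_view(listening: dict, src_ip: str, dst_ip: str, ports) -> dict:
    """What a scanner that does not know any secret observes per port.

    It sends an ordinary SYN with an arbitrary ISN (a constructed constant
    here; a real stack picks one randomly).
    """
    return {p: server_respond(listening, Syn(src_ip, dst_ip, p, 0x12345678)) for p in ports}


if __name__ == "__main__":
    # Constructed sample deployment: sshd on 22 behind Knock, a web server on 80 without it.
    services = {22: b"constructed-shared-secret", 80: None}
    print("scanner sees:", scanner_view(services, "198.51.100.7", "192.0.2.10", [22, 80, 443]))
    legit = client_syn(b"constructed-shared-secret", "198.51.100.7", "192.0.2.10", 22)
    print("client with secret on 22:", server_respond(services, legit))
```

Running the script shows port 22 answering with RST to the scanner, the same as the closed port 443, while the client that derived its ISN from the secret receives a SYN-ACK.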

1 Kernels with Knock support

Parabola contains, for now, one kernel with Knock support:

Note: This kernel package is available in the kernels repository.

2 Applications with Knock support

2.1 OpenSSH-Knock

The patch introduced in openssh-knock enables OpenSSH to use Knock's authentication mechanism. To specify a secret on both sides, use the newly introduced SSH configuration option TCPStealthSecret or (not recommended) the -z command line argument. The patch also extends the man pages of ssh, ssh_config, sshd and sshd_config, which give more information.

Note: Because of limitations of the SSH protocol, TCP Stealth cannot provide integrity protection for, for example, the key material exchanged by OpenSSH. Since only the authentication part is used, it is especially critical that TCP timestamps are enabled in order to provide effective protection against port scanners.

3 See also