Port knocking implementation in eBPF
- Protects TCP ports using port knocking, dropping packets until the correct sequence of UDP packets is received
- A sequence of up to 10 UDP packets can be used to protect a port
- Configurable sequence timeout resets the sequence after a period of time
- Configurable session timeout resets the session (blocks packets again) after a period of time
- Kernel-space BPF program (`knock.bpf.c` et al)
- User-space BPF program loader & configurator CLI tool (`main.cpp` et al)
- Acceptance tests (`test_knock.py` et al)
Use the Dev Container as the main development environment.
- Initialize submodules: `git submodule update --init --recursive`
- Build the program: `make build`
- Run the tests: `make test`
Run as root:

```
build/knock <interface> <target_port> <sequence> <options>
```

- `interface`: Network interface to attach to (e.g., `eth0`, `lo`)
- `target_port`: Port to protect
- `sequence`: Knock sequence ports (space-separated)
- `options`: Optional arguments:
  - `-t`, `--timeout`: Sequence timeout in milliseconds
  - `-s`, `--session-timeout`: Session timeout in milliseconds

Use `--help` to see all options.
- Attach to interface `eth0`
- Protect port 8080 with a sequence of 123, 456, 789
- Sequence timeout is 5 seconds (default)
- Session timeout is 60 seconds (default)

```
build/knock eth0 8080 123 456 789
```
- Attach to interface `eth0`
- Protect port 8080 with a sequence of 1111, 2222, 3333, 4444
- Sequence timeout is 5 seconds
- Session timeout is 1 hour

```
build/knock eth0 8080 1111 2222 3333 4444 -t 5000 -s 3600000
```
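
The knock logic from the feature list, modelled as a user-space C state machine (an added example, not the project's `knock.bpf.c`). Assumed here: state is kept per source address, a wrong knock resets progress, the sequence timeout runs from the first knock, the session timeout runs from sequence completion, and TCP traffic to other ports passes; all type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_SEQ 10 /* the page allows up to 10 knock ports */

struct knock_cfg {
    uint16_t target_port;        /* protected TCP port */
    uint16_t seq[MAX_SEQ];       /* UDP knock ports, in order */
    unsigned seq_len;            /* 1..MAX_SEQ */
    uint64_t seq_timeout_ms;     /* -t / --timeout */
    uint64_t session_timeout_ms; /* -s / --session-timeout */
};

/* Assumption: one of these is kept per source address. */
struct knock_state {
    unsigned next;      /* index of the next expected knock */
    uint64_t seq_start; /* time of the first knock of this attempt */
    bool     open;      /* session currently open */
    uint64_t opened_at; /* time the sequence completed */
};

/* Feed the destination port of one UDP datagram into the state machine. */
void knock_udp(const struct knock_cfg *c, struct knock_state *s, uint16_t dport, uint64_t now_ms)
{
    if (s->next > 0 && now_ms - s->seq_start > c->seq_timeout_ms)
        s->next = 0; /* sequence timeout: discard stale partial progress */
    if (dport != c->seq[s->next]) {
        s->next = 0; /* assumption: a wrong knock resets progress */
        if (dport != c->seq[0])
            return;  /* ...unless it is itself a valid first knock */
    }
    if (s->next == 0)
        s->seq_start = now_ms;
    if (++s->next == c->seq_len) { /* full sequence seen: open a session */
        s->open = true;
        s->opened_at = now_ms;
        s->next = 0;
    }
}

/* True if a TCP packet to dport passes, false if it is dropped. */
bool knock_tcp_allowed(const struct knock_cfg *c, struct knock_state *s, uint16_t dport, uint64_t now_ms)
{
    if (dport != c->target_port)
        return true; /* assumption: only the target port is filtered */
    if (s->open && now_ms - s->opened_at > c->session_timeout_ms)
        s->open = false; /* session timeout: block again */
    return s->open;
}
```

Timestamps are supplied by the caller in milliseconds, so the same functions can be driven from a test with constructed times, as with the first example's parameters (port 8080, sequence 123 456 789, 5000 ms and 60000 ms).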
The program logs various events to the kernel trace buffer. To view the trace, run (as root):

```
cat /sys/kernel/debug/tracing/trace_pipe
```