Nope, you are correct. Port knocking adds more bits to whatever security you already have, so it's a win.
And, of course, for any discussion of security, you need to specify what your threat environment is. Are you just locking down your home router, or are you running the first line of cyber defense for the CIA? He keeps moving the goalposts in order to knock down his opponents, which is why I can't take him seriously.
> Port knocking doesn't add any security benefit in the sense that there is a known, non-avoidable security risk, aka you transmit your password (knocking) in clear text over the network.
This take is bordering on not even wrong territory. The point of port knocking isn't to increase entropy of your password or authentication keys per se, it is to control who can send packets to your SSH daemon, either to limit the noise in your logs or to mitigate an RCE in the SSH daemon. The vast majority of potential attackers in the real world are off-path and aren't going to be in a position to observe someone's port-knocking sequence.
Is VPN a better solution? Maybe, but VPNs, especially commercial VPNs have their own set of challenges with regard to auditability and attack surface.
In short, port knocking is a very, very short/weak password. And is a very weak authentication measure.
This is absolutely true and nobody could argue that.
So if you only did port knocking, or if you depended on port knocking, you're making a bad decision.
I believe in defense in depth, and therefore I think that port knocking on top of everything else you already do has good value - especially considering how simple and lightweight knockd is and my experience of it running stably for years at a time.
"Others have mentioned port-knocking which is a cool trick but not something that I typically use in an actual daily defense strategy because I'm not sure how much value it really adds."
I don't know how much it adds, but it is non-zero.
The knockd daemon is rock solid[1] and your ssh port traffic goes down to zero (other than your own use).
Port knocking has no place in security by itself but I think it's a wonderful addition to a layered defense - my favorite one, in fact.
"I don't understand why this is seen as acceptable, yet port knocking is derided every time it's brought up."
I have been in this business for a long time and I still look very fondly at port-knocking as a thing that genuinely makes things better.
Almost zero complexity added, super stable knockd daemon, and does a single, simple thing very, very well.
I love port knocking, I love using it, I love the idea of it, and I wouldn't build a server without hiding sshd (and others) behind a knock.
All criticism of port knocking (weirdly) assumes that you also disable all other forms of security and that you rely solely on port knocking, which of course is false.
It is true that port knocking adds just a marginal additional amount of security, but it's still additive and it's still a high return on the (very low) complexity and maintenance.
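Since several comments lean on knockd, here is what a minimal knockd.conf for the "hide sshd behind a knock" setup looks like. This is an added illustration, not configuration from the thread or from the knockd project; the port sequence, timeouts and the 198.51.100.0/24 comment are constructed placeholders, and it assumes the host's firewall already drops inbound TCP/22 by default so that the knock is the only way to get a rule inserted.

```ini
; knockd.conf (added example; values are constructed, not from the thread)
[options]
    UseSyslog                     ; log knocks to syslog so they show up in alerting

; Single rule that opens TCP/22 for the knocking source only, then closes it
; again after cmd_timeout seconds. Requires a default DROP (or REJECT)
; policy for --dport 22, otherwise the knock adds nothing.
[opencloseSSH]
    sequence    = 7000:tcp,8000:tcp,9000:tcp   ; constructed secret sequence
    seq_timeout = 5                            ; whole sequence within 5 s
    tcpflags    = syn                          ; only count fresh connection attempts
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 15                         ; window to actually start the SSH session
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

Two design points worth noting from a defender's side: the rule is scoped to `%IP%` (the knocking source), so a successful knock never opens sshd to the whole Internet, and the `stop_command` removes the rule after a short window so an already-established SSH session (tracked by conntrack) keeps working while new connections go back to being dropped. The sequence ports themselves must be ones nothing else listens on, because knockd only watches those ports.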
IMO port knocking isn't good defense, people can always use nmap to scan for open ports then try some combinations on them. Certificate authentication is way better (in combination with disabling password login).
This argument seems disingenuous. It's no great insight that port knocking reduces unauthorized login attempts. What's disputed is whether it's better to have a system that's rarely challenged vs. a system that's regularly challenged and still holds. The argument against is that adding layers of bad security makes it easier for problems in the "real" security to go undetected or ignored since the obscurity layer works too well.
I don't use port knocking, and I'm not convinced anyone should. But something bugs me about this kind of discussion.
There are two broad classes of attackers: targeted attackers, who specifically want to get into your system, and script kiddies who are scanning broad swaths of the Internet looking for an easy target. Most of these countermeasures, like port knocking and moving sshd to a different port, do very little to dissuade the first group. But they make you much less of a target for the second group.
These discussions (and so many security discussions on the internet) make the argument that unless something is effective against targeted attackers, it's not worth doing. That's ridiculous. In the 20+ years I've been running computers on the internet, targeted attackers are outnumbered by random scans thousands to one. Of course, you'll say, any countermeasure that's good enough to stop targeted attackers is good enough to stop these guys as well. And that's true, but for two things:
1. I like my logging and alerting to intentionally be loud when a targeted attacker is messing with my system. By raising the bar enough so that only targeted attackers get through, I'm able to do that.
2. There have been zero-day vulnerabilities in probably most of the daemons I've run over the years. And when those zero-days come, I inevitably get hit with random scans looking for vulnerable versions. Those are almost always stopped cold by things as simple as running on a different port. I'd like to think I'm pretty good at keeping up with vulnerability alerts and updating my software when something like that happens, but simple changes that buy me a little time aren't a bad thing.
I wouldn't focus on "security" when it comes to port-knocking.
There are benefits beyond security: for example, fewer strange login attempts mean less clutter in your logs. If you're actually trying to investigate login attempts (don't!), it means less time wasted.
The "security by obscurity" screaming people are usually thinking too narrowly, in my opinion.
I use port knocking and I don't take it seriously. Anyone using it in a serious setup is batshit. However, for fun home projects where users install that giant PHP-based file sharing program, or that IoT camera, why not? They don't have automated intrusion prevention, etc. They can't understand the code to determine its quality, etc.
When the next 0day hits… will it be enough to protect them? Yes. After all, they're not a target and the automated attacks won't affect them.
I'm struggling to walk away with a crystallized view of why port-knocking is bad, though.
I do agree, nobody should be going to sleep at night, relying solely on obscurity as their source of protection. But these commenters are offering it as an additional layer of indirection. They're not touting it as _the_ solution, full stop.
At the most basic level, would you refute the claim that port knocking or alternate ports are adding additional friction for an attacker, or no?
Myself, I would prefer to run a simple, (hopefully) set-and-forget daemon on my server if it really did add an extra layer of obscurity to my secured SSH service.
I guess I just fail to see why it's one against the other.
Almost zero complexity and cost. Maybe if you're bad at sysadmin work it adds cost and complexity.
>defense without corresponding increases to attacker costs.
It adds a _huge_, almost incalculable cost increase to attackers.
>If you believe there are unknown OpenSSH attacks, you can't coherently believe that port knocking is a real defense, since port knocking doesn't do anything to protect the SSH channel that attacks will be carried out in.
Looks like you don't understand the concept of 0-days. Several CVEs were listed elsewhere. I suggest researching 0-day exploits so you understand how port knocking mitigates them.
Port knocking mitigates 0-days.
>Instead, if you're actually worried about OpenSSH vulnerabilities, you shouldn't be exposing SSH to the public Internet at all.
I don't disagree here, VPN is a great solution. Nonetheless, for some shops simple port-knocking on a bastion host solves a lot of these issues, and removes the complexity that VPNs add.
>I'm not super worried about OpenSSH server vulnerabilities, but I would never recommend that teams leave SSH exposed; they should just hide that stuff behind WireGuard.
No one is super worried about things like Shellshock, Heartbleed, etc. until they happen.
Port knocking solved a lot of problems, protects you from zero-days, and makes SSH noise a non-issue (huge signal-to-noise gains).
If the port knocking was obscuring an unauthenticated root shell then you would have a good point, but this is a defence in depth measure that adds to the security. It helps because it's one more hurdle for an attacker to bypass.
Port knocking is a ludicrous security measure compared to the combination of:
* configuring sshd to only listen over a WireGuard tunnel under your control (or letting something like Tailscale set up the tunnel for you)
* switching to ssh certificate authn instead of passwords or keys
I don't even understand the question. We were talking about the value of moving SSH to a different port to cut down on logged probes. That at least has the value of giving you a weak signal about IP sources that are somewhat determined to break in. Port knocking doesn't even do that.
> If you read my full sentence in the context it stands, I argue that authorizing access to your openssh instance is done by sending an authentication code in cleartext.
I did read your full post. Your claim that port knocking adds no security benefit is just simply incorrect. Even if you take for granted the scenario of an attacker who can recover the port knock sequence, there is still the benefit of shielding the SSH daemon from other attackers who cannot do so. Which is…a “security benefit.”
> Yes a VPN that has no known reliable attack vector is definitely better than a protocol with a known working attack vector
You talk about recovering someone’s port knocking sequence as if that is trivial to do or in any way reliable. It is, in fact, neither of those things. An attacker would have to either:
1) sniff network traffic in front of the server
2) sniff network traffic in front of the client
3) compromise the server
4) compromise the client
5) brute force the port knocking sequence without getting locked out.
Most attackers are going to be in a position to try brute forcing — that’s it.
Meanwhile, you may not have noticed, but commercial VPNs have suffered a steady stream of high-impact CVEs for the last few years.
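The two threads of this debate, "port knocking is a very short password" and "an attacker would have to brute force the sequence without getting locked out", can be made concrete with a small model of what a knock daemon actually tracks. The following Python is an added example written for this page; it is not knockd's code. It models one verifier per source IP (sequence progress, a sequence timeout, and a constructed per-source lockout after repeated wrong knocks, which knockd itself does not do and which is usually bolted on with fail2ban or firewall rate limits), and computes the key-space size of a knock sequence so the "weak password" claim has a number attached. The sequence, timeouts and IP addresses are constructed values.

```python
"""Added example: a per-source port-knock verifier with timeout and lockout.

Not knockd's implementation; the constants below are constructed for
illustration. Packets are fed in as (src_ip, dst_port, timestamp).
"""
import math
from dataclasses import dataclass

SEQUENCE = (7000, 8000, 9000)  # constructed secret knock (TCP dst ports, in order)
SEQ_TIMEOUT = 5.0              # seconds allowed to complete the whole sequence
MAX_FAILURES = 3               # wrong sequences before a source is ignored (constructed policy)
LOCKOUT = 600.0                # seconds a source stays ignored after MAX_FAILURES


@dataclass
class SourceState:
    progress: int = 0         # how many ports of SEQUENCE this source has hit in order
    started: float = 0.0      # timestamp of the first correct knock in the current attempt
    failures: int = 0         # consecutive wrong knocks
    locked_until: float = 0.0  # packets before this time are dropped on the floor


class Knocker:
    def __init__(self):
        self.sources = {}
        # (ip, ts) pairs for which the firewall hook would have been run
        self.opened = []

    def observe(self, src_ip, dport, ts):
        """Feed one SYN; returns what the verifier did with it."""
        if dport not in SEQUENCE:
            # Like knockd's capture filter: ports outside the sequence are never seen,
            # so ordinary scan noise on 22, 80, 443 ... does not even touch the state.
            return "ignored"
        st = self.sources.setdefault(src_ip, SourceState())
        if ts < st.locked_until:
            return "locked"
        if st.progress and ts - st.started > SEQ_TIMEOUT:
            st.progress = 0  # too slow: the partial sequence expires silently
        if dport == SEQUENCE[st.progress]:
            if st.progress == 0:
                st.started = ts
            st.progress += 1
            if st.progress < len(SEQUENCE):
                return "partial"  # no response is sent; the knocker learns nothing
            st.progress = 0
            st.failures = 0
            self.opened.append((src_ip, ts))  # here knockd would run start_command
            return "open"
        # Wrong port for this position: reset and count a failed attempt.
        st.progress = 0
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = ts + LOCKOUT
            return "locked"
        return "reset"


def keyspace_bits(seq_len=len(SEQUENCE), port_values=65535):
    """Bits of 'password' a knock sequence carries: log2(port_values ** seq_len)."""
    return seq_len * math.log2(port_values)


if __name__ == "__main__":
    k = Knocker()
    for port, ts in zip(SEQUENCE, (0.0, 1.0, 2.0)):
        print(port, k.observe("198.51.100.7", port, ts))
    print("opened for:", k.opened)
    print(f"sequence key space: {keyspace_bits():.1f} bits")
```

The number is the interesting part: three ports give roughly 48 bits of key space, which is far more than a short password, but every guess costs a separate packet per position, the verifier never answers, and a source-based lockout caps how many full guesses one address gets. That is why the thread's two camps are both right on their own terms: it is a weak secret if you can observe it in transit, and an expensive one to guess blind.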