Does port knocking increase security behind a router?
Port knocking is an additional layer of security that can be added to an already existing security concept for a server. The web server runs the SSH service behind a port, e.g. the default port 22, but this port is only opened after a certain sequence of ports is tried (knocked) before, for example 1022, 2022, 3022.
The situation is now the following: the server is running behind a consumer product router which forwards port 22. To enable port knocking, the router also has to forward ports 1022, 2022, 3022. The other ports in the router and server are closed.
Can a random attacker detect that certain ports are open in the router and thus guess at least the ports used for the knocking sequence such that it is basically useless?
I think of something like this “Oh, ports 22, 1022, 2022, 3022 look different, probably I can try a random sequence of these ports?”
Is it in fact true that from outside it can be detected whether the router is forwarding and the port is blocked on the server or the router blocks ports?
Are there any other reasons that would render port knocking less useful in such a scenario?
Regarding the answer from schroeder♦: are there consumer product router that support this if it has to run on the router?
Continue reading Does port knocking increase security behind a router?