Single Packet Authorization
PortGuard

PortGuard brings single packet authorization (SPA) to your network: protected services stay closed until an authenticated packet opens them, so they are neither reachable by unauthorized clients nor visible to port scanners.


Fwknop Server for CentOS7

File Name                               Last Modified   MD5
fwknop-server-2.6.11-1.el7.x86_64.rpm   2025-07-29      1a375f89c2aa16935ddce164ad16adad
libfko-3.0.0-1.x86_64.rpm               2025-07-29      7f720f1f444f1634bab7cadbbfec40b2

Check each download against its checksum before installing (md5sum <file>). MD5 only catches a corrupted download: it is not collision-resistant, so a matching value does not prove the package has not been tampered with.
Note: Quick Installation in CentOS 7

1. Why Did I Develop PortGuard?

I first heard of Single Packet Authorization (SPA) in a casual conversation with colleagues at work; before that I knew nothing about port knocking or SPA. It happened that our company needed a port-knocking solution, and after researching the available material I found fwknop. The idea behind fwknop is impressive: for services that only a select few should be able to reach, it is an excellent solution. We considered writing our own tool, but fwknop was far more mature. It does have drawbacks, though: it is complex, installation and use have a steep learning curve, and it lacks a dedicated client application. That led to PortGuard. Its goal is to support mainstream port-knocking protocols such as fwknop and, in the future, tnok, while providing a cross-platform client. Built as an extension of fwknop and tnok, PortGuard aims to make SPA more user-friendly and accessible.

2. PortGuard Client Supported Platforms

Currently, PortGuard supports the following platforms:

  • iOS
  • Android
  • Windows
  • macOS

3. PortGuard Use Cases

PortGuard's core function is to keep service ports closed by default and open them only for authenticated clients, which makes it suitable for the following scenarios:

3.1 Protect Remote Access Services (e.g. SSH)

Scenario: Administrators need to reach SSH securely from changing locations (home, coffee shop, mobile network) without exposing the SSH port to the Internet.

Implementation: With fwknop the client sends an encrypted, HMAC-authenticated SPA packet; with tnok it sends a TOTP knock. The server verifies the packet and opens the SSH port (default 22) for the address the packet authorizes, for a limited time.

Advantages: Nmap and other port scanners cannot find the service, so an unpatched or zero-day flaw in it cannot be reached by anyone who has not first authenticated.

Example: Remote team members on Windows or Android devices send SPA packets from the PortGuard client (fwknop-compatible) to reach company internal servers.

3.2 Service Protection in Cloud Environments

Scenario: Internal services (databases, web servers) on AWS, Azure and other cloud platforms must be reachable over the public network without exposing their ports directly.

Implementation: fwknop's NAT support (the client's --nat-access option) lets an external client reach a service on an RFC 1918 address: a valid SPA packet authorizes a temporary forwarding/NAT rule on the gateway where fwknopd runs.

Advantages: Works across complex network topologies, including hybrid-cloud and multi-tenant environments.

Example: Run fwknopd on an AWS EC2 instance and open the MySQL port (tcp/3306) only for authorized users, for a limited time.

3.3 Defend Against Port Scanning and Brute Force

Scenario: Servers face port scanning (e.g., Nmap) or brute-force login attempts and need to hide their service ports to shrink the attack surface.

Implementation: PortGuard keeps a default-drop firewall policy and opens a port only after a valid SPA packet has been received, and only for the address that packet authorizes.

Advantages: Even a service with an unpatched vulnerability cannot be attacked by someone who cannot find or reach it; to the scanner every port looks filtered.

Example: To stop SSH brute forcing, fwknopd keeps tcp/22 closed and opens it only after the HMAC on an SPA packet verifies.

3.4 Support Multiple Service Protection

Scenario: Enterprises need to protect several services (SSH, RDP, VPN, databases) without leaving all of their ports open all the time.

Implementation: fwknop defines services and ports per stanza in access.conf (OPEN_PORTS), and the client names the protocol and port it wants opened.

Advantages: Flexible rules, including a per-stanza access timeout (FW_ACCESS_TIMEOUT) and per-service port-opening policies.

Example: Configure fwknop to protect both SSH (tcp/22) and OpenVPN (udp/1194).

3.5 Embedded or IoT Device Security

Scenario: IoT or embedded devices need remote management, but they have limited resources and are easy targets.

Implementation: Run a lightweight fwknopd or tnokd on the constrained device and gate management access with SPA or TOTP knocks.

Advantages: Low resource consumption, suited to small devices.

Example: Protect the web service running on a Raspberry Pi.

3.6 Third-Party Device Integration

Scenario: Firewall rules must be controlled on devices that cannot run fwknopd natively (e.g., Cisco routers).

Implementation: fwknop's command open/close cycle (CMD_CYCLE_OPEN and CMD_CYCLE_CLOSE) runs custom scripts that change the third-party device's ACL when a valid SPA packet arrives, and reverses the change when the cycle timer (CMD_CYCLE_TIMER) expires.

Advantages: Extensible; supports non-standard firewall devices.

Example: Run fwknopd on a Linux server and have the cycle scripts update a Cisco router's ACL over SSH.

3.7 Technical Details

  • fwknop rules expire on their own: FW_ACCESS_TIMEOUT closes firewall rules and CMD_CYCLE_TIMER ends command cycles, so an opened port does not stay open and exposure time is bounded.
  • SPA can be combined with a VPN (e.g., WireGuard, OpenVPN): the VPN port stays closed until an SPA packet opens it, so the VPN endpoint itself is hidden from scanners.
  • fwknopd can take the client address from an X-Forwarded-For header (ENABLE_X_FORWARDED_FOR) when SPA packets arrive over HTTP through a proxy.
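The multi-service access.conf of section 3.4, the command open/close cycle of section 3.6 and the timeouts of section 3.7 all live in fwknopd's stanzas, and misconfigured stanzas are the usual way SPA deployments lose their protection. The following is an added example, not code from fwknop or PortGuard: a small parser and lint for access.conf stanzas. It assumes the directive names documented for fwknopd (SOURCE, OPEN_PORTS, KEY_BASE64, HMAC_KEY_BASE64, REQUIRE_SOURCE_ADDRESS, FW_ACCESS_TIMEOUT, CMD_CYCLE_OPEN, CMD_CYCLE_CLOSE, CMD_CYCLE_TIMER); the minimum key sizes and the 300 s timeout threshold are this example's own choices, and the sample configuration and keys are constructed for the demonstration.

```python
import base64
import binascii
from typing import Dict, List, Tuple

# Lint thresholds: this example's choices, not fwknop requirements.
MIN_KEY_BYTES = 16          # Rijndael needs at least a 128-bit key
MIN_HMAC_KEY_BYTES = 32     # at least the HMAC-SHA256 output size
MAX_TIMEOUT_SECONDS = 300   # longer exposure windows get a warning

# Constructed demo keys (not real secrets), base64-encoded like fwknop --key-gen output.
DEMO_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
DEMO_HMAC_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

# Constructed access.conf: stanza 1 is sound, stanza 2 is weak on purpose.
SAMPLE_ACCESS_CONF = f"""
# SSH and OpenVPN for any source; rules expire after 30 s.
SOURCE                  ANY
REQUIRE_SOURCE_ADDRESS  Y
OPEN_PORTS              tcp/22, udp/1194
KEY_BASE64              {DEMO_KEY_B64}
HMAC_KEY_BASE64         {DEMO_HMAC_KEY_B64}
FW_ACCESS_TIMEOUT       30

# MySQL opened through scripts that edit a third-party ACL (section 3.6).
SOURCE                  203.0.113.0/24
OPEN_PORTS              tcp/3306
KEY_BASE64              c2hvcnQ=
CMD_CYCLE_OPEN          /usr/local/bin/acl-open.sh $IP $PORT $PROTO
CMD_CYCLE_CLOSE         /usr/local/bin/acl-close.sh $IP $PORT $PROTO
FW_ACCESS_TIMEOUT       3600
"""

Finding = Tuple[int, str, str]   # (stanza number, code, message)


def parse_access_conf(text: str) -> List[Dict[str, str]]:
    """Split access.conf into stanzas; every SOURCE line starts a new one."""
    stanzas: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        directive, value = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if directive == "SOURCE" or not stanzas:
            stanzas.append({})
        stanzas[-1][directive] = value.strip()
    return stanzas


def _decoded_len(b64: str) -> int:
    """Length of a base64 value once decoded, or -1 if it is not valid base64."""
    try:
        return len(base64.b64decode(b64, validate=True))
    except (binascii.Error, ValueError):
        return -1


def lint_stanza(n: int, s: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    # Authentication: without an HMAC key fwknopd must decrypt to learn whether a
    # packet is valid, the feedback a CBC padding-oracle attack needs; with a key,
    # forged packets are dropped before decryption.
    if "HMAC_KEY_BASE64" in s or "HMAC_KEY" in s:
        hlen = _decoded_len(s["HMAC_KEY_BASE64"]) if "HMAC_KEY_BASE64" in s else len(s["HMAC_KEY"])
        if hlen < 0:
            out.append((n, "BAD_BASE64", "HMAC_KEY_BASE64 is not valid base64"))
        elif hlen < MIN_HMAC_KEY_BYTES:
            out.append((n, "WEAK_HMAC_KEY", f"HMAC key is only {hlen} bytes"))
    else:
        out.append((n, "NO_HMAC", "no HMAC key: packets are not authenticated"))
    # Encryption key (symmetric mode; GPG_* stanzas are not checked here).
    if "KEY_BASE64" in s or "KEY" in s:
        klen = _decoded_len(s["KEY_BASE64"]) if "KEY_BASE64" in s else len(s["KEY"])
        if klen < 0:
            out.append((n, "BAD_BASE64", "KEY_BASE64 is not valid base64"))
        elif klen < MIN_KEY_BYTES:
            out.append((n, "WEAK_KEY", f"encryption key is only {klen} bytes"))
    elif not any(k.startswith("GPG_") for k in s):
        out.append((n, "NO_KEY", "no KEY, KEY_BASE64 or GPG_* directive"))
    # SOURCE ANY accepts SPA packets from anywhere; REQUIRE_SOURCE_ADDRESS Y then
    # forces the client to state explicitly which IP the rule is opened for.
    if s.get("SOURCE", "").upper() == "ANY" and s.get("REQUIRE_SOURCE_ADDRESS", "N").upper() != "Y":
        out.append((n, "ANY_WITHOUT_SOURCE_ADDRESS", "SOURCE ANY without REQUIRE_SOURCE_ADDRESS Y"))
    for item in filter(None, (p.strip() for p in s.get("OPEN_PORTS", "").split(","))):
        proto, _, port = item.partition("/")
        if proto.lower() not in ("tcp", "udp") or not port.isdigit() or not 0 < int(port) < 65536:
            out.append((n, "BAD_PORT", f"unparseable OPEN_PORTS entry {item!r}"))
    timeout = s.get("FW_ACCESS_TIMEOUT")
    if timeout is not None and (not timeout.isdigit() or int(timeout) > MAX_TIMEOUT_SECONDS):
        out.append((n, "LONG_TIMEOUT", f"FW_ACCESS_TIMEOUT {timeout!r} is invalid or above {MAX_TIMEOUT_SECONDS} s"))
    # Command cycles: an open script needs a close script and an explicit timer,
    # or the change made to the third-party ACL is never undone.
    if "CMD_CYCLE_OPEN" in s:
        for needed in ("CMD_CYCLE_CLOSE", "CMD_CYCLE_TIMER"):
            if needed not in s:
                out.append((n, f"CMD_CYCLE_NO_{needed.rsplit('_', 1)[1]}", f"CMD_CYCLE_OPEN without {needed}"))
    return out


def lint_access_conf(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for number, stanza in enumerate(parse_access_conf(text), start=1):
        findings.extend(lint_stanza(number, stanza))
    return findings


if __name__ == "__main__":
    for stanza_no, code, message in lint_access_conf(SAMPLE_ACCESS_CONF):
        print(f"stanza {stanza_no}: {code}: {message}")
```

Run against the constructed file, the first stanza passes clean and the second reports NO_HMAC, WEAK_KEY (the key decodes to five bytes), LONG_TIMEOUT and CMD_CYCLE_NO_TIMER, which is exactly the kind of drift a reviewer of a real access.conf should be looking for.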

4. How Secure is PortGuard?

PortGuard's security rests on fwknop's single packet authorization (SPA) mechanism: encryption, authentication and firewall integration combine into layered protection. The following sections look at each in turn:

4.1 Encryption and Authentication

Encryption: fwknop encrypts the SPA payload with Rijndael (AES) in CBC mode using a shared symmetric key, or asymmetrically with GnuPG, so an observer on the wire cannot read the request.

Authentication: An HMAC (SHA-256 by default; SHA-384 and SHA-512 are also available) over the encrypted packet proves its integrity and that the sender holds the HMAC key.

Security: Because the HMAC is computed over the ciphertext (encrypt-then-MAC), a modified or forged packet is discarded before any decryption is attempted; this blocks man-in-the-middle tampering and removes the decryption-error feedback that CBC padding-oracle attacks (Vaudenay) depend on. Replay is handled separately: fwknopd caches a digest of every accepted packet and drops duplicates, and it rejects packets older than MAX_SPA_PACKET_AGE (120 s by default).

Limitations: Symmetric mode needs the same key on client and server, so poor key handling can leak it; GnuPG mode requires maintaining key rings.

4.2 Prevent Port Scanning

Mechanism: PortGuard relies on a default-drop firewall policy; an unauthorized scanner sees no open port, so Nmap and similar tools report the service as filtered.

Security: The attack surface shrinks to the SPA listener itself, which never replies; even a zero-day in the protected service cannot be exploited by someone who cannot reach its port.

Limitations: A sniffed knock can be replayed (classic port knocking is fully exposed to this). fwknop rejects replays with its digest cache of accepted packets and its packet-age check; the HMAC alone would not help here, since a replayed packet still carries a valid HMAC.

4.3 Resist Brute Force

Mechanism: An SPA packet must both decrypt correctly and carry a valid HMAC. A packet whose HMAC fails is dropped silently, so an attacker gets no feedback per guess, and guessing the key online is impractical.

Security: Compared with classic port knocking, where the knock sequence is the whole secret and is visible on the wire, SPA's single encrypted and authenticated packet is far more resistant to brute force.

Limitations: Configuration errors (weak keys, HMAC disabled, overly long access timeouts) reduce this protection.
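Sections 4.1 to 4.3 describe why the receiver must authenticate before it decrypts, and why the HMAC alone does not stop replay. The following is an added example, not fwknop or PortGuard code, that shows both sides of such an exchange. fwknop itself encrypts with Rijndael (AES) in CBC mode or GnuPG and appends an HMAC over the ciphertext; the Python standard library has no AES, so this example substitutes a stream cipher built from HMAC-SHA256 in counter mode and keeps the properties under discussion: the whole ciphertext is authenticated in constant time before anything is decrypted, a bit-flipped packet never reaches the decryptor, a replayed packet is caught by a digest cache, and a stale packet is rejected by an age check. The field layout, the class and method names, and the order of the checks are this example's choices; the 120 s window matches fwknopd's default MAX_SPA_PACKET_AGE, and the keys and scenario are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

MAX_PACKET_AGE = 120   # seconds; fwknopd's default MAX_SPA_PACKET_AGE is also 120
NONCE_LEN = 16
TAG_LEN = 32           # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES (assumption of this example): HMAC-SHA256 as a PRF in counter mode."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


class SpaClient:
    def __init__(self, enc_key: bytes, hmac_key: bytes) -> None:
        self.enc_key, self.hmac_key = enc_key, hmac_key

    def build(self, allow_ip: str, proto: str, port: int, now: int) -> bytes:
        """Encrypt the access request, then MAC the ciphertext (encrypt-then-MAC)."""
        message = f"{now}:{allow_ip}:{proto}/{port}".encode()
        nonce = os.urandom(NONCE_LEN)
        ciphertext = nonce + _xor(message, _keystream(self.enc_key, nonce, len(message)))
        tag = hmac.new(self.hmac_key, ciphertext, hashlib.sha256).digest()
        return ciphertext + tag


class SpaServer:
    def __init__(self, enc_key: bytes, hmac_key: bytes) -> None:
        self.enc_key, self.hmac_key = enc_key, hmac_key
        self.seen: Set[bytes] = set()   # digest cache of accepted packets
        self.decrypt_attempts = 0       # how often ciphertext reached the decryptor

    def verify(self, packet: bytes, now: int) -> Tuple[Optional[Dict[str, object]], str]:
        """Return (access request, "ok") or (None, reason). Nothing is ever sent back."""
        if len(packet) < NONCE_LEN + TAG_LEN:
            return None, "short"
        ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.hmac_key, ciphertext, hashlib.sha256).digest()
        # 1. Authenticate first, in constant time. A forged or bit-flipped packet is
        #    dropped here and never reaches the decryptor: no padding oracle to query,
        #    no feedback for a brute-force attempt.
        if not hmac.compare_digest(tag, expected):
            return None, "bad_hmac"
        # 2. Replay check. A captured packet has a valid HMAC, so only the digest
        #    cache can catch it; checking before decryption saves the work.
        digest = hashlib.sha256(packet).digest()
        if digest in self.seen:
            return None, "replay"
        # 3. Only now decrypt and parse.
        self.decrypt_attempts += 1
        nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
        message = _xor(body, _keystream(self.enc_key, nonce, len(body))).decode()
        timestamp, allow_ip, service = message.split(":")
        # 4. Age check bounds how long a captured packet stays usable even if the
        #    digest cache were lost, for example across a restart.
        if abs(now - int(timestamp)) > MAX_PACKET_AGE:
            return None, "stale"
        self.seen.add(digest)
        proto, port = service.split("/")
        return {"allow_ip": allow_ip, "proto": proto, "port": int(port)}, "ok"


def demo() -> Dict[str, object]:
    """Constructed scenario: a valid packet, its replay, a tampered copy and a stale packet."""
    enc_key, hmac_key = os.urandom(32), os.urandom(64)   # demo keys for this run only
    client, server = SpaClient(enc_key, hmac_key), SpaServer(enc_key, hmac_key)
    now = 1_700_000_000
    packet = client.build("198.51.100.7", "tcp", 22, now)
    first = server.verify(packet, now + 5)
    replay = server.verify(packet, now + 6)
    flipped = bytearray(packet)
    flipped[NONCE_LEN] ^= 0x01                           # alter one ciphertext byte
    tampered = server.verify(bytes(flipped), now + 7)
    stale = server.verify(client.build("198.51.100.7", "tcp", 22, now), now + 1000)
    return {"first": first, "replay": replay, "tampered": tampered,
            "stale": stale, "decrypt_attempts": server.decrypt_attempts}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the scenario only two packets are ever decrypted: the legitimate one and the stale one. The replay is stopped by the digest cache and the tampered copy by the HMAC check, both before decryption, which is the ordering that keeps a CBC padding oracle out of reach and denies a brute-forcing client any feedback.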

✨ Features

🔓 Robust Security Features
State-of-the-Art Encryption Technology
PortGuard uses advanced encryption technology to ensure data security, providing robust protection against unauthorized access and ensuring the confidentiality of your data.

📈 System Reliability
Unmatched Stability
Rigorously tested, PortGuard runs stably in various environments, ensuring high availability and reliability for critical applications.

💻 Cross-Platform Compatibility
Seamless Multi-Platform Support
Supports Windows, macOS, Linux, and more, allowing seamless integration into diverse IT environments and catering to a wide range of users.

🔓 Open Source Flexibility
Empower Your Security with Open Source
PortGuard is open source and supports private deployment, giving users full control over their security infrastructure and the ability to customize it to their needs.

People ❤️ Fwknop

User Comment

John

Port Knocking Security
PortGuard's port knocking mechanism has significantly improved our network security. By dynamically opening ports only for authenticated clients, we've effectively eliminated the risk of port scanning and brute-force attacks, making it nearly impossible for attackers to detect our services using tools like port scanners.
User Comment

Michael

Nmap Protection
Setting up PortGuard was surprisingly straightforward. The documentation is clear, and the configuration files are well-organized. I was able to integrate it into our existing infrastructure without any major issues. It works seamlessly with our firewall (iptables), and the learning curve was minimal. Now, we're protected from Nmap scans and other port scanning tools.
User Comment

James

Port Scan Prevention
One of the best features of PortGuard is how it prevents port scanning. By closing all ports and only opening them temporarily after a valid SPA packet is received, it eliminates the risk of port scanning and brute-force attacks. It's a game-changer for securing SSH and other critical services from port scanners and other port scanning tools.
User Comment

David

Secure Remote Access
PortGuard has made remote access to our servers much more secure. Instead of exposing SSH to the internet, we now use SPA to grant access only when needed. It's perfect for our remote team members who need to connect securely from different locations, without worrying about Nmap scans or other port scanning threats.
User Comment

Olivia

Customizable Security
The flexibility of PortGuard is impressive. We can configure it to work with multiple services, not just SSH. The ability to define custom rules and timeouts for port openings makes it adaptable to our specific use cases. It's a highly customizable solution that helps us stay ahead of port scanning threats like Nmap.
User Comment

William

Reliable Security
PortGuard has been a game-changer for our network security. With its integration of WireGuard VPN and OpenVPN, we've been able to create a private network that ensures our data remains secure and protected from prying eyes. The reliability of this setup gives us complete peace of mind, knowing that our data is safe from unauthorized access.

Copyright 2025 PortGuard. All rights reserved.