Authenticated port knocking

Letmein is a simple port knocker with a simple and secure authentication mechanism. It can be used to harden against pre-authentication attacks on services like SSH, VPN, IMAP and many more.

Image preview of letmein_overview.png

Letmein hides services on a server behind a knock authentication barrier to reduce the attack surface of a service. The service will not be accessible unless a knock authentication is successful. In case of a successful knock, the letmeind server will only open the knocked port for the client IP address that performed the knocking. Machines with different IP addresses still won't have access to the protected service.

Machines that can't successfully authenticate the knock sequence won't be able to access the protected service. They will receive an ICMP `reject` on the protected service port with the provided example `nftables.conf`. (You can also decide to `drop` the packets in your `nftables.conf` instead.)

Letmein requires an `nftables` based firewall. It will *not* work with `iptables`. If you use an `iptables` based firewall, please convert to `nftables` before installing letmein. There are descriptions about how to do that on the Internet. It's not as hard and as much work as it sounds. :)

The letmein control communication itself defaults to TCP port 5800, but it can be configured to any TCP or UDP port. If you choose a UDP port as control port and configure `control-error-policy=basic-auth`, then the letmein service itself operates in stealth mode and doesn't respond to unauthenticated incoming messages.
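As an added illustration of the firewall side of this scheme (not the project's own `nftables.conf`), the ruleset below keeps SSH unreachable with an ICMP reject unless the client's source address sits in a timed set; the table, chain and set names are assumptions, and how letmeind itself inserts and expires the per-IP entries is defined by the project's configuration, not by this fragment.

```nft
# Added example; all names here are hypothetical, not letmein's actual ones.
table inet letmein_example {
    # Client addresses that completed a knock; entries expire automatically.
    set knocked_ssh {
        type ipv4_addr
        flags timeout
    }

    chain input {
        type filter hook input priority 0; policy accept;

        iif "lo" accept
        ct state established,related accept

        # The knock control port itself (letmein defaults to TCP 5800).
        tcp dport 5800 accept

        # Only a successfully knocked client IP may reach the protected port.
        tcp dport 22 ip saddr @knocked_ssh accept

        # Everyone else gets an ICMP port-unreachable (the page's "reject" policy).
        # Replace with "tcp dport 22 drop" for the silent "drop" alternative.
        tcp dport 22 reject with icmpx type port-unreachable
    }
}

# A successful knock would then amount to adding the client's address with a
# lifetime, e.g. (constructed client address, run from the shell):
#   nft add element inet letmein_example knocked_ssh { 192.0.2.10 timeout 60s }
```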

The development source code of letmein can be downloaded using the Git version control system as follows:

git clone https://git.bues.ch/git/letmein.git

To browse the Git repository online, go to the repository web interface.
Or download the compressed snapshot.
A mirror of the repository is available on GitHub, GitLab, Bitbucket and on NotABug.org.
If you want to contribute to letmein, please read the contribution guidelines first.

letmein is stable/production quality software.
That means its features are well tested and the remaining amount of bugs probably is minor. The software does include a reasonable amount of documentation.

If you find any bugs in letmein or if you have any suggestion for new features, we would like to hear from you.
Your help is greatly appreciated and will help to create better software and improve the overall experience for everybody. So don't hesitate to report anything that limits your letmein usage.

If you have got any code improvements or other improvements that should be merged into the project, please send such enhancements to the letmein maintainer.

Please read the contribution guidelines first.

Copyright (C) Michael Büsch
Licensed under the terms of the MIT license or under the terms of the Apache License version 2.0, at your option. See the sourcecode for details.

Updated: Wednesday 18 December 2024 16:10 (UTC)