I can copy your knock and get access, I can deny you service by messing up your knocks by sending packets with a fake IP, it is also insanely inefficient in the amount of data and time spent vs the amount of information exchanged
Who cares? Serious attackers have access to the actual TCP connection you make to sshd. If there's a preauth vulnerability in sshd, they'll just use that to deliver the payload.
Port knocking is silly. If you're scared of preauth sshd zero-day, deploy an encrypted tunnel.
Replay attacks don't work against proper port knocking.
Take for example, knockknock-daemon. It sends just one SYN packet where packets IP and TCP headers are encrypted request to open a specified port. Port is closed after connection.
Entirely possible, as I said this is the first time I read about this, so the port knocking I refer to is the kind described, which is using a sequence of ports as a key.
I don't know python but this implementation seems broken in the same way (or more precisely, under the same circumstances). I just realized, you don't even need to copy the knock. If you have access to the network traffic (which you would need to copy the knock in the first place), you also have access to the TCP sequence numbers. You can just connect from the user's IP after he performs the knock, or even let him connect and inject packets at some later point. This program seems to rely on the TCP authentication of IP address which is completely negated if the attacker can monitor traffic.
The goal of knocking is to expose running services as little as possible and do it in a stealthy way.
An observer watching packets has no way to know that the SYN packet transmitted is a port knocking request. Even if they know, there is no way to determine which port was requested to open.
I don't understand what you mean. How would you prevent the attacker from knowing the port, except by only sending the port knock, and then never actually connecting?
Let's say the attacker has no idea you're using port knocking and even somehow missed your port knock packet completely, but after that captures subsequent traffic. He will still see the sequence numbers in the SYN/ACK from the server which is all he needs. Once he has that, he is an equal party to you (the legitimate client) in that connection.