Port Knocking

Technologies Feb 25, 2021

I must've been living under a rock....cuz I just found about port knocking and why its such a good security measure.


Port knocking is the modern equivalent of the secret knock. As the term implies, the door to a service or port will only open if the listed ports in the config file is knocked in a certain order. If the system is fully protected, external entities have no way of finding out the ports to knock and wont be able to uncover/access the "hidden" service.

Consider the following as an Example:
A cloud server has been configured with SSH service for remote administration on port 22. In this case port 22 would have to be open on the system firewall (IPTables/UFW). However, this means that anyone who knows the server's IP (via DNS resolution) would be able to discover the SSH service. This might allow attackers to brute force the ssh login which increases the attack vector of the server. That's when Port Knocking comes in handy! After setting up a script with knockd to monitor incomming TCP SYN packets for a secret knock, port 22 will always will always appear closed unless those ports mentioned in the config file are knocked in order. [i.e 666, 777, 888]

How Port Knocking Can Add Extra Layer of Server Security (thegeekstuff.com)


Solid Security Measure

Default Port Knocking would be viable for those small scale servers which are managed by one or two system admins as it adds a layer of security and doesn't directly expose them to the internet. [Security Through Obscurity] This also leads to reduced attack vector. [SSH Brute Force]


Failure of Daemon

Port Knocking heavily depends on the Port Knocking daemon. If the daemon were to fail, there is no way of fixing it remotely unless you already have a live session into the server. This is one risk that you will risk taking if you were to deploy this.

Sniffed Knocks

The other worry is that an attacker would be able to sniff your knocks going to the particular ports. Encryption won't necessarily do much as the type of traffic for port knocking is well known and the attacker would only need to know the server' IP and destination ports. Both of which won't be encrypted.

Okei...enough of theory! Lets try this Port Knocking out on a throwaway server.



  • Internet Connectivity
  • Pre configured IPTABLES (Read More)


[email protected]:~# sudo apt-get install knockd


Once everything is installed, its time to make changes to the /etc/knockd.conf.

[email protected]:~# cat /etc/knockd.conf

        sequence    = 666,667,668
        seq_timeout = 25
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

        sequence    = 668,667,666
        seq_timeout = 25
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

This config ensures the following:

  • If the ports 666, 667 and 668 are knocked in order, a new iptables rule allowing communications to port 22 will be added
  • If the ports `668, 667 and 6686 are knocked in order, another iptables rule denying communications to port 22 will be added

The next file to look at is, /etc/default/knockd. The target ethernet adapter has to be set in this file.

[email protected]:~# cat /etc/default/knockd 
# control if we start knockd at init or not
# 1 = start
# anything else = don't start

# command line options
KNOCKD_OPTS="-i eth0"

After completing these steps, all there's left to do is start the service!

[email protected]:~# sudo service knockd start


When I tried to SSH into my server, I was getting this Connection Refused prompt.

However, a simple NMAP scan revealed that port 22 was actually open but filtered.


The following command will knock the specified ports in order.

knock <hostname> <port 1> <port 2> <port 3>
└─# knock nee.amster 666 667 668   

After knocking, I was successfully able to negotiate an SSH connection with my server with no issues!

Late to the party...but I guess late is better than not turning up. Time to deploy this on all my servers! 🐍