Port Knocking: Complete Guide with Practical Use Cases and Server Configurations
1. Introduction
In modern network security, exposing services like SSH, RDP, or web servers to the internet can create attack surfaces for unauthorized access. Even with firewalls in place, attackers can attempt brute-force attacks, port scans, or exploits.
Port Knocking is a stealth security technique designed to protect network services by hiding open ports and only allowing access after a predefined sequence of connection attempts.
In simpler terms:
- The server appears closed to outsiders.
- Only a client knowing the correct “knock sequence” can gain access.
- It is like a secret handshake for your network services.
Port knocking is particularly useful for:
- SSH protection in servers exposed to the internet
- Reducing the attack surface on sensitive services
- Dynamic firewall rules without VPNs or additional software
This guide explores the concept, implementation, practical use cases, and configurations of port knocking.
2. How Port Knocking Works
2.1 Concept
Port knocking works by monitoring network traffic for connection attempts on closed ports in a specific order.
- A client attempts to connect to ports
7000 → 8000 → 9000. - A daemon on the server detects this “knock sequence”.
- If the sequence is correct, the server opens a specific port (e.g.,
SSH:22) temporarily for the client IP.
Key Points:
- Ports remain stealthy until the correct sequence is detected.
- Can be implemented using iptables, firewalls, or specialized daemons like
knockd. - Adds an additional layer of security by obscurity.
2.2 Port Knocking vs Traditional Firewalls
| Feature | Traditional Firewall | Port Knocking | | | -- | - | | Port Visibility | Open ports visible | All ports appear closed | | Security Level | Relies on rules only | Requires correct knock sequence | | Access Control | Based on IP, range | Based on knock sequence | | Attack Surface | Potential brute-force targets | Minimal visible attack surface |
3. Installation of Port Knocking Daemon (knockd)
3.1 On Linux (Debian/Ubuntu/Kali)
sudo apt update
sudo apt install knockd -y
Verify Installation:
knockd -v
Output Example:
knockd 0.7.4 - TCP/UDP port knocking server
3.2 On CentOS / RHEL
sudo yum install epel-release -y
sudo yum install knock -y
4. Configuration of Port Knocking
The configuration file for knockd is typically located at:
/etc/knockd.conf
4.1 Sample Configuration
[options]
UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 15
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 15
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Explanation:
[openSSH]→ opens SSH port after sequence7000 → 8000 → 9000seq_timeout→ max time in seconds between knockscommand→ the action executed, here adding an iptables rule[closeSSH]→ closes the SSH port using the reverse sequence
4.2 Enabling and Starting knockd
sudo systemctl enable knockd
sudo systemctl start knockd
sudo systemctl status knockd
Output Example:
● knockd.service - LSB: start/stop knockd
Loaded: loaded (/etc/init.d/knockd)
Active: active (running)
5. Client-Side Usage
Clients need to send the knock sequence using the knock command:
knock 192.168.1.100 7000 8000 9000
Explanation:
192.168.1.100→ server IP- Ports
7000 8000 9000→ sequence defined inknockd.conf
After sending the sequence, SSH can be accessed:
ssh user@192.168.1.100
To close the port:
knock 192.168.1.100 9000 8000 7000
6. Advanced Configurations
6.1 Using UDP Instead of TCP
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
protocol = udp
- Useful if TCP traffic is filtered or logged differently
6.2 Multiple Services
[openWeb]
sequence = 1000,2000,3000
seq_timeout = 15
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn
- Opens web server port only after correct knock sequence
6.3 Time-Based Restrictions
- Using
seq_timeoutensures the sequence must be sent within a limited time to prevent brute-force sequences.
7. Practical Use Case: Protecting SSH
Scenario: You have a public server and want to:
- Hide SSH port (22) from port scans
- Allow only trusted users with secret knock sequences
Steps:
- Install
knockd - Configure
knockd.confwith a secret sequence - Enable and start
knockd - Configure the firewall to drop all other incoming connections to port 22
- Clients use the knock sequence to access SSH
Result:
- SSH is invisible to unauthorized users
- Only those knowing the sequence can connect
- Firewall logs show no open port 22 attempts
8. Security Considerations
- Port knocking obscures services, but does not replace strong authentication
- Use strong SSH passwords or key-based authentication
- Avoid simple sequences like
1234 5678 9012 - Sequences can be logged; consider encrypted port knocking (Single Packet Authorization) for higher security
9. Testing and Verification
- Check firewall rules before knocking:
sudo iptables -L -n
- Client sends knock sequence:
knock 192.168.1.100 7000 8000 9000
- Verify port is open:
nmap -p 22 192.168.1.100
Expected Output:
PORT STATE SERVICE
22/tcp open ssh
- Connect via SSH and verify logs:
ssh user@192.168.1.100
10. Conclusion
Port knocking is an effective method to obscure services and reduce attack surfaces. By combining it with strong authentication, firewalls, and VPNs, it provides a stealthy layer of defense for sensitive services like SSH and web servers.
Key Takeaways:
- Hides ports until correct sequence is detected
- Easy to configure with
knockd - Can protect multiple services using different sequences
- Use in combination with other security measures for optimal protection