Port Knocking: The best security you can have on your computer or server (Deployment + Configuration)

Port knocking is undoubtedly a practice that all of us who manage servers should know. Here I explain in detail what it is and how to implement and configure it 😉

Right now, those of us who manage a server have SSH access to it. Some of us change the default SSH port so that it no longer uses port 22, and others simply leave it as it is (something not recommended). Either way, the server has SSH access enabled through some port, and that is already a 'vulnerability'.

With Port Knocking we can achieve the following:

1. SSH access is not enabled on any port. If we have SSH configured for port 9191 (for example), that port (9191) will be closed to everyone.
2. If someone wants to access the server by SSH they obviously will not be able to, since port 9191 is closed ... but if we use a 'magic' or secret combination, that port will be opened, for example:

1. I telnet to port 7000 of the server
2. I do another telnet to port 8000 of the server
3. I do another telnet to port 9000 of the server
4. The server detects that someone has made the secret combination (touching ports 7000, 8000 and 9000 in that order) and opens port 9191 so that an SSH login can be requested (it opens it only for the IP from which the correct port combination was made).
5. Now to close SSH I just telnet to port 3500
6. I'll do another telnet to port 4500
7. And finally another telnet to port 5500
8. When the server detects this other secret combination, it closes port 9191 again.

In other words, explaining this even more simply ...

With Port Knocking our server can keep certain ports closed, but when the server detects that the correct port combination was made from IP X (a combination previously defined in a configuration file), it executes a certain command on itself (the command is also defined in the config file).

Is that clear? 🙂

How to install a daemon for Port Knocking?

I do it with the package knockd, which lets us implement and configure Port Knocking in a very, very simple and fast way.

Install the package: knockd

How to configure Port Knocking with knockd?

Once it is installed we go on to configure it. For this we edit (as root) the file /etc/knockd.conf:

nano /etc/knockd.conf

As you can see in that file there is already a default configuration:

Explaining the default settings is really simple.

- First, UseSyslog means that activity will be logged to /var/log/syslog.
- Second, the section [openSSH] is where the instructions to open SSH go. First we have the sequence of ports (the secret combination), which by default is port 7000, port 8000 and finally port 9000. The ports can be changed (in fact I recommend it), and there do not have to be exactly 3; there can be more or fewer, it depends on you.
- Third, seq_timeout = 5 is the time allowed for the secret port combination to be completed. By default it is set to 5 seconds, which means that once we start the port knocking (that is, when we telnet to port 7000) we have a maximum of 5 seconds to finish the correct sequence. If 5 seconds pass and we have not finished, it will simply be as if the sequence was invalid.
- Fourth, command doesn't need much explanation. It is simply the command that the server executes when it detects the combination defined above. The default command opens port 22 (change this port to your SSH one) only to the IP that made the correct combination of ports.
- Fifth, tcpflags = syn specifies the type of packets that the server will recognize as valid for port knocking.

Then there is the section to close SSH; in the default configuration it is nothing more than the same sequence of ports as above, in the opposite order.
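
How the settings above fit together, as an added Python sketch (not knockd's own code and not from the original article): it parses a config laid out like the defaults just described and feeds constructed SYN events through a simplified per-source sequence matcher. The names load_rules and run_knocks, the sample IPs and the reset-on-wrong-port behaviour are assumptions of this model.

```python
# Added illustration: a simplified model of a knock-sequence matcher, not knockd itself.
# CONF mirrors the settings described above; EVENTS are constructed sample packets.
import configparser

CONF = """
[options]
UseSyslog

[openSSH]
sequence    = 7000,8000,9000
seq_timeout = 5
command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn
"""

def load_rules(text):
    # interpolation=None keeps the literal %IP% token; allow_no_value accepts bare UseSyslog
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    return {name: {"sequence": [int(p) for p in cp[name]["sequence"].split(",")],
                   "timeout": cp[name].getfloat("seq_timeout"),
                   "command": cp[name]["command"],
                   "flags": cp[name]["tcpflags"]}
            for name in cp.sections() if name != "options"}

def run_knocks(rules, events):
    """events: (time_s, src_ip, dst_port, tcp_flag). Returns the commands that would run."""
    state, fired = {}, []  # state[(rule, ip)] = (next_index, time_of_first_knock)
    for t, ip, port, flag in events:
        for name, r in rules.items():
            if flag != r["flags"]:
                continue  # only packets carrying the configured flag count as knocks
            idx, start = state.get((name, ip), (0, t))
            if idx == 0 or t - start > r["timeout"]:
                idx, start = 0, t  # fresh attempt, or seq_timeout expired mid-sequence
            if port == r["sequence"][idx]:
                idx += 1
            else:  # wrong port resets; it may itself be the first knock of a new attempt
                idx, start = int(port == r["sequence"][0]), t
            if idx == len(r["sequence"]):
                fired.append(r["command"].replace("%IP%", ip))  # rule applies to this IP only
                idx = 0
            state[(name, ip)] = (idx, start)
    return fired

EVENTS = [  # constructed: the first client finishes within 5 s, the second is too slow
    (0.0, "198.51.100.7", 7000, "syn"), (1.0, "198.51.100.7", 8000, "syn"),
    (2.0, "198.51.100.7", 9000, "syn"), (0.0, "203.0.113.9", 7000, "syn"),
    (3.0, "203.0.113.9", 8000, "syn"), (9.0, "203.0.113.9", 9000, "syn")]
```

Calling run_knocks(load_rules(CONF), EVENTS) returns a single iptables command, for 198.51.100.7 only; the slow client's third knock arrives after seq_timeout and is discarded.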

Here is a configuration with some modifications:

How to start the knockd daemon?

To start it we must first modify (as root) the file /etc/default/knockd:

nano /etc/default/knockd

There we change line number 12, which says «START_KNOCKD=0», changing that 0 to 1, so that we have «START_KNOCKD=1».

Once this is done we simply start it:

service knockd start

And voila, it is configured and working.

Port Knocking with knockd up and running!

As you can see in the previous configuration, if a port knock is made to port 1000, then to 2000 and finally to 3000, port 2222 (my SSH) will open. Here is another computer executing the port knock:

Once I press [Enter] on Knock No.1, on No.2 and finally on No.3 the port will open, here is the log:

As you can see, when knocking port 1000, stage 1 was registered, then with 2000 it is stage 2 and finally stage 3 with 3000. When this is done, the command that I declared in the .conf is executed, and that's it.

Then, to close the port, it is only a matter of knocking 9000, 8000 and finally 7000. Here is the log:

And here the explanation of use ends 😀

As you can see, Port Knocking is truly interesting and useful, because we are not limited to opening a port after a certain combination of ports: the command that the server executes can vary. That is, instead of opening a port we can declare that it kill a process, stop a service like apache or mysql, etc. ... the limit is your imagination.

Port Knocking only works when you have a physical server or when the virtual server uses KVM technology. If your VPS (virtual server) is OpenVZ, then I don't think Port Knocking will work for you, because you can't directly manipulate iptables.

Well, that's the article so far ... I am far from an expert in this matter, but I wanted to share this interesting process with you.



  1.   ErunamoJAZZ said

    Excellent article, it's quite interesting and I didn't know it existed ... it would be great if you keep putting out articles for newbie sysadmin and that 😀

    Greetings and thanks ^ _ ^

    1.    KZKG ^ Gaara said

      Thank you for the comment.
      Yes ... it is that with the articles on DNS of FICO, I do not want to be left behind LOL !!!

      Nothing seriously. Several months ago I heard something about Port Knocking and it immediately caught my attention, but since I thought it was going to be very complex at that moment I did not decide to go in, just yesterday reviewing some packages from the repo I discovered knockd and decided to give it a try, and here is the tutorial.

      I've always liked to put technical articles, some may not be interesting enough but ... I hope others are 😉


    2.    Mario said

      Hello, I know that this article has been around for some time but I send my query to see if someone can solve it for me.
      The fact is that I have implemented port knocking on my raspberry to try to improve security when I connect to it from outside the local network. For this to work I had to open the port range 7000-9990 on the router, directing it to the machine. Is it safe to open those ports on the router or, on the contrary, when trying to have more security, am I doing the opposite?

      Greetings and thank you.

  2.   eVeR said

    Great, I've been a sysadmin for years and didn't know about it.
    One question ... how do you do the "knocks"?
    Do you telnet against those ports? What does telnet answer you? Or is there some sort of "knock" command?
    Very cool article. Spectacular. Thanks a lot

    1.    KZKG ^ Gaara said

      I did the test with telnet and everything worked wonders ... but, curiously there is a 'knock' command, do a man knock so you can see 😉

      The telnet doesn't really respond to me at all, iptables with the DROP policy makes it not respond at all and the telnet stays there waiting for a response (which will never arrive), but the knockd daemon will recognize the knock even if no one responds 😀

      Thank you very much for your comment, it is a pleasure to know that my articles are still liked ^ _ ^

  3.   st0rmt4il said

    Added to Favorites! :D!

    Thank you!

    1.    KZKG ^ Gaara said

      Thanks 😀

  4.   dhunter said

    Ahh security, that pleasant feeling of when we secure the pc to plumb, and then days / weeks later trying to connect from some remote place we cannot access because the firewall is in "no one for anyone" mode, this is called staying outside the castle in terms of sysadmins. 😉

    That is why this post is so useful, with the knockd you can access from anywhere that can send a packet to your local network, and the attackers lose interest when they see that the ssh port is closed, I do not think they will knock brute force to open the port.

  5.   Manual said

    Hey, the article is great.

    One thing: does it serve to connect from outside the local network?

    I say this because I have the router with the ports closed minus the one that corresponds to the ssh that is redirected to the server.

    I imagine that in order for it to work from outside the local network, it will be necessary to open the ports of the router corresponding to Port Knocking and make them also redirect to the server.

    Mmm ...

    I don't know to what extent it is safe to do this.

    What do you think?

    1.    KZKG ^ Gaara said

      I'm not very sure, I have not done the test but I think yes, you should open ports on the router otherwise you could not knock the server.

      Do the test without opening ports on the router, if it does not work for you it is a shame, because I agree with you, it is not advisable to open these ports on the router.

      1.    Manual said

        Indeed, we must open the ports and redirect them to the computer we are calling.


  6.   Rabba08 said

    Great thank you very much! I have just started studying the networking career and these tutorials are great for me! thanks for taking the time to share the knowledge

    1.    KZKG ^ Gaara said

      I have learned a lot over the years with the global Linux community ... for a few years I have wanted to contribute too, that is precisely why I write 😀

  7.   janus981 said

    Thank you very much, you do not know how it helps me, I am about to set up a server and this is going great for me.


    1.    KZKG ^ Gaara said

      That's what we are for, to help 😉

  8.   Jean ventura said

    Excellent article! I had no knowledge of this and it helps me a lot (I am using RackSpace that uses KVM, so it suits me like a glove!). Added to favorite.

    1.    KZKG ^ Gaara said

      Thanks for commenting 🙂

  9.   Algabe said

    As always FromLinux brings us excellent post with tutorials that are really useful to put into action, thanks for sharing! 🙂

    1.    KZKG ^ Gaara said

      Thank you for your comment 🙂
      Yes, we always try to satisfy that thirst for knowledge that our readers have 😀

  10.   Timbleck said

    Interesting, did not know the option.
    Go straight to fattening my chop library.
    Thank you!

    1.    KZKG ^ Gaara said

      A pleasure for me 😀

  11.   Frederick. A. Valdés Toujague said

    Greetings KZKG ^ Gaara !!! You squeezed. Tremendous article to secure servers. No @% * & ^ idea that such a thing exists. I'll try it. Thank you

  12.   White ^ necklace said

    this is great…. ^ - ^

  13.   LearnLinux said

    Hello, could you explain how to install it in CentOS 5.x?

    I have downloaded the rpm:

    rpm -i knock-0.5-3.el5.rf.x86_64.rpm

    Configure the configuration file with 15 seconds of time and the port that I use to connect by ssh to my vps

    The daemon starts:
    /usr/sbin/knockd &

    I telnet and nothing the port does not close, by default the port is open, but it does not close.

    Am I doing something wrong?

  14.   Hello said

    Mmmm, the telnet requests to those ports could be learned by the admin of our local network, or by our service provider, no? It would block external people but not them, so if they want to activate our port they could do it because they see the requests we make. Mmm, let's say it protects, but not 100%.

    1.    Roberto said

      It could be, but I don't think they are going to imagine that certain telnet executes X action. Unless they see that the same telnet patterns are followed.

  15.   Pablo Andres Diaz Aramburo said

    Interesting article, I have a question. I think there is an error in the configuration file image, because if you analyze it well, in both lines of the command you are using ACCEPT in iptables. I think one should be ACCEPT and the other should be REJECT.

    Otherwise, excellent initiative. Thank you very much for taking the time to explain your knowledge to others.