Secure SSH Service Using Port Knocking on Debian and Ubuntu

In this tutorial, I’m going to show you how to use port knocking to secure the SSH service on a Debian or Ubuntu server. So you may ask: what exactly is port knocking, and how is it going to help you secure your Debian or Ubuntu server?

Basic Idea of Port Knocking

Port knocking is a way to let only legitimate users access services on a server; the service in this tutorial is SSH. The idea behind port knocking is that the SSH port on the server is protected by a firewall. The SSH service is running on the server, but the SSH port appears closed to the outside world because of firewall rules. In this situation, no one can connect directly to SSH port 22.

The server also runs the knockd daemon. knockd can change the firewall rules and thus temporarily open SSH port 22 to a user if that user hits (or knocks on) some specific ports in sequence. So the knock sequence is kind of like a password for the SSH port. Only a legitimate user with the right knock sequence can trigger the SSH port to open. When the legitimate user has finished his work, he then uses another knock sequence to close the SSH port.

Now let’s get our hands dirty. First we will install and configure knockd, and then set up the firewall rules.

Install Knockd on Debian and Ubuntu

sudo apt-get install knockd

Configure Knockd

Enable autostart on system boot

Edit /etc/default/knockd config file with nano or your favorite text editor.

sudo nano /etc/default/knockd

Find this line


Change 0 to 1.


Save and close the file.

Edit main configuration file.

sudo nano /etc/knockd.conf

You need to change three items in this file. In the [openSSH] section, the default opening knock sequence is 7000,8000,9000. You can change this to your own liking, such as 10001,10002,10003. You can also define 4 or more ports for the sequence. These ports need not be open.

Then in the iptables command, change -A to -I so that this iptables rule is inserted as the first rule in the chain. Order in an iptables rule chain matters: rules are checked from top to bottom and the first matching rule decides. When you send the right knock sequence, knockd executes this iptables command to open the SSH port for your IP.

Next, in the [closeSSH] section, change the default closing knock sequence to your liking, such as 10003,10002,10001.


Save and close the file, then start the knockd daemon:

sudo /etc/init.d/knockd start

or

sudo service knockd start

Note that knockd listens on the eth0 interface by default. Your server’s network interface might not be eth0. In that case, you will see the following error when starting the knockd daemon.

[FAIL] Starting Port-knock daemon: knockd failed (could not open eth0: eth0: No such device exists (SIOCGIFHWADDR: No such device)).

You need to change the interface that knockd listens on. Open /etc/default/knockd and find this line:

#KNOCKD_OPTS="-i eth1"

Remove the # and change eth1 to your server’s network interface. If your server uses OpenVZ virtualization, the interface name is venet0:0.

KNOCKD_OPTS="-i venet0:0"

Setup Firewall Rule Using iptables

First, make sure your established SSH connection stays up and won’t be killed by the firewall rules by running this command:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Now reject all incoming connections to port 22 using iptables:

sudo iptables -A INPUT -p tcp --dport 22 -j REJECT

The above command appends a rule to the INPUT chain telling the Linux kernel firewall to reject all TCP connections to port 22. To list the kernel firewall rules, use the -L option.

sudo iptables -L
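
The script below is an added example, not part of the original tutorial. It shows why the knockd command is changed from -A to -I: it walks constructed rules in iptables -S format with a simplified first-match model (the verdict function, the sample addresses and the rule text are assumptions made for illustration) and reports what happens to a new connection to port 22.

```shell
#!/bin/sh
# Added example: simplified first-match model of the INPUT chain for a NEW
# TCP connection to port 22. It understands only -s, -p, --dport, --ctstate.

# verdict RULES SRC_IP: print the target of the first rule that matches.
verdict() {
    printf '%s\n' "$1" | awk -v src="$2" '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" {
        ok = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s" && $(i+1) != (src "/32")) ok = 0
            if ($i == "-p" && $(i+1) != "tcp") ok = 0
            if ($i == "--dport" && $(i+1) != "22") ok = 0
            # A brand-new connection is not ESTABLISHED or RELATED yet.
            if ($i == "--ctstate" && index($(i+1), "NEW") == 0) ok = 0
            if ($i == "-j") target = $(i+1)
        }
        if (ok && target != "") { print target; found = 1; exit }
    }
    END { if (!found) print policy }'
}

# Constructed sample rules in iptables -S format (203.0.113.5 is the client
# that knocked; 198.51.100.7 is some other host).
BASE='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'
KNOCK='-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# With -A the per-IP rule lands after REJECT; with -I it lands at the top.
APPENDED="-P INPUT ACCEPT
$BASE
$KNOCK"
INSERTED="-P INPUT ACCEPT
$KNOCK
$BASE"

echo "rule appended (-A), knocking IP: $(verdict "$APPENDED" 203.0.113.5)"
echo "rule inserted (-I), knocking IP: $(verdict "$INSERTED" 203.0.113.5)"
echo "rule inserted (-I), other IP:    $(verdict "$INSERTED" 198.51.100.7)"
```

With the rule appended, the REJECT rule matches first and the knocking client is still refused; with the rule inserted, only the knocking client is accepted.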


Now if you use nmap to scan your server, you will see that port 22 is filtered.


And an SSH connection attempt will be rejected.


Use iptables-save to save the firewall rules to a file.

sudo iptables-save > firewall.rule

To restore the firewall rules, use iptables-restore.

sudo iptables-restore < firewall.rule

The knockd daemon can die for reasons that you cannot control. To prevent locking yourself out, I advise that your server does not restore this firewall rule automatically when the system boots; always restore it manually. When knockd dies, you can reboot your machine in the control panel of your hosting provider and access your server again.

Use Knock Client to Send Knock Sequence

The knockd daemon is bundled with a knock client called knock, so on your Debian or Ubuntu workstation, you can install it by running:

sudo apt-get install knockd

Example knock:

knock -v 10001 10002 10003


hitting tcp
hitting tcp
hitting tcp

A knock attempt can fail if there’s high latency between your workstation and your server, so you may need to knock three or more times until the server acknowledges your whole knock sequence.

Once the knock is successful, you can ssh into your server. If you use nmap to scan your server again, you will find the SSH port is open for your IP.

22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https

After you’ve done all your work, you can use port knocking to close the SSH port for your IP.

knock -v 10003 10002 10001


Port knocking should not be your only protection for the SSH service. Combining it with other forms of protection, such as SSH passwordless login, is highly recommended.

Do not automatically restore the above firewall rule on system boot. If the knockd daemon dies, you can reboot your server in the control panel provided by your hosting provider. Sometimes you can click a button called “console access” in the control panel to log in directly. This is different from SSH login.

