What is Port Knocking?

By on February 27th, 2017

In this tutorial we can check What is Port Knocking?

Security is one of the most important parameter that should be kept in account when you are on a hosting account. There are many security measures that can be used to ensure your server is secure. There are different methods to implement the security. You could secure the website and the whole server. Port knocking is a technique used to secure your server. If you own a VPS or a dedicated server, using port knocking is a good idea to ensure improved security. In this article, we are going to see what the Port Knocking is and how does it secure the server.


What is Port Knocking

Port Knocking is a technique that is used to improve the security of a webserver. It works with the help of the firewall. This method helps to identify which users are legitimate, so that blocking is effective. These ports will be closed on the firewall by default. A pre-defined sequence is needed to implement Port Knocking. If one tries with connection attempts according to this sequence, then the port that needs to be open will be opened. This will allow for the customer to connect to correct port. The primary advantage of this method is that the ports protected by Port Knocking will be shown unavailable for a usual port scan.

Please be aware that the Port Knocking shouldn’t be used as the only security measure, but also along with the other security strategies.


The IPTABLES and Port Knocking

Iptables need to be installed on the server to implement Port Knocking. As we’ve seen earlier, Port Knocking works with the firewall, iptables. To understand how Port Knocking works, we need to discuss iptables. Here is a brief overview.



IPtables is a user-space application. It allows us to configure the Linux kernel firewall. The iptables maintains a number of chains like the Input Chain, the Output Chain, the Forward Chain, etc. We can configure these chains with the users IP address accessing the server. We can allow or block users by adding them to the appropriate chains.

The format of an iptables will be as below.

target     port  opt source             destination

ACCEPT    all  —  anywhere            anywhere

To add a rule to the INPUT chain of the iptables, it will need the format specified below.

iptables -A INPUT -p tcp –dport 80 -j ACCEPT


How Does Port Knocking work

There is a module in the iptables called “recent”. It is used to dynamically create a list of IP addresses. This list will be based on the connection whether the connection was successful or unsuccessful. The firewall will find out the connections made by the user. There will be a pre-defined sequence that will be used by the firewall. If failed attempts from a user occur in this sequence. The desired port will be opened, so that the customer can connect to the port.

A sample session with the port knocking will be looking like the below.

$ ssh usr@host # No response (Ctrl+c to exit)


$ nmap -Pn –host_timeout 201 –max-retries 0  -p 1122 host #knocking port 1122

$ nmap -Pn –host_timeout 201 –max-retries 0  -p 2233 host #knocking port 2233

$ ssh user@host # Now logins are allowed

usr@host’s password:

There are various methods to implement Port Knocking. A specialized daemon can be used to handle the Port Knocking or an iptables.rules file can be created.


Port Knocking using a specialized daemon

We can use a particular daemon so that the daemon will handle the port knocking. It will allow you to set this up easily.


Port Knocking using IPTABLES

To use the Port Knocking with the iptables only, we need to create a custom file. Create the file /etc/iptables/iptables.rules for handling Port Knocking. We are going to see a sample file here. The rules are set up to open the port user defined SSH port 8855 after a sequence of knocks to the ports 1111 then 2222 and 3333. Please keep in mind that we are implementing the single knocking here. Primarily, we should define the default filter policies and chains for the script. We are using the OUTPUT ACCEPT in this example.

We can define the filter as following





:TRAFFIC – [0:0]

:SSH-INPUT – [0:0]


Now, we need to add the following rules. These rules are for the main chain.



-A TRAFFIC -m state –state NEW -m tcp -p tcp –dport 8855 -m recent –rcheck –seconds 30 –name SSH2 -j ACCEPT

The third line on the above script will open the port 8855 for 30 seconds only if the IP address that is trying to connect is on the list SSH2. Please be aware that the port will be closed after 30 seconds and a new Port Knocking attempt can be initiated from that IP address too.

The full content of the file iptables.rules will be looking like the following.





:TRAFFIC – [0:0]

:SSH-INPUT – [0:0]


# TRAFFIC chain for Port Knocking. The correct port sequence in this example is 8881 -> 7777 -> 9991; any other sequence will drop the traffic


-A TRAFFIC -p icmp –icmp-type any -j ACCEPT


-A TRAFFIC -m state –state NEW -m tcp -p tcp –dport 22 -m recent –rcheck –seconds 30 –name SSH2 -j ACCEPT

-A TRAFFIC -m state –state NEW -m tcp -p tcp -m recent –name SSH2 –remove -j DROP

-A TRAFFIC -m state –state NEW -m tcp -p tcp –dport 9991 -m recent –rcheck –name SSH1 -j SSH-INPUTTWO

-A TRAFFIC -m state –state NEW -m tcp -p tcp -m recent –name SSH1 –remove -j DROP

-A TRAFFIC -m state –state NEW -m tcp -p tcp –dport 7777 -m recent –rcheck –name SSH0 -j SSH-INPUT

-A TRAFFIC -m state –state NEW -m tcp -p tcp -m recent –name SSH0 –remove -j DROP

-A TRAFFIC -m state –state NEW -m tcp -p tcp –dport 8881 -m recent –name SSH0 –set -j DROP

-A SSH-INPUT -m recent –name SSH1 –set -j DROP

-A SSH-INPUTTWO -m recent –name SSH2 –set -j DROP



# END or further rules


If you need any further assistance please contact our support department.



One Response to “What is Port Knocking?”

  1. Paul Manoli says:

    Good to know. Very informative. Thank you

Leave a Reply