The sys admin's daily grind: Knockd


Article from Issue 94/2008

Horror stories are full of scary characters knocking on doors at night. On Linux, we just call this port knocking, and it can actually be quite useful.

If you prefer not to have an obvious administrative port for your iptables firewall – but do need a secret one – port knocking is an interesting option that can put off script-based attacks. For the ambitious but secretive admin, the tool of choice is Knockd [1].

The package includes two components: Knock is the client that sends knocking signals, which the Knockd daemon receives.


To monitor the process, Knock, the knocking client, only needs the port number on which to knock and a -v option.

For example:

knock -v 7000 8000 9000

The tool responds immediately with the command-line output shown in Figure 1.

Figure 1: If it recognizes the knock signal, the tool responds.

The /etc/knockd.conf configuration file lets the system administrator specify the action the daemon performs when it receives a valid hit.

See Listing 1 for an example.

Listing 1



In a production environment, choose a more unusual port number, of course.

Morse Code for Fun and Profit

If it recognizes the signal, Knockd opens up port 22 for the requesting IP, which passes in its own IP (see Figure 2).

Figure 2: The Knockd daemon uses iptables to open up port 22 for the requesting IP, but only if it recognizes the knock signal.

If you knock on the ports in the wrong order, the daemon will shut down SSH access. Scatterbrained admins (like me) have another option – knockd.conf, which looks like this:

start_command = /usr/sbin/iptables -A INPUTU
 -s %IP% -p tcp --syn --dport 22 -j ACCEPT
cmd_timeout = 10
stop_command = /usr/sbin/iptables -D INPUTU
 -s %IP% -p tcp --syn --dport 22 -j ACCEPT

After knocking, the daemon launches start_command, then waits the number of minutes specified in cmd_timeout before executing stop_command.


Really paranoid system administrators will relish the option of configuring a file with a sequence of ports. Each sequence expires after use.

The Author

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, fresh water aquariums, and learning Japanese, respectively.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column

    Conventional, woodpecker-style port knocking is open to sniffing and brute force knocking attacks. Sending an encrypted packet with an access request to the server is safer and more modern. Learn more about Firewall Knock Operator, a.k.a. Fwknop.

  • Single-Packet Port Knocking

    If you are looking for an extra layer of remote access security, try single-packet port knocking.

  • Charly's Column – Whowatch

    For no particular reason, Charly occasionally patrols his server farm and hunts down attackers. He has put together a neat toolbox for this job.

  • Charly’s Column: PortSentry

    To celebrate 10 years of his column, Charly sets up a sensitive detector that measures the cosmic background radiation of the Internet.

  • The sys admin's daily grind: DenyHosts

    When it comes to warding off unwanted login tests on SSH port 22 and others, Charly likes to keep an ace or two up his sleeve by relying on DenyHosts instead of Fail2ban.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More