Port Knocking: How to Hide SSH Ports and Make Your Linux Server Invisible to Botnets

Network tutorial - IT technology blog

The Problem: When Fail2Ban Still Leaves Traces

Put a VPS on the cloud for about 24 hours and you will see its SSH log (/var/log/auth.log) flooded with thousands of failed login attempts. Botnets scan around the clock, and moving SSH from port 22 to 2222 buys nothing but a little less noise: a scanner such as Nmap identifies the service behind the new port within seconds.

After 6 months of running production server clusters, I have found port knocking to be an extremely practical additional security layer. Instead of reacting after failed attempts, as Fail2Ban does, port knocking keeps the SSH port blocked by the firewall at all times. Your server will be like a brick wall with no windows. Only when you send a sequence of packets (the knock) to the right ports in the right order does the SSH door temporarily open, and only for your IP address.

How Port Knocking Works

The knockd daemon runs in the background and watches the packets arriving on the network interface (it does not read log files). When it sees SYN packets to the predefined ports (e.g., 7001, 8005, 9002) from one source address in the configured order, it runs the command from its configuration, here an iptables rule that lets that source address reach port 22. With the open/close configuration used below, the rule stays in place until the same address sends the close sequence; knockd can also remove it by itself after a configurable delay (start_command, cmd_timeout and stop_command).

Interestingly, the ports used for knocking do not need to be open on the firewall. knockd captures packets directly from the network interface with libpcap, which sees every packet before the firewall decides what to do with it, so the knock works even if the firewall drops those ports. From the outside the server looks like a black hole with no active services, with one condition: the firewall must DROP the blocked ports rather than REJECT them. A REJECT rule answers every probe with a TCP RST (or an ICMP unreachable), which tells a scanner that the host is up and the port is merely closed; a DROP rule sends nothing, so the port shows as filtered.
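To make the matching logic concrete, here is a small Python model of what the daemon does for each source address: a per-address cursor into the sequence, a seq_timeout measured from the first knock, a reset on a late or out-of-order knock, and an automatic close after cmd_timeout (the behaviour of knockd's start_command/stop_command pair). It is an added example written for this article, not knockd's code; the SYN events are constructed for the demo, and the open/close commands are the article's own iptables lines with %IP% filled in the way knockd does. Run it and it prints the commands knockd would have executed and when.

```python
"""Model of knockd's per-source sequence matching (added example, not knockd code)."""
from dataclasses import dataclass, field

OPEN_CMD = "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"
CLOSE_CMD = "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"

# Constructed SYN events (seconds, source IP, destination port) for the demo.
# Real knockd takes these from libpcap on the interface; these are made up.
EVENTS = [
    (0.0, "203.0.113.5", 7542),
    (1.0, "203.0.113.5", 8231),
    (2.0, "203.0.113.5", 9145),   # full sequence inside seq_timeout -> open
    (3.0, "198.51.100.9", 7542),
    (9.0, "198.51.100.9", 8231),  # 6 s after the first knock: too slow, reset
    (10.0, "198.51.100.9", 9145),
    (20.0, "192.0.2.77", 7542),
    (21.0, "192.0.2.77", 9145),   # out of order: reset
    (22.0, "192.0.2.77", 8231),
]


def render(command, ip):
    """Substitute %IP% the way knockd does before running the command."""
    return command.replace("%IP%", ip)


@dataclass
class KnockMatcher:
    sequence: list                      # ports in the order they must be hit
    seq_timeout: float                  # seconds allowed from first to last knock
    cmd_timeout: float                  # seconds before the open rule is removed
    progress: dict = field(default_factory=dict)    # ip -> (next index, first knock time)
    open_until: dict = field(default_factory=dict)  # ip -> expiry of its ACCEPT rule
    commands: list = field(default_factory=list)    # (time, command) that would run

    def expire(self, now):
        """Run the close command for rules whose cmd_timeout has passed."""
        for ip, until in list(self.open_until.items()):
            if now >= until:
                del self.open_until[ip]
                self.commands.append((until, render(CLOSE_CMD, ip)))

    def on_syn(self, now, ip, port):
        """Feed one SYN; returns True when this knock completes the sequence."""
        self.expire(now)
        idx, started = self.progress.get(ip, (0, now))
        if idx and now - started > self.seq_timeout:
            idx, started = 0, now          # sequence expired: start over
        if port != self.sequence[idx]:
            self.progress.pop(ip, None)    # wrong port: forget the progress
            return False
        idx += 1
        if idx < len(self.sequence):
            self.progress[ip] = (idx, started)
            return False
        self.progress.pop(ip, None)
        self.open_until[ip] = now + self.cmd_timeout
        self.commands.append((now, render(OPEN_CMD, ip)))
        return True

    def allowed(self, ip, now):
        """True while the ACCEPT rule for ip would still be in the chain."""
        self.expire(now)
        return ip in self.open_until


def replay(events, sequence=(7542, 8231, 9145), seq_timeout=5, cmd_timeout=10):
    """Run the events through a matcher and return the commands it would execute."""
    m = KnockMatcher(list(sequence), seq_timeout, cmd_timeout)
    for now, ip, port in events:
        m.on_syn(now, ip, port)
    m.expire(float("inf"))               # flush any rule still open at the end
    return m.commands


if __name__ == "__main__":
    for when, cmd in replay(EVENTS):
        print(f"t={when:5.1f}  {cmd}")
```

Only 203.0.113.5 gets a rule, and it is removed 10 seconds later. 198.51.100.9 never gets in because its second knock came 6 seconds after the first and the sequence was reset; 192.0.2.77 fails because the second and third ports were swapped. Those two cases are exactly the failure mode behind the latency tip at the end of this article.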

Installing and Configuring knockd on Ubuntu/Debian

Step 1: Install the Package

Installing knockd is quick and easy with the following command:

sudo apt update && sudo apt install knockd -y

Step 2: Set Up the Knock Sequence

All important configurations are located in the /etc/knockd.conf file. Be sure to change the default ports to avoid predictability.

sudo nano /etc/knockd.conf

Edit the file content according to the practical template below:

[options]
    UseSyslog

[openSSH]
    sequence    = 7542,8231,9145
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9145,8231,7542
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

Technical Notes:

  • sequence: Choose 3-4 random ports in the 1024-65535 range. Avoid a purely ascending sequence like the template above: a sequential port sweep walks the ports in increasing order and can hit an ascending triple in the right order by accident. Each port can also carry a protocol, e.g. 7542:udp, if you want to mix TCP and UDP knocks.
  • seq_timeout: The whole sequence must arrive within 5 seconds of the first knock. A knock that arrives later, or to the wrong port, resets the sequence for that address and you start again.
  • command: The -I (insert) parameter places the rule at the top of the INPUT chain, ahead of the REJECT rule added in Step 4, so it takes priority. The -D in closeSSH must match the inserted rule word for word or it deletes nothing. Nothing in this configuration expires the rule on its own: if you forget the close sequence, your IP stays whitelisted until you send it or the rules are flushed.
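If you would rather not depend on remembering the close sequence, knockd can remove the rule itself. The variant below is an added example for this article, not the original configuration above, and uses knockd's single-section form: start_command opens the port, and cmd_timeout seconds later stop_command runs. The ports and timeouts are placeholders to change, as above.

```ini
[options]
    UseSyslog

[opencloseSSH]
    sequence      = 7542,9145,8231
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
    cmd_timeout   = 15
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
```

The ACCEPT rule only has to admit the first SYN: once your SSH handshake is done, the ESTABLISHED,RELATED rule from Step 4 keeps the session alive, so the rule can disappear 15 seconds after the knock without cutting you off. Restricting it with --syn makes that explicit, and the short window limits what anyone who replays your knock from the same source address can do with it.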

Step 3: Enable the Daemon

Open the /etc/default/knockd file to allow the service to run automatically:

sudo nano /etc/default/knockd

Set START_KNOCKD=1. Check your network interface using the ip link show command (usually eth0 or ens3) and update it:

KNOCKD_OPTS="-i eth0"

Then enable the service at boot and start it now:

sudo systemctl enable --now knockd

Step 4: Configure the Firewall to Block SSH by Default

This is when we close the door. Warning: do not disconnect your current SSH session until you have successfully tested your first knock from a second terminal. If ufw or another firewall manager already holds an ACCEPT rule for port 22 earlier in the INPUT chain, the rule appended below never matches; check the chain order with iptables -L INPUT -n --line-numbers.

# Allow established connections (keeps your current session, and keeps a
# knocked-open session alive after the close sequence removes its ACCEPT rule)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Block all new connections to port 22. REJECT answers with a RST, which tells a
# scanner the port is closed; use -j DROP instead if you want the port to show
# as filtered, as the "black hole" description above implies.
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT


How to Open the Port from Your Local Machine

Once port 22 is blocked, you must perform the knock sequence before running a standard SSH command.

Using the knock Command

On Linux the knock client ships in the same knockd package (apt install knockd on your workstation as well; the daemon stays disabled there by default). On macOS it is available through Homebrew as knock. Then run:

knock your-server-ip 7542 8231 9145

Using Netcat (nc)

If you don't want to install extra tools, a simple bash loop over nc is enough. Keep the -w 1 timeout: the knock ports have nothing listening, and if the firewall drops them a plain nc would wait out the full TCP connect timeout on each one and blow the 5-second seq_timeout:

for x in 7542 8231 9145; do nc -z -w 1 your-server-ip $x; done

After knocking, you can ssh user@server as usual. Once you’re done, perform the reverse sequence to close the port.
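A third option, added here as an example and not part of the original article or of the knock tool, is a short Python client. It sends the knocks with a per-port timeout (the equivalent of nc -w 1), pauses briefly between them so they cannot overtake each other, then confirms that the SSH port actually accepts a TCP handshake before you type ssh, retrying the knock a couple of times as the tips below recommend. The host comes from the command line; the sequence and SSH port 22 are the article's placeholders.

```python
"""Port-knock client with a connect check and retry (added example, not the knock tool)."""
import socket
import sys
import time


def send_knock(host, ports, timeout=1.0, gap=0.2):
    """Send one SYN per port in order; returns the connect_ex result for each knock.

    A refused (RST) or timed-out connect is the normal outcome here: the knock
    ports have no listener, and only the SYN matters to knockd.
    """
    results = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)          # equivalent of nc -w 1
            results.append(s.connect_ex((host, port)))
        time.sleep(gap)                    # keep the knocks in order on a lossy link
    return results


def port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes, i.e. the ACCEPT rule is in."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def knock_and_check(host, ports, ssh_port=22, attempts=3):
    """Knock, verify, and retry; returns the attempt that worked or 0 if none did."""
    for attempt in range(1, attempts + 1):
        send_knock(host, ports)
        if port_open(host, ssh_port):
            return attempt
        time.sleep(1.0)                    # let a possibly stale sequence time out
    return 0


if __name__ == "__main__":
    target = sys.argv[1]                   # your-server-ip
    used = knock_and_check(target, [7542, 8231, 9145])
    print("SSH port opened on attempt", used if used else "never; check knockd's syslog")
```

The verification connect opens and immediately closes a TCP session to sshd, which sshd logs as a connection closed before authentication; that is harmless but you will see it in auth.log. If the script reports that the port never opened, check the server's syslog for knockd's own messages (UseSyslog in the configuration) to see whether the knocks arrived at all and in what order.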

Real-world Tips to Avoid Getting Locked Out

Implementing port knocking is great, but keep these points in mind:

  1. Timing: knockd resets the sequence for your address if the knocks arrive more than seq_timeout apart or out of order, which happens on a slow link or when your knock client stalls on a filtered port. If you cannot get in, knock again; if it keeps happening, raise seq_timeout to 10-15 seconds rather than shortening the sequence.
  2. Server Reboots: Manual iptables rules are lost on reboot. Save the base rules with iptables-persistent (netfilter-persistent save) or add a startup script, but save only while no knock-opened ACCEPT rule is present, otherwise that temporary whitelist becomes permanent.
  3. Shared Addresses: %IP% is the source address knockd saw. Behind NAT or a corporate proxy that is the shared public address, so everyone behind it can reach port 22 for as long as the rule exists.
  4. Always Have a Backup Plan: Always maintain access to your VPS provider's web console (VNC) to fix things if you accidentally misconfigure the firewall.

Conclusion

Port knocking does not replace SSH keys, and it is not authentication: the knock sequence travels in cleartext, so anyone who can observe your traffic can replay it, and an attacker who targets your server specifically will not be stopped by it. What it does is eliminate the noise from automated attacks almost completely. When scanners do not see port 22 open, they skip your server for easier targets. This is an effective stealth layer on top of keys and Fail2Ban that every Linux administrator should consider.
