How to Make Your Server Invisible with Knockd

When a server is publicly accessible, attackers can easily scan its IP address and check for open ports (particularly port 22, which is used for SSH). One way to hide your server from them is knockd, a port-knock server. It listens to all traffic on an Ethernet or other available interface, waiting for special sequences of port-hits. Clients such as telnet or PuTTY initiate port-hits by sending a TCP or UDP packet to a port on the server.

In this article we will look at how we can use knockd to hide services running on a Linux server.

Install Knockd on a Linux Server

Knockd is available in most distros' repositories. On a Debian, Ubuntu or Ubuntu-based server, you can use the apt-get command to install knockd.

For Fedora, CentOS or RHEL users, you can use the yum command:

Install and Configure Iptables

If you don’t have Iptables installed on your server, install it now.

The package iptables-persistent takes care of automatically loading the saved iptables rules at boot.

Next, you need to allow already established connections as well as current sessions through iptables. Use the following command to achieve this task:

Next, you need to block all incoming connections to port 22 (SSH).

Now let’s save the firewall rules via the following commands:

You can go ahead and check whether you have indeed blocked port 22 by connecting to your server via your computer.

Configure Knockd

Now it is time to edit knockd's default settings, which live in "/etc/knockd.conf." Open the configuration file with the following command:

For illustration purposes, I am using the leafpad editor. On your server you can use nano or Vi.

The screenshot shows the knockd configuration file.


  • Options: This section holds the global configuration options for knockd. As you can see in the screenshot above, it uses syslog for logging.
  • OpenSSH: This section is made up of sequence, sequence timeout, command and TCP flags.
  • Sequence: The port sequence that a client must hit, in order, to trigger the action.
  • Sequence Timeout: The total time allowed for a client to complete the required knock sequence.
  • Command: The command that is executed once the client's knock sequence matches the pattern in the sequence field.
  • TCP_FLAGS: The flag that must be set on the knocks issued by the client. If the flag is incorrect but the knock pattern correct, the action will not be triggered.

Note: The iptables command in the OpenSSH section of the knockd configuration file uses the -A option, which appends the rule to the end of the INPUT chain. Because it then sits after the rule that blocks port 22, incoming SSH connections are still dropped even after a successful knock.

To prevent this, replace the command with the following:

This command inserts the new rule at the top of the INPUT chain, so SSH connections are accepted before the blocking rule is reached.

Enable and Start Knockd Service

Use the following procedure to enable the knockd service in "/etc/default/knockd."

Change value from 0 to 1 as shown in the screenshot.



Afterwards, save and close the file “/etc/default/knockd.”

Next, you can start the knockd service by using one of the following commands:


Time to Knock-Test Your Linux Server

Now it's time to test your Linux SSH server. To open port 22 from a specified IP address, run the following on your computer. (You will need to install knockd on your computer, too.)

You need to replace “my-server-ip” with your server’s IP address.

You can now connect to port 22 (SSH) with the following command:

After you have finished with whatever you wanted to do via port 22, you can close it using the following command:

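As an added, self-contained example (not the article's own code), the whole procedure above as a Debian/Ubuntu shell script: the firewall baseline, a knockd.conf that already uses -I INPUT 1 instead of -A INPUT, a check that rejects any config still appending to INPUT, and the client knocks. The port sequence, seq_timeout and file paths are assumptions; adjust them for your server.

```shell
# Added example, not the article's code: the steps above as a Debian/Ubuntu script.
# Ports, seq_timeout and paths are assumptions; run as root with "install".
set -eu

# Firewall baseline: keep established sessions, drop new connections to 22.
apply_firewall() {
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j DROP
    iptables-save > /etc/iptables/rules.v4   # loaded at boot by iptables-persistent
}

# Write knockd.conf to $1. "-I INPUT 1" puts the ACCEPT above the DROP rule
# (the default -A INPUT would append it below and never take effect); -D removes it.
write_knockd_conf() {
    cat > "$1" <<'EOF'
[options]
    UseSyslog
[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
EOF
}

# Succeed only if no "command =" line still appends (-A) to INPUT.
check_knockd_conf() {
    ! grep -Eq '^[[:space:]]*command[[:space:]]*=.*-A[[:space:]]+INPUT' "$1"
}

# Enable (START_KNOCKD=0 -> 1 in /etc/default/knockd) and start the daemon.
enable_knockd() {
    sed -i 's/^START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd
    systemctl enable --now knockd      # or: service knockd start
}

# Client side, run from your own machine with the server IP as $1.
knock_open()  { knock -v "$1" 7000 8000 9000; }
knock_close() { knock -v "$1" 9000 8000 7000; }
if [ "${1:-}" = "install" ]; then
    DEBIAN_FRONTEND=noninteractive apt-get install -y knockd iptables iptables-persistent
    apply_firewall; write_knockd_conf /etc/knockd.conf
    check_knockd_conf /etc/knockd.conf; enable_knockd
fi
```

Each successful open knock inserts one more ACCEPT rule for that client IP, and each close knock removes one, so always pair them.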

With knockd, you are well assured that your SSH server is secured and safe from attackers with sophisticated scanners. In addition, you are completely in charge of your SSH server.

Michael Aboagye

Michael wears many hats in the open-source industry. He is based in Accra, Ghana. He revels in anything Linux and DevOps.


  1. This did nothing to explain the power behind knockd.

    It showed how to do the configurations very well. I could have explained in more detail why we are doing this, and how knockd is helping secure us.


  2. Hello,

    The document has a critical error, so if you follow the configuration in knockd.conf it WILL NOT WORK!
    The problem is the command in the [OpenSSH] section -> "command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"
    Explanation: The "-A INPUT" option is putting the rule at the END of your firewall section, so it will go after the rule you already have in your firewall which REJECTs port 22.
    You have to change the "-A INPUT" to "-I INPUT 1". This will add this rule as rule 1 at the top of the firewall section. Now it is working.
    One more thing.... You can also use other programs than knock to open the port sequence on your remote server, like nmap, which you can find for Windows too.
    Here are the commands for Linux:
    for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done

    Of course, to close the port you type the following, or you can make a script of these commands!

    for x in 9000 8000 7000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done

    Please correct this. Thank you for your time.

  3. I forgot to say that server_ip_address = your remote server's IP address or a DDNS domain name!

    Have a nice day
