Hetzner - DokuWiki




In this quick tutorial, I would like to explain how you can make SSHD a little more secure with the help of Knock and iptables.

I will be using Gentoo in this tutorial! Things might be different with other distributions!

Please test these things first locally! If you make mistakes, you will possibly lock yourself out of your own server! Everyone makes mistakes—even I do. If I happen to make mistakes here somewhere along the way, that's your problem. So read everything really carefully first and really check on things as you go!


Once knockd is set up, you will only be able to reach the server via SSH after a successful knock.

So that's going to look a little something like this:

knock <our IP or domain> 1234 5678 9101
ssh user@host


Knockd will be found in just about every distribution's package manager. With Gentoo, for example, you can use the command

emerge knock

If you can't find it, look here: Knock.

I don't think that I need to explain too much here, because any quasi-skilled administrator should be able to build a program from source or install a package they downloaded.


Depending on the installation there should now be a file called knockd.conf in /etc or another configuration directory.

Now we are going to edit this file (the two section headers [options] and [opencloseSSH] belong in the file; they are the sections knockd reports when it starts):

      [options]
      logfile = /var/log/knockd.log

      [opencloseSSH]
      sequence      = 1234,5678,9101
      seq_timeout   = 15
      tcpflags      = syn
      start_command = /sbin/iptables -A open -s %IP% -p tcp --dport 22 -j ACCEPT
      cmd_timeout   = 10
      stop_command  = /sbin/iptables -D open -s %IP% -p tcp --dport 22 -j ACCEPT

Explanation of that:

[options] = basic settings for knockd
logfile = location of the knockd log file

[opencloseSSH] = name of the configuration section, in this case the one that opens and closes the SSH port
sequence = the ports on which we need to knock so that we get access
seq_timeout = the time knockd waits for the sequence to complete before it considers the sequence finished
seq_timeout must be longer than cmd_timeout!
tcpflags = type of packets to which knockd should react (fin|syn|rst|psh|ack|urg)
start_command = the command that will be run after a successful knock; %IP% is replaced with the address the knock came from
cmd_timeout = time after which stop_command will be executed
stop_command = command that will be run after cmd_timeout has expired; in this case it removes the iptables rule that granted the knocking IP access to port 22

You can play around with these commands a little bit, but if you don't know what you're doing, you shouldn't.
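One thing the config takes for granted: start_command appends to an iptables chain called "open", so that chain has to exist and the INPUT chain has to consult it before the rule that drops port 22 for everyone else. The following script is an added example (not from the original tutorial or from the knockd project) that creates that scaffolding and checks the rule order; the chain name "open" and the use of the "state" match are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the iptables scaffolding
# that the knockd config above takes for granted. knockd appends a per-IP
# ACCEPT rule to a chain called "open", so that chain has to exist and INPUT
# has to consult it before the rule that drops port 22 for everyone else.
# Chain name "open" and the "state" match are assumptions of this example.

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

setup_knock_firewall() {
    # The chain that knockd's start_command/stop_command add rules to/remove from.
    run -N open 2>/dev/null || true
    # Sessions set up while the door was open keep working after cmd_timeout
    # removes the per-IP rule; only new connections need a knock.
    run -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New SSH connection attempts are checked against the knock chain first...
    run -A INPUT -p tcp --dport 22 -m state --state NEW -j open
    # ...and everything the knock chain did not accept is dropped.
    run -A INPUT -p tcp --dport 22 -j DROP
}

# Sanity check: feed "iptables -S" output on stdin. Succeeds only if the chain
# exists and INPUT jumps to it before the port-22 DROP rule; with the DROP
# rule first, a successful knock would still never let anyone in.
check_knock_firewall() {
    awk '
        /^-N open$/                                  { chain = 1 }
        /^-A INPUT .*--dport 22 .*-j open$/ && !drop { jump = 1 }
        /^-A INPUT .*--dport 22 .*-j DROP$/          { drop = 1 }
        END { exit !(chain && jump && drop) }
    '
}

# Usage (file name is a placeholder): DRY_RUN=1 sh knock-fw.sh apply
# to preview the rules, drop DRY_RUN to apply them as root.
if [ "${1:-}" = apply ]; then
    setup_knock_firewall
fi
```

Run `iptables -S | check_knock_firewall` from a shell that has sourced the file to confirm the order before relying on it.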


Now we're going to start knockd to test it:

knockd --debug --verbose
odin ~ # knockd --debug --verbose
config: new section: 'options'
config: log file: /var/log/knockd.log
config: new section: 'opencloseSSH'
config: opencloseSSH: sequence: 1234:tcp,5678:tcp,9101:tcp
config: opencloseSSH: seq_timeout: 15
config: tcp flag: SYN
config: opencloseSSH: start_command: /sbin/iptables -A open -s %IP% -p tcp --dport 22 -j ACCEPT
config: opencloseSSH: cmd_timeout: 10
config: opencloseSSH: stop_command: /sbin/iptables -D open -s %IP% -p tcp --dport 22 -j ACCEPT
ethernet interface detected
Local IP:
listening on eth0…

Now we are going to try a knock from another computer:

knock <our IP or domain> 1234 5678 9101

Now you should see the following on the server:

2006-10-27 15:41:57: tcp: -> 74 bytes opencloseSSH: Stage 1
2006-10-27 15:41:57: tcp: -> 74 bytes opencloseSSH: Stage 2
2006-10-27 15:41:57: tcp: -> 74 bytes opencloseSSH: Stage 3 opencloseSSH: OPEN SESAME
opencloseSSH: running command: /sbin/iptables -A open -s -p tcp --dport 22 -j ACCEPT opencloseSSH: command timeout

opencloseSSH: running command: /sbin/iptables -D open -s -p tcp --dport 22 -j ACCEPT

If this is the case, we are done with the configuration and we can now start knockd.

Starting knockd

If you install knockd with the package manager of your distribution, there should usually also be an init script. With Gentoo, for example, we simply start knockd by running:

/etc/init.d/knock start

That should be similar on other distributions. You should also make knockd start when the machine boots; how to do that depends on the distribution. With Gentoo, the command to start knockd at boot looks like this:

rc-update add knock default


Now we are done with everything and knockd is running. Below, I've listed a few links and will also add a Wiki article for SSHD and/or iptables. Whoever wants to can also add a few external links to iptables and SSHD.



--idle 16:02, 27. Nov 2006 (CET)

© 2018. Hetzner Online GmbH. All rights reserved.