Comments on How to use Port Knocking on Ubuntu to hide the SSH port
You all know those old gangster films where someone uses a knock sequence on a door to get in? Port knocking is exactly that, just for your server. Installing port knocking on Ubuntu is easy. In this article I will show you how to install and set up port knocking. The steps in this tutorial should work on Debian 8 as well.
14 Comment(s)
Comments
Does this work on a CentOS server too, one that I can only work on through SSH? There is no display and no keyboard connected to it.
Generally this should work for all Linux distributions. You might have to check where you find a knockd .rpm package.
I use a much simpler solution on my servers. I hide a web page which unlocks port 22 for the IP I am calling it from and sends an email to the sysadmin. It is easy, does not need any client except a browser, and is fairly secure. If the page is found, I just have to rename it, and it is not a security issue as it only opens SSH but does not give access. Port knocking is neat but a bit overkill and complicated.
Doesn't opening up a web page and port for your solution then expose your machine to hacks on the web server port, possibly exposing that port to hacking vulnerabilities? So you're sort of trading one vulnerability for another?
How can I prevent forgetting to close port 22 again? What happens when my ip changes? Thanks
Well, I integrated it through iptables directly, and also wrote rules so that only 3 packets can be sent for logging in after the knocking sequence was correct. So I think this is very secure: if someone detected the knocking sequence, he has only 3 tries to guess the login. After that he will be blocked and all traffic will be dropped; scanning doesn't work then, because all the packets are dropped. It works as expected. I locked myself out and needed to start a rescue session so I could work in some config files to put my IP on a whitelist...
So yes, port knocking is a great thing to give someone a hard time getting into the system.
Port 22 will only stay open for existing connections, so if you got the correct knocking sequence then you can connect to port 22... after the connection is made the port will stay open, as stated before. Your IP is only relevant if you combine knocking and IP-specific access; then you need to specify your new IP address... but if you only integrate knocking then your IP can change, as it wouldn't block you from your server.
It would be really cool if this tool had an auto-close property, so that if nobody is connected to port 22 after a certain amount of time, it would automatically close the port and I would have to do the port knocking again to re-open it.
So how do I combine this with IP whitelisting so it only opens up the port for my current IP address (the one I'm knocking from)? I'm connected on a daily basis, so I don't want the port open to all during that time. And I travel daily and connect with different IP addresses via my cell phone's hotspot. I want to knock on the port and then be able to log in via PuTTY, FileZilla, Stash, Git etc. over SSH, and only from my current IP address.
Running Ubuntu Server 15.04 and 15.10 CLI, knockd was unreliable in that the daemon would inexplicably end, plus it would not handle repeating port-protocol knocks reliably. I coded my own iptables-only knock rules, which are available via a bash-script installer on GitHub. I call it "POOFITEE". Totally free, it installs iptables rules and does not have any daemon aspect that can drop dead just when you need it to work, like knockd did for me. It features two styles of knocking that I call strict rules and loose rules. There are other options in POOFITEE, some in the development stage, but the two port knocking options are fully working. Please let me know if you have any success or difficulties with it, and I can help. I unashamedly lift up the Lordship of Jesus Christ in the project's copyright message, and that aspect of it is absolutely not negotiable. Lord bless!
This does not work on Ubuntu 16.04
Shouldn't the [closeSSH] command end with DENY? As it is, the commands for both [open/closeSSH] appear to open port 22, which is not what it is supposed to do. This will keep the port open indefinitely for every IP address you use it from.
Don't blindly copy and paste code from general how-to sites like this. Serverfault or the official docs ( run "man knockd" or "man iptables" ) are usually much safer.
Also, this method won't work as-is on an Amazon AWS VM because firewall rules are set in the AWS management console under Security Groups.
@Jerome the rule is -D, which deletes the ACCEPT rule and is totally valid. Don't just blindly criticise well-written articles because you don't understand them.
This did not work for me (Ubuntu 20.04) because the default knockd.conf command to open the port (A)ppends the rule after the ssh deny rule.
Changing this to (I)nsert the rule fixed this: command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
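Two things in this thread deserve a concrete illustration: the wish for a port that closes itself again after a while, and the fix of inserting the ACCEPT rule with -I instead of appending it with -A. The following is an added example written for this page; it is not code from the article or from any of the commenters. The first function prints a knockd.conf stanza that uses knockd's own start_command / cmd_timeout / stop_command mechanism, which runs stop_command a fixed number of seconds after start_command, so the hole closes without anyone remembering to close it. The knock sequence, timeouts and the sample addresses 203.0.113.5 and 198.51.100.9 are constructed values. The rest of the script is a deliberately small model of an iptables chain (a first-match list of rules, not real iptables: it ignores chain policy, conntrack and every match other than source and destination port) that shows why a rule appended below the port-22 DROP never matches, and that -D puts the chain back to its original state. One assumption to keep in mind: an already-established SSH session survives the stop_command only if an ESTABLISHED,RELATED ACCEPT rule sits above the port-22 DROP in INPUT, as the comments above imply the article's rule set does.

```shell
#!/bin/sh
# Added example, not from the article or any commenter. Part 1 prints a
# knockd.conf stanza that opens port 22 only for the knocking IP, inserts
# the ACCEPT with -I (ahead of the rule that drops port 22) and deletes it
# again after cmd_timeout seconds. Part 2 models an iptables chain as a
# first-match list to show why -A versus -I makes the difference. The model
# is a simplification written for this example; it is not iptables.

write_knockd_conf() {
    cat <<'EOF'
[options]
    logfile = /var/log/knockd.log

[SSH]
    sequence      = 7000,8000,9000
    seq_timeout   = 5
    tcpflags      = syn
    # -I (insert) puts the ACCEPT above the port-22 DROP; -A would append
    # it below the DROP, where it can never match
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    # cmd_timeout seconds after start_command knockd runs stop_command:
    # the hole closes by itself and a new connection needs a fresh knock
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# --- toy first-match chain: one rule per line, "<target> <src|any> <dport>"
CHAIN=""

chain_append() { CHAIN="${CHAIN}$1
"; }                                 # like iptables -A

chain_insert() { CHAIN="$1
${CHAIN}"; }                           # like iptables -I (rule number 1)

chain_delete() {                       # like iptables -D: drop first exact match
    new=""; removed=0
    while read -r line; do
        if [ -n "$line" ] && [ "$removed" -eq 0 ] && [ "$line" = "$1" ]; then
            removed=1
        elif [ -n "$line" ]; then
            new="${new}${line}
"
        fi
    done <<EOF
$CHAIN
EOF
    CHAIN=$new
}

chain_verdict() {                      # $1 = source IP, $2 = destination port
    result=""
    while read -r target src dport; do
        if [ -z "$result" ] && [ -n "$target" ] && [ "$dport" = "$2" ] \
           && { [ "$src" = any ] || [ "$src" = "$1" ]; }; then
            result=$target             # first matching rule decides
        fi
    done <<EOF
$CHAIN
EOF
    echo "${result:-POLICY}"           # POLICY = no rule matched
}

base_chain() { CHAIN=""; chain_append "DROP any 22"; }   # the article's port-22 DROP
KNOCKER="203.0.113.5"                  # constructed sample knocking address
KNOCK_RULE="ACCEPT $KNOCKER 22"

verdict_after_append() { base_chain; chain_append "$KNOCK_RULE"; chain_verdict "$KNOCKER" 22; }
verdict_after_insert() { base_chain; chain_insert "$KNOCK_RULE"; chain_verdict "$KNOCKER" 22; }
verdict_after_close()  { base_chain; chain_insert "$KNOCK_RULE"; chain_delete "$KNOCK_RULE"; chain_verdict "$KNOCKER" 22; }
verdict_other_host()   { base_chain; chain_insert "$KNOCK_RULE"; chain_verdict 198.51.100.9 22; }

echo "knock rule appended (-A): $(verdict_after_append)"   # DROP
echo "knock rule inserted (-I): $(verdict_after_insert)"   # ACCEPT
echo "after stop_command (-D):  $(verdict_after_close)"    # DROP
echo "other host while open:    $(verdict_other_host)"     # DROP
```

On a real box the check is `iptables -L INPUT -n --line-numbers` right after knocking: the ACCEPT line for your address must carry a lower number than the line that drops port 22, otherwise you have the -A ordering problem from the comment above. The stop_command only works because its match specification is identical to the one in start_command; -D deletes by matching the rule, so the two lines must differ only in -I versus -D.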