For instance, if I want to mitigate SSH brute force attempts, I first close all ports on the firewall, then fire up knockd. When knockd hears the correct knock sequence, it opens access to TCP port 22 for 10 seconds to the "knocker", who must authenticate via SSH during those 10 seconds. Then it closes new requests to port 22, but allows the established SSH session to continue.
What about eavesdroppers listening for the knock sequence, you ask? Very good question! You have the option of using a one-time-sequences file. It's just a list of different knocks that you come up with. The client and server both have the list and they use each sequence only once. That way anybody can listen to the knock sequence and will not know what the next valid knock will be.
Here's a simple perl script to generate the secret one-time-sequences file
## The number of knock sequences to generate
$num_knocks = 1000;
## The number of ports in each knock
$knock_size = 10;
print " ";
print int(rand(64511) + 1024);
print "," unless $_ == 10;
Redirect the output into a file and put that file on both computers. Use it for the one_time_sequences directive of knockd. The knock client needs a little trickery to use the file. I'll later share a script that does just that!