Knock is a kernel patch that implements a new NAT-compatible, TCP option for stealthy port knocking with a few new twists for improved security.
Background
Today, port scanners can scan all IPv4 addresses in less than one hour. Port knocking is a method for making TCP servers less visible on the Internet. The basic idea is to make a TCP server not respond (positively) to a TCP SYN request unless a particular "knock" packet has been sent first. This can be helpful for security, as an attacker that cannot establish a TCP connection also cannot really attack the TCP server. There are a bunch of existing user-space tools, such as Knock Knock and knockd. Most of these implementations send some other traffic (such as a UDP packet) to the target host to have it (briefly) open the server port. A particularly noteworthy recent idea in this domain is the SilentKnock, which adds the idea of integrating the knock secret in the initial TCP SYN packet in the SQN field, which is a technique borrowed from network steganography.
Summary: Security always requires a multi-layered scheme. SSH is a good example of this. Methods range from simple sshd configuration through the use of PAM to specify who can use SSH, to application of port-knocking techniques, or to hide the fact that SSH access even exists. Applying these techniques can make life much harder for possible intruders, who will have to go past three unusual barriers.
http://www.portknocking.org/
http://www.debian-administration.org/articles/455
http://www.shorewall.net/PortKnocking.html