While I have not deployed it yet, I know many people who have deployed it.

Every single one of them has noted a significant reduction in the amount of bandwidth consumed by things like SSH brute-force attacks as a result.

However, that is not to say that there are no downsides.

That's all fine and dandy, but what happens if the filesystem gets full? What happens when the daemon gets killed because of some runaway process eating up the system's RAM and swap? What happens if something else which either of those two things depends on just up and stops working? You most likely end up with a server that you will have to physically access. Port knocking daemons rely on reading failed (and filtered/prohibited) log file entries from a firewall system. AFAIK, there are no kernel-based port knocking implementations available, which for me would be the real key to adoption.
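The log-driven knock detection the post describes, as an added illustration that is not code from the post or from any particular port knocking daemon: it replays constructed iptables-style log lines, tracks the knock sequence per source, and flags a log pipeline that has gone quiet (the full-disk / killed-logger case the post worries about). The log prefix, field layout, knock sequence and timeout are all assumptions.

```python
import re
from collections import defaultdict

# Assumed format: an iptables LOG rule with prefix "KNOCK:" after an epoch timestamp.
LOG_RE = re.compile(r"KNOCK:.*?SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret knock sequence
STALE_AFTER = 60                     # seconds of log silence before the pipeline is suspect

def parse_line(line):
    """Return (timestamp, src, dport) for a KNOCK-prefixed line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = int(line.split(None, 1)[0])  # assumed leading epoch timestamp
    return ts, m.group("src"), int(m.group("dpt"))

def detect_knocks(lines, now):
    """Replay log lines. Returns (sources that completed the sequence, stale flag).
    A wrong port resets that source's progress, so a sequential scan cannot walk through."""
    progress = defaultdict(int)
    opened = set()
    last_ts = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        last_ts = ts
        if dport == KNOCK_SEQUENCE[progress[src]]:
            progress[src] += 1
            if progress[src] == len(KNOCK_SEQUENCE):
                opened.add(src)
                progress[src] = 0
        else:
            progress[src] = 1 if dport == KNOCK_SEQUENCE[0] else 0
    # No log lines for too long means the daemon is blind (full disk, dead logger,
    # rotated file); report that rather than silently treating it as "no knocks".
    stale = last_ts is None or (now - last_ts) > STALE_AFTER
    return opened, stale

# Constructed sample: a correct sequence from 10.0.0.5, a port scan from 10.0.0.9.
SAMPLE_LOG = [
    "1000 kernel: KNOCK: IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=7000",
    "1001 kernel: KNOCK: IN=eth0 SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=7000",
    "1002 kernel: KNOCK: IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=8000",
    "1003 kernel: KNOCK: IN=eth0 SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=7001",
    "1004 kernel: KNOCK: IN=eth0 SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=8000",
    "1005 kernel: KNOCK: IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=9000",
]
```

Calling `detect_knocks(SAMPLE_LOG, now=1010)` opens only 10.0.0.5; the same call with a much later `now`, or an empty log, returns the stale flag so an operator learns the daemon has stopped seeing the firewall at all.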