Port Knocking

From MikroTik Wiki
Jump to: navigation, search


This article describes how to use a feature called Port Knocking, to improve the security of your MikroTik device, and minimize a risk of hacking attempts over such protocols like SSH, Telnet, Winbox, etc.

Port knocking is a method that enables access to the router only after receiving a sequenced connection attempts on a set of prespecified closed ports. Once the correct sequence of the connection attempts is received, the RouterOS dynamically adds a host source IP to the allowed address list and You will be able to connect your router.


This example demonstrates how to set your router to use port knocking method:

The First firewall rule will store all source ip's which makes connection to router with tcp protocol on port 9000.

/ip firewall filter
add action=add-src-to-address-list address-list="port:9000" \
    address-list-timeout=1m chain=input dst-port=9000 protocol=tcp

Second rule adds the source ip to "secure" address list only if a host has the same ip address, stored by first firewall rule, and knocks on tcp port 6000.

add action=add-src-to-address-list address-list="secure" address-list-timeout=1m \
 chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"

The third rule is created to accept all connections to the router from "secure" host.

add chain=input src-address-list=secure action=accept

Everything else is dropped by this rule.

add action=drop chain=input 


Warning: After enabling these firewall rules you will be disconected from the router, and to restore connection, port knocking will be required!

Port knocking

You can use some of online available port-knock clients, or manually connect router IP address with defined ports. Here are some examples how to knock your router:

Use nmap command to knock the router:

for x in 9000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done

Install and use knockd package in linux:

sudo apt-get install knockd

Knock the router:

knock ''router_ip_address'' ''port1'' ''port2'' 

Or simply type router ip and port in your web browser:


Note: Timeout, ip protocols and ports can be changed regarding your needs.