modified on 12 April 2013 at 16:16

Port Knocking

From MikroTik Wiki


Port Knocking in MikroTik

In this article I want to describe how to use port knocking on a MikroTik router (RouterBOARD and RouterOS). About port knocking:

This feature lets network administrators configure devices in a more secure state than the default.

In this way you can block SSH, Telnet, MAC Telnet, Winbox and similar management protocols to avoid hacking or brute-force attacks; the router only listens for the administrator's actions and then opens the ports the administrator needs for configuring and monitoring it.

I want to block some TCP protocols that may leave your router insecure (SSH, Telnet, Winbox). When the administrator wants to configure the router, they should first send ICMP messages (ping) to the router and then send a web (TCP 80) request to it; SSH, Telnet and Winbox will then be opened for the specific time needed.

Follow me:

/ip firewall filter

add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input \
  disabled=no protocol=icmp

add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input \
  disabled=no dst-port=80 protocol=tcp src-address-list=ICMP

add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp \
  src-address-list="!ICMP + Http"

Explanation:

We need the router to remember the ICMP packets it receives, because the router is listening for the administrator; for this we use address lists. We add a rule that puts everybody who sends an ICMP packet to the router into an address list, and this entry stays valid for 1 minute.

add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input disabled=no protocol=icmp

Then the router knows that, to open its management ports (SSH, Telnet, Winbox), it must listen for a web (TCP 80) request: if the person who sent the ICMP packet now sends a web request, that person is the administrator. This condition can also be matched with an address list.

add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input disabled=no dst-port=80 protocol=tcp src-address-list=ICMP

In this step the router knows that a person first sent ICMP and then sent a web request, so it opens SSH, Telnet and Winbox only for that person, that is, only for the IP addresses in the address list; connections to these ports from any other source are dropped.

add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp src-address-list="!ICMP + Http"

To test:

After adding all the rules, you will see that you lose your connection to the router.

Please test Telnet, SSH and Winbox connections to the router.

First ping the router, second enter the router's IP address in your browser, then you can connect to the router with SSH, Telnet or Winbox.
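As an added example (not part of the original article or of RouterOS), the following Python model walks constructed packets through the three rules above in rule order, keeping the two address lists with their 1-minute timeouts, so the verdict at each step of the test procedure can be checked without a router. Packet, Firewall and knock_sequence are names chosen here, and the default input policy is assumed to be accept, since the article adds no other rules.

```python
from dataclasses import dataclass, field

KNOCK_TIMEOUT = 60                  # address-list-timeout=1m
PROTECTED_PORTS = {22, 23, 8291}    # dst-port=22,23,8291 (SSH, Telnet, Winbox)


@dataclass
class Packet:
    src: str            # constructed source address
    proto: str          # "icmp" or "tcp"
    dst_port: int = 0   # 0 = not applicable (ICMP)


@dataclass
class Firewall:
    # address list name -> {source address: expiry time}
    lists: dict = field(default_factory=lambda: {"ICMP": {}, "ICMP + Http": {}})

    def _in_list(self, name, src, now):
        expiry = self.lists[name].get(src)
        return expiry is not None and expiry > now

    def _add(self, name, src, now):
        # add-src-to-address-list with a 1m timeout; a repeat match refreshes the entry
        self.lists[name][src] = now + KNOCK_TIMEOUT

    def input_chain(self, pkt, now):
        """Return 'accept' or 'drop' for a packet addressed to the router itself."""
        # Rule 1: remember everyone who pings the router (non-terminating action)
        if pkt.proto == "icmp":
            self._add("ICMP", pkt.src, now)
        # Rule 2: a TCP/80 request from an address still in "ICMP" completes the knock
        if pkt.proto == "tcp" and pkt.dst_port == 80 and self._in_list("ICMP", pkt.src, now):
            self._add("ICMP + Http", pkt.src, now)
        # Rule 3: management ports are dropped unless the knock is complete
        if (pkt.proto == "tcp" and pkt.dst_port in PROTECTED_PORTS
                and not self._in_list("ICMP + Http", pkt.src, now)):
            return "drop"
        return "accept"  # assumed default input policy; the article adds no later rule


def knock_sequence(fw, src, t0=0):
    """Replay the article's test procedure and return the verdict at each step."""
    return [
        fw.input_chain(Packet(src, "tcp", 22), t0),          # SSH before knocking
        fw.input_chain(Packet(src, "icmp"), t0 + 1),          # step 1: ping
        fw.input_chain(Packet(src, "tcp", 22), t0 + 2),       # SSH still blocked
        fw.input_chain(Packet(src, "tcp", 80), t0 + 3),       # step 2: web request
        fw.input_chain(Packet(src, "tcp", 8291), t0 + 4),     # Winbox now reachable
        fw.input_chain(Packet(src, "tcp", 22), t0 + 70),      # 1 minute later: expired
    ]
```

The model also shows what the rules do not cover: TCP 80 itself is accepted from any source, because rule 3 only lists ports 22, 23 and 8291.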


Reza Moghadam


--MikroTik Certified Trainer 16:16, 12 April 2013 (UTC)