Port Knocking: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 23: | Line 23: | ||
and knocks on tcp port 6000. | and knocks on tcp port 6000. | ||
<pre> | <pre> | ||
add action=add-src-to-address-list address-list="secure" address-list-timeout=\ | add action=add-src-to-address-list address-list="secure" address-list-timeout=1m \ | ||
chain=input dst-port=6000 protocol=tcp src-address-list="port:9000" | |||
</pre> | </pre> | ||
Line 42: | Line 42: | ||
==Port knocking== | ==Port knocking== | ||
You can use some of online available port-knock clients, or manually connect router IP address with defined ports | You can use some of online available port-knock clients, or manually connect router IP address with defined ports. | ||
Here are some examples how to knock your router: | |||
Install and use knockd package in linux: | '''Use nmap command to knock the router:''' | ||
<pre> | |||
for x in 9000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done | |||
</pre> | |||
'''Install and use knockd package in linux:''' | |||
<pre> | <pre> | ||
sudo apt-get install knockd | sudo apt-get install knockd | ||
Line 51: | Line 57: | ||
Knock the router: | Knock the router: | ||
<pre> | <pre> | ||
knock '' | knock ''router_ip_address'' ''port1'' ''port2'' | ||
</pre> | </pre> | ||
Or simply type router ip and port in your web browser: | '''Or simply type router ip and port in your web browser:''' | ||
<pre> | <pre> | ||
http:// | http://router_ip_address:9000/ | ||
http:// | http://router_ip_address:6000/ | ||
</pre> | </pre> | ||
{{Note|'''Timeout, ip protocols and ports can be changed regarding your needs.'''}} | {{Note|'''Timeout, ip protocols and ports can be changed regarding your needs.'''}} | ||
Latest revision as of 08:29, 10 September 2015
Summary
This article describes how to use a feature called Port Knocking, to improve the security of your MikroTik device, and minimize a risk of hacking attempts over such protocols like SSH, Telnet, Winbox, etc.
Port knocking is a method that enables access to the router only after receiving a sequenced connection attempts on a set of prespecified closed ports. Once the correct sequence of the connection attempts is received, the RouterOS dynamically adds a host source IP to the allowed address list and You will be able to connect your router.
Example
This example demonstrates how to set your router to use port knocking method:
The First firewall rule will store all source ip's which makes connection to router with tcp protocol on port 9000.
/ip firewall filter add action=add-src-to-address-list address-list="port:9000" \ address-list-timeout=1m chain=input dst-port=9000 protocol=tcp
Second rule adds the source ip to "secure" address list only if a host has the same ip address, stored by first firewall rule, and knocks on tcp port 6000.
add action=add-src-to-address-list address-list="secure" address-list-timeout=1m \ chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"
The third rule is created to accept all connections to the router from "secure" host.
add chain=input src-address-list=secure action=accept
Everything else is dropped by this rule.
add action=drop chain=input
Warning: After enabling these firewall rules you will be disconected from the router, and to restore connection, port knocking will be required!
Port knocking
You can use some of online available port-knock clients, or manually connect router IP address with defined ports. Here are some examples how to knock your router:
Use nmap command to knock the router:
for x in 9000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done
Install and use knockd package in linux:
sudo apt-get install knockd
Knock the router:
knock ''router_ip_address'' ''port1'' ''port2''
Or simply type router ip and port in your web browser:
http://router_ip_address:9000/ http://router_ip_address:6000/
Note: Timeout, ip protocols and ports can be changed regarding your needs.