Port Knocking
PORT KNOCKING IN MIKROTIK
Summary
This article describes how to use a feature called Port Knocking, to improove the security of your MikroTik device, and minimize a risk of hacking attempts over such protocols like SSH, Telnet, Winbox, etc.
Port knocking is a method that enables access to the router only after receiving a sequenced connection attempts on a set of prespecified closed ports. Once correct sequence of the connection attempts is received, the RouterOS dynamicly adds a host source IP to the allowed address list and You will be able to connect your router.
Example
This example demonstrates how to set your router to use port knocking method:
First firewall rule will store all source ip's which makes connection to router with tcp protocol on port 9000.
/ip firewall filter add action=add-src-to-address-list address-list="port:9000" \ address-list-timeout=1m chain=input dst-port=9000 protocol=tcp
Second rule adds source ip to "secure" address list only if a host has the same ip address, stored by first firewall rule, and knocks on tcp port 6000.
add action=add-src-to-address-list address-list="secure" address-list-timeout=\ 1m chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"
Third rule is created to accept all connection to router from "secure" host.
add chain=input src-address-list=secure action=accept
Everything else is droped by this rule.
add action=drop chain=input
Warning: After enabling these firewall rules you will be disconected from the router, and to restore connection, port knocking will be required!
Port knocking
You can use some of online awailable port-knock clients, or manualy connect router IP address with defined ports, for example:
Install and use knockd package in linux:
sudo apt-get install knockd
Knock the router:
knock ''hostname'' ''port1'' ''port2'' ''port3''
Or simply type router ip and port in your web browser:
http://RouterIP:9000/ http://RouterIP:6000/
Note: Timeout, ip protocols and ports can be changed regarding your needs.
Reza Moghadam
--MikroTik Certified Trainer 16:16, 12 April 2013 (UTC)