Port Knocking

From MikroTik Wiki
Revision as of 07:04, 10 September 2015 by Pauls (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

PORT KNOCKING IN MIKROTIK


Summary

This article describes how to use a feature called Port Knocking, to improove the security of your MikroTik device, and minimize a risk of hacking attempts over such protocols like SSH, Telnet, Winbox, etc.

Port knocking is a method that enables access to the router only after receiving a sequenced connection attempts on a set of prespecified closed ports. Once correct sequence of the connection attempts is received, the RouterOS dynamicly adds a host source IP to the allowed address list and You will be able to connect your router.


Example

This example demonstrates how to set your router to use port knocking method:

First firewall rule will store all source ip's which makes connection to router with tcp protocol on port 9000.

/ip firewall filter
add action=add-src-to-address-list address-list="port:9000" \
    address-list-timeout=1m chain=input dst-port=9000 protocol=tcp

Second rule adds source ip to "secure" address list only if a host has the same ip address, stored by first firewall rule, and knocks on tcp port 6000.

add action=add-src-to-address-list address-list="secure" address-list-timeout=\
    1m chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"

Third rule is created to accept all connection to router from "secure" host.

add chain=input src-address-list=secure action=accept

Everything else is droped by this rule.

add action=drop chain=input 


Warning: After enabling these firewall rules you will be disconected from the router, and to restore connection, port knocking will be required!


Port knocking

You can use some of online awailable port-knock clients, or manualy connect router IP address with defined ports, for example:

Install and use knockd package in linux:

sudo apt-get install knockd

Knock the router:

knock ''hostname'' ''port1'' ''port2'' ''port3''

Or simply type router ip and port in your web browser:

http://RouterIP:9000/
http://RouterIP:6000/

Note: Timeout, ip protocols and ports can be changed regarding your needs.



Reza Moghadam


--MikroTik Certified Trainer 16:16, 12 April 2013 (UTC)