Difference between revisions of "Port Knocking"

From MikroTik Wiki
m (format code)

(5 intermediate revisions by 2 users not shown)

Earlier revision

PORT KNOCKING IN MIKROTIK

In this article I want to describe how to use port knocking on a MikroTik router (RouterBOARD hardware running RouterOS).

About port knocking

Port knocking lets a network administrator configure the device in a more secure state than the default. Management protocols such as SSH, Telnet, MAC Telnet and Winbox can be blocked to avoid hacking and brute-force attacks; the router then only listens for the administrator's actions and opens the required port for that administrator when the router has to be configured or monitored.

Example

I want to block some TCP protocols that may expose your router (SSH, Telnet, Winbox). When the administrator wants to configure the router, they first send ICMP messages (ping) to it and then send a web request (TCP 80) to it; SSH, Telnet and Winbox are then opened for that administrator for a limited time.

Follow me:

/ip firewall filter
add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input \
    disabled=no protocol=icmp
add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input \
    disabled=no dst-port=80 protocol=tcp src-address-list=ICMP
add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp \
    src-address-list="!ICMP + Http"

Explanation:

The router has to remember which hosts sent it ICMP packets, because it is listening for the administrator; address lists are used for this. The first rule records every host that sends an ICMP packet to the router, and the entry stays valid for one minute:

add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input disabled=no protocol=icmp

Next, to open its management ports (SSH, Telnet, Winbox) the router listens for a web request (TCP 80). If a host that has already sent an ICMP packet now sends a web request, it is treated as the administrator. This condition is again expressed with an address list:

add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input disabled=no dst-port=80 protocol=tcp src-address-list=ICMP

At this point the router knows that a host first sent ICMP and then a web request, so SSH, Telnet and Winbox are opened only for that host, i.e. for the IP address in the address list. Everyone else is dropped on those ports:

add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp src-address-list="!ICMP + Http"

Note that ICMP and TCP 80 are also exactly what an ordinary network scan sends (a ping followed by a probe of the web port), so any scanner that does both within one minute performs this knock without knowing it, and the final rule protects only TCP 22, 23 and 8291 while leaving every other input port as it was. The later revision of this article below instead knocks on two otherwise closed TCP ports and finishes with a rule that drops everything else.

For test:

Once all the rules are in place you will see that your connection to the router is lost. Try connecting with Telnet, SSH and Winbox to confirm they are blocked. Then first ping the router and second enter the router's IP address in your browser; after that you can connect to the router with SSH, Telnet or Winbox.

By Reza Moghadam

MTCNA # 1102NA155

R.Moghadam@Hotmail.Com

Latest revision as of 08:29, 10 September 2015

Summary

This article describes how to use a feature called Port Knocking to improve the security of your MikroTik device and minimize the risk of hacking attempts over protocols such as SSH, Telnet and Winbox.

Port knocking is a method that enables access to the router only after a sequence of connection attempts has been received on a set of prespecified closed ports. Once the correct sequence of connection attempts is received, RouterOS dynamically adds the host's source IP to the allowed address list and you will be able to connect to your router.


Example

This example demonstrates how to set your router to use port knocking method:

The first firewall rule stores the source IP of every host that connects to the router with TCP on port 9000.

/ip firewall filter
add action=add-src-to-address-list address-list="port:9000" \
    address-list-timeout=1m chain=input dst-port=9000 protocol=tcp

The second rule adds the source IP to the "secure" address list only if the host's IP address was already stored by the first rule and the host now knocks on TCP port 6000.

add action=add-src-to-address-list address-list="secure" address-list-timeout=1m \
 chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"

The third rule accepts all connections to the router from hosts on the "secure" list.

add chain=input src-address-list=secure action=accept

Everything else is dropped by the final rule.

add action=drop chain=input 
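To make the mechanism concrete, here is an added example written for this page (it is not RouterOS code) that models the input chain packet by packet: dynamic address-list entries that expire after address-list-timeout, src-address-list matching including the "!" negation, and the RouterOS behaviour that add-src-to-address-list does not terminate rule processing. It transcribes the four rules above and the ICMP-then-TCP/80 rule set from the earlier revision of this article, then traces four constructed scenarios: the correct knock, the knock in the wrong order, a session that outlives the one-minute entry, and a scanner that pings, probes port 80 and then tries SSH against the older rule set. The source addresses are documentation addresses and the 60-second timeout is the article's 1m; both are assumptions of the example.

```python
"""Packet-by-packet model of the RouterOS input-chain rules in this article.

Added example for this wiki page, not RouterOS code. action=add-src-to-address-list
creates a dynamic entry that expires after address-list-timeout and, as in RouterOS,
lets the packet continue down the chain; src-address-list matches live entries, with a
leading "!" negating the match; accept and drop end processing; an unmatched packet is
accepted (RouterOS default). Packets are constructed traffic from documentation addresses.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    proto: str            # "tcp" or "icmp"
    dport: Optional[int]  # None for ICMP
    t: float              # seconds since the trace started


@dataclass
class Rule:
    action: str                         # add-src-to-address-list | accept | drop
    proto: Optional[str] = None
    dports: tuple = ()                  # empty: any destination port
    src_list: Optional[str] = None      # "name" or "!name"
    address_list: Optional[str] = None  # target of add-src-to-address-list
    timeout: float = 60.0               # address-list-timeout=1m


class InputChain:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}  # list name -> {source address: expiry time}

    def listed(self, name, src, now):
        expiry = self.lists.get(name, {}).get(src)
        return expiry is not None and now < expiry

    def matches(self, r, p):
        if (r.proto and r.proto != p.proto) or (r.dports and p.dport not in r.dports):
            return False
        if r.src_list:  # "!name" matches only hosts NOT currently on the list
            negate = r.src_list.startswith("!")
            return self.listed(r.src_list.lstrip("!"), p.src, p.t) != negate
        return True

    def process(self, p):
        """Verdict for one packet; updates the dynamic address lists as a side effect."""
        for r in self.rules:
            if not self.matches(r, p):
                continue
            if r.action == "add-src-to-address-list":
                # Modelled as refreshing the timeout if the address is already listed.
                self.lists.setdefault(r.address_list, {})[p.src] = p.t + r.timeout
                continue  # non-terminal action: keep walking the chain
            return r.action
        return "accept"


# Latest revision: two otherwise closed TCP ports, then a catch-all drop.
KNOCK_RULES = [
    Rule("add-src-to-address-list", proto="tcp", dports=(9000,), address_list="port:9000"),
    Rule("add-src-to-address-list", proto="tcp", dports=(6000,), src_list="port:9000",
         address_list="secure"),
    Rule("accept", src_list="secure"),
    Rule("drop"),
]
# Earlier revision: ICMP, then TCP/80, protecting only ports 22, 23 and 8291.
ICMP_HTTP_RULES = [
    Rule("add-src-to-address-list", proto="icmp", address_list="ICMP"),
    Rule("add-src-to-address-list", proto="tcp", dports=(80,), src_list="ICMP",
         address_list="ICMP + Http"),
    Rule("drop", proto="tcp", dports=(22, 23, 8291), src_list="!ICMP + Http"),
]
ADMIN, SCANNER = "198.51.100.7", "203.0.113.9"  # constructed documentation addresses


def tcp(src, dport, t):
    return Packet(src, "tcp", dport, t)


def verdicts(rules, packets):
    chain = InputChain(rules)
    return [chain.process(p) for p in packets]


def correct_knock():
    """9000, then 6000, then SSH within the minute: the SSH SYN is accepted."""
    return verdicts(KNOCK_RULES, [tcp(ADMIN, 9000, 0), tcp(ADMIN, 6000, 1), tcp(ADMIN, 22, 5)])


def wrong_order():
    """6000 before 9000 never populates "secure"; SSH stays dropped."""
    return verdicts(KNOCK_RULES, [tcp(ADMIN, 6000, 0), tcp(ADMIN, 9000, 1), tcp(ADMIN, 22, 5)])


def session_after_expiry():
    """A session opened at t=5 loses its packets once "secure" expires at t=61."""
    return verdicts(KNOCK_RULES, [tcp(ADMIN, 9000, 0), tcp(ADMIN, 6000, 1),
                                  tcp(ADMIN, 22, 5), tcp(ADMIN, 22, 70)])


def scanner_against_icmp_http():
    """Ping, probe TCP/80, try SSH: a routine scan performs the older knock by accident."""
    return verdicts(ICMP_HTTP_RULES, [Packet(SCANNER, "icmp", None, 0),
                                      tcp(SCANNER, 80, 1), tcp(SCANNER, 22, 2)])
```

Each scenario function returns the list of verdicts for its packets. correct_knock() gives drop, accept, accept: the 9000 knock is recorded and then meets the final drop, while the 6000 knock is itself accepted because the "secure" entry already exists when the third rule is evaluated. wrong_order() is dropped throughout, session_after_expiry() ends with a drop at t=70 because nothing in the rule set preserves an established session once the entry has expired, and scanner_against_icmp_http() is accepted all the way through, which is the weakness of using ping and the web port as the knock.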


Warning: After enabling these firewall rules you will be disconnected from the router, and port knocking will be required to restore the connection!

Also note that address-list-timeout=1m keeps the "secure" entry, and with it the accept rule, alive for only one minute after the knock. Unless a rule accepting connection-state=established,related is placed before the final drop, the packets of an SSH or Winbox session opened in that window are dropped as soon as the entry expires; add such a rule or raise the timeout if sessions should outlive the knock window.


Port knocking

You can use one of the port-knock clients available online, or manually connect to the router's IP address on the defined ports. Here are some examples of how to knock your router:

Use the nmap command to knock the router:

for x in 9000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done

Install and use the knockd package on Linux (it also ships the knock client):

sudo apt-get install knockd

Knock the router:

knock router_ip_address port1 port2

Or simply type the router IP and port in your web browser:

http://router_ip_address:9000/
http://router_ip_address:6000/
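A small knock client in Python, added here as an example (it is not a MikroTik tool and not from the original page), which makes the expected outcomes explicit: the router has nothing listening on the knock ports, so each attempt ends in a refused or timed-out connection, and that is the normal result of a knock rather than an error. Host, knock ports and the service port tested afterwards are parameters; the defaults (9000, 6000, then SSH on 22) are the article's values. The free_port() helper is only there so the client can be exercised against the local loopback interface.

```python
"""Port-knock client for the two-port TCP sequence in this article.

Added example for this wiki page, not a MikroTik tool. A knock only has to
deliver a TCP SYN to the router's input chain. Nothing listens on the knock
ports, so each attempt ends refused (the firewall let the SYN through and the
TCP stack answered with a reset) or timed out (the SYN met a drop rule); both
count as a delivered knock. Defaults are the article's values (9000, 6000,
then SSH on 22); the router address is given on the command line.
"""
import socket
import sys


def knock_once(host, port, timeout=1.0):
    """One connection attempt; returns "connected", "refused" or "timeout"."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected"  # something answered; the SYN still counted as a knock
    except ConnectionRefusedError:
        return "refused"    # RST came back: the SYN reached the host's TCP stack
    except socket.timeout:
        return "timeout"    # no answer: the SYN was silently dropped
    finally:
        sock.close()


def knock(host, ports=(9000, 6000), timeout=1.0):
    """Knock the ports in the given order and return the outcome of each attempt.

    connect() only returns after a reply or the timeout, so the router sees the
    knocks strictly in this order without any extra delay between them.
    """
    return [knock_once(host, port, timeout) for port in ports]


def knock_and_check(host, ports=(9000, 6000), service_port=22, timeout=1.0):
    """Knock, then test whether the protected service now accepts a TCP connection."""
    knocks = knock(host, ports, timeout)
    opened = knock_once(host, service_port, timeout) == "connected"
    return knocks, opened


def free_port():
    """Pick an unused loopback port (helper for exercising the client locally)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        knocks, opened = knock_and_check(sys.argv[1])
        print("knocks:", knocks, "| service reachable:", opened)
    else:
        # No router given: knock two closed loopback ports to see the "refused" outcome.
        print(knock("127.0.0.1", (free_port(), free_port())))
```

Run as `python3 knock.py <router_ip_address>` (the file name is arbitrary). With the rules from this article on a real router the first knock times out, because the SYN to 9000 is recorded and then meets the final drop rule, while the second knock is refused, because the firewall now accepts it and the router's TCP stack answers with a reset; seeing timeout followed by refused is therefore a quick sign that the sequence registered. An unanswered SYN is retransmitted by the client's kernel until the timeout, which is harmless here since it only adds the same address to the same list again.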
Note: Timeout, IP protocols and ports can be changed to suit your needs.