Difference between revisions of "Port Knocking"

From MikroTik Wiki
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
PORT KNOCKING IN MIKROTIK
+
==Summary==
 +
This article describes how to use a feature called Port Knocking, to improve the security of your
 +
MikroTik device, and minimize a risk of hacking attempts over such protocols like SSH, Telnet, Winbox, etc.
  
In this article I want to describe how to use port knocking in mikrotik Router [ Board & OS ] .
+
Port knocking is a method that enables access to the router only after receiving a sequenced connection attempts on a set of
About Port Knocking :
+
prespecified closed ports.
 +
Once the correct sequence of the connection attempts is received, the RouterOS dynamically adds a host source IP to the allowed
 +
address list and You will be able to connect your router.  
  
This Feature allowed network administrators to configure Devices in more secure than default state .
 
  
In this way you can block SSH , Telnet , Mac Telnet  , Winbox and etc. protocol to avoid hacking or brute force attack , and mikrotik only Listening to administrator acts and then Open That port administrator need to configure mikrotik and monitoring .
+
==Example==
  
I want to block some TCP Protocols , They are may be Insecure your Router ( SSH , Telnet , Winbox ) .
+
<p>This example demonstrates how to set your router to use port knocking method:</p>
After administrator want to configure mikrotik , Should be Send ICMP Messages to Mirktoik And then Open or Send Web ( TCP 80 ) Rquest To mikrotik , then SSH , Telnet , Winbox Would be Opened For Specific time need  .
 
  
Follow Me  :
+
The First firewall rule will store all source ip's which makes connection to router with tcp protocol on port 9000.
 
<pre>
 
<pre>
 
/ip firewall filter
 
/ip firewall filter
 
+
add action=add-src-to-address-list address-list="port:9000" \
add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input \
+
    address-list-timeout=1m chain=input dst-port=9000 protocol=tcp
  disabled=no protocol=icmp
 
 
 
add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input  
 
  disabled=no dst-port=80 protocol=tcp src-address-list=ICMP
 
 
 
add  action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp \
 
  src-address-list="!ICMP + Http"
 
 
</pre>
 
</pre>
Explain :
 
 
we need to reminds ICMP packets received to Mikrotik , because Mikrtoik Router is to Listen to administrator , for this reason we use Address Lists .
 
We add a new rule to filter every body send ICMP packet to Mikrtoik  and this information can be valid 1 minutes for mikrotik .
 
  
 +
Second rule adds the source ip to "secure" address list only if a host has the same ip address, stored by first firewall rule,
 +
and knocks on tcp port 6000.
 
<pre>
 
<pre>
add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input disabled=no protocol=icmp
+
add action=add-src-to-address-list address-list="secure" address-list-timeout=1m \
 +
chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"
 
</pre>
 
</pre>
  
then , mikrotik know , for open its Connection Port ( SSH , telnet , Winbox ) Need be listen to Web ( TCP 80 ) Request and if that person send ICMP packet , now send Web Request , Is Administrator , This Condition also Can be Match by Address List .
+
The third rule is created to accept all connections to the router from "secure" host.
 
 
 
<pre>
 
<pre>
add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input disabled=no dst-port=80 protocol=tcp src-address-list=ICMP
+
add chain=input src-address-list=secure action=accept
 
</pre>
 
</pre>
  
in This step , mikrotik can be know , A Person in First Send ICMP , And Then That Person Send Web Request , So Mikrotik Open SSH , Telnet , Winbox , Only For That Person With That IP Addresses In Address List .
+
Everything else is dropped by this rule.
 
 
 
<pre>
 
<pre>
add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp src-address-list="!ICMP + Http"
+
add action=drop chain=input  
 
</pre>
 
</pre>
  
For Test :
 
  
After Done All Rules , you can see loss connection to mikrotik .
+
{{Warning|'''After enabling these firewall rules you will be disconected from the router, and to restore connection, port knocking will be required!'''}}
  
Please test Telnet , SSH , Winbox to connect to mikrtoik .
+
==Port knocking==
  
First Ping Mikrtoikt , Second Enter Mikrotik IP Address In Your browser , Then you can made connection to mirktoik with SSH or Telnet or Winbox .
+
You can use some of online available port-knock clients, or manually connect router IP address with defined ports.
 +
Here are some examples how to knock your router:
  
 +
'''Use nmap command to knock the router:'''
 +
<pre>
 +
for x in 9000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done
 +
</pre>
  
Reza Moghadam
+
'''Install and use knockd package in linux:'''
 +
<pre>
 +
sudo apt-get install knockd
 +
</pre>
  
 +
Knock the router:
 +
<pre>
 +
knock ''router_ip_address'' ''port1'' ''port2''
 +
</pre>
 +
 +
'''Or simply type router ip and port in your web browser:'''
 +
<pre>
 +
http://router_ip_address:9000/
 +
http://router_ip_address:6000/
 +
</pre>
  
--MikroTik Certified Trainer 16:16, 12 April 2013 (UTC)
+
{{Note|'''Timeout, ip protocols and ports can be changed regarding your needs.'''}}
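Review bot: In the new revision the final rule `add action=drop chain=input` together with `address-list-timeout=1m` on the "secure" entry means an SSH or Winbox session opened during the knock window is cut off once the entry expires: rule 3 (`add chain=input src-address-list=secure action=accept`) only matches packets whose source is on the list at that moment, and after 60 seconds every further packet of the already established session falls through to the drop. Suggest an accept rule matching `connection-state=established,related` ahead of the drop, or a longer timeout, and a sentence in the text saying so. Also worth stating in the text: the old drop was limited to `dst-port=22,23,8291`, while the new catch-all drops ICMP and every other service on the router as well, so the reader should expect more than the three management protocols to become unreachable.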

Latest revision as of 08:29, 10 September 2015

Summary

This article describes how to use a feature called port knocking to improve the security of your MikroTik device and reduce the risk of attacks against management protocols such as SSH, Telnet and Winbox.

Port knocking is a method that allows access to the router only after a specific sequence of connection attempts has been received on a set of predefined closed ports. Once the correct sequence of connection attempts is received, RouterOS dynamically adds the source IP of that host to an allowed address list, and you are able to connect to the router.


Example

This example shows how to configure the router to use port knocking:

The first firewall rule stores the source IP of every host that opens a TCP connection to the router on port 9000.

/ip firewall filter
add action=add-src-to-address-list address-list="port:9000" \
    address-list-timeout=1m chain=input dst-port=9000 protocol=tcp

The second rule adds the source IP to the "secure" address list only if that IP was already stored by the first rule and now connects to TCP port 6000.

add action=add-src-to-address-list address-list="secure" address-list-timeout=1m \
 chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"

The third rule accepts all connections to the router from hosts in the "secure" address list.

add chain=input src-address-list=secure action=accept

Everything else is dropped by the last rule.

add action=drop chain=input



Warning: After enabling these firewall rules you will be disconnected from the router, and port knocking will be required to restore the connection!
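As an added example (not from the wiki page), here is a small Python model of how these four rules treat a sequence of packets over time. It assumes RouterOS evaluates the rules in order, that add-src-to-address-list does not end rule processing, and that a dynamic entry disappears once its address-list-timeout elapses; the packets and IP addresses are constructed.

```python
from dataclasses import dataclass, field

TIMEOUT = 60  # seconds: address-list-timeout=1m in the rules above


@dataclass
class Packet:
    src: str          # source IP of the host knocking or connecting (constructed)
    proto: str        # "tcp" or "icmp"
    dst_port: int = 0
    t: float = 0.0    # arrival time in seconds, used to model entry expiry


@dataclass
class KnockFirewall:
    # address-list name -> {source IP: expiry time}; models the dynamic entries
    lists: dict = field(default_factory=dict)

    def _add(self, name, src, now):
        # add-src-to-address-list with address-list-timeout: entry lives TIMEOUT s
        self.lists.setdefault(name, {})[src] = now + TIMEOUT

    def _listed(self, name, src, now):
        expiry = self.lists.get(name, {}).get(src)
        if expiry is None or now >= expiry:   # absent, or timed out meanwhile
            self.lists.get(name, {}).pop(src, None)
            return False
        return True

    def input_chain(self, p: Packet) -> str:
        tcp = p.proto == "tcp"
        # rule 1: tcp/9000 -> store source in "port:9000"; this action gives no
        # verdict, so the packet continues down the chain
        if tcp and p.dst_port == 9000:
            self._add("port:9000", p.src, p.t)
        # rule 2: tcp/6000 from a source still in "port:9000" -> store in "secure"
        if tcp and p.dst_port == 6000 and self._listed("port:9000", p.src, p.t):
            self._add("secure", p.src, p.t)
        # rule 3: accept anything whose source is currently in "secure"
        if self._listed("secure", p.src, p.t):
            return "accept"
        # rule 4: drop everything else (the knocks themselves usually end here)
        return "drop"


def verdicts(packets):
    """Run a packet sequence through a fresh rule set; return one verdict each."""
    fw = KnockFirewall()
    return [fw.input_chain(p) for p in packets]


if __name__ == "__main__":
    seq = [Packet("10.0.0.5", "tcp", 9000, 0), Packet("10.0.0.5", "tcp", 6000, 5),
           Packet("10.0.0.5", "tcp", 22, 10), Packet("10.0.0.5", "tcp", 22, 70)]
    print(verdicts(seq))  # ['drop', 'accept', 'accept', 'drop']
```

The last verdict shows why the timeout matters: once the "secure" entry expires, packets of an SSH session that was opened in time fall through to the drop rule.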


Port knocking

You can use one of the port-knock clients available online, or manually connect to the router IP address on the defined ports. Here are some examples of how to knock your router:

Use nmap command to knock the router:

for x in 9000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done

Install and use the knockd package on Linux:

sudo apt-get install knockd

Knock the router:

knock router_ip_address port1 port2

Or simply enter the router IP and port in your web browser:

http://router_ip_address:9000/
http://router_ip_address:6000/
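For a host without nmap or knockd, the same knock can be sent with a few lines of Python. This is an added example, not from the page; router_ip_address is the page's placeholder. Because the router's last rule drops packets to the knock ports, each knock normally ends in a timeout rather than a refused connection, and that is the expected outcome.

```python
import socket


def knock(host, ports, timeout=0.5):
    """Send one TCP connection attempt to each port in order; return the outcomes."""
    outcomes = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                outcomes.append((port, "connected"))  # unexpected: knock port is open
        except socket.timeout:
            outcomes.append((port, "timeout"))        # SYN dropped: normal for a knock
        except OSError:
            outcomes.append((port, "refused"))        # RST or unreachable: also fine
    return outcomes


def is_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (e.g. SSH after knocking)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    router = sys.argv[1] if len(sys.argv) > 1 else "router_ip_address"  # placeholder
    print(knock(router, [9000, 6000]))
    print("ssh reachable:", is_reachable(router, 22))
```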

Note: The timeout, IP protocols and ports can be changed to suit your needs.