Difference between revisions of "Port Knocking"

From MikroTik Wiki
Jump to: navigation, search
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
PORT KNOCKING IN MIKROTIK
 
 
 
 
==Summary==
 
==Summary==
This article describes how to use a feature called Port Knocking, to improove the security of your  
+
This article describes how to use a feature called Port Knocking, to improve the security of your  
 
MikroTik device, and minimize a risk of hacking attempts over such protocols like SSH, Telnet, Winbox, etc.
 
MikroTik device, and minimize a risk of hacking attempts over such protocols like SSH, Telnet, Winbox, etc.
  
 
Port knocking is a method that enables access to the router only after receiving a sequenced connection attempts on a set of
 
Port knocking is a method that enables access to the router only after receiving a sequenced connection attempts on a set of
 
prespecified closed ports.  
 
prespecified closed ports.  
Once correct sequence of the connection attempts is received, the RouterOS dynamicly adds a host source IP to the allowed
+
Once the correct sequence of the connection attempts is received, the RouterOS dynamically adds a host source IP to the allowed
 
address list and You will be able to connect your router.  
 
address list and You will be able to connect your router.  
  
Line 16: Line 13:
 
<p>This example demonstrates how to set your router to use port knocking method:</p>
 
<p>This example demonstrates how to set your router to use port knocking method:</p>
  
First firewall rule will store all source ip's which makes connection to router with tcp protocol on port 9000.
+
The First firewall rule will store all source ip's which makes connection to router with tcp protocol on port 9000.
 
<pre>
 
<pre>
 
/ip firewall filter
 
/ip firewall filter
Line 23: Line 20:
 
</pre>
 
</pre>
  
Second rule adds source ip to "secure" address list only if a host has the same ip address, stored by first firewall rule,
+
Second rule adds the source ip to "secure" address list only if a host has the same ip address, stored by first firewall rule,
 
and knocks on tcp port 6000.
 
and knocks on tcp port 6000.
 
<pre>
 
<pre>
add action=add-src-to-address-list address-list="secure" address-list-timeout=\
+
add action=add-src-to-address-list address-list="secure" address-list-timeout=1m \
    1m chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"
+
chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"
 
</pre>
 
</pre>
  
Third rule is created to accept all connection to router from "secure" host.
+
The third rule is created to accept all connections to the router from "secure" host.
 
<pre>
 
<pre>
 
add chain=input src-address-list=secure action=accept
 
add chain=input src-address-list=secure action=accept
 
</pre>
 
</pre>
  
Everything else is droped by this rule.
+
Everything else is dropped by this rule.
 
<pre>
 
<pre>
 
add action=drop chain=input  
 
add action=drop chain=input  
Line 45: Line 42:
 
==Port knocking==
 
==Port knocking==
  
You can use some of online awailable port-knock clients, or manualy connect router IP address with defined ports, for example:
+
You can use some of online available port-knock clients, or manually connect router IP address with defined ports.
 +
Here are some examples how to knock your router:
 +
 
 +
'''Use nmap command to knock the router:'''
 +
<pre>
 +
for x in 9000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done
 +
</pre>
  
Install and use knockd package in linux:
+
'''Install and use knockd package in linux:'''
 
<pre>
 
<pre>
 
sudo apt-get install knockd
 
sudo apt-get install knockd
Line 54: Line 57:
 
Knock the router:
 
Knock the router:
 
<pre>
 
<pre>
knock ''hostname'' ''port1'' ''port2'' ''port3''
+
knock ''router_ip_address'' ''port1'' ''port2''  
 
</pre>
 
</pre>
  
Or simply type router ip and port in your web browser:
+
'''Or simply type router ip and port in your web browser:'''
 
<pre>
 
<pre>
http://RouterIP:9000/
+
http://router_ip_address:9000/
http://RouterIP:6000/
+
http://router_ip_address:6000/
 
</pre>
 
</pre>
  
 
{{Note|'''Timeout, ip protocols and ports can be changed regarding your needs.'''}}
 
{{Note|'''Timeout, ip protocols and ports can be changed regarding your needs.'''}}
 
 
 
Reza Moghadam
 
 
 
--MikroTik Certified Trainer 16:16, 12 April 2013 (UTC)
 

Latest revision as of 09:29, 10 September 2015

Summary

This article describes how to use a feature called Port Knocking, to improve the security of your MikroTik device, and minimize a risk of hacking attempts over such protocols like SSH, Telnet, Winbox, etc.

Port knocking is a method that enables access to the router only after receiving a sequenced connection attempts on a set of prespecified closed ports. Once the correct sequence of the connection attempts is received, the RouterOS dynamically adds a host source IP to the allowed address list and You will be able to connect your router.


Example

This example demonstrates how to set your router to use port knocking method:

The First firewall rule will store all source ip's which makes connection to router with tcp protocol on port 9000.

/ip firewall filter
add action=add-src-to-address-list address-list="port:9000" \
    address-list-timeout=1m chain=input dst-port=9000 protocol=tcp

Second rule adds the source ip to "secure" address list only if a host has the same ip address, stored by first firewall rule, and knocks on tcp port 6000.

add action=add-src-to-address-list address-list="secure" address-list-timeout=1m \
 chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"

The third rule is created to accept all connections to the router from "secure" host.

add chain=input src-address-list=secure action=accept

Everything else is dropped by this rule.

add action=drop chain=input 


Icon-warn.png

Warning: After enabling these firewall rules you will be disconected from the router, and to restore connection, port knocking will be required!


Port knocking

You can use some of online available port-knock clients, or manually connect router IP address with defined ports. Here are some examples how to knock your router:

Use nmap command to knock the router:

for x in 9000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done

Install and use knockd package in linux:

sudo apt-get install knockd

Knock the router:

knock ''router_ip_address'' ''port1'' ''port2'' 

Or simply type router ip and port in your web browser:

http://router_ip_address:9000/
http://router_ip_address:6000/
Icon-note.png

Note: Timeout, ip protocols and ports can be changed regarding your needs.