Difference between revisions of "Port Knocking"

From MikroTik Wiki

Older revision

PORT KNOCKING IN MIKROTIK

In this article I want to describe how to use port knocking on a MikroTik router (RouterBOARD and RouterOS).

About Port Knocking :

This feature allows network administrators to configure devices in a more secure state than the default.

In this way you can block SSH, Telnet, MAC Telnet, Winbox and similar protocols to avoid hacking and brute-force attacks: the router only listens for the administrator's actions and then opens the ports the administrator needs to configure and monitor the router.

I want to block some TCP protocols that may make your router insecure (SSH, Telnet, Winbox).

When the administrator wants to configure the router, they should first send ICMP messages to it and then open a web (TCP 80) request to it; SSH, Telnet and Winbox are then opened for the specific time needed.

Follow Me :

/ip firewall filter
add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input \
    disabled=no protocol=icmp
add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input \
    disabled=no dst-port=80 protocol=tcp src-address-list=ICMP
add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp \
    src-address-list="!ICMP + Http"

Explain :

We need to remember which hosts sent ICMP packets to the router, because the router has to listen for the administrator; for this reason we use address lists.

We add a new rule that records everybody who sends an ICMP packet to the router; this information stays valid on the router for 1 minute.

add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input disabled=no protocol=icmp

Then the router knows that, to open its management ports (SSH, Telnet, Winbox), it has to listen for a web (TCP 80) request: if a host that has sent an ICMP packet now sends a web request, it is the administrator. This condition can also be matched with an address list.

add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input disabled=no dst-port=80 protocol=tcp src-address-list=ICMP

In this step the router knows that a person first sent ICMP and then sent a web request, so it opens SSH, Telnet and Winbox only for that person, that is, only for the IP addresses in the address list.

add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp src-address-list="!ICMP + Http"

For Test :

After all rules are in place, you will see that you lose your connection to the router.

Please test connecting to the router with Telnet, SSH and Winbox.

First ping the router, second enter the router's IP address in your browser; then you can connect to the router with SSH, Telnet or Winbox.


Revision as of 07:04, 10 September 2015

PORT KNOCKING IN MIKROTIK


Summary

This article describes how to use a feature called Port Knocking to improve the security of your MikroTik device and minimize the risk of hacking attempts over protocols such as SSH, Telnet, Winbox, etc.

Port knocking is a method that enables access to the router only after receiving a sequence of connection attempts on a set of prespecified closed ports. Once the correct sequence of connection attempts is received, RouterOS dynamically adds the host's source IP to the allowed address list and you will be able to connect to your router.


Example

This example demonstrates how to set up your router to use the port knocking method:

The first firewall rule stores the source IP of every host that makes a TCP connection attempt to the router on port 9000.

/ip firewall filter
add action=add-src-to-address-list address-list="port:9000" \
    address-list-timeout=1m chain=input dst-port=9000 protocol=tcp

The second rule adds the source IP to the "secure" address list only if that IP was already stored in the "port:9000" list by the first rule and the host now knocks on TCP port 6000.

add action=add-src-to-address-list address-list="secure" address-list-timeout=\
    1m chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"

The third rule accepts all connections to the router from hosts in the "secure" list.

add chain=input src-address-list=secure action=accept

Everything else is dropped by this rule.

add action=drop chain=input 
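The Python simulator below is an added illustration, not MikroTik code. It models the RouterOS input chain as used on this page: address lists with an expiry time, the passthrough behaviour of add-src-to-address-list (the packet keeps going to the next rule after the source is recorded), src-address-list matching with "!" negation, and the default accept when no rule matches. It is loaded with both rule sets from this page, the 9000/6000 sequence above and the ICMP-then-HTTP sequence from the older revision, so you can check offline which packet orderings open the management ports and when the 1m timeout closes them again. The hosts 10.0.0.5 and 10.0.0.9 and the timestamps are constructed sample input.

```python
"""Offline simulator of the RouterOS input-chain rules from the Port Knocking
article (added example, not MikroTik code). Times are seconds; the 1m
address-list-timeout becomes 60."""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    action: str                                 # "add-src-to-address-list", "accept" or "drop"
    protocol: Optional[str] = None              # "tcp", "icmp" or None (any protocol)
    dst_port: Optional[Set[int]] = None         # set of ports, None = any port
    src_address_list: Optional[str] = None      # list name; a leading "!" negates the match
    address_list: Optional[str] = None          # target list for add-src-to-address-list
    timeout: int = 60                           # address-list-timeout in seconds (1m)


class InputChain:
    """Evaluates packets destined to the router itself against an ordered rule list."""

    def __init__(self, rules):
        self.rules = rules
        self.lists = {}          # list name -> {source ip: expiry time}

    def _in_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def _matches(self, rule, ip, proto, port, now):
        if rule.protocol and rule.protocol != proto:
            return False
        if rule.dst_port is not None and port not in rule.dst_port:
            return False
        if rule.src_address_list is not None:
            negate = rule.src_address_list.startswith("!")
            present = self._in_list(rule.src_address_list.lstrip("!"), ip, now)
            if present == negate:         # in the list but negated, or not in it and not negated
                return False
        return True

    def packet(self, ip, proto, port=None, now=0):
        """Return 'accept' or 'drop' for one packet from `ip` arriving at time `now`."""
        for rule in self.rules:
            if not self._matches(rule, ip, proto, port, now):
                continue
            if rule.action == "add-src-to-address-list":
                # passthrough action: record the source, then keep evaluating the chain
                self.lists.setdefault(rule.address_list, {})[ip] = now + rule.timeout
                continue
            return rule.action
        return "accept"                   # RouterOS default when no rule matches


def wiki_example_rules():
    """The four rules of the Example section (9000, then 6000, accept 'secure', drop)."""
    return [
        Rule("add-src-to-address-list", "tcp", {9000}, None, "port:9000"),
        Rule("add-src-to-address-list", "tcp", {6000}, "port:9000", "secure"),
        Rule("accept", src_address_list="secure"),
        Rule("drop"),
    ]


def older_revision_rules():
    """The three rules of the older revision (ICMP, then TCP 80, drop 22/23/8291 otherwise)."""
    return [
        Rule("add-src-to-address-list", "icmp", None, None, "ICMP"),
        Rule("add-src-to-address-list", "tcp", {80}, "ICMP", "ICMP + Http"),
        Rule("drop", "tcp", {22, 23, 8291}, "!ICMP + Http"),
    ]


def run(rules, packets):
    """Feed (ip, protocol, dst_port, time) tuples through a fresh chain; return the verdicts."""
    chain = InputChain(rules)
    return [chain.packet(*p) for p in packets]


if __name__ == "__main__":
    admin = "10.0.0.5"                    # constructed sample host
    good = [(admin, "tcp", 9000, 0), (admin, "tcp", 6000, 10), (admin, "tcp", 22, 20)]
    wrong = [(admin, "tcp", 6000, 0), (admin, "tcp", 9000, 10), (admin, "tcp", 22, 20)]
    late = [(admin, "tcp", 9000, 0), (admin, "tcp", 6000, 10), (admin, "tcp", 22, 100)]
    print("correct order :", run(wiki_example_rules(), good))
    print("reversed order:", run(wiki_example_rules(), wrong))
    print("after timeout :", run(wiki_example_rules(), late))
```

Two things the simulation makes visible that the prose does not: the second knock on port 6000 is already accepted by the third rule, because the passthrough add-src-to-address-list action puts the host into "secure" before the accept rule is evaluated, and an SSH attempt 100 seconds after the last knock is dropped again because both list entries have expired. The simulator does not model connection tracking; on a real router the final drop rule also discards replies to the router's own outbound traffic (DNS, NTP, RADIUS), so in practice an accept rule for connection-state=established,related is placed before it.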


Warning: After enabling these firewall rules you will be disconnected from the router, and to restore the connection, port knocking will be required!


Port knocking

You can use one of the port-knock clients available online, or manually connect to the router's IP address on the defined ports, for example:

Install and use the knockd package on Linux:

sudo apt-get install knockd

Knock the router:

knock hostname port1 port2 port3

Or simply type the router IP and port into your web browser, in this order:

http://RouterIP:9000/
http://RouterIP:6000/
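For administrators who would rather not depend on a browser or the knock utility, here is a small Python knock client. It is an added example, not code from this page or from the knockd project: it makes one TCP connection attempt per port in the given order, with a short timeout, because the knock ports on the router are closed and never answer. The host and port list are assumptions passed in by the caller; the loopback self-test uses a throwaway listener standing in for the router so the block runs offline.

```python
"""Minimal port-knock client for the sequence described in the article
(added example, not knockd code). Each connect attempt is the knock; the
router records the source address whether or not the attempt succeeds."""
import socket
import threading
import time


def knock(host, ports, timeout=0.5, delay=0.2):
    """Knock `host` on each port in turn.

    Returns a list of (port, outcome) where outcome is 'connected', 'refused',
    'timeout' or 'error: ...'. Against a router that drops the knock packets
    every outcome is normally 'timeout'; that is expected and still counts.
    """
    results = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            outcome = "connected"
        except socket.timeout:
            outcome = "timeout"
        except ConnectionRefusedError:
            outcome = "refused"
        except OSError as exc:
            outcome = f"error: {exc}"
        finally:
            s.close()
        results.append((port, outcome))
        time.sleep(delay)    # let the router update its address list between knocks
    return results


def _loopback_selftest():
    """Knock a local listener (constructed stand-in for the router) followed by a
    closed port; return the outcomes and how many connections the listener saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]    # free port: nothing will be listening on it
    tmp.close()

    seen = []

    def accept_one():
        conn, _ = srv.accept()
        seen.append(True)
        conn.close()

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()
    results = knock("127.0.0.1", [open_port, closed_port], timeout=1.0, delay=0)
    t.join(2)
    srv.close()
    return results, len(seen)


if __name__ == "__main__":
    # Real use against the article's example would be: knock("RouterIP", [9000, 6000])
    outcomes, hits = _loopback_selftest()
    print(outcomes, "listener accepted", hits, "connection(s)")
```

The delay between knocks matters on a real router: the second rule only matches once the first rule has placed the source in the "port:9000" list, and the list entries expire after the configured 1m, so the whole sequence plus the management login must fit inside that window.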
Note: Timeout, IP protocols and ports can be changed according to your needs.



Reza Moghadam


--MikroTik Certified Trainer 16:16, 12 April 2013 (UTC)