Port Knocking

From MikroTik Wiki
Revision as of 08:38, 4 April 2011 by Marisb (format code)

PORT KNOCKING IN MIKROTIK

This article describes how to use port knocking on a MikroTik router (RouterBOARD and RouterOS). About port knocking:

This feature lets a network administrator configure the device in a more secure state than the default.

With it you can close management protocols such as SSH, Telnet, MAC Telnet and Winbox to avoid hacking or brute-force attacks: the router only listens for the administrator's knock and then opens the ports the administrator needs for configuration and monitoring. (The rules below cover the TCP services SSH, Telnet and Winbox; MAC Telnet does not run over IP and is not affected by IP firewall rules.)

The goal is to block the TCP services that may expose the router (SSH, Telnet, Winbox). When the administrator wants to configure the router, they first send ICMP (ping) to it and then send a web request (TCP 80) to it; SSH, Telnet and Winbox are then opened only for that source address, and only for a limited time.

Follow these steps:

/ip firewall filter

add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input \
  disabled=no protocol=icmp comment="knock 1: remember every host that pings the router for 1m"

add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input \
  disabled=no dst-port=80 protocol=tcp src-address-list=ICMP comment="knock 2: TCP/80 from a host that already pinged"

add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp \
  src-address-list="!ICMP + Http" comment="drop SSH, Telnet, Winbox from every host that has not knocked"

Explanation:

The router has to remember which hosts sent it ICMP packets, because it is listening for the administrator; for this we use address lists. The first rule adds the source address of every ICMP packet received by the router to the address list ICMP, and the entry stays valid for 1 minute.

add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input disabled=no protocol=icmp

Next, before opening its management ports (SSH, Telnet, Winbox), the router also listens for a web request (TCP 80): if a host that has already sent ICMP now sends a web request, it is treated as the administrator. This condition is matched with a second address list, and only sources already in the ICMP list can enter it:

add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input disabled=no dst-port=80 protocol=tcp src-address-list=ICMP

At this point the router knows that this host first sent ICMP and then sent a web request, so it opens SSH, Telnet and Winbox only for the IP address in that address list; the third rule drops those ports for every other source. Note that TCP 80 itself is not dropped by these rules, so the router's web interface stays reachable from any address and should be restricted separately if it is not wanted as a knock.

add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp src-address-list="!ICMP + Http"

To test: after adding all the rules you will lose your connection to the router. Try Telnet, SSH and Winbox: they no longer connect. Now first ping the router, second enter the router's IP address in your browser, and then you can connect with SSH, Telnet or Winbox.
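The three rules above, modelled in Python as an added example so their behaviour over time can be checked; this is not RouterOS code and not from the original article, and the addresses, timestamps and the port sweep are constructed inputs:

```python
"""Model of the three-rule MikroTik port-knocking filter (added example).

Address lists map list name -> {source address: expiry time}; entries whose
expiry has passed are ignored, which is what address-list-timeout does."""

ICMP_LIST = "ICMP"
KNOCKED_LIST = "ICMP + Http"
LIST_TIMEOUT = 60                  # address-list-timeout=1m, in seconds
KNOCK_PORT = 80                    # second knock: a plain web request
PROTECTED_PORTS = {22, 23, 8291}   # SSH, Telnet, Winbox


class KnockFirewall:
    """Minimal model of the input chain with the three rules applied in order."""

    def __init__(self):
        self.lists = {ICMP_LIST: {}, KNOCKED_LIST: {}}

    def _in_list(self, name, src, now):
        expiry = self.lists[name].get(src)
        return expiry is not None and now < expiry

    def _add(self, name, src, now):
        # add-src-to-address-list refreshes the timeout on every match
        self.lists[name][src] = now + LIST_TIMEOUT

    def input_chain(self, src, proto, dst_port, now):
        """Evaluate one packet; returns 'accept' or 'drop'.

        add-src-to-address-list does not terminate rule processing, so a
        packet matched by rule 1 or 2 still reaches rule 3. Anything not
        dropped falls through to the chain's default accept."""
        # rule 1: every ICMP source goes into list ICMP for 1m
        if proto == "icmp":
            self._add(ICMP_LIST, src, now)
        # rule 2: TCP/80 from a source already in ICMP goes into "ICMP + Http"
        if proto == "tcp" and dst_port == KNOCK_PORT and self._in_list(ICMP_LIST, src, now):
            self._add(KNOCKED_LIST, src, now)
        # rule 3: drop SSH/Telnet/Winbox unless the source has completed the knock
        if proto == "tcp" and dst_port in PROTECTED_PORTS and not self._in_list(KNOCKED_LIST, src, now):
            return "drop"
        return "accept"


def admin_knock_sequence():
    """The sequence from the article: SSH before knocking, ping, web request,
    SSH, then SSH again after the one-minute entry has expired."""
    fw = KnockFirewall()
    admin = "192.0.2.10"                                   # constructed address
    return [
        fw.input_chain(admin, "tcp", 22, now=0),           # no knock yet
        fw.input_chain(admin, "icmp", None, now=1),        # first knock: ping
        fw.input_chain(admin, "tcp", 80, now=2),           # second knock: web
        fw.input_chain(admin, "tcp", 22, now=3),           # SSH now passes rule 3
        fw.input_chain(admin, "tcp", 22, now=3 + LIST_TIMEOUT + 1),  # entry expired
    ]


def wrong_order_sequence():
    """Web request before the ping: rule 2 never matches, SSH stays closed."""
    fw = KnockFirewall()
    src = "192.0.2.20"                                     # constructed address
    fw.input_chain(src, "tcp", 80, now=0)
    fw.input_chain(src, "icmp", None, now=1)
    return fw.input_chain(src, "tcp", 22, now=2)


def scanner_sequence():
    """A host-discovery ping followed by a sweep that reaches port 80 before
    the management ports satisfies the knock without knowing the secret."""
    fw = KnockFirewall()
    scanner = "198.51.100.7"                               # constructed address
    fw.input_chain(scanner, "icmp", None, now=0)           # ping-based host discovery
    for port in (21, 25, 80, 443):                         # constructed sweep order
        fw.input_chain(scanner, "tcp", port, now=1)
    return fw.input_chain(scanner, "tcp", 8291, now=2)     # Winbox is open to the scanner


if __name__ == "__main__":
    print("admin:", admin_knock_sequence())
    print("wrong order:", wrong_order_sequence())
    print("scanner:", scanner_sequence())
```

Two things the model makes visible. A scanner that pings and then touches port 80 before the management ports completes the knock, because the two knocks are exactly what ordinary host discovery and a port sweep do; a less guessable sequence (closed ports, specific order) is what port knocking normally relies on. And once the one-minute entry expires, rule 3 matches every packet to 22/23/8291 from that source, including the packets of an SSH session that is already open, unless something earlier in the input chain accepts connection-state=established,related or the timeout is lengthened.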


By Reza Moghadam, MTCNA #1102NA155, R.Moghadam@Hotmail.Com