This article describes how to use port knocking to improve the security of your MikroTik device and to reduce the exposure of management protocols such as SSH, Telnet and Winbox to password guessing and other attacks over the network. Port knocking hides these services from hosts that have not knocked; it is an additional layer in front of strong passwords and an up-to-date RouterOS, not a replacement for them.
Port knocking is a method that grants access to the router only after a sequence of connection attempts has been received on a set of prespecified closed ports. Once the correct sequence is received, RouterOS dynamically adds the source IP address of the knocking host to an allowed address list, and that host can then connect to the router.
This example demonstrates how to configure the router to use port knocking:
The first firewall rule stores the source IP of every host that makes a TCP connection attempt to port 9000 on the router. The address-list entry expires after one minute, so the next knock must follow within that window:
/ip firewall filter add action=add-src-to-address-list address-list="port:9000" address-list-timeout=1m chain=input dst-port=9000 protocol=tcp
The second rule adds the source IP to the "secure" address list only if that host is still present in the "port:9000" list (that is, it knocked on port 9000 within the last minute) and now knocks on TCP port 6000. A host that knocks in the wrong order never reaches "secure":
add action=add-src-to-address-list address-list="secure" address-list-timeout=1m chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"
The third rule accepts all connections to the router from hosts in the "secure" list:
add chain=input src-address-list=secure action=accept
Everything else is dropped by the last rule. Note that add-src-to-address-list does not terminate rule processing, so the knock packets themselves fall through to this rule and are dropped; the knocking client sees timeouts, which is expected.
add action=drop chain=input
Rule order matters: the rules must appear in the input chain in this order, with the drop rule last. Because the "secure" entry expires one minute after the second knock, a session that is still open at that point will start being dropped unless you also accept connection-state=established,related before the drop rule; the same drop rule blocks any other inbound traffic the router needs (for example replies to its own DNS or NTP queries, or management from the LAN) unless you accept it explicitly. Finally, port knocking only obscures the management ports: any scan that happens to hit 9000 and then 6000 within one minute completes the sequence, so keep strong passwords and restrict the knock ports and allowed addresses as tightly as your setup allows.
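To see how the chain above behaves over time (rule order, the one-minute window, and what a port scan can do to it), here is a small Python simulation of the rules. It is an example added for this article, not RouterOS code or code from the original page. It generalises the two-port example to any sequence: each knock after the first requires the source to be present in the list left by the previous knock, and the last knock adds it to "secure". The names build_input_chain, AddressLists and simulate are invented for the example, and the simulated clock is a plain number of seconds supplied by the caller.

```python
from dataclasses import dataclass, field

# Values from the article's rules: knock tcp/9000 then tcp/6000, entries live 1m.
KNOCK_SEQUENCE = [9000, 6000]
LIST_TIMEOUT = 60.0
FINAL_LIST = "secure"


@dataclass
class AddressLists:
    """Dynamic address lists: name -> {src_ip: expiry time in seconds}."""
    entries: dict = field(default_factory=dict)

    def add(self, name, src, now, timeout=LIST_TIMEOUT):
        # Re-adding an existing entry simply refreshes its timeout.
        self.entries.setdefault(name, {})[src] = now + timeout

    def contains(self, name, src, now):
        expiry = self.entries.get(name, {}).get(src)
        # An expired entry behaves as if it had been removed.
        return expiry is not None and now < expiry


def build_input_chain(sequence=KNOCK_SEQUENCE, timeout=LIST_TIMEOUT):
    """Return a function that evaluates one TCP packet against the input chain.

    One rule per knock port mirrors the article's add-src-to-address-list rules:
    the first knock is recorded unconditionally, every later knock only if the
    source is still in the list written by the previous knock. As in RouterOS,
    add-src-to-address-list is modelled as passthrough (evaluation continues);
    only accept and drop terminate. Assumption of this model: a list entry is
    visible to the rules that follow in the same packet, so the final knock
    packet itself is accepted by the "secure" rule.
    """
    list_for = {port: f"port:{port}" for port in sequence}
    list_for[sequence[-1]] = FINAL_LIST

    def input_chain(lists, src, dst_port, now):
        for i, port in enumerate(sequence):
            if dst_port != port:
                continue
            if i == 0 or lists.contains(list_for[sequence[i - 1]], src, now):
                lists.add(list_for[port], src, now, timeout)
        # Accept anything from hosts that completed the sequence ...
        if lists.contains(FINAL_LIST, src, now):
            return "accept"
        # ... and drop everything else, knock packets included.
        return "drop"

    return input_chain


def simulate(chain, lists, src, ports, start=0.0, interval=1.0):
    """Send one SYN per port, `interval` seconds apart; return the chain's verdicts."""
    return [chain(lists, src, port, start + i * interval) for i, port in enumerate(ports)]
```

Run the chain against a constructed source address with the correct sequence, the reversed sequence, and a descending port scan from 9000 to 6000: the scan completes the sequence because both knocks land inside the one-minute window, and a connection attempted a minute after the last knock is dropped again, which is the case the established,related rule exists for.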
You can use one of the freely available port-knock clients, or connect to the router's IP address on the defined ports manually, for example:
Install the knockd package on Linux (it provides the knock client):
sudo apt-get install knockd
Knock the router. The ports are tried in the order given, and knock sends TCP SYNs by default, matching protocol=tcp in the rules; with the rules above the sequence is 9000 followed by 6000:
knock <hostname> <port1> <port2> ...
knock <router-ip> 9000 6000
Or simply open the router IP address with each knock port in turn in your web browser, within the one-minute window:
http://<router-ip>:9000
http://<router-ip>:6000
Each request will fail or hang because the knock packets are dropped; that is expected. After the second one, the router accepts connections from your address for one minute.
--MikroTik Certified Trainer 16:16, 12 April 2013 (UTC)