This article describes how to use a feature called Port Knocking to improve the security of your MikroTik device and reduce the risk of unauthorized access attempts over management protocols such as SSH, Telnet, Winbox, etc.
Port knocking is a method that grants access to the router only after a sequence of connection attempts is received on a set of prespecified closed ports. Once the correct sequence of connection attempts is seen, RouterOS dynamically adds the host's source IP to an allowed address list and you can then connect to the router.
The following example shows how to configure the router for port knocking:
The first firewall rule stores the source IP of every host that connects to the router over TCP on port 9000 in the "port:9000" address list, for one minute.
/ip firewall filter add action=add-src-to-address-list address-list="port:9000" address-list-timeout=1m chain=input dst-port=9000 protocol=tcp
The second rule adds the source IP to the "secure" address list only if that IP is already present in the "port:9000" list (i.e. the host knocked on port 9000 within the last minute) and now knocks on TCP port 6000.
add action=add-src-to-address-list address-list="secure" address-list-timeout=1m chain=input dst-port=6000 protocol=tcp src-address-list="port:9000"
The third rule accepts all connections to the router from hosts in the "secure" list.
add chain=input src-address-list=secure action=accept
Everything else is dropped by the final rule.
add action=drop chain=input
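To see how the four rules interact with the one-minute address-list timeout, here is a small Python model of the input chain. It is an added example, not RouterOS code or part of the original article: each address list is modelled as a map from IP to expiry time, a packet walks the rules in order, and `add-src-to-address-list` is treated as a non-terminating action (the packet continues to the next rule), which is how RouterOS handles it. The assumption that re-adding an address refreshes its expiry is a simplification of the model, and the traffic samples are constructed.

```python
# Simulation of the four-rule input chain above (added example; this is a
# Python model of the firewall logic, not RouterOS code).  Each address
# list is a dict of ip -> expiry time so that address-list-timeout=1m can
# be modelled.  Assumption: re-adding an address refreshes its expiry.

KNOCK_PORT = 9000      # rule 1: dst-port=9000 -> add to "port:9000"
SECURE_PORT = 6000     # rule 2: dst-port=6000 from "port:9000" -> add to "secure"
LIST_TIMEOUT = 60.0    # address-list-timeout=1m, in seconds


class Firewall:
    def __init__(self):
        self.lists = {"port:9000": {}, "secure": {}}

    def _in_list(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.lists[name][ip]   # dynamic entry has timed out
            return False
        return True

    def _add(self, name, ip, now):
        self.lists[name][ip] = now + LIST_TIMEOUT

    def input_chain(self, src_ip, dst_port, now, proto="tcp"):
        """Evaluate one packet against the chain in rule order.

        add-src-to-address-list does not terminate the walk, so after
        rules 1 and 2 the packet is still checked against rules 3 and 4.
        """
        if proto == "tcp" and dst_port == KNOCK_PORT:           # rule 1
            self._add("port:9000", src_ip, now)
        if (proto == "tcp" and dst_port == SECURE_PORT
                and self._in_list("port:9000", src_ip, now)):   # rule 2
            self._add("secure", src_ip, now)
        if self._in_list("secure", src_ip, now):                # rule 3
            return "accept"
        return "drop"                                           # rule 4


def run_scenario(events):
    """events: iterable of (time_seconds, src_ip, dst_port); returns one
    verdict per packet, in order."""
    fw = Firewall()
    return [fw.input_chain(ip, port, t) for t, ip, port in events]


if __name__ == "__main__":
    # Constructed sample traffic: one management host and one bystander.
    host, other = "198.51.100.7", "203.0.113.9"
    scenarios = {
        "correct sequence":     [(0, host, 9000), (1, host, 6000), (2, host, 22)],
        "wrong order":          [(0, host, 6000), (1, host, 9000), (2, host, 22)],
        "second knock too late": [(0, host, 9000), (61, host, 6000), (62, host, 22)],
        "secure entry expired": [(0, host, 9000), (1, host, 6000), (70, host, 22)],
        "other host piggyback": [(0, host, 9000), (1, host, 6000), (2, other, 22)],
    }
    for name, events in scenarios.items():
        print(f"{name:>22}: {run_scenario(events)}")
```

The last two scenarios show the practical limits of the rules exactly as written: the "secure" entry lives for one minute, and nothing in the chain accepts packets of already-established connections, so a session that outlives the entry is dropped by rule 4. If you want sessions to survive the timeout, add a rule accepting `connection-state=established,related` in the input chain ahead of the drop rule.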
You can use one of the freely available port-knock clients, or manually connect to the router IP address on the defined ports. Here are some examples of how to knock on your router:
Use the nmap command to knock on the router:
for x in 9000 6000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x router_ip_address; done
Install and use the knockd package on Linux:
sudo apt-get install knockd
Knock the router:
knock router_ip_address port1 port2
Or simply type the router IP and port in your web browser:
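The nmap and knock commands above both do the same thing: one short-lived connection attempt per port, in order. As an added example (not from the article or the knockd project), here is the equivalent in Python. The router's rules only need to see the SYN, so a refused or timed-out connection still counts as a knock; the `attempt` function is injectable so the sequence can be verified without a network, and the default address is a placeholder.

```python
# Minimal TCP port-knock client (added example, not part of the article
# or of the knockd project).  One short connection attempt per port, in
# sequence; afterwards the caller opens the real SSH/Winbox connection.
import socket
import time


def tcp_attempt(host, port, timeout):
    """One connection attempt.  The firewall rules only need to see the
    SYN, so a refused or timed-out connection still counts as a knock."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except OSError:
        return "no-response"


def knock(host, ports, attempt=tcp_attempt, delay=0.2, timeout=0.5):
    """Knock on each port in order; returns [(port, outcome), ...].

    `attempt` can be replaced by a test double so the knock order can be
    checked offline.  `delay` gives the router time to add the address-
    list entry before the next knock arrives."""
    results = []
    for port in ports:
        results.append((port, attempt(host, port, timeout)))
        time.sleep(delay)
    return results


if __name__ == "__main__":
    import sys
    router = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    print(knock(router, [9000, 6000]))
```

Run it as `python3 knock.py <router_ip>` and then connect normally; the "secure" entry created by the second knock is valid for one minute.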