Port knocking is a technique that you can use to protect from Brute Force attacks. What it does exactly, it will knock the MikroTik router in a similar way when you go to a visit to your friend, and you knock his house’ door. In case your friend opens the door for you and invite you to enter, then you can go inside his house, otherwise you will stay outside.

Same thing with port knocking on MikroTik router, you will have to knock on the MikroTik router on a port that you define. In case this is successful, then you can do Winbox, ssh, telnet, etc… to the router.

Let me explain it in a better way. Say that you want to allow, from the WAN, access to the MikroTik router only via Winbox using port knocking. Then you need to create some filter rules doing the following:

1. First rule: any device coming to the WAN interface as TCP port 1111 (you can define the port that you want), then add its IP to an address list (called Pnock1) for 10s.
2. Second rule: if the same device (meaning same source IP) has tried to do a connection on the WAN interface of the MikroTik router as TCP port 2222 within the 10s, then add its IP to a new address list (called Pnock2) and leave it there for 30 min.
3. Third rule: in this rule you will say that any IP which is inside the 2^nd address list (Pnock2), is allowed to do Winbox to the router.
4. Fourth rule: in this rule, you just drop any input traffic to the MikroTik router coming on the WAN interface.

 

Doing those rules, only people who know the right destination TCP ports (1111 and 2222) can do the port knocking and able to connect via Winbox on the MikroTik router (if they have the right username and password), otherwise all other input traffic to the WAN interface will be blocked.

This is how the port knocking works, let’s apply that in a LAB and see if it will work for us.

 

LAB: Port Knocking

Now we know the theory behind port knocking, let’s do a LAB to see if it will work for us.

I have here a PC which is able to reach R1 via the internet. I want to configure port knocking on R1 in a way that only users can login to the router via Winbox after the port knocking is successful.

I have to create the 1^st filter rule on the MikroTik router saying that any traffic coming to the router itself as TCP on port 1111, then add the IP address of the source in an address list called “Pnock1” and leave it for 10s. Let’s do that:

[mepr-show rules=”319″ unauth=”message”]

This rule says exactly what we wanted to do. Now anyone doing TCP connection on port 1111 to the MikroTik router on its interface Ether1, the IP of the source will go for 10s inside the Pnock1 address list.

The rule which has to come after it, is that in case the same source IP, and within the 10s, has done another TCP connection to the MikroTik router on port 2222 on port Ether1, then we will put it in an address list called Pnock2 and will leave it for 30 min.

Let’s do that:

With this 2^nd rule, the user has 10 seconds to retry to do another connection on TCP port 2222, and in case he did then his IP will go to Pnock2 address list and will stay for 30 min (you can make the duration longer or less if you want).

Let’s consider that the IP of the source went to the Pnock2 address list, now we should allow this IP to do Winbox to the router. Let’s do that rule for it:

With this 3^rd rule, I am just saying that the IPs which are inside the Pnock2 address list and coming to the router itself on the interface Ether1, are allowed to do Winbox to the router (port 8291 is the Winbox port).

However, if we keep it as it is, then the user can do any other traffic to the router such as ssh, telnet, ftp, ping, etc…..

For this reason, we have to do the final rule to say that any other input traffic coming to the router from Ether1, then we will have to drop them. Let’s do that:

Now my port knocking configuration has been finished. Let’s try to test it and see if it is going to work.

1^st I need to do a TCP session on port 1111 and directly do another TCP session on port 2222 within 10 seconds, then I will try if Winbox would open. Let’s try 1^st to thing if I can still login to the router via Winbox without going through the port knocking process:

You can see clearly; port knocking is not allowing me.

Let’s do now the TCP connection on port 1111:

This will do the work. You can use Winbox or any other application that uses TCP.

Let’s do now the TCP connection on port 2222 within the 10 seconds that I have:

This has been done.

Now my computer IP should be in the Pnock2 address list for 30 min, and I can login to Winbox without any issue. Let’s try:

Here I am inside the router. Excellent!

I am curious to see what the address lists will contain now:

The address list that is available is Pnock2 because Pnock1 expired after 10 seconds.

Do you think that my PC is able to ping to the router IP? Think of it for a few seconds. We have only allowed Winbox for incoming traffic to the MikroTik router and disallowed anything else. The ping works on ICMP, but it is coming to the router, meaning chain input. And we have a rule at the end saying that any traffic coming to the router which is not Winbox then disable it.

Let’s try to ping:

I can see that ping from my PC to the router has failed big time, while I am still connected Winbox to the router from the same PC ????

Final thing that I want to do in this LAB is just to share with you the script to create the firewall rules for Port Knocking:

/ip firewall filter

add action=add-src-to-address-list address-list=Pnock1 address-list-timeout=10s chain=input comment=”Port Knocking” dst-port=1111 in-interface=ether1 \

    protocol=tcp

add action=add-src-to-address-list address-list=Pnock2 address-list-timeout=30m chain=input dst-port=2222 in-interface=ether1 protocol=tcp \

    src-address-list=Pnock1

add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=Pnock2

add action=drop chain=input in-interface=ether1

[/mepr-show]