Mikrotik – Port Knocking
Following up on my last post, I decided to give a few more details on the various things I mentioned. The first of these is a more in-depth look at Port Knocking using Layer 7 packet sniffing. I will go over a few quick steps to get this running on your Mikrotik, and let you expand from there. Since I generally don’t use the command line on mine, you will have to make do with some screenshots. I feel it’s easier to learn the concepts this way, rather than blindly typing in commands anyway.
The concept itself is a simple one: your router will watch for an incoming sequence of packets, and will grant you access to specific parts of the network if you know the secret knock. While the security of this method on its own is fairly laughable, it can be used to define a second layer of defense (you must knock before you can SSH or VPN). Since most attempts to exploit systems nowadays are made by automated bots, not having SSH open to the outside world can be the difference between your server being assimilated into a botnet or not.
To begin, we will lay down the first basic Firewall rule. So log in to your Mikrotik and create a new Firewall entry under “Filter Rules”. This will be in the “forward” chain. We will only need to define a small subset of the options. The first is the Destination IP. This will be the external IP Address that you want the packet to be sent to. It should be something within your externally facing IP range, but it doesn’t have to be currently utilized by a server or device (or it can be; it could even be the router itself if you have a single external IP). The second important option is the Port and Protocol. We will be using UDP for this example, but only because it’s easier to write a script to send those types of packets (we will get to that later). As for the port, you can choose any port you like (1-65535) and it could even be utilized by another service. At this point, the Mikrotik is looking at all traffic before allowing it through or dropping it. We are only going to be reading the data, not allowing or disallowing it ourselves, so your later firewall rules will still parse this traffic to determine whether to drop it or not. For this example, I chose UDP 53684. Since my last firewall rule is a blanket DROP, this packet will never pass my router and no one would ever know that I am truly utilizing this port for knocking. Your source will be 0.0.0.0/0 to show that we want to allow this from anywhere, but you could easily lock this down too to improve security if you know exactly where you will be coming from (but then why would you need to knock?).
Creating the entry, you will have something that looks like this.
You will now need to switch over to the “Action” tab, so we can say what we want to do when we receive this packet. You will want to select “Add src to Address List” and add a name for that address list (it can be anything). The 3rd setting is the timeout. This means that after X amount of time, this address will expire and be removed from this address list. I chose a time of 1 second, which is a long time in the world of streaming packets. From there, just hit OK, and your first knocking rule is made.
Now, as described in my last article, we not only want to ensure the correct ports are knocked on; each port will also be looking for an exact string of data using Layer 7 packet sniffing. This is to ensure that no random port scan just happened to hit every port in the correct order. So in order to facilitate this, you will need to go over to the “Layer7 Protocols” tab and create a new entry. You can name it whatever you like (I just name it after the port number I utilized so as not to confuse them, since I will be creating several of them). As for the data, you will want a string of letters and numbers. Placing them between a ^ and a $ will ensure this is an exact match (^ means the beginning of the packet, $ the end). Leaving those characters out would mean the string could match inside a much larger string, which is not what we are after. An important thing to note: you must enter all letters as lower case. The Mikrotik will change all upper case characters to lower case before comparing them, as I had to spend several hours of debugging to discover.
Now, we must tell the previously made firewall rule to utilize this rule, so go back and edit it. Click on the “Advanced” tab, and select the rule you created under the “Layer7 Protocol” option. Then hit OK.
Well, now we have our first rule. Our other rules will be exactly like this one, but utilizing different ports (and IP Addresses if you like), different Layer7 rules, and different address lists. So go ahead and create 2 more (click the Copy button, and then just change what needs changing). In my example I used address lists KNOCK1, KNOCK2, COMEIN as my lists. That last list is the list they will be added to, to show that they have properly knocked and should be allowed in. You will want to change the “time out” to something more suitable than 1 second. You could change it to “1d 00:00:00” to allow access for 1 day if you like, or “01:00:00” for 1 hour.
You will then want to create 1 last rule. This will be our rule that actually accepts their traffic if they are on the last list. It will have an action of “Accept” and we will set up the Source Address List in a second. As for the rest, just set up exactly what you want them to be allowed to access. It could be complete access to your network, access to VPN, or, as in the example below, access to SSH into a server.
Now that you have your rules, we need to ensure that someone does the secret knock in the correct order.
To do this, just go to your 2nd rule (do not do this to the 1st one) and click the “Advanced” tab. On the “Src Address List” option, select the Src Address List that your 1st rule adds them to. Then hit OK. What this does is ensure that the rule will only process if the user has already been flagged by the first rule. You will want to do this to the rest of them, selecting the address list from the previous rule in order.
So at this point, everything should be setup. In your Mikrotik, you should have something like this (you can change the columns shown in the interface by clicking the little down arrow button on the far right of the column row).
See how the Address Lists follow each other? The Address List column is the address list they will be added to, and the “Src Address List” is the address list they must be in for them to be accepted and passed into the next one. Once they make their way down to the bottom rule, they are in an address list for 24 hours, and allowed access to the resource.
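For those who would rather paste this into the terminal, here is the same three-knock chain and final accept rule expressed as RouterOS CLI commands. This is an added example, not from the original post; the knock target address 203.0.113.5, the SSH server 203.0.113.10 and the Layer7 strings are assumed values, and the rules must be placed above your blanket DROP rule. If the knock target or the SSH host is the router itself, use chain=input instead of forward.

```routeros
# Layer7 matchers: one per knock port, anchored with ^ and $ for an exact match.
# Strings are lower case, as the matcher lowercases the packet before comparing.
/ip firewall layer7-protocol
add name=53684 regexp="^knockknock$"
add name=25124 regexp="^whoisthere$"
add name=45215 regexp="^itsmestupid$"

/ip firewall filter
# Knock 1: any source; on an exact match the source goes onto KNOCK1 for 1 second.
add chain=forward protocol=udp dst-address=203.0.113.5 dst-port=53684 \
    layer7-protocol=53684 action=add-src-to-address-list \
    address-list=KNOCK1 address-list-timeout=1s comment="knock 1"
# Knock 2: only evaluated for sources already on KNOCK1 (src-address-list).
add chain=forward protocol=udp dst-address=203.0.113.5 dst-port=25124 \
    src-address-list=KNOCK1 layer7-protocol=25124 \
    action=add-src-to-address-list address-list=KNOCK2 \
    address-list-timeout=1s comment="knock 2"
# Knock 3: only for sources on KNOCK2; a correct third knock grants COMEIN for 1 day.
add chain=forward protocol=udp dst-address=203.0.113.5 dst-port=45215 \
    src-address-list=KNOCK2 layer7-protocol=45215 \
    action=add-src-to-address-list address-list=COMEIN \
    address-list-timeout=1d comment="knock 3"
# The resource rule: SSH to the server is accepted only from sources on COMEIN.
add chain=forward protocol=tcp dst-address=203.0.113.10 dst-port=22 \
    src-address-list=COMEIN action=accept comment="allow knocked SSH"
# The knock packets themselves still fall through to your later rules and are dropped.
```

Check the result with /ip firewall address-list print after sending the knocks; a source that only hits ports out of order never appears on COMEIN because each rule requires membership in the previous list.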
Now that we have our fancy rules, we need to test them. For 99% of my script needs nowadays, I utilize AutoIt. Partially because I am lazy, but mostly because it just works so well. To begin with, we will just create a simple script to send the data we want to the ports we want. So create a new script like this. I won’t go over each line of code as that is outside the bounds of this article, but you should easily be able to find where you need to change the IP Addresses, Ports, and L7 data to match what you entered.
; Initialise the AutoIt UDP functions
UDPStartup()
; Knock 1: send the first Layer7 string to the first knock port
$socket = UDPOpen("18.104.22.168", 53684)
$status = UDPSend($socket, "knockknock")
UDPCloseSocket($socket)
; Knock 2: must arrive while the source is still on the first address list
$socket = UDPOpen("22.214.171.124", 25124)
$status = UDPSend($socket, "whoisthere")
UDPCloseSocket($socket)
; Knock 3: the final knock that adds the source to the COMEIN list
$socket = UDPOpen("126.96.36.199", 45215)
$status = UDPSend($socket, "itsmestupid")
UDPCloseSocket($socket)
; Release the UDP functions
UDPShutdown()
Now, all that is left is testing. Compile the AutoIt script and run it. If you are watching your firewall rules, you should see the packet counter increment on each of your rules in turn, as each packet is received. Checking the “Address List” tab should show your IP belonging to the “COMEIN” address list. Then just verify that you can access the resource properly. Now, as long as you carry this little executable with you, you will be able to gain access to your network from anywhere (assuming there is no firewall there blocking you).
If it’s not working? Well, just read back over the instructions and see if you can figure out where you went wrong. If everything is working correctly, you can then expand the firewall rules to have a few traps or to require more knocks. You can also extend the AutoIt script to sit in your tray and keep knocking on a different port, which resets the timeout counter on the last rule; this is fairly easy to do using the above example (add a rule that checks whether you are already in the last list, and then re-adds you to the last list, which resets the timeout). You can then have it auto-launch WinSCP or PuTTY, or whatever floats your boat.
If you have any questions, feel free to drop me a comment.