MikroTik Port Knocking
Enhancing SSH Security with Port Knocking on MikroTik Routers
In the realm of network security, implementing robust measures is crucial to safeguard against potential threats. One such technique is “Port Knocking”, a method used to enhance security by stealthily opening ports only to users who know the correct sequence or “knock.” MikroTik routers offer versatile capabilities to enforce port knocking strategies effectively.
To bolster defense against malicious actors, the first step is to blacklist identified attackers quickly. The following code snippet achieves this by adding the attacker’s IP address to the blacklist.
Blacklisting Attacker
Create Black List
- This command creates the address list bl_ssh (labelled “Black List (SSH)” in its comment), which will hold the IP addresses of attackers.
/ip firewall address-list
add comment="Black List (SSH)" list=bl_ssh
Blacklist SSH Rule
- Drops incoming packets from IP addresses in the blacklist (bl_ssh), except packets whose source MAC address is AA:BB:CC:EE:DD:FF (the negated src-mac-address match), and logs each drop with the prefix bl_ssh.
/ip firewall filter
add action=drop chain=input comment="Drop anyone in Black List (SSH)." log=\
yes log-prefix=bl_ssh src-address-list=bl_ssh src-mac-address=\
!AA:BB:CC:EE:DD:FF
Black List Chain Rules
- These rules implement the blacklisting mechanism. New TCP connections to ports 22 or 2222 arriving on bridge_lan are sent to the bl_ssh_chain chain, where each new connection moves the source one stage further (bl_ssh_stage1, then stage 2, then stage 3; each stage entry lasts one minute). A fourth new connection while the source is still in stage 3 puts it on bl_ssh for 4 weeks and 2 days. The stage-3 rule is listed first so that a single packet can advance a source by only one stage.
/ip firewall filter
add action=jump chain=input comment="Jump to Black List (SSH) chain." \
dst-port=22,2222 in-interface=bridge_lan jump-target=bl_ssh_chain \
protocol=tcp
add action=add-src-to-address-list address-list=bl_ssh address-list-timeout=\
4w2d chain=bl_ssh_chain comment="Transfer repeated attempts from Black Lis\
t (SSH) Stage 3 to Black List (SSH)." connection-state=new \
src-address-list=bl_ssh_stage3
add action=add-src-to-address-list address-list=bl_ssh_stage3 \
address-list-timeout=1m chain=bl_ssh_chain comment=\
"Add successive attempts to Black List (SSH) Stage 3." connection-state=\
new src-address-list=bl_ssh_stage2
add action=add-src-to-address-list address-list=bl_ssh_stage2 \
address-list-timeout=1m chain=bl_ssh_chain comment=\
"Add successive attempts to Black List (SSH) Stage 2." connection-state=\
new src-address-list=bl_ssh_stage1
add action=add-src-to-address-list address-list=bl_ssh_stage1 \
address-list-timeout=1m chain=bl_ssh_chain comment=\
"Add initial attempt to Black List (SSH) Stage 1." connection-state=new
add action=return chain=bl_ssh_chain comment=\
"Return From Black List (SSH) chain."
Once the attacker is barred, the port knocking mechanism comes into play. This technique involves a sequence of connection attempts to predefined ports, akin to knocking on a door with a secret rhythm to gain access. Upon receiving the correct sequence, the router dynamically opens the designated port for communication.
Here’s where the second code snippet comes into play, orchestrating the port knocking sequence tailored to your network’s specifications.
Accept Knocked Connections
This rule accepts new connections to port 457 from IP addresses in the “pk_sshAllow” address list, i.e. from sources that have completed the knock sequence, and logs each one with the prefix ssh_login.
/ip firewall filter
add action=accept chain=ssh_portKnocking comment=KnockedSuccessfully \
connection-state=new dst-port=457 log=yes log-prefix=ssh_login protocol=\
tcp src-address-list=pk_sshAllow
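Both logged rules (the bl_ssh drop above and this ssh_login accept) write RouterOS firewall log entries, so the log is the place to check whether the blacklist and the knock are doing what you expect. The following is an added example, not part of the article: a small parser for such lines that counts, per source address, how often it was dropped as blacklisted and how often it opened SSH after knocking. The log lines are constructed in the shape of RouterOS firewall log output; the helper names (parse, summarize, repeat_offenders) and the threshold are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of RouterOS "firewall,info" log entries:
# <prefix> <chain>: in:<iface> out:<iface>, src-mac <mac>, proto <proto>, <src>:<port>-><dst>:<port>, len <n>
SAMPLE_LOG = """\
mar/05 10:14:02 firewall,info bl_ssh input: in:bridge_lan out:(unknown 0), src-mac 11:22:33:44:55:66, proto TCP (SYN), 192.168.88.200:51234->192.168.88.1:22, len 60
mar/05 10:14:03 firewall,info bl_ssh input: in:bridge_lan out:(unknown 0), src-mac 11:22:33:44:55:66, proto TCP (SYN), 192.168.88.200:51235->192.168.88.1:2222, len 60
mar/05 10:20:41 firewall,info ssh_login ssh_portKnocking: in:bridge_lan out:(unknown 0), src-mac aa:bb:cc:ee:dd:ff, proto TCP (SYN), 192.168.88.50:40022->192.168.88.1:457, len 60
mar/05 10:31:09 firewall,info bl_ssh input: in:bridge_lan out:(unknown 0), src-mac 11:22:33:44:55:66, proto TCP (SYN), 192.168.88.200:51301->192.168.88.1:22, len 60
mar/05 10:45:00 system,info,account user admin logged in from 192.168.88.50 via ssh
"""

# One firewall log line; lines from other topics (system, account, ...) do not match.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>\S+) (?P<chain>\S+): in:(?P<iface>\S+) "
    r"out:[^,]*, src-mac (?P<mac>[0-9a-fA-F:]{17}), proto (?P<proto>\S+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len \d+$"
)


def parse(text):
    """Return one dict per firewall log line (the named groups of LINE)."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def summarize(events):
    """Per source IP: how many times each log-prefix fired (bl_ssh drops, ssh_login accepts)."""
    per_source = defaultdict(Counter)
    for e in events:
        per_source[e["src"]][e["prefix"]] += 1
    return {ip: dict(c) for ip, c in per_source.items()}


def repeat_offenders(events, threshold=2):
    """Sources dropped as blacklisted at least `threshold` times (threshold is an assumption)."""
    counts = summarize(events)
    return sorted(ip for ip, c in counts.items() if c.get("bl_ssh", 0) >= threshold)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(summarize(evs))
    print("repeat offenders:", repeat_offenders(evs))
```

The regex is deliberately strict about the field order, so a line that fails to match is a sign the router's log format differs from the constructed sample and the pattern needs adjusting, not that the line is harmless.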
SSH Port Knocking Rule & Port Knocking Sequence
- SSH Port Knocking Rule: Implements port knocking for SSH access. Incoming TCP packets on the knock ports and the SSH port (9835, 6738, 6845, 10685, 457) from the specific MAC address (AA:BB:CC:EE:DD:FF) on interface bridge_lan jump to a custom chain (ssh_portKnocking) for further processing. The SSH port in this list must be the same port the accept rule above matches, otherwise that rule is never reached.
- Port Knocking Sequence: These rules define the knock sequence 10685, 6845, 6738, 9835. Each connection to the correct port adds the source IP address to the next stage list (pk_stage1, pk_stage2, pk_stage3); each stage entry lives only 5 seconds, so the next knock must arrive within that window. The final knock puts the source in pk_sshAllow for 20 seconds, during which the accept rule admits the SSH connection.
/ip firewall filter
add action=jump chain=input comment="SSH Port Knocking" dst-port=\
9835,6738,6845,10685,457 in-interface=bridge_lan jump-target=\
ssh_portKnocking protocol=tcp src-mac-address=AA:BB:CC:EE:DD:FF
add action=add-src-to-address-list address-list=pk_sshAllow \
address-list-timeout=20s chain=ssh_portKnocking comment=\
"#KnockKnock:9835" connection-state=new dst-port=9835 protocol=tcp \
src-address-list=pk_stage3
add action=add-src-to-address-list address-list=pk_stage3 \
address-list-timeout=5s chain=ssh_portKnocking comment="#KnockKnock:6738" \
connection-state=new dst-port=6738 protocol=tcp src-address-list=\
pk_stage2
add action=add-src-to-address-list address-list=pk_stage2 \
address-list-timeout=5s chain=ssh_portKnocking comment="#KnockKnock:6845" \
connection-state=new dst-port=6845 protocol=tcp src-address-list=\
pk_stage1
add action=add-src-to-address-list address-list=pk_stage1 \
address-list-timeout=5s chain=ssh_portKnocking comment=\
"#KnockKnock:10685" connection-state=new dst-port=10685 protocol=tcp
Return Rule
This rule ensures that if none of the knocking conditions are met, the packet processing returns from the “ssh_portKnocking” chain.
/ip firewall filter
add action=return chain=ssh_portKnocking comment=\
"Return from SSH Port Knocking"
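The blacklist chain and the knocking chain above both rely on the same RouterOS behaviour: add-src-to-address-list is a pass-through action, a jump returns to the next input rule when the target chain returns, and dynamic address-list entries expire. The following Python model is an added example (not the article's configuration or any MikroTik code) that encodes the page's rules and the order they appear in, then runs constructed packets through them to show the cases the timeouts are designed for: a correct knock within 5 seconds per step opens port 457 for 20 seconds, a slow or out-of-order knock does not, and a fourth new connection to port 22 from a non-whitelisted MAC lands the source on bl_ssh. It assumes the jump rule lists the same SSH port (457) as the accept rule, and that re-adding an address refreshes its timeout; rule names, helper names and addresses are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

LAN_MAC = "AA:BB:CC:EE:DD:FF"              # the MAC the page's rules single out
SSH_PORT = 457                             # assumed: same port in the jump list and the accept rule
KNOCK_SEQUENCE = [10685, 6845, 6738, 9835]  # order implied by the pk_stage1..3 lists


@dataclass
class Rule:
    chain: str
    action: str                        # accept | drop | jump | return | add-src-to-address-list
    dst_port: frozenset = frozenset()  # empty = any port
    src_list: Optional[str] = None     # "!name" negates, like src-address-list=!name
    src_mac: Optional[str] = None      # "!mac" negates, like src-mac-address=!mac
    in_iface: Optional[str] = None
    target: Optional[str] = None       # jump-target, or the address-list to add to
    timeout: float = 0.0               # address-list-timeout in seconds; 0 = permanent


@dataclass
class Packet:                          # one new TCP connection (constructed input)
    t: float
    src: str
    dst_port: int
    src_mac: str = LAN_MAC
    in_iface: str = "bridge_lan"


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}                # address-list name -> {ip: expiry time}

    def in_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def _matches(self, r, p):
        if r.dst_port and p.dst_port not in r.dst_port:
            return False
        if r.in_iface and p.in_iface != r.in_iface:
            return False
        if r.src_mac and (p.src_mac == r.src_mac.lstrip("!")) == r.src_mac.startswith("!"):
            return False
        if r.src_list and self.in_list(r.src_list.lstrip("!"), p.src, p.t) == r.src_list.startswith("!"):
            return False
        return True

    def _run_chain(self, chain, p):
        """'accept'/'drop', or None when the chain returns or falls off its end."""
        for r in (r for r in self.rules if r.chain == chain):
            if not self._matches(r, p):
                continue
            if r.action in ("accept", "drop"):
                return r.action
            if r.action == "return":
                return None
            if r.action == "add-src-to-address-list":   # pass-through: keep evaluating
                self.lists.setdefault(r.target, {})[p.src] = p.t + r.timeout if r.timeout else float("inf")
            elif r.action == "jump":
                verdict = self._run_chain(r.target, p)
                if verdict:
                    return verdict
        return None

    def filter(self, p):
        return self._run_chain("input", p) or "drop"


def page_rules():
    P, A, R = frozenset, "add-src-to-address-list", Rule
    return [
        R("input", "drop", src_list="bl_ssh", src_mac="!" + LAN_MAC),
        R("input", "jump", P({22, 2222}), in_iface="bridge_lan", target="bl_ssh_chain"),
        R("input", "jump", P({9835, 6738, 6845, 10685, SSH_PORT}), in_iface="bridge_lan",
          src_mac=LAN_MAC, target="ssh_portKnocking"),
        R("input", "drop"),                                    # deny all other input
        # stage-3 rule first, so one packet advances a source by only one stage
        R("bl_ssh_chain", A, src_list="bl_ssh_stage3", target="bl_ssh", timeout=30 * 86400),  # 4w2d
        R("bl_ssh_chain", A, src_list="bl_ssh_stage2", target="bl_ssh_stage3", timeout=60),
        R("bl_ssh_chain", A, src_list="bl_ssh_stage1", target="bl_ssh_stage2", timeout=60),
        R("bl_ssh_chain", A, target="bl_ssh_stage1", timeout=60),
        R("bl_ssh_chain", "return"),
        R("ssh_portKnocking", "accept", P({SSH_PORT}), src_list="pk_sshAllow"),
        R("ssh_portKnocking", A, P({9835}), src_list="pk_stage3", target="pk_sshAllow", timeout=20),
        R("ssh_portKnocking", A, P({6738}), src_list="pk_stage2", target="pk_stage3", timeout=5),
        R("ssh_portKnocking", A, P({6845}), src_list="pk_stage1", target="pk_stage2", timeout=5),
        R("ssh_portKnocking", A, P({10685}), target="pk_stage1", timeout=5),
        R("ssh_portKnocking", "return"),
    ]


def ssh_after_knock(ports, gap, ssh_delay, src="192.168.88.50"):
    """Verdict for an SSH SYN sent ssh_delay seconds after knocking `ports`, `gap` seconds apart."""
    fw = Firewall(page_rules())
    for i, port in enumerate(ports):           # the knocks themselves are always dropped
        fw.filter(Packet(i * gap, src, port))
    return fw.filter(Packet((len(ports) - 1) * gap + ssh_delay, src, SSH_PORT))


def bruteforce(attempts, src="192.168.88.200", mac="11:22:33:44:55:66", gap=1.0):
    """Verdicts for repeated new connections to port 22 from a non-whitelisted MAC,
    plus the address lists the source is in afterwards."""
    fw = Firewall(page_rules())
    verdicts = [fw.filter(Packet(i * gap, src, 22, src_mac=mac)) for i in range(attempts)]
    return verdicts, sorted(n for n in fw.lists if fw.in_list(n, src, attempts * gap))


if __name__ == "__main__":
    print("correct knock:", ssh_after_knock(KNOCK_SEQUENCE, 1.0, 1.0))   # accept
    print("slow knock:   ", ssh_after_knock(KNOCK_SEQUENCE, 6.0, 1.0))   # drop
    print("4 attempts:   ", bruteforce(4)[1])                            # includes bl_ssh
```

Because the stage rules are pass-through, a source that is in stage 1 is re-added to stage 1 (and added to stage 2) by the same packet; only the ordering of the rules, most advanced stage first, keeps one packet from climbing the whole ladder. The same holds for the knock chain, where the different dst-port matches add a second safeguard.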
Deny All Other Incoming Traffic
To ensure that no other incoming traffic is allowed, the following MikroTik firewall filter rule is added at the end. Because it drops everything that reaches it, it must be the last rule in the input chain, after the rules above and after any accept rules your configuration already has (such as one for established and related connections):
/ip firewall filter
add action=drop chain=input
This configuration provides an effective means to secure SSH access on MikroTik routers by implementing both port knocking and blacklisting mechanisms. By integrating these measures into your MikroTik router configuration, you fortify your network’s defenses against unauthorized access attempts.
Remember to customize the port knocking sequence and blacklist rules according to your specific security requirements.
With diligence and careful implementation, MikroTik port knocking serves as a formidable barrier against potential threats, enhancing your network’s resilience.