Community discussions

MikroTik App
 
pezhsha
just joined
Topic Author
Posts: 6
Joined: Sat Jan 26, 2019 3:24 pm

Knock secret daily changeable

Wed May 15, 2019 10:29 am

there are 3 scripts here , fwknock.rsc , miknock.rsc & knockgen.py The fwknock.rsc adds the static Firewall rules on your mikrotik for to craete an static IP as
Admin address list (Change it for your desired IP) and also due to it after ping and knock 2 ports the dynamic Admin will be add to address list for 1 hour.
/ip firewall address-list
add address=192.168.25.252 list=Admin
/ip firewall filter
add action=drop chain=input dst-port=20,21,22,23,80,8291 protocol=tcp \
    src-address-list=!Admin
add action=add-src-to-address-list address-list=ICMP address-list-timeout=20s \
    chain=input protocol=icmp comment="ICMP"
add action=add-src-to-address-list address-list="ICMP+TCP 10000" \
    address-list-timeout=20s chain=input dst-port=10000 protocol=tcp \
    src-address-list=ICMP comment="knockP1"
add action=add-src-to-address-list address-list=Admin address-list-timeout=1h \
    chain=input dst-port=15000 protocol=tcp src-address-list="ICMP+TCP 10000" comment="knockP2"
you can use miknock.rsc for to scheduler daily change knock port numbers. Change the Salt , SaltPort and MainPort for to customize the calculation ports.
:local Salt 456
:local SaltPort 30
:local MainPort 10000
:local dateNow [/system clock get date];
:local dateNowDay [:pick $dateNow 4 6]
:local dateNowMonth [:pick $dateNow 0 3]
:local dateNowYear [:pick $dateNow 7 11]
:local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
:set dateNowMonth ([:find $months $dateNowMonth -1 ] + 1)
:local newPassword ("$dateNowYear" + "$dateNowDay" + "$dateNowMonth" - "$Salt");
:if ( $dateNowDay < 15 ) do={
:set newPassword ("$dateNowYear" - "$dateNowDay" - "$dateNowMonth" + "$Salt");
};
:local PortOne ("$MainPort" + "$newPassword" - "$SaltPort");
:local PortTwo ("$MainPort" - "$newPassword" + "$SaltPort");
/ip firewall filter set dst-port=$PortOne [find comment=knockP1];
/ip firewall filter set dst-port=$PortTwo [find comment=knockP2];
The final scrip knockgen.py can help you for to create the command that you can use on your PC for knocking the MIkrotik. Be sure the Salt , SaltPort and MainPort are the same with in the miknock.rsc if you changed , also change the IP to your Mikrotik IP

more info here and download the files :
[moreinfo][https://github.com/scriptik/miKnock]
Last edited by pezhsha on Wed May 15, 2019 11:54 am, edited 2 times in total.
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 891
Joined: Fri Nov 10, 2017 8:19 am

Re: Knock secret daily changeable

Wed May 15, 2019 11:10 am

Are you aware that port-knocking is nothing else than different variant of plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don't understand why people still spend so much effort implementing such insecure approach.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3343
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Knock secret daily changeable

Wed May 15, 2019 11:12 am

Can you edit your post and add som information in the top on what this is and what its used for.
Also use the code tag button to add code tags around your script. Button look like this above the post </>
 
pezhsha
just joined
Topic Author
Posts: 6
Joined: Sat Jan 26, 2019 3:24 pm

Re: Knock secret daily changeable

Wed May 15, 2019 11:34 am

Are you aware that port-knocking is nothing else than different variant of plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don't understand why people still spend so much effort implementing such insecure approach.
Thank you for your caution , but all of the parameters are just sample and you can change it for yourself as me did
 
pezhsha
just joined
Topic Author
Posts: 6
Joined: Sat Jan 26, 2019 3:24 pm

Re: Knock secret daily changeable

Wed May 15, 2019 11:53 am

Can you edit your post and add som information in the top on what this is and what its used for.
Also use the code tag button to add code tags around your script. Button look like this above the post </>
I added code tags .
The first script just adds the simple knock port firewall and the second script changes the ports daily according
to the time and date and for to create the different values I added some Salts that you can change it yourself.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3343
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Knock secret daily changeable

Wed May 15, 2019 11:56 am

You should write some header, like this script is used to secure the switch access etc. Example, Why do we need it?
 
pezhsha
just joined
Topic Author
Posts: 6
Joined: Sat Jan 26, 2019 3:24 pm

Re: Knock secret daily changeable

Wed May 15, 2019 12:41 pm

You should write some header, like this script is used to secure the switch access etc. Example, Why do we need it?
See this please why we need port knocking , I add some things later in the header

https://mum.mikrotik.com/presentations/US10/discher.pdf
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Knock secret daily changeable

Wed May 15, 2019 2:34 pm

It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
Not everyone is on same link. ISP where server is connected can see the ports, ISP where I'm connecting from can too, and so can anyone in between. But random internet hackers from elsewhere can't, they have to guess the right ports. So as a very simple first layer, why not.
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 891
Joined: Fri Nov 10, 2017 8:19 am

Re: Knock secret daily changeable

Wed May 15, 2019 2:54 pm

So as a very simple first layer, why not.
You are literary arguing in favour of plain-text passwords. Can you imagine logging into your Gmail or Hotmail on plain old http? :roll:
Sorry, I just can't agree with this approach. And I will warn people every time I notice someone promoting port-knocking as a "security measure".
Image
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Knock secret daily changeable

Wed May 15, 2019 3:27 pm

No, I'm just saying that it may be good enough as simple additional protection (not in any definitive sense) against random bots. So they won't start guessing real service's passwords right away, but they will have to guess some ports first. It is slightly better with it than without it...
 
jkyawesome
newbie
Posts: 29
Joined: Mon Sep 17, 2018 12:34 am

Re: Knock secret daily changeable

Wed May 15, 2019 4:57 pm

Port knocking at least 4 ports in the correct order provide a layer of security. High port, Low Port, High Port, Low Port.
1. Port scanning all ports not responding
2. Attacker would have to know you are using Port Knocking
3. Port Knocking only allows the IP address that did the port knocking in and can be limited to a certain period of time 20 min
4.Changing the ports daily would increase the security.
5. Port knocking is only first layer of security.

Who is online

Users browsing this forum: No registered users and 5 guests