fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Port Knocking

Thu Jan 04, 2007 4:53 pm

I configured port knocking for SSH login, but it only works when the knock uses a port MikroTik already has open (like 80).

Rules:

;;; Port knocking SSH - external interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=80 action=add-src-to-address-list address-list=ssh_ok address-list-timeout=1h
;;; Accept verified SSH - port knocking, external interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept
;;; Drop remaining SSH
chain=input src-address=0.0.0.0/0 protocol=tcp dst-port=22 action=drop

If I use another port (like 887), it doesn't work.
What am I doing wrong?


Thanks !
 
mneumark
Member
Posts: 370
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA

Fri Jan 05, 2007 7:19 am

So let me get this right. When you visit http://youriptoyourmikrotik:80, you want it to add your IP address to an address list?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Fri Jan 05, 2007 10:26 am

As I understood it, that part is working, but he wants it to be 887.

Check the firewall rules for anything blocking the port you want, but I would suggest using a port above 1024.
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Fri Jan 05, 2007 2:23 pm

Yes janisk, 887 is only an example.
If I configure port 5555, it doesn't work. I telnet to my host on port 5555 and it doesn't match the "add-src-to-address-list" action.
Do you understand?


Thanks
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Fri Jan 05, 2007 2:39 pm

Are you sure that you are sending a TCP packet?

You can simply check by adding a rule that logs what is coming in.
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Fri Jan 05, 2007 4:12 pm

I tested with the "telnet my_host 7777" command from a remote Windows machine and it doesn't work.

Look at the rules:

1 ;;; Port knocking SSH - external interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=7777 action=add-src-to-address-list address-list=ssh_ok address-list-timeout=2h

2 ;;; Accept verified SSH - port knocking, external interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept

3 ;;; Drop remaining SSH
chain=input src-address=0.0.0.0/0 protocol=tcp dst-port=22 action=drop

If I add a rule (number 4) that accepts any source to any destination on dst-port 7777, it doesn't work either.
 
maxfava
Member Candidate
Posts: 225
Joined: Mon Oct 17, 2005 12:30 am

Fri Jan 05, 2007 4:36 pm

1 ;;; Port knocking SSH - external interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=7777 action=add-src-to-address-list address-list=ssh_ok address-list-timeout=2h

2 ;;; Accept verified SSH - port knocking, external interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept

3 ;;; Drop remaining SSH
chain=input src-address=0.0.0.0/0 protocol=tcp dst-port=22 action=drop

Before rule 1, add:

chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=7777 action=log log-prefix=7777

chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp action=log

Then try again and see what the log shows.
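The following is an added example, not configuration posted by anyone in this thread. It puts together what the thread describes: an address-list based knock on a high port, the SSH accept gated on that list, and the log rules suggested above for diagnosing whether the knock packet ever reaches the input chain. It also extends the single knock to a two-port sequence. Everything below is an assumption to adapt: the WAN interface is called externa as in the thread, the knock sequence is 8888 then 7777, SSH is on 22, and the timeouts are illustrative.

```routeros
# Added example (not from the thread). Assumptions: WAN interface "externa",
# knock sequence 8888 then 7777, SSH on 22. Adjust to your router.
/ip firewall filter

# Diagnostics first: log every TCP packet that arrives on a knock port before
# any other rule can act on it. If nothing appears in /log and the rule counter
# in "/ip firewall filter print stats" stays at zero, the packets never reach
# the input chain (wrong interface, blocked upstream, or a rule above this one).
add chain=input in-interface=externa protocol=tcp dst-port=8888 action=log log-prefix="knock1:" comment="diag: knock stage 1"
add chain=input in-interface=externa protocol=tcp dst-port=7777 action=log log-prefix="knock2:" comment="diag: knock stage 2"

# Stage 1: a TCP packet to 8888 from the WAN puts its source in "knock1" for 30s.
# add-src-to-address-list is a non-terminating action: the packet keeps going
# down the chain, so the knock rules must sit above any general drop rule.
add chain=input in-interface=externa protocol=tcp dst-port=8888 action=add-src-to-address-list address-list=knock1 address-list-timeout=30s comment="knock stage 1"

# Stage 2: within those 30s, a packet to 7777 from an address already in knock1
# promotes it to "ssh_ok" for 2h. The descending order (8888 before 7777) means
# a scanner sweeping ports upward hits 7777 first and never completes the sequence.
add chain=input in-interface=externa protocol=tcp dst-port=7777 src-address-list=knock1 action=add-src-to-address-list address-list=ssh_ok address-list-timeout=2h comment="knock stage 2"

# Accept SSH from the WAN only for sources that completed the sequence.
add chain=input in-interface=externa protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept comment="SSH after knock"

# Drop everything else from the WAN to SSH and to the knock ports. Scoping the
# drop to in-interface=externa keeps LAN-side SSH reachable; dropping the knock
# ports keeps them invisible to a scanner (the address-list rules already fired).
add chain=input in-interface=externa protocol=tcp dst-port=22 action=drop comment="drop unknocked SSH"
add chain=input in-interface=externa protocol=tcp dst-port=8888 action=drop comment="drop knock port 1"
add chain=input in-interface=externa protocol=tcp dst-port=7777 action=drop comment="drop knock port 2"

# Verification on the router after knocking from a remote host with
# "telnet <router> 8888" followed by "telnet <router> 7777" (both attempts
# time out, which is expected because the knock ports are dropped):
/ip firewall address-list print where list=knock1
/ip firewall address-list print where list=ssh_ok
/log print where message~"knock"
/ip firewall filter print stats
```

Two things to check when a knock on a high port registers nothing while the same rule on port 80 works. First, rule order: a printed listing that starts at rule 1 means something sits at rule 0, and anything above the knock rule that drops, rejects or jumps away with the packet is evaluated first, so the log rule belongs at the very top while testing. Second, whether the packet arrives at all: the log rule's counter and the log entries answer that independently of the address-list logic. Once knocking works, remove the two diagnostic log rules so the log is not filled by scanners probing those ports.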