Port Knocking
Posted: Thu Jan 04, 2007 4:53 pm
by fpascual
I configured port knocking for SSH login, but it only works when I use a port that MikroTik already has open (like 80).
Rules:
;;; Port Knocking SSH - External Interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=80 action=add-src-to-address-list address-list=ssh_ok address-list-timeout=1h
;;; Accept Verified SSH - Port Knocking External Interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept
;;; Drop Remaining SSH
chain=input src-address=0.0.0.0/0 protocol=tcp dst-port=22 action=drop
If I use another port (like 887) it doesn't work.
What am I doing wrong?
Thanks!
Posted: Fri Jan 05, 2007 7:19 am
by mneumark
So let me get this right. When you visit your
http://youriptoyourmikrotik:80 you want it to add your IP address to an address list?
Posted: Fri Jan 05, 2007 10:26 am
by janisk
As I understood it, that is working, but he wants it to be 887.
Check the firewall rules for any port blocking on the port you desire, but I would suggest using a port above 1024.
Posted: Fri Jan 05, 2007 2:23 pm
by fpascual
Yes janisk, 887 is an example only.
If I configure port 5555 it doesn't work. I telnet to my host on port 5555 and it doesn't match the "add-src-to-address-list" action.
Do you understand?
Thanks
Posted: Fri Jan 05, 2007 2:39 pm
by janisk
Are you sure that you are sending a TCP packet?
You can simply check by adding a rule that logs what is coming in.
Posted: Fri Jan 05, 2007 4:12 pm
by fpascual
I tested with the "telnet my_host 7777" command from a remote Windows machine and it doesn't work.
Look at the rules:
1 ;;; Port Knocking SSH - External Interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=7777 action=add-src-to-address-list address-list=ssh_ok address-list-timeout=2h
2 ;;; Accept Verified SSH - Port Knocking External Interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept
3 ;;; Drop Remaining SSH
chain=input src-address=0.0.0.0/0 protocol=tcp dst-port=22 action=drop
If I put a rule (number 4) with accept any any dst port 7777, it doesn't work either.
Posted: Fri Jan 05, 2007 4:36 pm
by maxfava
1 ;;; Port Knocking SSH - External Interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=7777 action=add-src-to-address-list address-list=ssh_ok address-list-timeout=2h
2 ;;; Accept Verified SSH - Port Knocking External Interface
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=22 src-address-list=ssh_ok action=accept
3 ;;; Drop Remaining SSH
chain=input src-address=0.0.0.0/0 protocol=tcp dst-port=22 action=drop
Before rule 1, add:
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp dst-port=7777 action=log prefix=7777
chain=input in-interface=externa src-address=0.0.0.0/0 protocol=tcp action=log
After that, try again and see what the log shows.
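A runnable model of the address-list port knock discussed in this thread, added here as an example; it is not code from the forum posts or from MikroTik. It simulates only the rule fields the posted rules use (chain, in-interface, protocol, dst-port, src-address-list, action, address-list-timeout), with maxfava's two log rules placed before rule 1. Two assumptions are made about RouterOS semantics, as I understand them: log and add-src-to-address-list are non-terminating, so the packet keeps walking the chain, and an input chain with no matching rule accepts. The source addresses, the second interface name "lan", and the clock values are constructed. Running it shows what the log rules would reveal: a knock that arrives on an interface other than externa never matches rule 1 (so the later SSH attempt is dropped), and an ssh_ok entry stops matching once address-list-timeout has elapsed.

```python
"""Toy RouterOS-style input chain with dynamic address lists (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    chain: str
    action: str                            # accept | drop | add-src-to-address-list | log
    in_interface: Optional[str] = None     # None means "any", like an omitted in-interface
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address_list: Optional[str] = None
    address_list: Optional[str] = None
    address_list_timeout: int = 0          # seconds; 0 means the entry never expires
    prefix: str = ""                       # log prefix


@dataclass
class Packet:
    src: str
    in_interface: str
    protocol: str
    dst_port: int
    ts: int                                # constructed clock, seconds


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}                    # list name -> {address: expiry ts or None}
        self.log = []

    def in_list(self, name, addr, now):
        entries = self.lists.get(name, {})
        if addr not in entries:
            return False
        expiry = entries[addr]
        if expiry is not None and now >= expiry:
            del entries[addr]              # dynamic entry timed out, as address-list-timeout would
            return False
        return True

    def matches(self, r, p):
        return (r.chain == "input"
                and (r.in_interface is None or r.in_interface == p.in_interface)
                and (r.protocol is None or r.protocol == p.protocol)
                and (r.dst_port is None or r.dst_port == p.dst_port)
                and (r.src_address_list is None
                     or self.in_list(r.src_address_list, p.src, p.ts)))

    def process(self, p):
        """Walk the chain top to bottom; return the terminating action."""
        for r in self.rules:
            if not self.matches(r, p):
                continue
            if r.action == "log":          # assumption: non-terminating
                self.log.append(f"{r.prefix} input: in:{p.in_interface} "
                                f"{p.protocol} {p.src}->:{p.dst_port}")
                continue
            if r.action == "add-src-to-address-list":   # assumption: non-terminating
                expiry = p.ts + r.address_list_timeout if r.address_list_timeout else None
                self.lists.setdefault(r.address_list, {})[p.src] = expiry
                continue
            return r.action
        return "accept"                    # assumption: no match in the input chain accepts


def build_rules():
    """The thread's three rules with maxfava's two log rules in front of rule 1."""
    return [
        Rule("input", "log", in_interface="externa", protocol="tcp", dst_port=7777, prefix="7777"),
        Rule("input", "log", in_interface="externa", protocol="tcp", prefix="tcp"),
        Rule("input", "add-src-to-address-list", in_interface="externa", protocol="tcp",
             dst_port=7777, address_list="ssh_ok", address_list_timeout=2 * 3600),
        Rule("input", "accept", in_interface="externa", protocol="tcp", dst_port=22,
             src_address_list="ssh_ok"),
        Rule("input", "drop", protocol="tcp", dst_port=22),
    ]


def scenario():
    """Drive constructed packets through the chain and collect the outcomes."""
    fw = Firewall(build_rules())
    knocker, other = "203.0.113.5", "198.51.100.9"     # constructed documentation addresses
    out = {}
    out["ssh_before_knock"] = fw.process(Packet(knocker, "externa", "tcp", 22, ts=0))
    fw.process(Packet(knocker, "externa", "tcp", 7777, ts=1))        # the knock
    out["ssh_after_knock"] = fw.process(Packet(knocker, "externa", "tcp", 22, ts=2))
    # A knock arriving on another interface never matches rule 1 (in-interface=externa).
    fw.process(Packet(other, "lan", "tcp", 7777, ts=3))
    out["ssh_wrong_interface_knock"] = fw.process(Packet(other, "externa", "tcp", 22, ts=4))
    # The dynamic entry is gone once address-list-timeout=2h has elapsed.
    out["ssh_after_timeout"] = fw.process(Packet(knocker, "externa", "tcp", 22, ts=1 + 2 * 3600))
    out["log"] = list(fw.log)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, "->", v)
```

The log list is the part worth reading first when a knock "does nothing": if no line with the 7777 prefix appears for the knock packet, the packet did not reach the chain with that interface, protocol and port, and the address-list rule had nothing to match.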