segunda-feira, 4 de janeiro de 2016

Mikrotik - "porta dos fundos"

Configure Port-Knocking in RouterOS.

Port knocking is a method of establishing a connection to a networked device that has no open ports.
Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports.

A remote host generates and sends an authentic knock sequence in order to manipulate device firewall rules to open one or more specific ports.
Once the desired ports are opened, the remote host can establish a connection and begin a session (in this example, SSH will be available after issuing the correct Knocking Sequence to a RouterOS Based Router).
Optionally, another knock sequence may used to trigger the closing of the previously enabled port.
/ip firewall filter
add action=log chain=input log-prefix="KNOCK STAGE 01" disabled=no\
    protocol=tcp dst-port=1010
add action=add-src-to-address-list address-list="KNOCK STAGE 01"\
    address-list-timeout=15s chain=input disabled=no\
    dst-port=1010 protocol=tcp
add action=log chain=input log-prefix="KNOCK STAGE 02" disabled=no\
    protocol=tcp dst-port=2020 src-address-list="KNOCK STAGE 01"
add action=add-src-to-address-list address-list="KNOCK STAGE 02"\
    address-list-timeout=15s chain=input disabled=no\
    dst-port=2020 protocol=tcp
add action=log chain=input log-prefix="KNOCK STAGE 03" disabled=no\
    protocol=tcp dst-port=3030 src-address-list="KNOCK STAGE 02"
add action=add-src-to-address-list address-list="KNOCK STAGE 03"\
    address-list-timeout=15s chain=input disabled=no\
    dst-port=3030 protocol=tcp
add action=accept chain=input disabled=no\
    dst-port=22 protocol=tcp src-address-list="KNOCK STAGE 03"
In this example Address-Lists are created with a validity of 15s, so the knocking sequence needs to be issued quite fast.
Better security will be granted using a sequence with decreasing port number and different protocols (to avoid basic Port Scans).
Example: 30001/TCP -> 2001/UDP -> 101/TCP => Open 22/TCP.


0 comentários: