Securing MikroTik Routers With Proxy Whitelisting

Keeping your MikroTik router secure is of utmost importance. There are a lot of ways you can secure your router, but one of the most effective methods is by port knocking. In this article, we will explain what port knocking is and how it can help keep your router secure.

What is Port Knocking?

Port knocking is a security technique used to prevent unauthorized access to a network. It involves sending a series of connection attempts to specific ports in a particular sequence. Only after the correct sequence of connection attempts has been made, the requested port will be opened thereby allowing access to the network.

Why Use Port Knocking?

Port knocking makes it much more difficult for hackers to gain unauthorized access to your network through open ports. Since port knocking operates outside of the traditional authentication and encryption mechanisms, it provides another layer of security that makes it more difficult for any potential threat to exploit.

Some of the key benefits of using port knocking to secure your MikroTik router include:

• Bolsters the router's security by reducing the number of open ports
• Prevents automated brute-force attacks by significantly limiting the number of attempts possible
• Provides an additional security layer outside of the traditional authentication and encryption methods
• Minimizes the risks of malicious activity like denial-of-service attacks, man-in-the-middle attacks and other attacks aimed at open ports

How to Set Up Port Knocking on a MikroTik Router

The following steps will guide you on how to set up port knocking on your MikroTik router:

Step 1: Plan Your Sequence and Open Ports

The first step in implementing port knocking on your MikroTik router is deciding on the sequence of ports you want to use and which ports to open. Remember that port knocking can only work if there is a correct sequence of connection attempts. Here is an example of a valid port knocking sequence:

• Attempt to connect to port 3000
• Attempt to connect to port 4000 within 10 seconds
• Attempt to connect to port 5000 within 10 seconds

Once you have planned out the sequence, you can begin opening the ports in your MikroTik router.

Step 2: Configure the MikroTik Firewall

The second step involves configuring the MikroTik firewall. Follow these steps to configure your MikroTik firewall:

1. Log in to the MikroTik router and open WinBox or WebFig
2. Go to IP > Firewall > Filter Rules
3. Click the + sign to add a new rule
4. Set Chain to input
5. Set Protocol to TCP
6. Set Dst. Port List to 3000
7. Click on Action tab and set Action to mark connection
8. Set the New Connection Mark to portknock-1
9. Click OK to save the rule
10. Repeat steps 3-9 for port 4000 and 5000

Here is an example of the MikroTik firewall rule to enable port knocking:

  /ip firewall filter  add chain=input protocol=tcp dst-port=3000 action=mark-connection new-connection-mark=portknock-1 \  add chain=input protocol=tcp dst-port=4000 action=mark-connection connection-mark=portknock-1 new-connection-mark=portknock-2 \  add chain=input protocol=tcp dst-port=5000 action=accept connection-mark=portknock-2  

Step 3: Configure the Knock Script

The final step involves configuring the knock script. Follow these steps to configure the knock script:

1. Log in to the MikroTik router and open WinBox or WebFig
2. Go to System > Scripts
3. Click the + sign to add a new script
4. Set the Name to knock
5. Set the Source to:

 :local knocklen 3 :local knockport1 3000 :local knockport2 4000 :local knockport3 5000 :local ignoreIP "10.10.10.5,10.10.10.6"   :local knock1count [:len [/ip firewall connection find connection-mark=portknock-1]] :if ($knock1count=$knocklen) do=     :log error message="Port Knock1 Sequence OK"          :local knock2count [:len [/ip firewall connection find connection-mark=portknock-2]]     :if ($knock2count=1) do=         :log warning message="Port Knock2 Sequence OK"                  :foreach i in=[/ip firewall connection find connection-mark=portknock-1] do=             :local theIP [/ip firewall connection get $i src-address]             :if ([:find $ignoreIP "$theIP"]=0) do=                 /ip firewall connection remove $i                                        /ip firewall filter enable [find chain=forward]       

6. Click OK to save the script

You now have successfully configured your MikroTik router to utilize port knocking for access control. However, it's important to note that port knocking is not a silver bullet against all network threats. You still need to maintain other security measures such as strong passwords, up-to-date software, and regular backups in place to ensure maximum security.

In Conclusion

Port Knocking is a powerful and effective method of securing your MikroTik router. It significantly reduces the risk of unauthorized access and opens up a world of new security possibilities. However, it's essential to understand that it's not a replacement for traditional security measures like strong passwords, up-to-date software, and regular backups. Used in conjunction with these security protocols, port knocking can become an essential tool in maintaining the security and integrity of your network systems

mikrotik knocking

mikrotik routers

mikrotik

wifi spectrum routers securing compatible

Share :

You may like these posts :

• 
  Exploring MikroTik RouterOS Firewall Policies For VPN
• 
  Improving Network Efficiency With MikroTik Router Proxy Server
• 
  The Different VPN Protocols Supported By MikroTik Routers
• 
  Troubleshooting MikroTik Router Proxy Configuration