Securing Your Network MikroTik Router Firewall Best Practices
MikroTik Firewall : Securing your Router with Port Knocking
Your router serves as the first line of defense for your network, protecting your local devices from the outside world. However, traditional firewalls may not be enough to protect your network from advanced threats. One solution is to use port knocking, a technique that can be used to improve the security of your MikroTik firewall. In this article, we will explain how to secure your router using port knocking.
What is Port Knocking?
Port knocking is a security technique that provides an additional layer of protection for network services. It involves "knocking on" a sequence of ports in a predefined order to communicate with a firewall, which will open up a port or service for a short period of time. After this period, the port or service is closed again, providing an additional layer of protection against attackers who try to scan ports or brute force their way into your network.
Setting up Port Knocking on your MikroTik Router
The following steps will guide you through the process of setting up port knocking to secure your MikroTik firewall:
Step 1: Define the sequence of ports to use
The first step is to define a sequence of ports that will be used for port knocking. You can choose any sequence of ports, as long as they are not commonly used and cannot be guessed easily. We recommend using a sequence of at least three or four ports to provide adequate security. For this example, we will use the following sequence: 1234, 4321, 5678.
Step 2: Adding Firewall Rules
The next step is to add firewall rules to allow or deny access to specific ports based on the port knocking sequence. Open up Winbox and go to IP > Firewall > Filter
Once you are on the Filter tab, you need to add new rules to the Input Chain. Click on the Add new (+) button to add a new firewall rule.
Configure the following settings for the new rule:
Chain: Input
Protocol: TCP
Dst. Port: 1234,4321,5678
In the Advanced Tab set:
Action : Drop
Repeat this step three times, one rule for each port in the sequence (1234, 4321, and 5678).
Step 3: Setup Port Knocking Rules
Now we will add a rule to allow access to the SSH service only if the correct port knocking sequence has been used. Go to IP > Firewall > Filter and click the Add new (+) button to add a new firewall rule.
Configure the following settings for the new rule:
Chain: Input
Dst. Port: 22 (SSH)
In. Interface: WAN
Protocol: tcp
Go to the Advanced tab and add the following values:
Action: Accept
Add Src. Address: 0.0.0.0/0
Add Src. Address List: portknocking
Src. Ports: 0-65535
Dst. Ports: 22
Add Src. Address to Address List: yes
Click OK to save the rule.
Step 4: Configure the Port Knocking Script
The final step is to create a script that will perform the port knocking sequence and add the IP address of the client to a list of authenticated users on the MikroTik router. Open up the New Terminal in Winbox and run the following command:
/ip firewall address-list add address=0.0.0.0 list=portknocking timeout=60s /ip firewall filter add action=accept chain=input dst-port=22 in-interface=WAN protocol=tcp src-address-list=portknocking add action=drop chain=input dst-port=1234 protocol=tcp add action=jump chain=input jump-target=port-knocking-test protocol=tcp /ip firewall raw add action=drop chain=prerouting dst-port=1234 protocol=tcp src-address-list=! add action=accept chain=port-knocking chain=forward dst-port=22 protocol=tcp src-address-list=authenticated-users /ip firewall script add name=port-knocking-test policy=read,write source="#!/bin/bash\n\nif [ \"$dst-address\" != \"101.101.101.101\" ] ; then\n exit 0\nfi\n\nif [ \"$src-address\" = \"1.2.3.4\" -o \"$src-address\" = \"2.3.4.5\" -o \"$src-address\" = \"3.4.5.6\" ] ; then\n /ip firewall address-list add list=authenticated-users timeout=3h address=$src-address\n exit 0\nfi\n\nif [ \"$src-address-list\" = \"portknocking\" ] ; then\n exit 0\nfi\n\nexit 1\n"
Replace the $dst-address value with the public IP address of your MikroTik router, and replace the $src-address values with the IPs that are allowed to perform the port knocking sequence. In this example, we allow 1.2.3.4, 2.3.4.5, and 3.4.5.6 to perform the port knocking sequence.
Conclusion
Port knocking is a powerful security technique that can be used to improve the security of your MikroTik firewall. By using a predefined sequence of ports to communicate with your firewall, you can effectively add an additional layer of protection to your network services against advanced threats. With the steps outlined in this article, you can easily set up port knocking on your MikroTik router and enhance the security of your network.
Remember that no security measure is foolproof, and port knocking is not a replacement for traditional firewalls and other security measures. It is important to use a variety of security measures to protect your network from advanced threats.
Post a Comment for "Securing Your Network MikroTik Router Firewall Best Practices"