Also, you can use ICMP with custom packet size and you can ping (ping -l for Windows or ping -s for linux) from any OS without installing extra software. Packet size to ping should be packet size - 28 bytes (IP Header + ICMP Header).
The timeout isn't very clear in the firewall GUI (web and Winbox), by default you can just choose "non dynamic" or "non static". Because of this video I've learned that you can also use any times you like. Thanks.
Love the video! Would love to see what you were talking about towards the end regarding a passphrase on top of this great trick! Love the contrast as always you all are incredible!
Just going to leave this here if you google around a bit you'll find a slide show that has an example of how you do this. The key takeaways is that you create a layer 7 rule to match the passphrase along with the knocks. Then so long all matches you'll get in. Haven't added that part, but will be trying it later. I'll add another comment or edit my original with the syntax.
Instead of configuring port ranges to secure the knocking you can use this line before to block port scanners add action=drop chain=input comment="dropping port scanners" in-interface-list=WAN src-address-list=\ "port scanners" add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input \ comment="Port scanners to list " in-interface-list=WAN log=yes log-prefix=scanner protocol=tcp \ psd=21,3s,3,1
Please do a new series of videos about vlans. Each episode should start of selecting devices to method, theory about that method, example configuration for Access/Tagged/Hybrid and Trunk - those on one device only, and how use those vlans on /ip/address to reach them, how use that method with bonding and Q&Q. I hope you can stop this series on 6 episodes bcs I know at least 6 way of creating vlans and each should be shorter then 1h. I hope you clear all stuff about VLAN on MikroTik by that videos, I wait for that video series. Remember, Hybrid port are for wifi AccessPoint very very important.
Interesting. But you know what? Your (I suppose bash) `for` loop at 10:00 has in fact single item, which was interpreted as list in single `nmap` command.
In general I fail to see the need for port knocking now that MT has wireguard built-in. Druvis, when is port knocking useful (better option than wireguard)???
Wireguard ports seem to be undetectable by port scan due to the use of UDP and PKI, but you might not always want to run everything through it. Or maybe you are restricted to using some weaker tunneling protocols - you could then hide those with port knocking.
@@Problembaer4 if you put those rules for black listing in prerouting... I assure you it will catch incoming connections. My f--koff list is generated there.
@@ChrisNicholson then you need the define the DST-IP (the Router-IP itself) somehow. Via the input-chain, the routing-decision was already done. So yeah, I think both ways are possible but for most people the firewall is easier to understand as a "prerouting" chain.
While this looks impressive and is technically "cool", it doesn't really add much in terms of security. Some ports need to be publicly available (webserver, etc.). All of them should be inherently secure. Hence it makes more sense to focus on hardening the services rather than adding some magic in front of it. Focussing on ports in terms of security feels like it's 1995 again 😂.
Wrote this .bat script to protect my ports. Works only with windows: @echo off set target_ip=11.22.33.44 set /a PacketSize1=111 set /a PacketSize2=222 set /a PacketSize3=333 set ip=%target_ip% set /a size1=%PacketSize1%-28 set /a size2=%PacketSize2%-28 set /a size3=%PacketSize3%-28 set info=IP is: %ip%, ICMP size: %size1%, %size2%, %size3%; echo %info% CLS ping %ip% -l %size1% -n 2 CLS ping %ip% -l %size2% -n 2 CLS ping %ip% -l %size3% -n 2 CLS @echo off REM 2 sec hold ping -n 2 localhost>nul exit
![Port Knocking Attack | Ryan's CTF [17] Knock-Knock FINALE](http://i.ytimg.com/vi/sOy6pU8CaCU/mqdefault.jpg)
Also, you can use ICMP with custom packet size and you can ping (ping -l for Windows or ping -s for linux) from any OS without installing extra software. Packet size to ping should be packet size - 28 bytes (IP Header + ICMP Header).
Very nice by You at Mikrotik! It opened up a really nice feature! Thanks!!!!
The timeout isn't very clear in the firewall GUI (web and Winbox), by default you can just choose "non dynamic" or "non static". Because of this video I've learned that you can also use any times you like. Thanks.
Love the video! Would love to see what you were talking about towards the end regarding a passphrase on top of this great trick!
Love the contrast as always you all are incredible!
See link in description, it has that step
When I try viewing that in your documentation it just reveals rand string of characters.
@@mikrotik I see only random string there - "VGhlbiBjcmVhdGUg....."
Just going to leave this here if you google around a bit you'll find a slide show that has an example of how you do this. The key takeaways is that you create a layer 7 rule to match the passphrase along with the knocks. Then so long all matches you'll get in. Haven't added that part, but will be trying it later. I'll add another comment or edit my original with the syntax.
@@xtlmeth mum.mikrotik.com/presentations/US10/discher.pdf
Very thanksful Eng Druvis..! 🌹🙏
did that some years ago. works pretty good
btw. druvis seems to be quite a fast typer ;)
He is your have to pay attention and flow in same frequency as his .
Nice! Please consider adding Single Packet Authorization (fwknop) instead of the archaic port knocking method.
Nice presentation. Thanks
Please do cover the passphrase thing in a coming video. Thank you :)
Instead of configuring port ranges to secure the knocking you can use this line before to block port scanners
add action=drop chain=input comment="dropping port scanners" in-interface-list=WAN src-address-list=\
"port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input \
comment="Port scanners to list " in-interface-list=WAN log=yes log-prefix=scanner protocol=tcp \
psd=21,3s,3,1
Good point, but if you do it as in the video, it doesn't matter if someone is using cookie cutter scanning or if they are targeting specific ports.
Please do a new series of videos about vlans. Each episode should start of selecting devices to method, theory about that method, example configuration for Access/Tagged/Hybrid and Trunk - those on one device only, and how use those vlans on /ip/address to reach them, how use that method with bonding and Q&Q. I hope you can stop this series on 6 episodes bcs I know at least 6 way of creating vlans and each should be shorter then 1h. I hope you clear all stuff about VLAN on MikroTik by that videos, I wait for that video series. Remember, Hybrid port are for wifi AccessPoint very very important.
Interesting. But you know what? Your (I suppose bash) `for` loop at 10:00 has in fact single item, which was interpreted as list in single `nmap` command.
In general I fail to see the need for port knocking now that MT has wireguard built-in. Druvis, when is port knocking useful (better option than wireguard)???
Wireguard ports seem to be undetectable by port scan due to the use of UDP and PKI, but you might not always want to run everything through it. Or maybe you are restricted to using some weaker tunneling protocols - you could then hide those with port knocking.
Hey Druvis, the "low" part of "allow" is prounced like "loud" without the end "d" sound.
👏👏👏
Why not put this in prerouting of mangle?
I think you cannot allow acces to the router itself (input-chain) via magling.
@@Problembaer4 if you put those rules for black listing in prerouting... I assure you it will catch incoming connections. My f--koff list is generated there.
@@ChrisNicholson then you need the define the DST-IP (the Router-IP itself) somehow. Via the input-chain, the routing-decision was already done. So yeah, I think both ways are possible but for most people the firewall is easier to understand as a "prerouting" chain.
@@Problembaer4 I use the wan interface.
Well... that looks like nice thing.
Knock, Knock, Who's there ?
cAP ax
Actually it's Druvis
While this looks impressive and is technically "cool", it doesn't really add much in terms of security. Some ports need to be publicly available (webserver, etc.). All of them should be inherently secure. Hence it makes more sense to focus on hardening the services rather than adding some magic in front of it.
Focussing on ports in terms of security feels like it's 1995 again 😂.
knock knock, who's there?
isis
666.
Lol, Druvis.
Wrote this .bat script to protect my ports. Works only with windows:
@echo off
set target_ip=11.22.33.44
set /a PacketSize1=111
set /a PacketSize2=222
set /a PacketSize3=333
set ip=%target_ip%
set /a size1=%PacketSize1%-28
set /a size2=%PacketSize2%-28
set /a size3=%PacketSize3%-28
set info=IP is: %ip%, ICMP size: %size1%, %size2%, %size3%;
echo %info%
CLS
ping %ip% -l %size1% -n 2
CLS
ping %ip% -l %size2% -n 2
CLS
ping %ip% -l %size3% -n 2
CLS
@echo off
REM 2 sec hold
ping -n 2 localhost>nul
exit
fool consol use