My first entry in the blog will explain how to secure access to a Mikrotik device. In order to do this we will use three methods:
The Mikrotik device have three hypothetical interfaces:
- Disable unnecessary protocols.
- Firewall filters:
- Port knocking technique.
- Detection and filter of force brute attacks technique.
The Mikrotik device have three hypothetical interfaces:
- ether1: WAN interface. It has a public IP address and, of course, it has Internet access.
- ether2: LAN interface dedicated to user network. In this interface we want to allow manager access, but we want to make the access safe anyway.
First method: Make Mikrotik listen only for needed services.
Mikrotik can disable the protocols that you don’t need in ip service menu, so the first step is configure them. In this example we want to disable all manage protocols but SSH (the device will only listen for SSH and drops any other request).
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
And this is all about this method.
Second method: Port Knocking.
This is a little more interesting section. This is the goal: SSH port is disabled by default. To enable it you must to knock two doors. Knock a door is as easy as send a well known formatted packet (in this example first door opens when the device receive a TCP packet in port 2500 and second door opens when the device receive a TCP packet in port 2600). After this you can open a SSH session.
Port knocking prevents from port scanning techniques, because SSH port is closed until somebody knocks the doors.
Make sure you read the complete section before apply any command because its order is important to ensure you don’t loose the connection to the device you are configuring.
Let's go!
In first step, we disable any kind of traffic that has not been previously stablished:
Port knocking prevents from port scanning techniques, because SSH port is closed until somebody knocks the doors.
Make sure you read the complete section before apply any command because its order is important to ensure you don’t loose the connection to the device you are configuring.
Let's go!
In first step, we disable any kind of traffic that has not been previously stablished:
/ip firewall filter
add chain=input connection-state=established,related
add action=drop chain=input
add action=drop chain=input
Print command should show something like this:
0 chain=input action=accept connection-state=established,related log=no log-prefix=""
1 chain=input action=drop log=no log-prefix=""
1 chain=input action=drop log=no log-prefix=""
After this, in second step, we can add a rule that implement the first knock:
add chain=input connection-state=new dst-port=2500 protocol=tcp action=add-src-to-address-list address-list=DOOR1 address-list-timeout=30s log=no log-prefix="" place-before=1
The only thing this rule do is adding the IP address source that had send a TCP packet with destination port 2500 to an address list called “DOOR1” during 30 seconds. Cause Mikrotik applies rules in order, this rule must be applied before the rule that drops all incoming traffic.
0 chain=input action=accept connection-state=established,related log=no log-prefix=""
1 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR1 address-list-timeout=30s dst-port=2500 log=no log-prefix=""
2 chain=input action=drop log=no log-prefix=""
1 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR1 address-list-timeout=30s dst-port=2500 log=no log-prefix=""
2 chain=input action=drop log=no log-prefix=""
The second knock only occurs after the first one. Do this is as easy as add a new condition to rule: source IP must be in address-list “DOOR1”:
add chain=input connection-state=new dst-port=2600 protocol=tcp src-address-list=DOOR1 action=add-src-to-address-list address-list=DOOR2 address-list-timeout=2m log=no log-prefix="" place-before=2
I have incremented the timeout because sometimes I mistake the device password and I need several tries.
And finally, the SSH access:
add chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=DOOR2 log=no log-prefix="" place-before=3
The print command must look like this:
0 chain=input action=accept connection-state=established,related log=no log-prefix=""
1 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR1 address-list-timeout=30s dst-port=2500 log=no log-prefix=""
2 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=DOOR1 address-list=DOOR2 address-list-timeout=2m dst-port=2600 log=no log-prefix=""
3 chain=input action=accept connection-state=new protocol=tcp src-address-list=DOOR2 dst-port=22 log=no log-prefix=""
4 chain=input action=drop log=no log-prefix=""
2 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=DOOR1 address-list=DOOR2 address-list-timeout=2m dst-port=2600 log=no log-prefix=""
3 chain=input action=accept connection-state=new protocol=tcp src-address-list=DOOR2 dst-port=22 log=no log-prefix=""
4 chain=input action=drop log=no log-prefix=""
Now a port scan will be useless:
You can knock with command "nmap -PN --host_timeout 201 --max-retries 0 -p 2500 10.0.0.1". I will use a simple ssh access with destination port 2500.
And this is an access example:
Ok. A bit further away. What about if you think “I only need port knocking on WAN interface, not on LAN interface"?. It's as easy as adding a rule that places in DOOR2 the access that comes from LAN interface:
add chain=input connection-state=new dst-port=22 in-interface=ether2 action=add-src-to-address-list address-list=DOOR2 address-list-timeout=1s log=no log-prefix="" protocol=tcp place-before=3
You can add a list of ACCESS_WHITELIST to this rule.
Extra security configuration: detect and filter port scanning. Port knocking can be a good way to make your device access safe, but you can go a step further away. There is another way to detect intrusions tries: filter the port scanning.
From Mikrotik wiki: port scan detection. In order to integrate this configuration with the rest of them you can place the rule before the port knocking rules.
add chain=input protocol=tcp psd=21,3s,3,1
action=add-src-to-address-list address-list=ACCESS_BLACKLIST address-list-timeout=30m log=no log-prefix="" place-before=1
action=add-src-to-address-list address-list=ACCESS_BLACKLIST address-list-timeout=30m log=no log-prefix="" place-before=1
And a rule that drops the traffic from hosts listed in “ACCESS_BLACKLIST”.
add chain=input action=drop port=22 protocol=tcp src-address-list=ACCESS_BLACKLIST place-before=5
The output of print command:
0 chain=input action=accept connection-state=established,related log=no log-prefix=""
1 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=ACCESS_BLACKLIST address-list-timeout=30m log=no log-prefix=""
2 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR1 address-list-timeout=30s dst-port=2500 log=no log-prefix=""
3 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=DOOR1 address-list=DOOR2 addresslist-timeout=2m dst-port=2600 log=no log-prefix=""
4 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR2 address-list-timeout=1s in-interface=ether2 dst-port=22 log=no log-prefix=""
5 chain=input action=drop protocol=tcp src-address-list=ACCESS_BLACKLIST port=22 log=no log-prefix=""
6 chain=input action=accept connection-state=new protocol=tcp src-address-list=DOOR2 dst-port=22 log=no log-prefix=""
7 chain=input action=drop log=no log-prefix=""
1 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=ACCESS_BLACKLIST address-list-timeout=30m log=no log-prefix=""
2 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR1 address-list-timeout=30s dst-port=2500 log=no log-prefix=""
3 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=DOOR1 address-list=DOOR2 addresslist-timeout=2m dst-port=2600 log=no log-prefix=""
4 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR2 address-list-timeout=1s in-interface=ether2 dst-port=22 log=no log-prefix=""
5 chain=input action=drop protocol=tcp src-address-list=ACCESS_BLACKLIST port=22 log=no log-prefix=""
6 chain=input action=accept connection-state=new protocol=tcp src-address-list=DOOR2 dst-port=22 log=no log-prefix=""
7 chain=input action=drop log=no log-prefix=""
A port scan test on WAN interface:
The address list with the source IP address of the port scanner:
A try of access after a port scan:
And the result: SSH connection tries will be dropped
Third method: detect and filter brute force attacks.
Imagine a very intelligent attacker had obtained the format of the packets for knocking the doors. He will try to probe a force brute attack in order to obtain the device user and password.
This method assumes that more than three tries of authentication in less than a minute is an attack (or a very clumsy operator that needs to be punished). For each new connection to SSH port we will add the source IP to an additional address-list (ACCESS_TRY_1, ACCESS_TRY_2 and ACCESS_TRY_3). After this, the next try will be considered as an attack and will be dropped.
After you have knocked two doors, your IP must be in address-list “DOOR2”, so we must change the rule 6 to something like this:
an example of a brute force attack:
And a bit further again: email when your router detect and filter an attack. You need only two configurations: “/tool e-mail” and “system loggin”. In addition you can add a prefix to log line.
Finally, the complete script that resume all the post is the following:
This method assumes that more than three tries of authentication in less than a minute is an attack (or a very clumsy operator that needs to be punished). For each new connection to SSH port we will add the source IP to an additional address-list (ACCESS_TRY_1, ACCESS_TRY_2 and ACCESS_TRY_3). After this, the next try will be considered as an attack and will be dropped.
After you have knocked two doors, your IP must be in address-list “DOOR2”, so we must change the rule 6 to something like this:
set 6 connection-state=new port=22 protocol=tcp src-address-list=DOOR2 action=add-src-to-address-list address-list=ACCESS_TRY_1 address-list-timeout=20s place-before=5
OK. The second try will be similar to the first, but it will check the address-list ACCESS_TRY_1. Must be placed before the rule that register the first try, because if not, this rule will be executed immediately after and will register the first try as a new second try (Remember: Mikrotik matches the rules in order).
We will use the same procedure with third try, but the address list that we will add the source IP will be ACCESS_BLACKLIST.
The result must be like this:
The result must be like this:
0 chain=input action=accept connection-state=established,related log=no log-prefix=""
1 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=ACCESS_BLACKLIST address-list-timeout=30m log=no log-prefix=""
2 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR1 address-list-timeout=30s dst-port=2500 log=no log-prefix=""
3 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=DOOR1 address-list=DOOR2 address-list-timeout=2m dst-port=2600 log=no log-prefix=""
4 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR2 address-list-timeout=1s in-interface=ether2 dst-port=22 log=no log-prefix=""
5 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ACCESS_TRY_3 address-list=ACCESS_BLACKLIST address-list-timeout=20s port=22 log=no log-prefix=""
6 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ACCESS_TRY_2 address-list=ACCESS_TRY_3 address-list-timeout=20s port=22 log=no log-prefix=""
7 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ACCESS_TRY_1 address-list=ACCESS_TRY_2 ddress-list-timeout=20s port=22 log=no log-prefix=""
8 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=DOOR2 address-list=ACCESS_TRY_1 address list-timeout=20s port=22 log=no log-prefix=""
9 chain=input action=drop protocol=tcp src-address-list=ACCESS_BLACKLIST port=22 log=no log-prefix=""
10 chain=input action=accept connection-state=new protocol=tcp src-address-list=DOOR2 dst-port=22 log=no log-prefix=""
11 chain=input action=drop log=no log-prefix=""
1 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=ACCESS_BLACKLIST address-list-timeout=30m log=no log-prefix=""
2 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR1 address-list-timeout=30s dst-port=2500 log=no log-prefix=""
3 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=DOOR1 address-list=DOOR2 address-list-timeout=2m dst-port=2600 log=no log-prefix=""
4 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=DOOR2 address-list-timeout=1s in-interface=ether2 dst-port=22 log=no log-prefix=""
5 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ACCESS_TRY_3 address-list=ACCESS_BLACKLIST address-list-timeout=20s port=22 log=no log-prefix=""
6 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ACCESS_TRY_2 address-list=ACCESS_TRY_3 address-list-timeout=20s port=22 log=no log-prefix=""
7 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ACCESS_TRY_1 address-list=ACCESS_TRY_2 ddress-list-timeout=20s port=22 log=no log-prefix=""
8 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=DOOR2 address-list=ACCESS_TRY_1 address list-timeout=20s port=22 log=no log-prefix=""
9 chain=input action=drop protocol=tcp src-address-list=ACCESS_BLACKLIST port=22 log=no log-prefix=""
10 chain=input action=accept connection-state=new protocol=tcp src-address-list=DOOR2 dst-port=22 log=no log-prefix=""
11 chain=input action=drop log=no log-prefix=""
an example of a brute force attack:
And a bit further again: email when your router detect and filter an attack. You need only two configurations: “/tool e-mail” and “system loggin”. In addition you can add a prefix to log line.
/ip firewall filter
set 5 log=yes log-prefix="IP BACKLISTED"
/system logging action
add email-to=somebody@example.com name=mail target=email
/system logging
add action=mail prefix=**IP-BANNED** topics=firewall
Finally, the complete script that resume all the post is the following:
/ip firewall filter
add chain=input connection-state=established,related
add chain=input protocol=tcp psd=21,3s,3,1 \
add chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=DOOR2
add action=drop chain=input
/system logging actionadd chain=input protocol=tcp psd=21,3s,3,1 \
action=add-src-to-address-list address-list=ACCESS_BLACKLIST address-list-timeout=30m
add chain=input connection-state=new dst-port=2500 protocol=tcp \
action=add-src-to-address-list address-list=DOOR1 address-list-timeout=30s
add chain=input connection-state=new dst-port=2600 protocol=tcp src-address-list=DOOR1 \
action=add-src-to-address-list address-list=DOOR2 address-list-timeout=2m
add chain=input connection-state=new dst-port=22 in-interface=ether2 protocol=tcp \
action=add-src-to-address-list address-list=DOOR2 address-list-timeout=1s
add chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ACCESS_TRY_3 \
action=add-src-to-address-list address-list=ACCESS_BLACKLIST address-list-timeout=20s \
log=yes log-prefix="IP BACKLISTED"
add chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ACCESS_TRY_2 \log=yes log-prefix="IP BACKLISTED"
action=add-src-to-address-list address-list=ACCESS_TRY_3 address-list-timeout=20s
add chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ACCESS_TRY_1 \
action=add-src-to-address-list address-list=ACCESS_TRY_2 address-list-timeout=20s
add chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=DOOR2 \
action=add-src-to-address-list address-list=ACCESS_TRY_1 address-list-timeout=20s
add action=drop chain=input port=22 protocol=tcp src-address-list=ACCESS_BLACKLISTadd chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=DOOR2
add action=drop chain=input
add email-to=somebody@example.com name=mail target=emai
/system logging
add action=mail prefix=**IP-BAN** topics=firewall
I hope you enjoy it!