Knock secret daily changeable

RouterOS Scripting
1

there are 3 scripts here , fwknock.rsc , miknock.rsc & knockgen.py The fwknock.rsc adds the static Firewall rules on your mikrotik for to craete an static IP as
Admin address list (Change it for your desired IP) and also due to it after ping and knock 2 ports the dynamic Admin will be add to address list for 1 hour.

/ip firewall address-list
add address=192.168.25.252 list=Admin
/ip firewall filter
add action=drop chain=input dst-port=20,21,22,23,80,8291 protocol=tcp \
    src-address-list=!Admin
add action=add-src-to-address-list address-list=ICMP address-list-timeout=20s \
    chain=input protocol=icmp comment="ICMP"
add action=add-src-to-address-list address-list="ICMP+TCP 10000" \
    address-list-timeout=20s chain=input dst-port=10000 protocol=tcp \
    src-address-list=ICMP comment="knockP1"
add action=add-src-to-address-list address-list=Admin address-list-timeout=1h \
    chain=input dst-port=15000 protocol=tcp src-address-list="ICMP+TCP 10000" comment="knockP2"

you can use miknock.rsc for to scheduler daily change knock port numbers. Change the Salt , SaltPort and MainPort for to customize the calculation ports.

:local Salt 456
:local SaltPort 30
:local MainPort 10000
:local dateNow [/system clock get date];
:local dateNowDay [:pick $dateNow 4 6]
:local dateNowMonth [:pick $dateNow 0 3]
:local dateNowYear [:pick $dateNow 7 11]
:local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
:set dateNowMonth ([:find $months $dateNowMonth -1 ] + 1)
:local newPassword ("$dateNowYear" + "$dateNowDay" + "$dateNowMonth" - "$Salt");
:if ( $dateNowDay < 15 ) do={
:set newPassword ("$dateNowYear" - "$dateNowDay" - "$dateNowMonth" + "$Salt");
};
:local PortOne ("$MainPort" + "$newPassword" - "$SaltPort");
:local PortTwo ("$MainPort" - "$newPassword" + "$SaltPort");
/ip firewall filter set dst-port=$PortOne [find comment=knockP1];
/ip firewall filter set dst-port=$PortTwo [find comment=knockP2];

The final scrip knockgen.py can help you for to create the command that you can use on your PC for knocking the MIkrotik. Be sure the Salt , SaltPort and MainPort are the same with in the miknock.rsc if you changed , also change the IP to your Mikrotik IP

more info here and download the files :
[moreinfo][https://github.com/scriptik/miKnock]

2

Are you aware that port-knocking is nothing else than different variant of plain-text password? It is not even security-by-obscurity because those ports are clearly visible to anyone on the link.
I don’t understand why people still spend so much effort implementing such insecure approach.

3

Can you edit your post and add som information in the top on what this is and what its used for.
Also use the code tag button to add code tags around your script. Button look like this above the post </>

4

Thank you for your caution , but all of the parameters are just sample and you can change it for yourself as me did

5

I added code tags .
The first script just adds the simple knock port firewall and the second script changes the ports daily according
to the time and date and for to create the different values I added some Salts that you can change it yourself.

6

You should write some header, like this script is used to secure the switch access etc. Example, Why do we need it?

7

See this please why we need port knocking , I add some things later in the header

8

Not everyone is on same link. ISP where server is connected can see the ports, ISP where I’m connecting from can too, and so can anyone in between. But random internet hackers from elsewhere can’t, they have to guess the right ports. So as a very simple first layer, why not.

9

You are literary arguing in favour of plain-text passwords. Can you imagine logging into your Gmail or Hotmail on plain old http? :unamused:
Sorry, I just can’t agree with this approach. And I will warn people every time I notice someone promoting port-knocking as a “security measure”.

10

No, I’m just saying that it may be good enough as simple additional protection (not in any definitive sense) against random bots. So they won’t start guessing real service’s passwords right away, but they will have to guess some ports first. It is slightly better with it than without it…

11

Port knocking at least 4 ports in the correct order provide a layer of security. High port, Low Port, High Port, Low Port.

  1. Port scanning all ports not responding
  2. Attacker would have to know you are using Port Knocking
  3. Port Knocking only allows the IP address that did the port knocking in and can be limited to a certain period of time 20 min
    4.Changing the ports daily would increase the security.
  4. Port knocking is only first layer of security.