Port Knocking to run a command?

I would like the router to run a script when it encounters a port knock. Is this possible?

One method I did think of was to implement port-knock normally (it puts src-address in a list with 8 second timeout), and then a script that runs every 5 seconds checks to see if the list is empty.

If the list is empty, it does nothing. If the list is not empty, it runs the actual intended script.

This is quite a workaround, and I was hoping for a cleaner method.

Any ideas?

My actual reason for doing this is so a normal end-user can allow tech support to access their network through pptp by enabling the tech support ppp account with the click of a button on the end user’s desktop. The end user simply clicks a pre-made knock.exe batch file, and it enables the tech support ppp account for x hours. This gives the end user some control over their network, and they don’t have to worry about someone logging in without them knowing about it… and they don’t have to learn how to use winbox or telnet.

Thanks.
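The "knock list plus watcher" workaround described in the post above, written out as RouterOS CLI commands. This is an added example, not the poster's own configuration: the knock ports (1111 then 2222), the list names `knock1` and `knocked`, the PPP secret name `techsupport` and the 2-hour window are all assumed placeholders. It goes slightly beyond the post by using the timeout of the second list as the "x hours" access window, so the same watcher that enables the account also disables it again when the last entry expires.

```routeros
# Added example (not from the thread): knock sequence + scheduled watcher.
# Assumed/hypothetical values: ports 1111 and 2222, lists "knock1" and
# "knocked", PPP secret "techsupport", 2h access window.

# Stage 1: a hit on tcp/1111 puts the source address in "knock1" for 8 seconds.
/ip firewall filter
add chain=input protocol=tcp dst-port=1111 action=add-src-to-address-list \
    address-list=knock1 address-list-timeout=8s comment="knock stage 1"
# Stage 2: a hit on tcp/2222, only from a host already in "knock1", puts the
# source in "knocked". That list's timeout is the access window, so expiry of
# the entry is what ends the session window.
add chain=input protocol=tcp dst-port=2222 src-address-list=knock1 \
    action=add-src-to-address-list address-list=knocked \
    address-list-timeout=2h comment="knock stage 2"
# Drop the knock ports themselves so a knock never reaches a real service.
# Keep these three rules above any generic accept rules in the input chain.
add chain=input protocol=tcp dst-port=1111,2222 action=drop comment="knock ports"

# Source of a script named "knock-watch" (create it under /system script).
# Enables the account while "knocked" has entries, disables it once empty.
:local hits [:len [/ip firewall address-list find list="knocked"]]
:local disabled [/ppp secret get [find name="techsupport"] disabled]
:if ($hits > 0 && $disabled) do={
    /ppp secret set [find name="techsupport"] disabled=no
    :log info "knock-watch: techsupport enabled"
}
:if ($hits = 0 && !$disabled) do={
    /ppp secret set [find name="techsupport"] disabled=yes
    # kick any session still up on the account so the window really closes
    /ppp active remove [find name="techsupport"]
    :log info "knock-watch: techsupport disabled"
}

# Run the watcher every 5 seconds, as in the post.
/system scheduler
add name=knock-watch interval=5s on-event=knock-watch
```

The PPTP service itself (tcp/1723 and GRE) still has to be accepted in the input chain for the tech support client; this block only controls whether the account can log in. The 5-second poll means the account is enabled up to 5 seconds after the knock completes and disabled up to 5 seconds after the list entry expires, which is the latency the original post was trying to avoid.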

Possibly a stupid idea: if you have an unused ethernet interface on the routers, put a /32 address on it. Make a netwatch script that monitors that IP address and on up enables your PPP user, and on down disables it. Give the end user a hard loop - they plug it into the port to enable PPP for you, and unplug it to disable.

I’m glad you wrote that, because I would not have thought of it. However, that increases work and complexness for the user. You probably don’t want an average end user unplugging cables from the router.

Actually, I’ve been thinking about this and I bet the best solution, short of API which I don’t want to get into yet, would be to script a telnet session to a batch file. A batch file that runs a telnet script to run a script on the router… simple. There are free command-line programs available that will script telnet scripts. Of course, for security, you need a limited telnet user since the password would be scripted in plain-text.

Here’s an excellent article about setting up portknocking on Mikrotik:

http://blog.cactiusers.org/2009/04/17/mikrotik-port-knocking/

Thank you for that in-depth article, although I’m not asking how to set up port knocking. I was actually asking how to make Port Knocking run a script, which that article does not mention.

You could have the ppp account always active and control access by opening or closing the firewall through port knock.

How would I do that? I could not use src-address because the knock is coming from a different computer? Wouldn’t I still need a script to change the firewall?

Something like ‘allow incoming pptp (tcp/1723) only from addresses in address-list’
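The rule suggested above, as an added example rather than the poster's own config, with the PPP account left enabled and reachability of the PPTP service gated on the knock list instead. It assumes the knock rules populate an address list named `knocked` (hypothetical name) and adds the GRE rule that PPTP needs alongside tcp/1723.

```routeros
# Added example (not from the thread): gate the PPTP service on the knock list.
# Assumes a list named "knocked" filled by the knock rules (hypothetical name).
/ip firewall filter
# PPTP control channel, only from hosts that completed the knock sequence.
add chain=input protocol=tcp dst-port=1723 src-address-list=knocked \
    action=accept comment="pptp from knocked hosts"
# PPTP carries the tunnel in GRE (IP protocol 47), which needs its own accept.
add chain=input protocol=gre src-address-list=knocked \
    action=accept comment="pptp gre from knocked hosts"
# Everyone else is dropped. Place all four rules below the knock-stage rules
# and above any general accept, otherwise the gate is bypassed.
add chain=input protocol=tcp dst-port=1723 action=drop comment="pptp from others"
add chain=input protocol=gre action=drop comment="gre from others"
```

Because `src-address-list` matches the address that sent the knock, this variant only works when the knocking machine is also the PPTP client; a knock from one computer does nothing for a different computer's address, which is exactly the question the thread leaves open.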

Yes, I understand that rule, but how would port knocking from Computer-A put the IP Address of Computer-B into the address-list?