 
sejtam
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Dec 14, 2014 4:23 pm

single packet authorization (or port-knocking with replay protection)?

Tue Apr 21, 2015 5:59 am

Has anyone found a way to build a port-knocking listener with cryptographic hash checking (to prevent sniffing/replay attacks) for RouterOS/MikroTik?

It would need to be something for which a client can be built on Linux/Mac and also Android and iOS clients.

http://www.cipherdyne.org/fwknop/docs/SPA.html describes such a scheme in general using a tool called fwknop.

Not sure how one would build the daemon for this in RouterOS. It would require the ability to call a script from a firewall rule (with the packet as parameter) and then a script like http://forum.mikrotik.com/viewtopic.php?t=62895.

The script called from the packet filter could then hash a known password, timestamp etc. and compare the result with the received packet data. If successful, the source address of the packet could be added to an address-list for a while to allow access.
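Added example, not code from this thread or from fwknop: a minimal single-packet authorization check of the kind described above, in Python. It assumes a shared secret, a 30-second freshness window and a nonce cache for replay protection; the addresses and secret are constructed for the example, and on the router the "ok" result would be the point at which the source address is added to the address-list.

```python
import hashlib
import hmac
import os
import struct

WINDOW_SECONDS = 30  # how far a knock's timestamp may drift from the listener's clock

def make_knock(secret: bytes, src_ip: str, now: float, nonce: bytes = None) -> bytes:
    """Client side: payload = timestamp(8) || nonce(16) || HMAC-SHA256(secret, ip||ts||nonce).
    Binding the source address into the MAC means a sniffed knock only works
    from the address it was issued for (the client must use the address the
    router will see, so NAT in between needs care)."""
    nonce = nonce or os.urandom(16)
    ts = struct.pack(">Q", int(now))
    tag = hmac.new(secret, src_ip.encode() + ts + nonce, hashlib.sha256).digest()
    return ts + nonce + tag

class KnockVerifier:
    """Listener side: verifies MAC, freshness and nonce uniqueness, in that order."""

    def __init__(self, secret: bytes, window: int = WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp; entries older than the window are dropped

    def verify(self, payload: bytes, src_ip: str, now: float) -> str:
        if len(payload) != 8 + 16 + 32:
            return "malformed"
        ts_raw, nonce, tag = payload[:8], payload[8:24], payload[24:]
        expected = hmac.new(self.secret, src_ip.encode() + ts_raw + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "bad-mac"
        ts = struct.unpack(">Q", ts_raw)[0]
        if abs(int(now) - ts) > self.window:
            return "stale"
        self._expire(now)
        if nonce in self.seen:  # same valid packet seen again inside the window
            return "replay"
        self.seen[nonce] = ts
        return "ok"

    def _expire(self, now: float) -> None:
        cutoff = int(now) - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed for the example
    v = KnockVerifier(secret)
    knock = make_knock(secret, "198.51.100.7", 1_000_000.0)
    print(v.verify(knock, "198.51.100.7", 1_000_000.0), v.verify(knock, "198.51.100.7", 1_000_005.0))
```

The nonce cache only needs to hold entries for the freshness window, since anything older is rejected as stale before the cache is consulted.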
 
kburzyns
just joined
Posts: 14
Joined: Mon Mar 09, 2015 8:50 am

Re: single packet authorization (or port-knocking with replay protection)?

Tue Apr 21, 2015 9:02 am

Port knocking on MikroTik is described here:
http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: single packet authorization (or port-knocking with replay protection)?

Tue Apr 21, 2015 8:18 pm

No - there's no port knock listener process on Mikrotik, so you can't do a one packet crypto-knock.

You could make the default NAT rule for sources not in the "knock-auth" list cause all traffic to be dst-nat'ed to a host which can listen - some crypto-knock schemes use all unbound ports to listen, and the destination port can be significant as well...

Anyway, you could make the crypto-knock listener, upon a successful knock being received, send another knock to the inside address of the Mikrotik - one which would be filtered from arriving via the WAN, so no crypto is required... then THAT knock opens the ports... (or instead of an insider knock, use an API client, or an ssh script - whatever means you require)

When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: single packet authorization (or port-knocking with replay protection)?

Thu May 28, 2015 4:22 pm

I have actually looked at this myself. Unfortunately there is nothing baked in that you have access to for doing the security part of it, and scripting isn't powerful enough.
