I actually time out after 2 seconds at each step, and only last address list takes a bit longer so the script to trigger
the action don't need to run too often.
Actually a question: Do you think it is better to "knock" in bigger time distance (and its hard to trace / see that
those knocks are related) or do it in shorter distance and leave less "surface attack" as the lists time out faster?
I know leave +- 500ms between each "knock" , the different packets that make out the knock-sequence are stored in the ACL for 10 second or something. So time-window / window-of-opportunity is quite small.
I think attack-surface is pretty small when having these ACL's timeout in the order of "seconds".
I had to experiment a bit with the timers because I also have a rule to add "port-scanners" straight onto a ACL and they are stuck on there for a week or so.
This port-knocking in essence is also port-scanning, so I added an "exclusion" for that port-scanning rules that it does not trigger IF you made it already onto some stage in the knocking-sequence.
I use the
Weight Threshold
Delay Threshold
Low Port Weight
High Port Weight
parameters for this. So any public IP that tries certain quantities of probes over a period of several hours is thrown on the "Port Scanners" list.
It was a bit tuning to make sure port-knocking was not captured by this rules. Offcourse using a Portknock APP with a saved sequence normally prevents this, but some intermediate network-issue can prevent certain things to come through from the first time , hence I'm not toooo aggressive on the parameters.
The downside is that these ACL's do not survive reboots. See below an example. I had upgraded my Mikrotik hence the list got flushed
But in average about 170-200 IP's are on that port-scanner list and remain there for a week.
Sure they would get denied anyway by a final "drop any" rule, so my "construction" is more just to make thing visible and for fun actually.
(below graph is over 1 month)