 
channingzou
Member Candidate
Topic Author
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

how do i use port knock.exe

Tue Jul 24, 2007 8:06 am

Hi all,
how do I use port knocking?
I use the command below in the WinBox terminal:
/ip firewall filter
Knock.exe 192.168.0.2 1337:tcp 7331:tcp
It does not work for me. How do I make it correct?
 
normis
MikroTik Support
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how do i use port knock.exe

Tue Jul 24, 2007 8:32 am

What is "Knock.exe" and where did you get this command? I suggest you read the manual on the command line interface:

http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php
 
channingzou
Member Candidate
Topic Author
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: how do i use port knock.exe

Tue Jul 24, 2007 8:40 am

 
channingzou
Member Candidate
Topic Author
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: how do i use port knock.exe

Tue Jul 24, 2007 8:46 am

Hi, does http://wiki.mikrotik.com mean anyone can change information there, so it may not be correct?
 
normis
MikroTik Support
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how do i use port knock.exe

Tue Jul 24, 2007 8:52 am

> Hi, does http://wiki.mikrotik.com mean anyone can change information there, so it may not be correct?

It is correct, but that command is not for RouterOS - it is for WINDOWS!!!
 
mrz
MikroTik Support
Posts: 7154
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: how do i use port knock.exe

Tue Jul 24, 2007 10:38 am

Add firewall rules:
/ip firewall filter
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=temp address-list-timeout=15s

add chain=input protocol=tcp dst-port=7331 src-address-list=temp action=add-src-to-address-list address-list=safe address-list-timeout=15m
Now you can download knock.exe http://www.zeroflux.org/proj/knock/file ... cygwin.zip
and execute Knock.exe 192.168.0.2 1337:tcp 7331:tcp from the Windows terminal (you will be able to access the router for 15 minutes).
 
normis
MikroTik Support
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how do i use port knock.exe

Tue Jul 24, 2007 10:43 am

> Add firewall rules:
> /ip firewall filter
> add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=temp address-list-timeout=15s
>
> add chain=input protocol=tcp dst-port=7331 src-address-list=temp action=add-src-to-address-list address-list=safe address-list-timeout=15m
> Now you can download knock.exe http://www.zeroflux.org/proj/knock/file ... cygwin.zip
> and execute Knock.exe 192.168.0.2 1337:tcp 7331:tcp from the Windows terminal (you will be able to access the router for 15 minutes).

Shouldn't you add some more rules to complete this setup? Like rules that block people not in the safe list :)
 
mrz
MikroTik Support
Posts: 7154
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: how do i use port knock.exe

Tue Jul 24, 2007 11:24 am

Yes, right, but I just wanted to point out the configuration rules for port knocking.

So the complete rule list would be:
/ip firewall filter
add chain=input src-address-list=safe action=accept

add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=temp address-list-timeout=15s

add chain=input protocol=tcp dst-port=7331 src-address-list=temp action=add-src-to-address-list address-list=safe address-list-timeout=15m

add chain=input action=drop
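
An added illustration, not part of the thread and not MikroTik code: a simplified Python model of how the input chain walks the rule list above, showing the 15 s and 15 min windows and why the two list-building rules on their own, without the accept and drop rules, block nothing. The client address is constructed, and the probes to 8291 (Winbox's default port) are an assumption of the example.

```python
# Added illustration, not MikroTik code: simplified model of the input chain.
TEMP_TTL, SAFE_TTL = 15, 15 * 60   # seconds, from the address-list-timeout values

class Router:
    def __init__(self, accept_and_drop=True):
        self.lists = {"temp": {}, "safe": {}}   # list name -> {ip: expiry time}
        self.accept_and_drop = accept_and_drop  # False = only the two knock rules

    def in_list(self, name, ip, now):
        return now < self.lists[name].get(ip, float("-inf"))

    def add_static(self, ip):
        self.lists["safe"][ip] = float("inf")   # static entry, never expires

    def packet(self, ip, dport, now):
        """Verdict for one new TCP packet addressed to the router at time now."""
        # Rule 1: sources already in 'safe' are accepted.
        if self.accept_and_drop and self.in_list("safe", ip, now):
            return "accept"
        # Rule 2: first knock. Adding to a list does not stop rule processing.
        if dport == 1337:
            self.lists["temp"][ip] = now + TEMP_TTL
        # Rule 3: second knock counts only while the source is still in 'temp'.
        if dport == 7331 and self.in_list("temp", ip, now):
            self.lists["safe"][ip] = now + SAFE_TTL
        # Rule 4: drop the rest. Without it the chain falls through to accept.
        return "drop" if self.accept_and_drop else "accept"

def demo():
    r, ip, seen = Router(), "203.0.113.7", []   # constructed client address
    seen.append(r.packet(ip, 8291, 0))          # Winbox port, no knock yet
    r.packet(ip, 7331, 1)                       # wrong order, ignored
    seen.append(r.packet(ip, 8291, 2))
    r.packet(ip, 1337, 10)
    r.packet(ip, 7331, 30)                      # 20 s later, 'temp' has expired
    seen.append(r.packet(ip, 8291, 31))
    r.packet(ip, 1337, 40)
    r.packet(ip, 7331, 45)                      # in time, source moves to 'safe'
    seen.append(r.packet(ip, 8291, 46))
    seen.append(r.packet(ip, 8291, 45 + SAFE_TTL + 1))   # 15 min window is over
    return seen

if __name__ == "__main__":
    print(demo())                               # full rule list
    print(Router(accept_and_drop=False).packet("203.0.113.7", 8291, 0))
```

The model refreshes a list entry's timeout when the same source is added again, which is a simplification and may differ from a given RouterOS version.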
 
channingzou
Member Candidate
Topic Author
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: how do i use port knock.exe

Tue Jul 24, 2007 5:14 pm

another question, how do I add people to safe list?
 
mrz
MikroTik Support
Posts: 7154
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: how do i use port knock.exe

Tue Jul 24, 2007 10:48 pm

why do you need to add people to safe list?
those who will know how to knock will be able to access router.

but anyway you can do this by adding static entries to list:

/ip firewall address-list
add list=safe address=xx.xx.xx.xx
 
GWISA
Member
Posts: 389
Joined: Tue Jan 31, 2006 2:37 pm
Location: Johannesburg, South Africa

Re: how do i use port knock.exe

Tue Jul 24, 2007 11:17 pm

> those who will know how to knock will be able to access router.

:shock:
Good luck finding the port combination (is it just two?), and then the router password after that!
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: how do i use port knock.exe

Thu Jul 26, 2007 10:47 am

I would agree with the idea that the router needs a safe list - where you know that only you will be trying to connect to your router, or you can control who tries to connect.

So create an address list for safe IPs that can connect without knocking,
and accept them before port knocking kicks in.
 
normis
MikroTik Support
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how do i use port knock.exe

Thu Jul 26, 2007 11:04 am

What's the point of knocking then, if you create a safe list? Anyone could spoof your IP if they knew it was in the safe list. Knocking is not so easy to guess, so it is safer.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: how do i use port knock.exe

Thu Jul 26, 2007 12:05 pm

I would not agree with that completely.

But I will add that security is good while the cost of security is not more than the value of the system it protects. So, see how valuable your system is and introduce the measures that you find appropriate.

(Like, why use a 32-symbol password if a 12 - 15 symbol password will suffice?)
 
normis
MikroTik Support
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how do i use port knock.exe

Thu Jul 26, 2007 1:28 pm

OP wanted portknock :)
 
channingzou
Member Candidate
Topic Author
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: how do i use port knock.exe

Fri Jul 27, 2007 5:17 pm

Does port knock only work for public?
Because I use a local PC, and I don't add any safe address list, I can still access the router.
Thanks!
 
channingzou
Member Candidate
Topic Author
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: how do i use port knock.exe

Sat Jul 28, 2007 8:05 am

> Add firewall rules:
> /ip firewall filter
> add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=temp address-list-timeout=15s
>
> add chain=input protocol=tcp dst-port=7331 src-address-list=temp action=add-src-to-address-list address-list=safe address-list-timeout=15m
> Now you can download knock.exe http://www.zeroflux.org/proj/knock/file ... cygwin.zip
> and execute Knock.exe 192.168.0.2 1337:tcp 7331:tcp from the Windows terminal (you will be able to access the router for 15 minutes).

Why, when I execute knock.exe, does it close automatically? I have no chance to type a command.
Any advice?
 
jaytcsd
Member
Posts: 334
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: how do i use port knock.exe

Sat Jul 28, 2007 8:29 am

You have to type the command line all at once, it's not interactive, it won't prompt you for variables.

I use this batch file for my system

>>knock 172.125.3.203 45:tcp
pause
knock 172.125.3.203 46:tcp<<

that way I have to hit the enter key, that helps me to know that the command has run correctly.
 
channingzou
Member Candidate
Topic Author
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: how do i use port knock.exe

Sat Jul 28, 2007 9:09 am

> You have to type the command line all at once, it's not interactive, it won't prompt you for variables.
>
> I use this batch file for my system
>
> >>knock 172.125.3.203 45:tcp
> pause
> knock 172.125.3.203 46:tcp<<
>
> that way I have to hit the enter key, that helps me to know that the command has run correctly.

I have no chance to type; when I double-click knock.exe, it closes immediately.
 
mrz
MikroTik Support
Posts: 7154
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: how do i use port knock.exe

Sat Jul 28, 2007 11:46 am

As mentioned before, knock.exe is a command line utility.
http://en.wikipedia.org/wiki/Command_line_interface

http://www.microsoft.com/resources/docu ... x?mfr=true

read carefully and only then ask dumb questions.
 
normis
MikroTik Support
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how do i use port knock.exe

Mon Jul 30, 2007 8:45 am

Open the Windows command prompt and execute the command there. Do not run knock.exe by clicking on it!
 
dannyboy
Member Candidate
Posts: 195
Joined: Fri Sep 16, 2005 4:21 am
Location: Nicaragua/USA

Re: how do i use port knock.exe

Tue Oct 22, 2013 5:11 pm

Hello,

I have followed the full instructions to secure my router at the same link http://wiki.mikrotik.com/wiki/Securing_ ... t_Knocking

Now I can't log in to my router from anywhere!!! I downloaded Knock.exe and ran it, but this does not work. I also tried to type the command at the Windows cmd prompt and it says 'knock' is not recognized as an internal or external command, operable program or batch file.

I am locked out and I don't know what else to do. I don't want to reset my whole router after doing all that work. Normis, if you can and have time, I can send you my IP and you can see if you can go into it and disable the port knocking for me? Or maybe send me info on how exactly to run the knock on the Windows cmd line?

The weird thing is that I did put my home's IP address on the address list and it's not working.

Thanks
 
dannyboy
Member Candidate
Posts: 195
Joined: Fri Sep 16, 2005 4:21 am
Location: Nicaragua/USA

Re: how do i use port knock.exe

Tue Oct 22, 2013 5:51 pm

Never mind I got it working!!!! This is what I did for those that are having the problem:

I downloaded knock.exe from http://www.zeroflux.org/proj/knock/file ... cygwin.zip

I then unzipped and placed the exe file and dll on my C drive.

I then went into the cmd prompt in Windows and went to C:/ only.

I then just placed the code Knock.exe (your server IP) 1337:tcp 7331:tcp. Hit enter and you should get the c:/ prompt again.

Went to Winbox and logged in!!

Now I am going to change the ports since everyone has seen this post and uses the ports.

Hope this helped!!

Daniel
