MikroTik Port Knocking: Unlock Like a Stealth Pro

Tired of Brute Force? Time for a Secret Handshake!

In today’s interconnected world, exposing your network management ports like SSH (22) or WinBox (8291) directly to the internet is like leaving your front door wide open. Every botnet and script kiddie out there is constantly scanning for vulnerable targets, and your MikroTik router is no exception. I’ve personally seen logs filled with hundreds, sometimes thousands, of failed login attempts daily. It’s not just annoying; it’s a constant threat that drains resources and, more importantly, creates a potential backdoor into my network. This is precisely why implementing MikroTik Port Knocking became a priority for me, drastically improving my router’s defenses.

That’s why I became a huge fan of Port Knocking. Imagine a secret handshake that only you know. Before you can even attempt to log in, you have to “knock” on a specific sequence of “hidden” ports. Only then does your MikroTik briefly open the real management port for your IP address. It’s incredibly effective at drastically reducing your attack surface, essentially making your router invisible to automated scanners. This robust form of MikroTik Port Knocking provides an unparalleled layer of stealth, allowing for a much more secure remote access strategy.

In this guide, I’m going to walk you through how I’ve implemented a robust Port Knocking setup on MikroTik, complete with email notifications, so I always know when someone (hopefully me!) gets in. The best part? I’ll also show you how to create a simple, yet powerful, client script for your Android phone using Termux, allowing you to securely access your MikroTik from anywhere. Ready to make your router a digital fortress? Let’s dive in!

The Power of Port Knocking: Why I Switched

Before diving into the nitty-gritty, let’s talk about why Port Knocking is such a game-changer. My traditional approach was simply changing the default SSH or WinBox ports to something obscure like 22222 or 88888. While this helps against some generic scans, it’s easily defeated by a determined attacker using more comprehensive port scanning tools. A hidden port is still just a port waiting to be found.

Port Knocking, however, adds a layer of security through obscurity that’s far more sophisticated. It’s a “stateful” process. Your router isn’t just looking for a single open port; it’s looking for a specific sequence of connection attempts on otherwise closed ports. If you don’t send the right sequence within a given timeframe, nothing happens. My management ports literally don’t exist to anyone who doesn’t know the secret knock. This significantly reduces the chances of automated attacks and makes it much harder for a human attacker to even begin a brute-force attempt. I’ve found that this setup brings immense peace of mind, distinguishing it from other less robust solutions for MikroTik Port Knocking.

Setting Up Your MikroTik: The Brains of the Operation

The MikroTik side is where the magic happens. We’ll configure its email client, set up the firewall rules to listen for our secret knock, create a script to send email alerts, and finally, schedule that script to run periodically. For more general MikroTik security tips, you might find this article useful: Enhancing MikroTik Security.

Email Configuration: Your Security Sentry

First things first, your MikroTik needs to be able to send emails. I use Gmail for this, but you could use any SMTP server. What’s crucial here is that if you’re using Gmail, you must generate an “App Password” specifically for your MikroTik, rather than using your regular Gmail password. Google has tightened security, and this is the secure way to allow devices to send emails.

Here’s how I configure it:

/tool e-mail set address=smtp.gmail.com port=587 start-tls=yes user=your-email@gmail.com password=your-app-password from=your-email@gmail.com

What it does: This command tells your MikroTik how to connect to an SMTP server.

  • address=smtp.gmail.com: Specifies the Gmail SMTP server.
  • port=587: The standard mail submission port, used here with STARTTLS.
  • start-tls=yes: Ensures the connection is encrypted, which is vital for security.
  • user, password, from: Your Gmail credentials (specifically the App Password) and the sender email.

Crafting Your Secret Knock: Firewall Rules for MikroTik Port Knocking

This is the core of the MikroTik Port Knocking system. We’re creating a chain of rules that react to specific connection attempts, gradually adding the source IP to different address lists.

/ip firewall filter
add chain=input protocol=tcp dst-port=1001 action=add-src-to-address-list address-list=knock1 address-list-timeout=10s comment="Port Knocking: Step 1"
add chain=input protocol=tcp dst-port=2002 src-address-list=knock1 action=add-src-to-address-list address-list=knock2 address-list-timeout=10s comment="Port Knocking: Step 2"
add chain=input protocol=tcp dst-port=3003 src-address-list=knock2 action=add-src-to-address-list address-list=authorized address-list-timeout=1h comment="Port Knocking: Final Step - Authorize"
add chain=input src-address-list=authorized action=accept comment="Allow authorized port knockers"

Let’s break it down:

  1. add chain=input protocol=tcp dst-port=1001 action=add-src-to-address-list address-list=knock1 address-list-timeout=10s
    • If any IP tries to connect to port 1001 (my first secret knock), their IP is added to an address list called knock1.
    • address-list-timeout=10s: This is crucial! They only have 10 seconds to make the next knock. If they fail, their IP is removed from knock1, and they have to start over.
  2. add chain=input protocol=tcp dst-port=2002 src-address-list=knock1 action=add-src-to-address-list address-list=knock2 address-list-timeout=10s
    • This rule only applies if the source IP is already in knock1. If they then hit port 2002 within the 10-second window, their IP moves to knock2.
  3. add chain=input protocol=tcp dst-port=3003 src-address-list=knock2 action=add-src-to-address-list address-list=authorized address-list-timeout=1h
    • Similarly, if an IP in knock2 hits 3003, they are finally added to the authorized list.
    • address-list-timeout=1h: This means once authorized, their access lasts for an hour. After that, they’ll need to re-knock. I’ve found an hour is a good balance for my needs; you might want shorter or longer.
  4. add chain=input src-address-list=authorized action=accept
    • This is the final gate! Any IP in the authorized list is now allowed to connect to any input service (like SSH, WinBox, HTTP, HTTPS) on your MikroTik. This rule should be placed above any rules that block these services, but below the knocking rules themselves.

Important Note on Rule Order: The order of these rules in your firewall filter is critical. Make sure the action=accept rule for authorized IPs comes after your specific dst-port knocking rules, but before any general drop or reject rules for your management ports. I usually put it near the top of my input chain. This ensures the MikroTik Port Knocking sequence functions as intended, providing robust network security.

Automated Alerts: The Email Notification Script

Knowing when your MikroTik Port Knocking sequence is successfully completed is invaluable for security and peace of mind. This script checks for newly authorized IPs and sends you an email.

/system script
add name=send-email source={
    :local newauth [/ip firewall address-list find where list=authorized and timeout>59m];
    :if ([:len $newauth] > 0) do={
        :local ip [/ip firewall address-list get [:pick $newauth 0] address];
        :local router [/system identity get name];
        /tool e-mail send to=recipient@example.com subject=("Port Knock Success: " . $router) body=("IP authorized via Port Knocking: " . $ip);
    }
}

How it works:

  • :local newauth [/ip firewall address-list find where list=authorized and timeout>59m];: This is a clever trick! It searches the authorized address list for entries that have a timeout greater than 59 minutes. Since our timeout is 1 hour (60 minutes), this effectively finds entries added within the last minute. Keep in mind that the scheduler below fires every 10 seconds and an entry stays above 59m for its whole first minute, so one authorization can trigger up to six emails, and only the first new entry is reported on each run.
  • :if ([:len $newauth] > 0) do={ ... }: If any new authorized IPs are found…
  • :local ip [/ip firewall address-list get [:pick $newauth 0] address];: It grabs the IP address of the first new authorized entry.
  • :local router [/system identity get name];: Gets your router’s name for the email subject.
  • /tool e-mail send ...: Sends the email to your specified recipient@example.com with the router’s name in the subject and the authorized IP in the body.

Why it’s crucial: This script acts as your immediate notification system. I’ve found this incredibly useful for monitoring who’s accessing my network and when, especially if I’m sharing access with others. It complements the MikroTik Port Knocking perfectly by providing real-time alerts and enhancing your overall network monitoring capabilities.

Keeping Watch: The Scheduler

To make sure our email script runs automatically, we’ll set up a scheduler.

/system scheduler
add name=check-auth interval=10s on-event=send-email comment="Check for new authorized IPs and send email via Port Knocking"

What it does:

  • add name=check-auth: Creates a new scheduler entry.
  • interval=10s: This tells the scheduler to run our send-email script every 10 seconds.
  • on-event=send-email: Specifies which script to execute.

My personal take: I chose a 10-second interval because it’s frequent enough to give me near real-time alerts without overloading the router. It balances responsiveness with resource usage perfectly, enhancing the overall MikroTik Port Knocking experience.

Knocking from Your Pocket: The Android/Termux Client

Now that your MikroTik is ready, how do you perform the knock? While you could use a desktop application, I find using Termux on my Android phone incredibly convenient. Termux provides a Linux environment on your phone, allowing you to run powerful command-line tools.

Why Termux for MikroTik Port Knocking?

Termux is a fantastic open-source terminal emulator for Android. It lets you install various Linux packages, including netcat (which we’ll use for knocking) and ping. It’s lightweight, powerful, and means I don’t need a laptop just to access my MikroTik when I’m on the go. It makes performing MikroTik Port Knocking truly mobile and accessible. For more on how to set up Termux, check out Termux Essentials.

Prerequisites: What You’ll Need

Before running the script, make sure you have Termux installed from F-Droid (the Play Store version can be outdated). Once installed, open Termux and run:

pkg update && pkg upgrade
pkg install nmap-ncat # For the 'nc' (netcat) command
pkg install termux-tools # For the 'timeout' command

The Knocking Script

Save this script as portknock.sh (or any name you prefer) on your Termux file system. Remember to make it executable with chmod +x portknock.sh.

https://github.com/angolo40/mikrotik-port-knocking-client
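Because the client script itself is only linked above, here is an added example of such a client written for this post’s rules (ports 1001, 2002, 3003 and a 10-second address-list timeout). It is my own illustration, not the script from the linked repository. The router name router.example.net, the management-port probe after the knock, and the KNOCK_FN hook (which only exists so the sequence can be exercised without a network) are assumptions of this example; the nc and timeout commands are the ones installed by the pkg commands above.

```shell
#!/usr/bin/env sh
# portknock.sh: a minimal port-knocking client for the MikroTik rules above.
# Added example, not the script from the linked repository. Assumes Termux with
# nmap-ncat (nc) and termux-tools (timeout) installed. router.example.net and
# the management-port probe are placeholders/assumptions of this example.

TARGET_DEFAULT="router.example.net"      # placeholder: your router's public IP or DDNS name
KNOCK_PORTS_DEFAULT="1001 2002 3003"     # must match dst-port of the knock rules, in order
KNOCK_DELAY="${KNOCK_DELAY:-1}"          # seconds between knocks
LIST_TIMEOUT="${LIST_TIMEOUT:-10}"       # address-list-timeout of knock1/knock2 on the router
MGMT_PORT="${MGMT_PORT:-22}"             # port probed after knocking; set empty to skip
NC_TIMEOUT=1                             # connect timeout per knock; knocked ports never answer

# The delay must be positive and shorter than the router's address-list timeout,
# or the previous list entry expires before the next knock arrives (see Troubleshooting).
check_delay() {
    delay=$1
    list_timeout=$2
    [ "$delay" -gt 0 ] 2>/dev/null && [ "$delay" -lt "$list_timeout" ] 2>/dev/null
}

# One knock: a single TCP connect attempt to a closed port. A refused or
# timed-out connection is the expected result; the SYN alone does the work.
knock_once() {
    timeout "$NC_TIMEOUT" nc -z -w "$NC_TIMEOUT" "$1" "$2" >/dev/null 2>&1
    return 0
}

# Knock every port in order, sleeping KNOCK_DELAY between knocks (not after the
# last), and print the sequence sent. KNOCK_FN lets a test swap in a no-op.
knock_sequence() {
    host=$1
    delay=$2
    shift 2
    total=$#
    i=0
    sent=""
    for port in "$@"; do
        i=$((i + 1))
        "${KNOCK_FN:-knock_once}" "$host" "$port"
        sent="${sent:+$sent }$port"
        if [ "$i" -lt "$total" ]; then
            sleep "$delay"
        fi
    done
    printf '%s\n' "$sent"
}

# Full run: validate the delay, knock, then probe the management port to see
# whether the authorized list now admits this client.
main() {
    host=$1
    shift
    ports=${*:-$KNOCK_PORTS_DEFAULT}     # remaining arguments override the default ports

    if ! check_delay "$KNOCK_DELAY" "$LIST_TIMEOUT"; then
        echo "KNOCK_DELAY=$KNOCK_DELAY must be >0 and < LIST_TIMEOUT=$LIST_TIMEOUT" >&2
        return 2
    fi
    # $ports is intentionally unquoted so the space-separated list splits into words.
    sent=$(knock_sequence "$host" "$KNOCK_DELAY" $ports)
    echo "Knocked on $host: $sent"

    if [ -n "$MGMT_PORT" ]; then
        if nc -z -w 3 "$host" "$MGMT_PORT" >/dev/null 2>&1; then
            echo "Port $MGMT_PORT on $host is open for this client."
        else
            echo "Port $MGMT_PORT still closed: check rule order, timeouts and port list." >&2
            return 1
        fi
    fi
}

# Only run when invoked with a target, e.g. ./portknock.sh router.example.net [ports...]
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it as `./portknock.sh your-router-hostname` (or pass a different port list after the hostname). The check_delay guard refuses to knock when KNOCK_DELAY is not shorter than LIST_TIMEOUT, which is exactly the expiry mismatch described in the Troubleshooting section below, and the final probe tells you whether the authorized list took effect without you having to log in to look at it.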

Troubleshooting: When Things Go Wrong

Even with the best planning, sometimes things don’t work immediately. Here are common issues I’ve encountered and how to fix them, especially when dealing with MikroTik Port Knocking:

  • No Email Alerts:
    • Double-check your /tool e-mail set configuration (especially the app password for Gmail).
    • Ensure the recipient@example.com in the script is correct.
    • Verify the scheduler is running (/system scheduler print) and its last-run time.
    • Check MikroTik logs (/log print) for email sending errors.
  • Port Knocking Doesn’t Authorize IP:
    • Firewall Rule Order: This is the most common culprit. Make sure your MikroTik Port Knocking rules are in the correct sequence and the action=accept for authorized IPs is placed correctly before any general drop rules for your management ports. Use /ip firewall filter print.
    • address-list-timeout: Is your KNOCK_DELAY in the Termux script shorter than the address-list-timeout on the MikroTik rules? If your delay is 5 seconds and the MikroTik timeout is 3 seconds, your previous knock will expire before the next one registers!
    • Port Numbers: Are the KNOCK_PORTS in your Termux script exactly the same as dst-port in your MikroTik rules?
    • Public IP: Are you using the correct public IP of your MikroTik (or its dynamic DNS hostname) in the Termux script?
    • Network Latency: Increase KNOCK_DELAY in the Termux script. Sometimes, network latency can cause delays that make your knocks fall outside the MikroTik’s timeout window.
  • Still Can’t Connect After Knocking:
    • Check /ip firewall address-list print on your MikroTik. Is your client IP showing up in the authorized list?
    • Are the services (SSH, WinBox, HTTP) actually running on your MikroTik and listening on the correct ports?
    • Do you have other firewall rules that might be blocking access even for authorized IPs? Look for implicit or explicit drop rules that override your action=accept rule.

Conclusion: Your MikroTik, Now a Fort Knox!

Congratulations! You’ve just transformed your MikroTik router into a much more secure device. By implementing MikroTik Port Knocking with email notifications, you’ve significantly reduced your exposure to automated attacks, adding a robust layer of “security through obscurity.” And with your Android phone now capable of performing the secret knock via Termux, secure access to your network is truly in the palm of your hand.

I’ve found this setup to be incredibly effective and empowering. It gives me peace of mind knowing that my MikroTik isn’t just sitting there, openly exposed. The email alerts are a fantastic bonus, keeping me informed every time the secure gateway is opened. This approach to MikroTik Port Knocking is, in my opinion, a must-have for anyone managing a MikroTik router exposed to the internet.

So, what are you waiting for? Give this setup a try. You’ll be amazed at how much cleaner your MikroTik logs become, and how much more secure you feel. The internet is a wild place, but with MikroTik Port Knocking, your router can truly be a silent sentinel, waiting only for your secret handshake. Secure your network, secure your peace of mind!
