
Case Study: Configuring Port Knocking on MikroTik for Enhanced Security

Published on July 16, 2025

In a world where cyberattacks are becoming increasingly sophisticated, protecting remote access to servers and network equipment is of paramount importance. Simply exposing ports for SSH, RDP or a web interface makes them targets for constant scanning and brute-force attacks.

Today we'll look at a powerful but lesser-known technique that noticeably improves the security of remote access to your MikroTik (and to any other device whose firewall can do the same): port knocking. It is not just about "closing ports"; it is a scheme that makes your management services invisible to most scanners and bots.


What is Port Knocking?

Port Knocking is an authentication method where a remote user must “knock” on a predefined sequence of closed ports (e.g., 1234 → 5678 → 9012) in the correct order. Only after that will access to the desired service (e.g., SSH on port 22) be granted.

Until the correct sequence has been sent, the ports stay closed: the firewall silently drops the packets, so to a scanner they look no different from any other filtered port. It is like a secret door that appears only for those who know how to knock.


Why Use Port Knocking?

  • 🔒 Service invisibility: SSH, Winbox and web interfaces don't show up in ordinary port scans.
  • 🛡 Protection from brute-force and scanners: most bots never learn that the ports exist.
  • 🔑 Additional authentication factor: the "secret sequence" is required even if the password is known or leaked.
  • 🌐 Lightweight fallback to a VPN: it doesn't replace a VPN, but it works for occasional access from hosts where no VPN client is available.

Configuring Port Knocking on MikroTik (RouterOS)

Goal: allow access to SSH (22) and Winbox (8291) only after sequential access to ports 1234 → 5678 → 9012.

After the correct "knock", the sender's IP address is added to an address list, and the desired ports are opened for that address only, for 60 seconds.


1. Preparation

Make sure you have a way into the MikroTik that does not depend on the rules you are about to add:

  • via Winbox by MAC address (Layer 2, not subject to the IP firewall),
  • or a local console (serial, or a session from within the local network).

Work in Safe Mode (Ctrl+X in the terminal, or the Safe Mode button in Winbox): if the session is lost because of a bad rule, RouterOS reverts the changes.

2. Firewall Setup: Address Lists

Let's create lists to track "knocks":

/ip firewall address-list
add list=knock_1 address=0.0.0.0/32 disabled=yes comment="Init list for knock 1"
add list=knock_2 address=0.0.0.0/32 disabled=yes comment="Init list for knock 2"
add list=knock_open_port address=0.0.0.0/32 disabled=yes comment="Knock success list"

❗ These placeholder entries are optional. RouterOS creates an address list dynamically the first time an add-src-to-address-list rule writes to it, and a rule whose src-address-list does not exist yet simply never matches. The entries are disabled so they can never match anything themselves; their only purpose is to make the list names visible in Winbox and in print output before anyone has knocked.


3. Port Knocking Rules

/ip firewall filter

# Step 1: first knock. add-src-to-address-list does not stop rule processing,
# so the packet continues down the chain and is dropped by the last rule below.
add chain=input protocol=tcp dst-port=1234 action=add-src-to-address-list \
    address-list=knock_1 address-list-timeout=5s comment="Knock 1"

# Step 2: second knock, valid only if the first happened within the last 5 s
add chain=input protocol=tcp dst-port=5678 src-address-list=knock_1 \
    action=add-src-to-address-list address-list=knock_2 address-list-timeout=5s comment="Knock 2"

# Step 3: third knock, valid only after the second; grants access for 1 minute
add chain=input protocol=tcp dst-port=9012 src-address-list=knock_2 \
    action=add-src-to-address-list address-list=knock_open_port address-list-timeout=1m comment="Knock 3 (grant access)"

# Drop all packets to the knock ports, so they look filtered to a scanner
add chain=input protocol=tcp dst-port=1234,5678,9012 action=drop comment="Drop knock ports"

4. Opening SSH and Winbox

# Allow access if the source IP is in knock_open_port
add chain=input protocol=tcp dst-port=22,8291 src-address-list=knock_open_port action=accept comment="Allow knocked IPs"

# Block everyone else arriving from the Internet. in-interface-list=WAN assumes the
# interface list that the default configuration creates; without this match the
# rule also blocks SSH/Winbox from the LAN.
add chain=input in-interface-list=WAN protocol=tcp dst-port=22,8291 action=drop comment="Block SSH/Winbox for others"

# (Optional) General drop at the end of the input chain
# add chain=input action=drop comment="Drop all other input"

🔥 Important: rule order is critical. The knock rules and the allow rule must sit above any general drop in the input chain. If your firewall already ends with a drop rule (the default configuration does), add the new rules with place-before=<number of that rule>, or move them up in Winbox. Also make sure a rule accepting connection-state=established,related precedes these: otherwise an SSH session opened during the 60-second window is cut off when the address-list entry expires, because its packets no longer match the allow rule.


5. How to "Knock"?

💻 Using netcat (put the options before the host; this form works with every netcat variant, including the BSD one shipped with macOS):

# Knock 1
nc -nvz -w 1 YOUR_MIKROTIK_IP 1234

# Knock 2
nc -nvz -w 1 YOUR_MIKROTIK_IP 5678

# Knock 3
nc -nvz -w 1 YOUR_MIKROTIK_IP 9012

  • -z: only attempt the connection (a single SYN), send no data
  • -w 1: give up after one second, since the router deliberately never answers
  • -n: no DNS lookup
  • YOUR_MIKROTIK_IP: the public IP address of your MikroTik

Each attempt will report a timeout; that is expected. Run the three commands back to back so every step lands within the previous step's 5-second window.

🧪 Alternative with nmap:

nmap -Pn -r --max-retries 0 -p 1234,5678,9012 YOUR_MIKROTIK_IP

-r is required: nmap randomises the port order by default, so without it the knocks arrive out of sequence. --max-retries 0 stops nmap from re-probing the unanswered ports. If you want to be certain about ordering, run nmap once per port instead.

6. Testing

  1. From an outside address (not the LAN), confirm that SSH and Winbox are now unreachable.
  2. Try to connect: the attempt should simply time out, not be refused.
  3. Perform the knock sequence, finishing each step within the 5-second window.
  4. Try again: access is granted for 60 seconds from the third knock.
  5. After the timeout, new connections are denied again.

You can watch the lists fill up and expire (with the remaining timeout of each entry) using:

/ip firewall address-list print where dynamic
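The whole procedure above (the rules from sections 2 to 4 and the client-side knock from section 5) as one script. This is an added example, not code from the original article: it keeps the knock sequence in a single definition, generates the RouterOS rules for any number of steps (the article shows three; four or five are recommended below), and performs the knock in order with a pause between SYNs so the router sees them in sequence. It assumes the default RouterOS interface list named WAN exists and that nc is an OpenBSD-style or ncat netcat that understands -n, -z and -w; the list names and timeouts mirror the article, and the in-interface-list=WAN match is this example's addition.

```shell
#!/bin/sh
# Added example, not from the original article. One definition of the knock
# sequence drives both the RouterOS rule set and the client-side knock.
# Assumptions (hypothetical): the router has the default "WAN" interface list,
# and nc is an OpenBSD-style or ncat netcat that understands -n, -z and -w.

KNOCK_SEQ="1234 5678 9012"   # knock ports, in the order they must be hit
SERVICE_PORTS="22,8291"      # SSH and Winbox, opened after a complete knock
STEP_TIMEOUT="5s"            # each next step must arrive within this window
GRANT_TIMEOUT="1m"           # how long the knocked address keeps access
KNOCK_DELAY="1"              # seconds between knocks, so SYNs arrive in order

# Emit the RouterOS /ip firewall filter commands for an N-step sequence.
# Step i only matches if the source is already in the list written by step i-1;
# the last step writes knock_open_port, which the service rules key on.
gen_routeros_rules() {
    total=$(set -- $KNOCK_SEQ; echo $#)
    prev=""
    i=0
    echo "/ip firewall filter"
    for port in $KNOCK_SEQ; do
        i=$((i + 1))
        if [ "$i" -eq "$total" ]; then
            list="knock_open_port"; timeout="$GRANT_TIMEOUT"; note="Knock $i (grant access)"
        else
            list="knock_$i"; timeout="$STEP_TIMEOUT"; note="Knock $i"
        fi
        if [ -n "$prev" ]; then
            cond=" src-address-list=$prev"
        else
            cond=""
        fi
        echo "add chain=input in-interface-list=WAN protocol=tcp dst-port=$port$cond action=add-src-to-address-list address-list=$list address-list-timeout=$timeout comment=\"$note\""
        prev="$list"
    done
    # add-src-to-address-list does not terminate rule processing, so the knock
    # packets still reach this drop and the knock ports look filtered to a scanner.
    knock_ports=$(echo "$KNOCK_SEQ" | tr ' ' ',')
    echo "add chain=input in-interface-list=WAN protocol=tcp dst-port=$knock_ports action=drop comment=\"Drop knock ports\""
    echo "add chain=input in-interface-list=WAN protocol=tcp dst-port=$SERVICE_PORTS src-address-list=knock_open_port action=accept comment=\"Allow knocked IPs\""
    echo "add chain=input in-interface-list=WAN protocol=tcp dst-port=$SERVICE_PORTS action=drop comment=\"Block SSH/Winbox for others\""
}

# Send a single SYN. -z: no data, -w 1: stop waiting after 1 s, because the
# router drops the packet and nc would otherwise hang. Always returns 0, since
# a "failed" connection is the expected outcome of a knock.
send_syn() {
    nc -n -z -w 1 "$1" "$2" >/dev/null 2>&1 || true
}

# Knock the full sequence against host $1, pausing between steps.
knock() {
    for port in $KNOCK_SEQ; do
        send_syn "$1" "$port"
        sleep "$KNOCK_DELAY"
    done
}

# Returns 0 if TCP port $2 on host $1 accepts a connection; used to verify the knock.
service_open() {
    nc -n -z -w 2 "$1" "$2" >/dev/null 2>&1
}

case "${1:-}" in
    gen)   gen_routeros_rules ;;        # print rules to paste into the router terminal
    knock) knock "$2"
           if service_open "$2" 22; then echo "SSH open on $2"; else echo "SSH still closed on $2"; fi ;;
esac
```

Usage: `sh knock.sh gen` prints the rule set to paste into the router terminal (in Safe Mode, above the existing drop rules), and `sh knock.sh knock <router-ip>` performs the knock and then checks whether SSH answers. Because the sequence lives in one variable, changing it to four or five non-ascending ports regenerates both sides consistently.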

Recommendations and Best Practices

  • A single SYN is enough: the address is added to the list by the first packet that matches the rule, so no TCP session has to be established (and none can be, because the knock ports are dropped).
  • Avoid obvious sequences such as 1 → 2 → 3 or 2222 → 3333 → 4444, and avoid ascending sequences in general: a scanner sweeping ports in increasing order within the step timeout would hit them in exactly the right order. Use non-monotonic ports spread across the range.
  • Increase entropy: use 4–5 steps and mix TCP and UDP.
  • Protect the client side: treat the sequence as a credential and don't keep it in a plain-text note or in shell history.
  • Automate the knocking with a script or alias, so timing mistakes don't lock you out.
  • Combine with other controls: GeoIP filtering, fail2ban-style lockouts, a VPN, source-IP restrictions and key-based SSH authentication.

Limitations of Port Knocking

Port Knocking is not a silver bullet, but a supplement:

  • 🔸 Doesn't protect against a 0-day in SSH or Winbox once the port is open to the knocked address
  • 🔸 Doesn't prevent MITM (if there's no TLS or host-key verification), and the knock itself travels in cleartext: anyone who can observe your traffic can replay the sequence
  • 🔸 Doesn't help against DDoS: the router's address is still public and the firewall still has to process every packet
  • 🔸 Inconvenient behind NAT (everyone sharing the public address is admitted once one of them knocks) or on unstable networks
  • 🔸 Timing errors mean user frustration, since each step must arrive within the previous step's timeout

Conclusion

Port Knocking on MikroTik is an elegant way to hide services and complicate attacks without relying on complex VPNs or external authorization systems.

It doesn’t replace fundamental security but makes you a less visible target and improves your system’s overall resilience.

Use it wisely, combine with other practices — and you’ll be a step ahead of most admins.
