Security Tools

In this section we configure:

  • Port Knocking

  • Sending mail (Gmail)

  • Sending backups by mail

  • Sending log messages by mail

  • Layer 7 filtering

Following the diagram below we explain how to configure Port Knocking.

We start from a multi-WAN router whose WAN addresses are static, and a LAN network with a DHCP service.

Create Interface List

The first thing we can do to simplify the firewall rules is to group all the WAN interfaces in an interface list. In the Interfaces window go to the Interface List tab, click the List button and, in the Interface Lists window, click (+). In the New Interface List window give the list a name, in this case WAN, then Apply and OK. The name now appears among the defined interface lists.

Back in the main Interface List window click (+). In the List field choose WAN, the name defined above, and in the Interface field select one of the WAN interfaces. Since this example has three WAN interfaces, all three must be added as members of the WAN list.

In the end the list should look like the following image.

Port Knocking

Now we create the port knocking rules. Go to IP → Firewall and add a rule with (+). In this example three port hits are required before the router can be reached through its management services (WinBox, SSH, Telnet, etc.), as shown in the first image of the network topology. In the General tab set Chain to input and Protocol to 6 (tcp). Once a protocol is set the Src. Port and Dst. Port fields become available; set Dst. Port to 2000. Next we would define the incoming WAN interface in In. Interface, but with three WAN interfaces that would mean three identical rules, one per interface. That is why the WAN interface list was created earlier: in In. Interface List select WAN and a single rule covers every interface that belongs to the list, instead of one rule per WAN interface.

Now go to the Action tab and select add src to address list in the Action field. In Address List give the list a name, in this example temporary. In Timeout set how long the IP stays in the list, here 5 minutes (00:05:00). Apply and OK.

What this rule does: any packet that enters the router through an interface in the WAN list, using TCP with destination port 2000, has its source address added to the address list called temporary for 5 minutes; after that time the entry is removed automatically. Note that add src to address list is not a terminating action, so the knock packet itself continues down the chain and ends up in the final drop rule; the knocker gets no reply, which is the intended behaviour.

Now we create the rule for the second touch or port hit.

As the previous image shows, in the General tab only the Dst. Port changes, now 4000. In the Advanced tab, in Src. Address List, select temporary.

In the Action tab again choose add src to address list; the Timeout can stay at 5 minutes, that is up to each one, and in Address List define a new name, in this case allowed. Apply and OK.

This second rule means that only IPs already in the temporary list (i.e. that have just hit port 2000) and that now connect to port 4000 are added, for 5 minutes, to another list called allowed.

Now the third touch or port hit from the network diagram. The steps are very similar to the second rule: in the General tab only change Dst. Port to 8000.

In the Advanced tab, in Src. Address List, select allowed, which holds the IPs that have completed the first and second hits in order.

In the Action tab again select add src to address list, name the new list safe in Address List, and in Timeout give a much longer time than before, in this case 1 hour (01:00:00).

The reason for the longer time is that this is the last port hit: while the IP is in the safe list it has access to the router, and when the entry expires after 1 hour access is denied again and the three hits have to be repeated from the start. The two previous lists had a shorter timeout because that is the window in which the next port has to be hit; it leaves an attacker little time to discover the next protocol and port, and once it expires the sequence has to start again from the first rule. Two caveats a practitioner should keep in mind: the knocks travel in cleartext, so anyone who can observe the traffic learns the sequence, and a sequence of increasing port numbers (2000, 4000, 8000) is completed automatically by any port scanner that sweeps ports in ascending order within the 5 minute windows, so prefer a non-monotonic sequence. Port knocking hides the management ports; it is not a replacement for strong passwords or key-based SSH.

Now we define the accept rule. In the General tab set only Chain to input and In. Interface List to WAN.

In the Advanced tab, in Src. Address List, select safe, since these IPs have already passed the three previous rules.

In the Action tab leave Action as accept. Apply and OK.

With this rule all IPs that have passed the three previous rules are allowed into the router. If you want to be stricter, also set Protocol to tcp and Dst. Port to the management ports only (for example 22 and 8291) instead of accepting everything from these IPs.

Finally we create a rule that drops anything that does not meet these conditions. Create a new rule with Chain input and the WAN list in In. Interface List in the General tab.

In the Action tab set drop. Apply and OK. Rule order matters: the three knock rules and the accept rule must sit above this drop. Also note that this drop applies to every packet arriving from WAN, including replies to connections the router itself opened (DNS, NTP and the SMTP connections used later on this page). If those services have to work over WAN, add a rule before the drop that accepts connection-state established,related; with that rule in place, existing management sessions also survive the expiry of the safe entry and only new connections need a fresh knock sequence.

In the end we should have the five rules as in the following image, matching what is defined in the network diagram.
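The interface list and the five rules above entered from the RouterOS terminal, as an added example that is not part of the original page. Ports, list names and timeouts follow the text; the interface names ether1 to ether3, the comments and the established,related rule at the top are assumptions added here (that rule changes the behaviour described above: already accepted sessions no longer drop when the safe entry expires, only new connections need a fresh knock).

```routeros
# Added example, not from the original page: port knocking from the CLI.
# Interface names and the established,related rule are assumptions.

/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/interface list member add list=WAN interface=ether2
/interface list member add list=WAN interface=ether3

/ip firewall filter
# Assumed addition: accept replies to connections the router opened itself
# (DNS, NTP, SMTP) and packets of already accepted sessions. Without it the
# final drop below discards those replies.
add chain=input connection-state=established,related action=accept \
    comment="replies to router-initiated and accepted sessions"

# Knock 1: TCP/2000 from any WAN interface puts the source in "temporary" for 5m.
# add-src-to-address-list does not terminate the chain, so the knock itself
# still falls through to the final drop and gets no reply.
add chain=input in-interface-list=WAN protocol=tcp dst-port=2000 \
    action=add-src-to-address-list address-list=temporary \
    address-list-timeout=5m comment="knock 1"
# Knock 2: only sources already in "temporary" can advance to "allowed".
add chain=input in-interface-list=WAN protocol=tcp dst-port=4000 \
    src-address-list=temporary action=add-src-to-address-list \
    address-list=allowed address-list-timeout=5m comment="knock 2"
# Knock 3: only sources in "allowed" reach "safe", which lasts 1h.
add chain=input in-interface-list=WAN protocol=tcp dst-port=8000 \
    src-address-list=allowed action=add-src-to-address-list \
    address-list=safe address-list-timeout=1h comment="knock 3"
# Sources in "safe" may reach the router. To limit them to SSH and WinBox
# add protocol=tcp dst-port=22,8291 to this rule.
add chain=input in-interface-list=WAN src-address-list=safe action=accept \
    comment="knock sequence completed"
# Everything else from WAN is dropped. Must stay last.
add chain=input in-interface-list=WAN action=drop comment="drop other WAN input"

# Inspection: which sources are at which stage of the sequence right now
/ip firewall address-list print where list~"temporary|allowed|safe"
```

From a client, three TCP connection attempts in order complete the sequence; each attempt times out because the knock packets are dropped, so a tool with a short timeout (for example nc -z -w1 against ports 2000, 4000 and 8000 in turn) is enough, after which WinBox or SSH connects normally until the safe entry expires.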

Create Address List

Apart from port knocking, we can also create address lists by hand, defining which IPs we consider safe to reach the router. Go to the Address Lists tab of the Firewall window and click (+). In the window that appears give the address list a name, add the IP (or subnet) that will be allowed to reach the router and, optionally, a timeout after which the entry disappears. We can add as many IPs as we want to one address list, or create one list per IP, whichever suits us.

Once the address lists are defined, we only need a firewall filter rule that accepts traffic from them: in the Advanced tab select the list in Src. Address List, and place the rule above the final drop.

Set up Gmail in Mikrotik

First we need the address and port of Gmail's SMTP service; both are listed on the following page: SMTP gmail. Look at the section shown in the image.

What matters here are the ports (465 for implicit TLS, 587 for STARTTLS) and the SMTP server name smtp.gmail.com. RouterOS versions whose e-mail tool only accepts an IP address in the Server field need the IP, so open a terminal on the Mikrotik router and ping the server name to resolve it.

Note down the IP that appears, it will be needed later. Keep in mind that Google rotates the addresses behind smtp.gmail.com, so a pinned IP can stop working; if your RouterOS version accepts a host name in the Server field, use the name instead. With this we have the port and the IP. For better security we go to the Application passwords page and follow the steps to create an application password; this requires 2-Step Verification on the Google account, and the router then never holds the real account password.

In the application passwords section, under Select app choose Other, type a name such as Mikrotik Router, and click Generate.

Note down the 16-character password shown after clicking Generate.

Now we have everything we need, so back on the Mikrotik router go to Tools → Email in the left menu and fill in the fields as follows.

  • Server: the IP (or host name) of the SMTP service

  • Port: 587 with STARTTLS, or 465 with TLS

  • Start TLS / TLS: the cryptographic transport; enable STARTTLS for port 587 (or TLS for 465) so that neither the credentials nor the mail cross the Internet in cleartext

  • From: our e-mail address

  • User: the SMTP login name, i.e. the Gmail account, normally the same address as in From (this is not the recipient; the recipient is given when sending)

  • Password: the application password Google generated. The account's own password may also work, but it is less safe: it grants full access to the account and cannot be revoked separately. Apply and OK.

For mail sending to work correctly the router's clock must be right, so that timestamps in mails, backup file names and log entries are correct and TLS certificate validity periods can be checked. Enable the SNTP (Simple Network Time Protocol) client under System → SNTP Client (System → NTP Client on newer versions). Tick Enabled, set Primary NTP Server to time.google.com and click Apply; the router resolves the IP automatically (as long as DNS is configured) and fills in the rest, then click OK.
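The same Tools → Email and NTP settings from the terminal, followed by a test message, as an added example that is not part of the original page. It uses RouterOS 7 parameter names; the addresses and the application password are placeholders.

```routeros
# Added example, not from the original page: mail and time settings from the
# CLI. Addresses and the app password are placeholders.

# RouterOS 7 accepts the host name in server=. RouterOS 6 uses address=<ip>
# instead of server= and needs the IP from the ping step. tls=starttls pairs
# with port 587, tls=yes (implicit TLS) with 465; never use tls=no with Gmail.
/tool e-mail set server=smtp.gmail.com port=587 tls=starttls \
    from="router@yourdomain.com" user="router@yourdomain.com" \
    password="abcdefghijklmnop"

# Correct time. RouterOS 7 NTP client; the RouterOS 6 SNTP client takes
# server-dns-names=time.google.com instead of servers=.
/system ntp client set enabled=yes servers=time.google.com
/system clock print

# Test message; send failures are written to the log
/tool e-mail send to="admin@yourdomain.com" \
    subject=("Test from " . [/system identity get name]) body="mail works"
/log print where message~"mail"
```

If the test mail does not arrive, the log entry usually names the cause (authentication rejected, TLS required, or a blocked outbound port on the WAN).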

Configure error and DHCP notifications by mail

Once the mail service is configured in Mikrotik, we define what we want it to send us by e-mail. Go to System → Logging, open the Actions tab first and click (+).

In the small window that appears set Name, for example email, set Type to email, tick the Start TLS box and in Email To enter the address the messages go to. Apply and OK.

The action we created should now appear.

Then go to the Rules tab and click (+).

In the window that appears choose the action created before, email, in the Action field, and in Topics a drop-down with a large number of topics appears; choose the one you want, in this case error. Apply and OK.

With this rule, every time the router logs an error we are notified at the address defined in the action. In the same way we can create as many rules as we want, defining which topics are mailed to us. In this example, besides errors, a second rule was created for the dhcp topic, as shown below. Keep in mind that the dhcp topic logs every lease event, so on a busy LAN it produces a lot of mail; for security monitoring the error rule is the more useful one, since failed logins to the router are logged with the topics system,error,critical and are therefore already mailed by it.
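The logging action and the two rules from the terminal, plus a forced test entry, as an added example that is not part of the original page. The recipient address is a placeholder; the dhcp rule is created disabled here as a suggestion, which the text does not do.

```routeros
# Added example, not from the original page: logging to mail from the CLI.
# The recipient is a placeholder.

/system logging action add name=email target=email \
    email-to="admin@yourdomain.com" email-start-tls=yes

# One rule per topic. A rule listing several topics matches only messages
# that carry all of them.
/system logging add topics=error action=email
# Every DHCP lease event; fine on a small LAN, noisy on a busy one,
# so it is added disabled here (assumption, the text enables it).
/system logging add topics=dhcp action=email disabled=yes

# Failed management logins carry the topics system,error,critical, so the
# error rule above already mails them. Past ones can be reviewed with:
/log print where topics~"critical"

# Force a test: this entry has topic "error" and is mailed by the error rule
:log error "test notification from $[/system identity get name]"
```

The log action buffers messages and sends them one mail per entry, so a burst of errors produces a burst of mail; that is worth knowing before pointing the dhcp rule at a busy network.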

Configure backup files to reach us by mail

We can also configure the Mikrotik router to send us a backup of its configuration by mail automatically from time to time. For this we use the following scripts.

Binary Backup

/system script add name=respaldo_binario policy=read,write,test,sensitive source={
  # Date-based file name, e.g. "router1-2024jan15". The offsets assume the
  # RouterOS 6 date format mmm/dd/yyyy; RouterOS 7.10+ prints yyyy-mm-dd,
  # where [:pick $d 0 4] . [:pick $d 5 7] . [:pick $d 8 10] gives 20240115.
  :local d [/system clock get date]
  :local bk ([/system identity get name] . "-" . [:pick $d 7 11] . [:pick $d 0 3] . [:pick $d 4 6])
  # The binary backup contains the user database: encrypt it with a password
  # so a copy sitting in a mailbox cannot simply be restored elsewhere.
  /system backup save name=$bk password="change-this-password"
  /tool e-mail send to="youremail@yourdomain.com" subject=([/system identity get name] . " Backup " . $d) file=($bk . ".backup")
  # give the mail queue time to read the file before it is deleted
  :delay 10
  /file remove [/file find name=($bk . ".backup")]
  :log info ("System Backup emailed at " . [/system clock get time] . " " . $d)
}

Backup Export

/system script add name=respaldo_export policy=read,write,test,sensitive source={
  # Same file name scheme as the binary script (RouterOS 6 date format, see above)
  :local d [/system clock get date]
  :local bk ([/system identity get name] . "-" . [:pick $d 7 11] . [:pick $d 0 3] . [:pick $d 4 6])
  # Plain-text export. On RouterOS 6 add hide-sensitive to omit PPP secrets,
  # wireless keys and similar; RouterOS 7 omits them unless show-sensitive is given.
  /export file=$bk
  /tool e-mail send to="backup@YOURDOMAIN.com" subject=([/system identity get name] . " Export " . $d) file=($bk . ".rsc")
  # give the mail queue time to read the file before it is deleted
  :delay 10
  /file remove [/file find name=($bk . ".rsc")]
  :log info ("System Export emailed at " . [/system clock get time] . " " . $d)
}

Each script corresponds to one of the two backup types Mikrotik can create.

  • The binary backup is a complete copy of the router configuration, including users and their passwords. It is meant to be restored on the same router (or the same model) when something goes wrong. The file is binary, not readable as text, and only RouterOS can interpret it. Because it contains credentials, pass a password when saving it (/system backup save password=...) so that a copy that ends up in a mailbox cannot simply be restored on another router.

  • The export can be a complete or partial copy of the configuration as a plain-text script (.rsc). It does not contain users or passwords; other sensitive values (PPP secrets, wireless keys, SNMP communities) are omitted with the hide-sensitive option on RouterOS 6 and by default on RouterOS 7 unless show-sensitive is given.

Once that is explained, open a terminal on the router, copy one of the two scripts, paste it into the terminal and press Enter to run it; then do the same with the other script.

Once both have been run, go to System → Script in the left menu; the Script List window should show two entries corresponding to the two scripts.

Now some modifications are needed in both scripts. Double-click the binary backup script and find the line /tool e-mail send to="youremail@yourdomain.com" in the text box at the bottom of the window; replace the address in quotes with the one the backup should go to. Also look at subject=([/system identity get name] ...): this uses the router name set in System → Identity, so it is worth giving each router a distinct name, not only to identify it but so that when the mail arrives we know which router it refers to.

Once the address has been changed in both scripts we configure their scheduled execution: in the left menu go to System → Scheduler and click (+).

In the new window we define when the task starts and how often it runs, filling in the fields as follows:

  • Name: any name we want for the task

  • Start Date: the date on which the task starts running

  • Start Time: the time of day at which the task runs

  • Interval: how often the task runs again; in this example once a day, i.e. every 24 hours

  • Owner: the user that created the task; it is filled in automatically on Apply

  • Policy: the permissions the task runs with. A script run by the scheduler only gets the policies the scheduler entry grants it. Leaving every box ticked works but gives the task more rights than it needs (for instance password and policy); in practice read, write, test and sensitive are enough for these backup scripts, and if the log reports a policy error when the task runs, add the missing one. In the On Event text box at the bottom we write the name of one of the scripts created earlier, which is what gets executed at the defined time. The remaining fields fill in by themselves on Apply; click OK to finish. Then create another task, with the same or a different interval as preferred, for the other script, respaldo_export.

In the end both tasks are created as in the following image.
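The two scheduler entries from the terminal, with a manual first run to verify the scripts before trusting the schedule, as an added example that is not part of the original page. The run times are placeholders and the policy set is an assumption that is sufficient for the scripts above.

```routeros
# Added example, not from the original page: scheduler entries from the CLI.
# Times are placeholders; the policy set is an assumption (add a policy if
# the log reports a permission error when the task runs).

# start-date defaults to today when omitted, which sidesteps the date format
# difference between RouterOS 6 (mmm/dd/yyyy) and RouterOS 7.10+ (yyyy-mm-dd).
/system scheduler add name=backup-binario start-time=03:00:00 interval=1d \
    on-event=respaldo_binario policy=read,write,test,sensitive \
    comment="binary backup by mail, daily"
/system scheduler add name=backup-export start-time=03:30:00 interval=1d \
    on-event=respaldo_export policy=read,write,test,sensitive \
    comment="export backup by mail, daily"

# A script run by the scheduler only gets the policies the entry grants it.
# Run one by hand first and look for the "emailed" line or an error in the log.
/system script run respaldo_binario
/log print where message~"Backup"
/system scheduler print detail
```

Running the script by hand once also confirms that the temporary file is removed afterwards; a /file print that still shows old .backup or .rsc files means the send failed before the delay expired.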

Layer 7

We will configure the Mikrotik router with Layer 7 matching to filter certain packets and thus block access to certain web sites.

First go to IP → Firewall, then the Layer 7 Protocols tab, click (+) and in the window that appears give a name in Name and, in Regexp, enter a regular expression. In this case the following expression was used:

^.+(youporn.com|pornhub.com|xvideos.com|xvideos|pornstars|youtube.com|youtu.be|googlevideo.com|facebook).*$

The idea is to block the sites named in the expression. Apply and OK. Two things about this expression: the dots are deliberately left unescaped. The matcher is applied to DNS query payloads (next step), where label separators are length bytes rather than ASCII dots, so an unescaped . matches both the length byte and a literal dot; escaping it as \. would break the match. Also, bare words such as facebook and xvideos match any name containing them, which is intended here but can cause unexpected blocks.

Next, in the Firewall window go to the Mangle tab, where we create two rules. The first marks the connections that carry DNS and match the L7 protocol defined above. In the new rule's General tab set Chain to prerouting, Protocol to udp, Dst. Port to 53 and Connection Mark to no-mark. In the Advanced tab go to Layer 7 Protocol and select the protocol defined earlier (if several exist, pick the one of interest; as many Layer 7 protocols as needed can be created). In the Action tab select mark connection, in New Connection Mark give a name, and leave Passthrough ticked so the packet goes on to the next rule. Apply and OK.

Now create the other rule, which marks the packets of the connections marked by the previous rule. In the General tab set only Chain to prerouting and Connection Mark to the name defined in the previous rule. In the Action tab select mark packet, give a name in New Packet Mark and tick Passthrough. Apply and OK.

Now the filter rules: in the Firewall window go to the Filter Rules tab and create two rules with Action drop, and in the General tab select in Packet Mark the name defined in the second mangle rule. The only difference between the two is the Chain: one uses forward, to drop matching DNS queries that LAN clients send to external resolvers, and the other uses input, because normally the router itself is the DNS resolver for the network. Both must sit above any rule that accepts DNS traffic. Be aware of the limits of this approach: it only inspects UDP port 53, so DNS over TCP, DNS over HTTPS/TLS, a client's local cache or a site reached by IP address all bypass it, and blocking the query only means the client sees a resolution failure.
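The Layer 7 protocol, the two mangle rules and the two drop rules from the terminal, as an added example that is not part of the original page. The regular expression is the one from the text; the names blocked-sites, dns-blocked and dns-blocked-pkt and the extra TCP/53 mangle rule are assumptions added here.

```routeros
# Added example, not from the original page: the L7 DNS block from the CLI.
# Names are assumptions; the TCP/53 rule is an addition to the text.

# Inside a double-quoted RouterOS string "$" starts a variable, so the
# trailing anchor is written as \$. Dots stay unescaped on purpose: in a DNS
# query the label separators are length bytes, not ASCII dots.
/ip firewall layer7-protocol add name=blocked-sites \
    regexp="^.+(youporn.com|pornhub.com|xvideos.com|xvideos|pornstars|youtube.com|youtu.be|googlevideo.com|facebook).*\$"

/ip firewall mangle
# Mark new DNS connections whose query matches; passthrough lets the packet
# continue to the packet-mark rule below.
add chain=prerouting protocol=udp dst-port=53 connection-mark=no-mark \
    layer7-protocol=blocked-sites action=mark-connection \
    new-connection-mark=dns-blocked passthrough=yes
# Assumed addition: the same for DNS over TCP, which the text does not cover
add chain=prerouting protocol=tcp dst-port=53 connection-mark=no-mark \
    layer7-protocol=blocked-sites action=mark-connection \
    new-connection-mark=dns-blocked passthrough=yes
add chain=prerouting connection-mark=dns-blocked action=mark-packet \
    new-packet-mark=dns-blocked-pkt passthrough=yes

/ip firewall filter
# These must sit above any rule that accepts DNS; use
# /ip firewall filter move to reorder if they land below one.
add chain=forward packet-mark=dns-blocked-pkt action=drop \
    comment="LAN clients asking external resolvers for blocked names"
add chain=input packet-mark=dns-blocked-pkt action=drop \
    comment="router's own resolver"

# Check that queries get marked: the counters rise when a LAN client looks
# up one of the listed names
/ip firewall mangle print stats where layer7-protocol=blocked-sites
```

A quick functional test is a lookup of one of the listed names from a LAN client, which should time out, followed by a lookup of an unlisted name, which should still resolve; if both fail, the drop rules are catching all DNS and need to be narrowed to the packet mark.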

ISPbills, all rights reserved.