A more complete version of the MikroTik RouterOS port knocking script: multi-step, with the address-lists reset automatically after a few minutes. This improves security because the address-lists are cleared on a schedule, which limits what a host that fails (or only partially completes) the knock sequence can do with it.
Full MikroTik Port Knocking Script (Multi-Step + Auto Reset)
###########################################################
# MikroTik Port Knocking Generator Multi-Step
# With Auto Reset of Address-Lists
# Date/Time: 2025-09-07
# https://www.haikalcctvid.zone.id/
###########################################################
# Note: packet-size matches the total IPv4 length of the packet, not the
# ping payload. A ping with N data bytes arrives as N + 8 (ICMP header)
# + 20 (IPv4 header) bytes, so the values below correspond to the
# "ping -l 72 / -s 72", 172 and 200 commands used to knock.
# Step 1: Reset the address-lists every 5 minutes for security
/system scheduler
add name="ResetPortKnocking" interval=5m on-event="/ip firewall address-list remove [find list~\"port-knocking\"]" comment="Auto reset port knocking lists"
# Step 2: First knock (72-byte payload = 100-byte packet)
/ip firewall filter
add chain=input protocol=icmp packet-size=100 action=add-src-to-address-list address-list="port-knocking-first" address-list-timeout=00:05:00 comment="First knock - Step 1"
# Step 3: Second knock (172-byte payload = 200-byte packet), only for hosts that passed step 1
/ip firewall filter
add chain=input protocol=icmp packet-size=200 src-address-list="port-knocking-first" action=add-src-to-address-list address-list="port-knocking-second" address-list-timeout=00:05:00 comment="Second knock - Step 2"
# Step 4: Third knock (200-byte payload = 228-byte packet), optional
/ip firewall filter
add chain=input protocol=icmp packet-size=228 src-address-list="port-knocking-second" action=add-src-to-address-list address-list="port-knocking-third" address-list-timeout=00:05:00 comment="Third knock - Step 3"
# Step 5: Open the ports after the correct sequence (must come before the drop rule)
/ip firewall filter
add chain=input src-address-list="port-knocking-third" dst-port=22,80,443 protocol=tcp action=accept comment="Allow SSH, HTTP, HTTPS after correct knock sequence"
# Step 6: Drop the ports if the knock sequence was not completed
# (RouterOS negation is written !list-name, outside the quotes)
/ip firewall filter
add chain=input dst-port=22,80,443 protocol=tcp src-address-list=!port-knocking-third action=drop comment="Drop ports if not knocked correctly"
How the Script Works:
- Automatic reset: the scheduler clears the address-lists every 5 minutes, so the knock sequence has to be repeated; this tightens security.
- Multi-step knock:
  - ICMP echo with a 72-byte payload → port-knocking-first
  - ICMP echo with a 172-byte payload → port-knocking-second
  - ICMP echo with a 200-byte payload → port-knocking-third
- Open TCP ports: only hosts that complete the knock sequence are allowed to reach the ports (SSH/HTTP/HTTPS).
- Drop other hosts: hosts that did not perform the correct knock sequence stay blocked.
Manual Knock:
Windows CMD:
ping -l 72 <IP_Router>
ping -l 172 <IP_Router>
ping -l 200 <IP_Router>
Linux / macOS Terminal:
ping -s 72 <IP_Router>
ping -s 172 <IP_Router>
ping -s 200 <IP_Router>
Make sure the order is correct; if the sequence is wrong, the ports stay closed.
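The rule set and the client commands above can both be derived from one description of the sequence. The following Python script is an added example, not code from the original post or from the haikalcctvid site: it generates an N-step knock with the header arithmetic built in (RouterOS packet-size matches the total IPv4 length, so a 72-byte ping payload arrives as a 100-byte packet) and emits the matching one-packet ping commands for Windows, Linux and macOS. The address-list names (port-knocking-step1 and so on), the rule comments and the function names are this example's own choices.

```python
"""Generator for a multi-step ICMP port-knocking rule set on MikroTik RouterOS.

Added example (not part of the original post). It turns a list of ping
payload sizes into RouterOS filter rules plus the matching client
commands, taking care of one detail that hand-written rules often miss:
RouterOS `packet-size` matches the total IPv4 length, so a
`ping -l 72` / `ping -s 72` arrives as a 100-byte packet.
"""

IPV4_HEADER = 20  # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo request header


def ip_packet_size(payload: int) -> int:
    """Total IPv4 length of an ICMP echo request carrying `payload` data bytes."""
    return payload + ICMP_HEADER + IPV4_HEADER


def generate_rules(payloads, ports, timeout="00:05:00", prefix="port-knocking"):
    """Return RouterOS CLI lines for an N-step knock guarding the given TCP ports.

    Each step only fires for sources that already completed the previous
    step, so the sequence must be sent in order. List names and comment
    texts are this example's own (hypothetical) choices.
    """
    if len(payloads) < 2:
        raise ValueError("a knock sequence needs at least two steps")
    if len(set(payloads)) != len(payloads):
        raise ValueError("knock payload sizes must be distinct")
    lists = [f"{prefix}-step{i}" for i in range(1, len(payloads) + 1)]
    lines = ["/ip firewall filter"]
    for i, payload in enumerate(payloads):
        parts = ["add chain=input protocol=icmp",
                 f"packet-size={ip_packet_size(payload)}"]
        if i > 0:
            # Gate this step on the previous step's address-list.
            parts.append(f'src-address-list="{lists[i - 1]}"')
        parts += ["action=add-src-to-address-list",
                  f'address-list="{lists[i]}"',
                  f"address-list-timeout={timeout}",
                  f'comment="Knock step {i + 1} ({payload}-byte payload)"']
        lines.append(" ".join(parts))
    port_str = ",".join(str(p) for p in ports)
    final = lists[-1]
    # Accept must precede drop: RouterOS evaluates filter rules top to bottom.
    lines.append(f'add chain=input protocol=tcp dst-port={port_str} '
                 f'src-address-list="{final}" action=accept '
                 f'comment="Allow after full knock sequence"')
    # Only new connections are dropped, so a session that is already
    # established survives the scheduled flush of the address-lists.
    # RouterOS negation is written !name (outside the quotes).
    lines.append(f'add chain=input protocol=tcp dst-port={port_str} '
                 f'connection-state=new src-address-list=!{final} action=drop '
                 f'comment="Drop without a completed knock"')
    return lines


def knock_commands(payloads, router, platform):
    """Client-side ping commands, one packet per step, for windows/linux/macos."""
    if platform == "windows":
        return [f"ping -n 1 -l {p} {router}" for p in payloads]
    if platform in ("linux", "macos"):
        return [f"ping -c 1 -s {p} {router}" for p in payloads]
    raise ValueError(f"unsupported platform: {platform}")


if __name__ == "__main__":
    # Constructed sample matching the post: three steps, three guarded ports.
    for line in generate_rules([72, 172, 200], [22, 80, 443]):
        print(line)
    for cmd in knock_commands([72, 172, 200], "<IP_Router>", "linux"):
        print(cmd)
```

Run it and paste the printed lines into the RouterOS terminal. Two design choices differ from the hand-written rules above: the drop rule is limited to connection-state=new, so an SSH session that is already open is not cut when the scheduler empties the lists, and the client commands send exactly one packet per step (a bare ping on Linux or macOS keeps sending until interrupted, which is harmless but noisy).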
Advantages of the Full Version
- Multi-step sequence → harder for an attacker to guess
- Auto-reset of the address-lists → reduces the risk of brute-forcing the knock
- Easy to customise → other ports or additional knock steps can be added