Remote work in the office. RDP, Port Knocking, Mikrotik: simple and safe

With the covid-19 pandemic and quarantine in many countries, the only way for many companies to keep working is remote access to workplaces over the Internet. There are many relatively safe methods for remote work, but given the scale of the problem you need a method simple enough for any user to connect to the office remotely, without additional settings, explanations, tedious consultations and long instructions. That method is the one many admins favour: RDP (Remote Desktop Protocol). Connecting directly to the workplace via RDP solves our problem ideally, except for one big fly in the ointment: keeping the RDP port open to the Internet is very unsafe. Below I therefore propose a simple but reliable method of protection.

Since I often come across small organizations that use Mikrotik devices for Internet access, the implementation is shown below on Mikrotik, but the Port Knocking protection method is just as easy to implement on higher-class devices with the same input-chain and firewall settings.

Briefly about Port Knocking. The ideal external protection for a network connected to the Internet is for all resources and ports to be closed from the outside by a firewall. Although a router with such a firewall does not react in any way to packets arriving from outside, it still sees them. You can therefore configure the router so that, when it receives a certain (code) sequence of packets on different ports, it opens access to certain resources (ports, protocols and so on) for the IP the packets came from.

Now to the point. I will not give a detailed description of the firewall settings on Mikrotik; the Internet is full of good sources for that. Ideally the firewall blocks all incoming packets, but the rule

/ip firewall filter
add action=accept chain=input comment="established and related accept" connection-state=established,related


allows incoming traffic from established and related connections.
Now configure Port Knocking on Mikrotik:

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
move [/ip firewall filter find comment=RemoteRules] 1
/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

Now in more detail. The first two rules:

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules

drop incoming packets from IP addresses that were blacklisted for scanning ports;

The third rule:

add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules

adds the source IP to the list of hosts that made the correct first knock on the required port (19000);
The following four rules:

add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

create trap ports for anyone who scans your ports: when such an attempt is detected, the IP is put on the blacklist for 60 minutes, during which the first two rules prevent that host from knocking on the correct ports;

The following rule:

add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

puts the IP on the allowed list for 1 minute (enough to establish a connection) once the second correct knock arrives on the required port (16000);

Next command:

move [/ip firewall filter find comment=RemoteRules] 1

moves our rules up the firewall processing chain, since we most likely already have other deny rules configured that would prevent the newly created ones from working. Rule numbering in Mikrotik starts from zero, but on my device position zero was occupied by a built-in rule that could not be moved, so I moved to 1. Look at your own configuration to see where the rules can be moved and specify the desired position.

The following setting:

/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp_to_33" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

forwards the arbitrarily chosen external port 33890 to the standard RDP port 3389 on the IP of the computer or terminal server we need. Create such a rule for every internal resource you need, preferably with non-standard (and different) external ports. Naturally, the IPs of the internal resources must be either static or reserved on the DHCP server.
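To see how these rules interact, here is a small Python simulation added for this article (it is not the author's code and does not run on RouterOS): it models the three address lists with their timeouts and the rule order above, then runs a legitimate two-knock client and a sequential port scan through them. Port numbers, list names and timeouts are taken from the rules above; the simulated clock, the client IPs (TEST-NET addresses) and the final catch-all drop rule are assumptions.

```python
"""Simulation of the Port Knocking rules above (added example, not RouterOS code).
Models the address lists with their timeouts and the input-chain rule order, so
the effect of the rules on a legitimate client and on a port scanner can be seen."""
from dataclasses import dataclass, field

KNOCK_1, KNOCK_2, RDP_EXT_PORT = 19000, 16000, 33890      # from the rules
TRAP_PORTS = (19001, 18999, 16001, 15999)                  # the four trap rules
RDP_TARGET = "192.168.1.33:3389"                           # dst-nat target


@dataclass
class Router:
    now: float = 0.0                       # simulated clock in seconds (assumption)
    # address-list name -> {ip: time at which the entry expires}
    lists: dict = field(default_factory=lambda: {
        "Black_scanners": {}, "remote_port_1": {}, "allow_remote_users": {}})

    def listed(self, name, ip):
        exp = self.lists[name].get(ip)
        return exp is not None and exp > self.now

    def _add(self, name, ip, timeout_s):
        self.lists[name][ip] = self.now + timeout_s

    def packet(self, ip, dst_port):
        """Fate of one TCP SYN from ip to dst_port, walking the rules in order."""
        # dst-nat: only hosts currently in allow_remote_users reach the RDP server
        if dst_port == RDP_EXT_PORT:
            if self.listed("allow_remote_users", ip):
                return "forwarded to " + RDP_TARGET
            return "dropped"
        # rules 1-2: blacklisted hosts may not knock on either knock port
        if dst_port in (KNOCK_1, KNOCK_2) and self.listed("Black_scanners", ip):
            return "dropped (blacklisted)"
        # rule 3: first knock, remembered for 1 minute
        if dst_port == KNOCK_1:
            self._add("remote_port_1", ip, 60)
        # rules 4-7: a host that knocked correctly and then hits a trap port
        # next to a knock port is blacklisted for 60 minutes
        elif dst_port in TRAP_PORTS and self.listed("remote_port_1", ip):
            self._add("Black_scanners", ip, 3600)
        # rule 8: second knock counts only after a valid first knock
        elif dst_port == KNOCK_2 and self.listed("remote_port_1", ip):
            self._add("allow_remote_users", ip, 60)
        # add-src-to-address-list does not accept the packet; it continues
        # down the chain and is dropped by the final drop rule (assumed)
        return "dropped"


def legitimate_client(router, ip, pause=0.5):
    """Knock 19000, then 16000, then open the RDP port; returns the three fates."""
    fates = []
    for port in (KNOCK_1, KNOCK_2, RDP_EXT_PORT):
        fates.append(router.packet(ip, port))
        router.now += pause
    return fates


def sequential_scan(router, ip, ports, pause=0.1):
    """Probe the given ports in order, then try the RDP port.
    Returns (fate of the RDP attempt, whether the IP got blacklisted)."""
    for port in ports:
        router.packet(ip, port)
        router.now += pause
    return router.packet(ip, RDP_EXT_PORT), router.listed("Black_scanners", ip)


if __name__ == "__main__":
    r = Router()
    print("client   :", legitimate_client(r, "203.0.113.10"))       # constructed IP
    r.now += 61                                                      # allow list expires
    print("after 61s:", r.packet("203.0.113.10", RDP_EXT_PORT))
    print("scan up  :", sequential_scan(Router(), "198.51.100.7", range(15999, 19002)))
    print("scan down:", sequential_scan(Router(), "198.51.100.8", range(19001, 15998, -1)))
```

The simulation makes two properties of the rule set visible: a scan in either direction passes 19000 and then a neighbouring trap port and lands on the blacklist before it can complete the sequence, and a packet to 16000 that arrives before the 19000 knock has been recorded simply does nothing. Extending the sequence with further knock ports, as suggested at the end of the article, follows the same pattern of an extra list and an extra rule per port.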

Now our Mikrotik is configured, and we need a simple procedure for the user to connect to our internal RDP. Since most of our users are on Windows, we create a simple bat file called StartRDP.bat that contains just two lines, each of which opens the named file with its associated program:

1.htm
1.rdp

Accordingly, 1.htm contains the following code:

<img src="http://my_router.sn.mynetname.net:19000/1.jpg">
       RDP
<img src="http://my_router.sn.mynetname.net:16000/2.jpg">

It contains two links to imaginary pictures located at the address my_router.sn.mynetname.net. We take this address from Mikrotik's DDNS service, having enabled it beforehand: go to the IP -> Cloud menu, tick the DDNS Enabled checkbox, click Apply and copy the DNS name of the router. This is only necessary when the router's external IP is dynamic or several Internet providers are used.

The port in the first link, 19000, is the first port to knock on; the port in the second link is the second. Between the links there is a short instruction explaining what to do if the connection drops because of a brief network problem: refresh the page, the RDP port opens for us again for 1 minute, and the session is restored. The text between the img tags also introduces a micro delay in the browser, which reduces the likelihood of the request to the second port (16000) arriving before the request to the first; in two weeks of use (30 people) there have been no such cases.

Next is the 1.rdp file, which we can configure once for everyone or separately for each user (I did the latter: it is easier to spend an extra 15 minutes than several hours consulting those who could not figure it out).

screen mode id:i:2
use multimon:i:1
.....
connection type:i:6
networkautodetect:i:0
.....
disable wallpaper:i:1
.....
full address:s:my_router.sn.mynetname.net:33890
.....
username:s:myuserlogin
domain:s:mydomain

Of the interesting settings here, use multimon:i:1 enables the use of multiple monitors; some people need it but would not think of turning it on themselves.

connection type:i:6 and networkautodetect:i:0: since most Internet connections are faster than 10 Mbps, we set connection type 6 (LAN, 10 Mbps and higher) and disable networkautodetect, because with the default (auto) setting even a rare network delay makes the client permanently assume an underestimated speed for the session, which creates noticeable lag, especially in graphics programs.

disable wallpaper:i:1 disables the desktop background image
username:s:myuserlogin specifies the username, since a significant share of our users do not know their own username
domain:s:mydomain specifies the domain or computer name

If we want to simplify the connection procedure further, we can use PowerShell instead: StartRDP.ps1

# first knock (the router silently drops it, so a failed test is expected)
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 19000
# second knock: our IP is now on allow_remote_users for 1 minute
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 16000
# start the RDP client against the forwarded port while the entry is alive
mstsc /v:my_router.sn.mynetname.net:33890
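The same client-side procedure as the PowerShell script, written in Python as an added example (it is not the article's script and not Microsoft's tooling) so that the timing can be shown explicitly: each knock is a plain TCP connection attempt that the router drops after noting the source address, so a timeout or refusal is the expected outcome, and a short pause between the knocks keeps them in order (the race the article mentions for the HTML variant). The host name is the article's placeholder DDNS name, the `connect` parameter is an assumption added for testing, and mstsc is only launched on Windows.

```python
"""Client-side knock sequence followed by mstsc (added example, not the
article's StartRDP.ps1).  Each knock is one TCP connection attempt; the router
drops the packet after noting the source address, so the attempt times out,
which is the expected outcome and still counts as a knock."""
import socket
import subprocess
import sys
import time

ROUTER = "my_router.sn.mynetname.net"   # DDNS name from the article (placeholder)
KNOCK_PORTS = (19000, 16000)            # must be sent in this order
RDP_EXT_PORT = 33890                    # external port forwarded to 3389


def tcp_knock(host, port, timeout=2.0):
    """Send one connection attempt to host:port and report what happened.
    The SYN is all the router needs; a timeout or refusal is normal here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"          # not expected: the port is supposed to be closed
    except OSError as exc:              # TimeoutError, ConnectionRefusedError, gaierror ...
        return type(exc).__name__


def knock_sequence(host, ports=KNOCK_PORTS, pause=0.5, connect=tcp_knock):
    """Knock on each port in order with a pause in between so the second
    knock cannot overtake the first.  `connect` is injectable for testing
    (assumption); returns a list of (port, outcome)."""
    outcomes = []
    for i, port in enumerate(ports):
        if i:
            time.sleep(pause)
        outcomes.append((port, connect(host, port)))
    return outcomes


def start_rdp(host=ROUTER, rdp_port=RDP_EXT_PORT):
    """Knock, then start the Windows RDP client against the forwarded port."""
    outcomes = knock_sequence(host)
    if sys.platform == "win32":
        # the allow-list entry lives 1 minute, so start mstsc right away
        subprocess.Popen(["mstsc", f"/v:{host}:{rdp_port}"])
    return outcomes


if __name__ == "__main__":
    for port, outcome in start_rdp():
        print(f"knock {port}: {outcome}")
```

Run it as `python StartRDP.py` on the user's PC; the printed outcomes are useful when helping a user over the phone, since a `gaierror` means the DDNS name did not resolve, while a timeout on both knocks is the normal case.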

A little about the RDP client in Windows: Microsoft has done a lot to optimize the protocol and its server and client sides and has implemented many useful features, such as hardware 3D, adapting the screen resolution to your monitor, multi-monitor support and more. Of course, everything works in backward-compatibility mode: if the client is Windows 7 and the remote PC is Windows 10, RDP will run at protocol version 7.0. The good news is that the client can be upgraded to newer versions; for example, the protocol version can be raised from 7.0 (Windows 7) to 8.1. So, for the users' convenience, keep the server side at the highest available version and send users links to upgrade their RDP clients.

As a result we have a simple and relatively safe technique for remote connection to a work PC or terminal server. For a more secure connection, the Port Knocking method can be made several orders of magnitude harder to attack by adding more ports to check: a third, fourth, fifth, sixth and so on, using the same logic. In that case a direct intrusion into your network becomes almost impossible.

Template files for creating the remote RDP connection.
