Estive vendo aqui no forum que o pessoal tem muito problema com ataques...
Pensando em uma forma de acabar com essas guerras, tomei a liberdade de escrever algumas regras para vocês utilizarem nos MKs.
Abraços a todos.
E se alguém precisar de consultoria (mensal) estamos a disposição.
Regras interessantes:
##### Proteção do router
/ip firewall filter add chain=input connection-state=invalid action=drop \ comment="Drop Invalid connections"
/ip firewall filter add chain=input connection-state=established action=accept \ comment="Allow Established connections"
/ip firewall filter add chain=input protocol=icmp action=accept \ comment="Allow ICMP"
/ip firewall filter add chain=input action=drop comment="Drop everything else"
/ip firewall filter add chain=input src-address=(SEU BLOCO DE IP) action=accept \ in-interface=!ether1
##### Proteção Customizada
/ip firewall filter add chain=forward protocol=tcp connection-state=invalid \ action=drop comment="drop invalid connections"
/ip firewall filter add chain=forward connection-state=established action=accept \ comment="allow already established connections"
/ip firewall filter add chain=forward connection-state=related action=accept \ comment="allow related connections"
##### Bloqueio de "Bogon IP Addresses"
/ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop
/ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop
/ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop
/ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop
/ip firewall filter add chain=forward src-address=224.0.0.0/3 action=drop
/ip firewall filter add chain=forward dst-address=224.0.0.0/3 action=drop
##### Marque "jumps" para novos "chains"
/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp
/ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp
/ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp
##### Cria tcp chain e nega tcp portas entrada
/ip firewall filter add chain=tcp protocol=tcp dst-port=69 action=drop \ comment="deny TFTP"
/ip firewall filter add chain=tcp protocol=tcp dst-port=111 action=drop \ comment="deny RPC portmapper"
/ip firewall filter add chain=tcp protocol=tcp dst-port=135 action=drop \ comment="deny RPC portmapper"
/ip firewall filter add chain=tcp protocol=tcp dst-port=137-139 action=drop \ comment="deny NBT"
/ip firewall filter add chain=tcp protocol=tcp dst-port=445 action=drop \ comment="deny cifs"
/ip firewall filter add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
/ip firewall filter add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
/ip firewall filter add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
/ip firewall filter add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
/ip firewall filter add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
##### Nega udp portas entrada udp chain:
/ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
/ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
/ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
/ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
/ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
/ip firewall filter add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
##### Permite todos needed icmp codes in icmp chain:
/ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0 action=accept \ comment="echo reply"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:0 action=accept \ comment="net unreachable"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:1 action=accept \ comment="host unreachable"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:4 action=accept \ comment="host unreachable fragmentation required"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=4:0 action=accept \ comment="allow source quench"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=8:0 action=accept \ comment="allow echo request"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=11:0 action=accept \ comment="allow time exceed"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=12:0 action=accept \ comment="allow parameter bad"
/ip firewall filter add chain=icmp action=drop comment="deny all other types"
##### Somente 10 FTP login incorrect
/ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \ comment="drop ftp brute forcers"
/ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
/ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \ address-list=ftp_blacklist address-list-timeout=3h
##### Somente 10 SSH login incorrect
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \ comment="drop ssh brute forcers" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \ address-list-timeout=10d comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \ address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \ action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \ address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
##### Bloqueio downstream access as well
/ip firewall filter add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \ comment="drop ssh brute downstream" disabled=no
##### Protege o Router para portas scanners
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
##### Protect DDoS
/tool torch
/ip firewall filter add chain=tcp protocol=tcp dst-port=53 in-interface=(NOME DE SUA INTERFACE DO LINK INTERNET) action=drop \ comment="Bloqueio Porta 53 By Grupo Sistemax"
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \ action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \ connection-limit=3,32 action=tarpit
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \ action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \ action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \ action=drop comment="" disabled=no
/ip firewall connection tracking set tcp-syncookie=yes
##### Detectar e bloquear Bad Hosts
/ip firewall rules add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list
Espero ter ajudado vocês.....
Se precisar de alguma consultoria lembre de contratar o GRUPO SISTEMAX DO BRASIL
Mais informações (somente pelos contatos abaixo):
E-Mail : comercial@gruposistemax.com.br
Fone : 0800-771-9449 (Somente de telefones fixos)
Quer Link Dedicado?
Veja nossa proposta em:
http://mk-auth.com.br/group/anuncios/forum/topics/link-barato-link-full-duplex-dedicado-aproveite-ofertas-v-lida-at
Respostas
acompanhando!
A vontade para copiar.
obrigado Mario...
parabens Luigi!
toda contribuição é bem vinda!
Parabens pelo post apesar de não utlizar por hora, mas é um conteudo muito interessante, obrigado por postar.
Nota aos usuários com baixo nível de conhecimento.
Atenção! A 4° regra "/ip firewall filter add chain=input action=drop comment="Drop everything else"" serve para bloquear o acesso ao MK via TCP IP, ou seja, se você faz a manutenção remota em seu MK, elimine essa regra, pois ela trava totalmente o acesso via TCP IP ao Mikrotik e só permite via CABO / MAC.
Abraços a todos.
estou presisando de ajuda me adciona no msn para combinarmos valores juliocbo@hotmail.com
A quem em interesse, presto serviço de consultoria por 1 Sálario minimo mês (ref 10 horas mensais) ou por 1/2 Sálario Minimo mês (ref 4 horas mensais)
MSN: mariodepira@hotmail.com
Eu tambem, kkkk
Mario Darruiz Junior disse:
Postagen nota 1000. estava com tentativas de invasão na porta ssh. mudei a porta mas o cara era chato. depois dessas
Somente 10 SSH login incorrect
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \ comment="drop ssh brute forcers" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \ address-list-timeout=10d comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \ address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \ action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \ address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
. nem vi mais tentativas... rsrs
vlw cara
-
1
-
2
-
3
-
4
-
5
de 6 Próximo