I've been seeing here on the forum that people have a lot of trouble with attacks...
Thinking of a way to put an end to these wars, I took the liberty of writing up some rules for you to use on your MKs.
Regards to all.
And if anyone needs (monthly) consulting, we are available.
Useful rules:
##### Router protection
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
/ip firewall filter add chain=input connection-state=established action=accept comment="Allow Established connections"
/ip firewall filter add chain=input protocol=icmp action=accept comment="Allow ICMP"
/ip firewall filter add chain=input src-address=(YOUR IP BLOCK) in-interface=!ether1 action=accept
/ip firewall filter add chain=input action=drop comment="Drop everything else"
##### Custom protection
/ip firewall filter add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
/ip firewall filter add chain=forward connection-state=established action=accept comment="allow already established connections"
/ip firewall filter add chain=forward connection-state=related action=accept comment="allow related connections"
##### Blocking "Bogon IP Addresses"
/ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop
/ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop
/ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop
/ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop
/ip firewall filter add chain=forward src-address=224.0.0.0/3 action=drop
/ip firewall filter add chain=forward dst-address=224.0.0.0/3 action=drop
##### Add jumps to new chains
/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp
/ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp
/ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp
##### Create the tcp chain and deny inbound tcp ports
/ip firewall filter add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
/ip firewall filter add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
/ip firewall filter add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
/ip firewall filter add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
/ip firewall filter add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
/ip firewall filter add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
/ip firewall filter add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
/ip firewall filter add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
/ip firewall filter add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
/ip firewall filter add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
##### Deny inbound udp ports in the udp chain:
/ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
/ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
/ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
/ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
/ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
/ip firewall filter add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
##### Allow all needed icmp codes in the icmp chain:
/ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
/ip firewall filter add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
/ip firewall filter add chain=icmp action=drop comment="deny all other types"
##### Only 10 incorrect FTP logins
/ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
/ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
/ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
##### Only 10 incorrect SSH logins
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
##### Block downstream access as well
/ip firewall filter add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
##### Protect the router against port scanners
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
##### DDoS protection
/tool torch
/ip firewall filter add chain=tcp protocol=tcp dst-port=53 in-interface=(NAME OF YOUR INTERNET LINK INTERFACE) action=drop comment="Bloqueio Porta 53 By Grupo Sistemax"
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no
/ip firewall connection tracking set tcp-syncookie=yes
##### Detect and block bad hosts
/ip firewall filter add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list
I hope this helped you.....
If you need any consulting, remember to hire GRUPO SISTEMAX DO BRASIL
More information (only via the contacts below):
E-Mail : comercial@gruposistemax.com.br
Phone : 0800-771-9449 (Landlines only)
Want a Dedicated Link?
See our offer at:
http://mk-auth.com.br/group/anuncios/forum/topics/link-barato-link-full-duplex-dedicado-aproveite-ofertas-v-lida-at
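As an added illustration (not part of the original post, and not RouterOS code), a small Python model of the staged ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist lists from the "Only 10 incorrect SSH logins" block, showing why the order of those rules matters. It assumes that add-src-to-address-list is a non-terminating action (the packet continues to the next rule) and that re-adding an address to a list refreshes its timeout; the IP addresses and timings are constructed samples.

```python
from collections import defaultdict

# Added example (not RouterOS code): a minimal model of the post's staged
# ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist address lists.
# Assumptions: add-src-to-address-list does not terminate rule processing,
# and re-adding an address to a list refreshes its timeout.
STAGES = [  # (list checked, list added to, timeout in seconds), top-down as posted
    ("ssh_stage3", "ssh_blacklist", 10 * 24 * 3600),
    ("ssh_stage2", "ssh_stage3", 60),
    ("ssh_stage1", "ssh_stage2", 60),
    (None, "ssh_stage1", 60),  # every new connection lands in stage1
]

class AddressLists:
    """Named lists of address -> expiry time, like /ip firewall address-list."""
    def __init__(self):
        self.lists = defaultdict(dict)

    def contains(self, name, addr, now):
        expiry = self.lists[name].get(addr)
        if expiry is None:
            return False
        if expiry <= now:  # timed out: RouterOS would already have removed it
            del self.lists[name][addr]
            return False
        return True

    def add(self, name, addr, now, timeout):
        self.lists[name][addr] = now + timeout

def new_ssh_connection(lists, src, now):
    """Run one connection-state=new packet to tcp/22 through the input rules."""
    if lists.contains("ssh_blacklist", src, now):
        return "drop"  # first rule of the block: drop ssh brute forcers
    for checked, added, timeout in STAGES:
        if checked is None or lists.contains(checked, src, now):
            lists.add(added, src, now, timeout)
    return "accept"  # no terminating rule matched here; later rules decide

def simulate(src, attempt_times):
    """Verdict for each new SSH connection from src at the given times (seconds)."""
    lists = AddressLists()
    return [new_ssh_connection(lists, src, t) for t in attempt_times]

if __name__ == "__main__":
    # Constructed samples: four quick connections then a fifth; a slow client
    print(simulate("203.0.113.7", [0, 10, 20, 30, 40]))  # 4x accept, then drop
    print(simulate("198.51.100.9", [0, 90, 180, 270]))  # never escalates
```

Because each stage lasts only 1m, a client that opens new SSH connections more slowly than once a minute never climbs past ssh_stage1, while four new connections inside a minute put the source into ssh_blacklist for 10d.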
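A second added illustration (again not part of the original post, and not RouterOS code): how the tcp-flags= matcher used by the "port scanners" rules reads a packet's flag set. A bare flag name must be set, a "!"-prefixed name must be clear, and flags not mentioned are ignored; the packet samples below are constructed.

```python
# Added example (not RouterOS code): how the tcp-flags= matcher in the
# "port scanners" rules reads a packet's flags. A bare flag name must be set,
# a "!"-prefixed name must be clear, and flags not mentioned are ignored.
FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# The six tcp-flags rules from the post, in their posted order, with their comments.
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]

def parse_tcp_flags(spec):
    """Split a tcp-flags= value into (must_be_set, must_be_clear) sets."""
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        token = token.strip().lower()
        if token.startswith("!"):
            must_clear.add(token[1:])
        else:
            must_set.add(token)
    unknown = (must_set | must_clear) - set(FLAGS)
    if unknown:
        raise ValueError(f"unknown tcp flag(s): {sorted(unknown)}")
    return must_set, must_clear

def flags_match(spec, packet_flags):
    """True if a packet carrying exactly packet_flags satisfies the spec."""
    must_set, must_clear = parse_tcp_flags(spec)
    present = set(packet_flags)
    return must_set <= present and not (must_clear & present)

def matching_rules(packet_flags):
    """Comments of every rule the packet hits. All of them use add-src-to-address-list,
    which is non-terminating, so one packet can be counted by more than one rule."""
    return [comment for spec, comment in SCAN_RULES if flags_match(spec, packet_flags)]

if __name__ == "__main__":
    # Constructed samples: ordinary handshake packets and a few scan probes
    for name, flags in [("SYN", {"syn"}), ("SYN/ACK", {"syn", "ack"}),
                        ("FIN probe", {"fin"}), ("NULL probe", set()),
                        ("XMAS probe", {"fin", "psh", "urg"}), ("all flags", set(FLAGS))]:
        print(f"{name:10s} -> {matching_rules(flags)}")
```

A normal SYN or SYN/ACK matches none of the six rules, so ordinary handshakes never land an address in the "port scanners" list; only the psd rule above them reacts to plain connection attempts.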
Replies
If it's mine: 15996213328
I sent you an email but it replied that the address doesn't exist; do you have a WhatsApp for hiring the services?
https://youtu.be/_nA8fvIxoDE
Here's the thing
Enough idle talk, I have better things to do.
just so you know, I don't have only one network, nor do I use these tools on a restricted network of up to 2000 clients....
Do the following: locate, detect and make it happen, who knows, maybe I'll hire you as a defense employee for my network.....
That is, if you're really good.... ok?
Regards, partner.
If you need maintenance or anything on your network, get in touch
P.S. Just one detail, put your face in the photo there, partner, take off that penguin mask lol.....
Oooh..... Big shot...... I'm so scared...... if you want, I have more than enough means to visit you in SC...... hahahaha
jeferson luiz rosa said:
Please define what you understood about the limit of 400 in the rule ...
I believe everyone on the forum is waiting for your answer.
Regards.
jeferson luiz rosa said:
post the IP of your mikrotik and I'll show you how the network will go down!
I can take it down with 1mb of link or with 300mb, whichever you prefer!!!
Dear Jeferson,
Looking for something to do... ?????
Give me one good reason to post a complete rule set on the forum ???
Well, let me think.... I know, so that people like the many out there can come, copy the rules, save them in a txt and charge peanuts to other providers who don't know how to do it....
Hahaha Sorry, buddy...... cheers.
Keep looking... ok... see ya
oh and another thing! Port "53" is udp and I say it again, the service stops completely!
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
with the limit of 400, that is, if the attack is bigger than 400 lol that's it!! the rule itself already creates a DDOS on the network.