Estive vendo aqui no forum que o pessoal tem muito problema com ataques...

 

 

Pensando em uma forma de acabar com essas guerras, tomei a liberdade de escrever algumas regras para vocês utilizarem nos MKs.

 

Abraços a todos.

 

E se alguém precisar de consultoria (mensal) estamos a disposição.

 

Regras interessantes:

 

##### Proteção do router


/ip firewall filter add chain=input connection-state=invalid action=drop \ comment="Drop Invalid connections"


/ip firewall filter add chain=input connection-state=established action=accept \ comment="Allow Established connections"


/ip firewall filter add chain=input protocol=icmp action=accept \ comment="Allow ICMP"

/ip firewall filter add chain=input action=drop comment="Drop everything else"

/ip firewall filter add chain=input src-address=(SEU BLOCO DE IP) action=accept \ in-interface=!ether1


##### Proteção Customizada

/ip firewall filter add chain=forward protocol=tcp connection-state=invalid \ action=drop comment="drop invalid connections"


/ip firewall filter add chain=forward connection-state=established action=accept \ comment="allow already established connections"

/ip firewall filter add chain=forward connection-state=related action=accept \ comment="allow related connections"

 

##### Bloqueio de "Bogon IP Addresses"

/ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop


/ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop

/ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop

/ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop

/ip firewall filter add chain=forward src-address=224.0.0.0/3 action=drop

/ip firewall filter add chain=forward dst-address=224.0.0.0/3 action=drop

 

 

##### Marque "jumps" para novos "chains"

/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp 


/ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp 

/ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp

 

 

##### Cria tcp chain e nega tcp portas entrada

/ip firewall filter add chain=tcp protocol=tcp dst-port=69 action=drop \ comment="deny TFTP"

/ip firewall filter add chain=tcp protocol=tcp dst-port=111 action=drop \ comment="deny RPC portmapper" 

/ip firewall filter add chain=tcp protocol=tcp dst-port=135 action=drop \ comment="deny RPC portmapper" 

/ip firewall filter add chain=tcp protocol=tcp dst-port=137-139 action=drop \ comment="deny NBT" 

/ip firewall filter add chain=tcp protocol=tcp dst-port=445 action=drop \ comment="deny cifs" 

/ip firewall filter add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" 

/ip firewall filter add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" 

/ip firewall filter add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" 

/ip firewall filter add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice" 

/ip firewall filter add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

 

 

##### Nega udp portas entrada udp chain:

 /ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" 

/ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper" 

/ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper" 

/ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" 

/ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" 

/ip firewall filter add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

 

##### Permite todos needed icmp codes in icmp chain:

/ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0 action=accept \ comment="echo reply" 


/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:0 action=accept \ comment="net unreachable" 

/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:1 action=accept \ comment="host unreachable"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:4 action=accept \ comment="host unreachable fragmentation required" 

/ip firewall filter add chain=icmp protocol=icmp icmp-options=4:0 action=accept \ comment="allow source quench" 

/ip firewall filter add chain=icmp protocol=icmp icmp-options=8:0 action=accept \ comment="allow echo request" 

/ip firewall filter add chain=icmp protocol=icmp icmp-options=11:0 action=accept \ comment="allow time exceed" 

/ip firewall filter add chain=icmp protocol=icmp icmp-options=12:0 action=accept \ comment="allow parameter bad" 

/ip firewall filter add chain=icmp action=drop comment="deny all other types"

 

##### Somente 10 FTP login incorrect

/ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \ comment="drop ftp brute forcers"

/ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

/ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \ address-list=ftp_blacklist address-list-timeout=3h


##### Somente 10 SSH login incorrect

/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \ comment="drop ssh brute forcers" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \ address-list-timeout=10d comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \ address-list-timeout=1m comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \ action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \ address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

 

##### Bloqueio downstream access as well

/ip firewall filter add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \ comment="drop ssh brute downstream" disabled=no


##### Protege o Router para portas scanners

/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no


/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

##### Protect DDoS

/tool torch

/ip firewall filter add chain=tcp protocol=tcp dst-port=53 in-interface=(NOME DE SUA INTERFACE DO LINK INTERNET) action=drop \ comment="Bloqueio Porta 53 By Grupo Sistemax"

/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \ action=add-src-to-address-list  address-list=blocked-addr address-list-timeout=1d

/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \ connection-limit=3,32 action=tarpit

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \ action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes

/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \ action=accept comment="" disabled=no

/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \ action=drop comment="" disabled=no

/ip firewall connection tracking set tcp-syncookie=yes

 

##### Detectar e bloquear Bad Hosts

/ip firewall rules add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list

 

Espero ter ajudado vocês.....

 

Se precisar de alguma consultoria lembre de contratar o GRUPO SISTEMAX DO BRASIL

Mais informações (somente pelos contatos abaixo):


E-Mail   :  comercial@gruposistemax.com.br

Fone      :  0800-771-9449 (Somente de telefones fixos)

 

Quer Link Dedicado?
Veja nossa proposta em:
http://mk-auth.com.br/group/anuncios/forum/topics/link-barato-link-full-duplex-dedicado-aproveite-ofertas-v-lida-at

Para adicionar comentários, você deve ser membro de MK-AUTH.

Join MK-AUTH

Enviar-me um email quando as pessoas responderem –

Respostas

  • acompanhando!

  • A vontade para copiar.

  • obrigado Mario...

  • parabens Luigi!

    toda contribuição é bem vinda!

  • Parabens pelo post apesar de não utlizar por hora, mas é um conteudo muito interessante, obrigado por postar.

  • Nota aos usuários com baixo nível de conhecimento.

     

    Atenção! A 4° regra "/ip firewall filter add chain=input action=drop comment="Drop everything else"" serve para bloquear o acesso ao MK via TCP IP, ou seja, se você faz a manutenção remota em seu MK, elimine essa regra, pois ela trava totalmente o acesso via TCP IP ao Mikrotik e só permite via CABO / MAC.

     

    Abraços a todos.

  • estou presisando de ajuda me adciona no msn para combinarmos valores juliocbo@hotmail.com

  • A quem em interesse, presto serviço de consultoria por 1 Sálario minimo mês (ref 10 horas mensais) ou por 1/2 Sálario Minimo mês (ref 4 horas mensais)

     

    MSN: mariodepira@hotmail.com

     

  • Eu tambem, kkkk

    Mario Darruiz Junior disse:

    A quem em interesse, presto serviço de consultoria por 1 Sálario minimo mês (ref 10 horas mensais) ou por 1/2 Sálario Minimo mês (ref 4 horas mensais)

     

    MSN: mariodepira@hotmail.com

     

  • Postagen nota 1000. estava com tentativas de invasão na porta ssh. mudei a porta mas o cara era chato. depois dessas

    Somente 10 SSH login incorrect

    /ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \ comment="drop ssh brute forcers" disabled=no

    /ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \ address-list-timeout=10d comment="" disabled=no

    /ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \ address-list-timeout=1m comment="" disabled=no

    /ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \ action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

    /ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \ address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

     

     . nem vi mais tentativas... rsrs

     

    vlw cara

This reply was deleted.