The following rules create an address list containing your management PC IP address, then allow the management ports (WINBOX, FTP, SSH, TELNET, etc.) only from that address list; all other IPs will not be able to reach these ports.
/ip firewall address-list
add list=management-servers address=10.10.0.1/24
/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop
A basic Mikrotik firewall script to secure the MT box from viruses and flooding. First copy the whole script below into Notepad, then read it carefully and add or remove any unnecessary rules. Some rules are commented out; modify them as per your requirements.
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
#### ALLOW VPN (PPTP) CONNECTIONS TO MIKROTIK VPN SERVER
#add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
#add action=accept chain=input disabled=no protocol=gre
#### TO BLOCK DNS ATTACK on WAN INTERFACE
#/ip firewall filter
#add chain=input action=drop dst-port=53 protocol=udp in-interface=ether1 # WAN INTERFACE
#add chain=input action=drop dst-port=53 protocol=tcp in-interface=ether1 # WAN INTERFACE
#### TO BLOCK PROXY ACCESS PORT 8080 / ATTACK on WAN INTERFACE
#add chain=input action=drop dst-port=8080 protocol=tcp in-interface=ether1 # WAN INTERFACE
#### TO BLOCK ICMP TRAFFIC EXCEPT FROM THE Management PC IP
# Blocking ICMP traffic saves you from many headaches
# add action=drop chain=input comment="DROP PING REPLY" disabled=no protocol=icmp src-address=!10.10.0.4
#### TO BLOCK TRACEROUTE TRAFFIC
#/ip firewall filter add action=drop chain=forward comment="Drop Traceroute" disabled=no icmp-options=11:0 protocol=icmp
# add action=drop chain=forward comment="" disabled=no icmp-options=3:3 protocol=icmp
# add action=drop chain=input comment="Disable ICMP ping" disabled=no protocol=icmp
#### TO BLOCK COMMON VIRUS PORTS
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
#Drop port scanners
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
#Bruteforce login prevention
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
#This will get an SSH brute forcer banned for 10 days after repetitive attempts.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
#If you want to block downstream access as well, you need to block them with the forward chain:
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
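As an added example (not part of the original script), here is a small Python model of how the staged ssh_stage1 to ssh_stage3 to ssh_blacklist lists above escalate an address. It assumes that filter rules are evaluated top to bottom, that add-src-to-address-list does not stop rule processing, and that re-adding an address already on a dynamic list refreshes its timeout; the source address and timestamps are constructed.

```python
from dataclasses import dataclass, field

MIN, DAY = 60, 86400

# (src-address-list the rule matches, list it adds to, timeout in seconds),
# in the order the rules appear in the script; None matches any source.
STAGES = [
    ("ssh_stage3", "ssh_blacklist", 10 * DAY),
    ("ssh_stage2", "ssh_stage3", 10 * MIN),
    ("ssh_stage1", "ssh_stage2", 10 * MIN),
    (None, "ssh_stage1", 1 * MIN),
]

@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {address: expiry time in seconds}."""
    lists: dict = field(default_factory=dict)

    def contains(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def add(self, name, addr, now, timeout):
        # ASSUMPTION: re-adding an address already on the list refreshes its timeout.
        self.lists.setdefault(name, {})[addr] = now + timeout

def new_ssh_connection(lists, addr, now):
    """Run one new TCP/22 connection from addr through the input chain and
    return "drop" if the blacklist rule fires, otherwise "accept".
    The add-src-to-address-list rules are non-terminating, so one packet can
    match several of them; checking the highest stage first is what stops a
    single packet from walking a fresh address straight to the blacklist."""
    if lists.contains("ssh_blacklist", addr, now):
        return "drop"
    for match_list, target, timeout in STAGES:
        if match_list is None or lists.contains(match_list, addr, now):
            lists.add(target, addr, now, timeout)
    return "accept"

def simulate(attempt_times, addr="203.0.113.10"):
    """Feed new-connection timestamps (seconds) from one constructed source
    address and return the verdict for each attempt."""
    lists = AddressLists()
    return [new_ssh_connection(lists, addr, t) for t in attempt_times]

# Four new connections within 30 s: the fourth is still accepted (the blacklist
# rule is checked before the address is added), the fifth is dropped.
print(simulate([0, 10, 20, 30, 40]))  # → ['accept', 'accept', 'accept', 'accept', 'drop']
```

Because the rules count new connections rather than failed logins, the model also shows an admin who opens four SSH sessions within ten minutes landing on ssh_blacklist, which is why an accept rule for the management address list from the first section belongs above these rules.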
A BETTER APPROACH TO BLOCKING PORTS!
/ip firewall mangle
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=prerouting connection-state=new disabled=no dst-port=445 limit=5,10 protocol=tcp
/ip firewall filter
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
The above rules allow 5 packets per second with a burst of 10, specific to new connections. The mangle rule puts an address on the list when it exceeds that limit. That way legitimate use isn't blocked, but something like a virus or worm sending out mass amounts of traffic is detected and stopped. It is a much more elegant solution than blocking a bunch of ports for all users. It also gives you a list of user IPs that need to clean up their PCs.
Mikrotik How to block Winbox Discovery + Limit Winbox Access
To hide your Mikrotik from appearing in the WINBOX scan neighbour list, and to limit WINBOX access to your admin PC only, use the following.
/tool mac-server
add disabled=yes interface=all
/tool mac-server ping
set enabled=no
/ip firewall filter
add action=drop chain=input comment="block mikrotik discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6
You can also disable Network Neighbor Discovery on the interface to which your network users are connected.
Example:
/ip neighbor discovery set ether1 discover=no
Personal Recommendation:
Always disable unnecessary services like FTP / SSH / TELNET etc., or if it is necessary to enable them, at least limit their access to specific PCs only.
Allow only WINBOX.
How-to Allow VPN (PPTP) Connections for Mikrotik VPN Server
PPTP uses the GRE protocol, so you have to allow IP protocol 47 (GRE), not just a TCP port. TCP port 1723 is the control connection, while the actual tunnel is GRE (protocol 47).
Example:
/ip firewall filter
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no protocol=gre
Make sure these rules are above any general DENY rule.
How to Block User MAC address
/ip firewall filter
add chain=input action=drop src-mac-address=74:EA:3A:F2:AF:90
Script to reboot router daily at 1:00am
First add a script which has the command to reboot the router, then simply schedule it to run daily at 1:00am at night, or whenever you like.
/system script
add name=sysreboot policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="/system reboot"
/system scheduler add name="rebootat1am" start-date="dec/04/2013" start-time="01:00:00" interval="1d" on-event="/system reboot"
# OR
/system scheduler add name="rebootat1am" start-date="dec/04/2013" start-time="01:00:00" interval="1d" on-event="sysreboot"