Sometimes, in MT logs, you will see that some IPs from the WAN/LAN try to log in to your MT box using SSH, Winbox etc. To secure your router, the best solution is to come up with a list of networks that should be allowed to access the router administratively, and block everything else. The following code might help you in this situation.
[Most rules are copied from Mikrotik Wiki's Articles]
The following rules create an address list containing your management PC's IP address, and then allow the management ports (FTP, SSH, TELNET, HTTP, HTTPS, WINBOX) from this address list only; all other IPs will not be able to reach these ports.
```
/ip firewall address-list
# a /24 here admits the whole management network; use a /32 to allow a single PC only
add list=management-servers address=10.10.0.1/24
/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop
```
It is strongly advised to DISABLE all unnecessary services on the MikroTik router, especially SSH/FTP, which are heavily used for brute-force attacks.
This reduces the attack surface of your router: the fewer services there are to attack, the less likely your router is to be compromised or overloaded.
Remotely accessible router services should be limited to a few addresses
This is a simple and very effective way of controlling who can attempt to access the MikroTik router. First check from which addresses or networks the MikroTik router will be administered. Then create firewall rules that only allow access to the router services from those management networks.
Deny all unwanted inbound traffic and allow only related traffic (***The best approach***)
By restricting inbound traffic to the router, you prevent services on the router from being accidentally opened up. Also, by restricting all types of services except for the services you know about and want, you prevent any services (that you may not be aware of) from being accessible remotely on the MikroTik router.
HOWTO PREVENT VIRUS / PORTS FLOODING?
A basic MikroTik firewall script to secure an MT box from viruses and flooding. First copy all contents of the script below to Notepad, then read it carefully and add or remove any unnecessary rules. Some rules are commented out; modify them as per your requirements.
```
##########################################################################
#### Remove HASH # sign if you want to apply the required rule          #
#### Syed Jahanzaib / aacable@hotmail.com / http://aacabel.wordpress.com #
##########################################################################
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
# note: this accepts every UDP packet addressed to the router itself; narrow it to the ports you need
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

#### ALLOW VPN (PPTP) CONNECTIONS TO MIKROTIK VPN SERVER
#add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
#add action=accept chain=input disabled=no protocol=gre

#### TO BLOCK DNS ATTACK on WAN INTERFACE (ether1 = WAN interface)
#add chain=input action=drop dst-port=53 protocol=udp in-interface=ether1
#add chain=input action=drop dst-port=53 protocol=tcp in-interface=ether1

#### TO BLOCK PROXY ACCESS PORT 8080 / ATTACK on WAN INTERFACE (ether1 = WAN interface)
#add chain=input action=drop dst-port=8080 protocol=tcp in-interface=ether1

#### TO BLOCK ICMP TRAFFIC EXCEPT FROM THE Management PC IP
# Blocking ICMP traffic saves you from many headaches
#add action=drop chain=input comment="DROP PING REPLY" disabled=no protocol=icmp src-address=!10.10.0.4

#### TO BLOCK TRACEROUTE TRAFFIC
#add action=drop chain=forward comment="Drop Traceroute" disabled=no icmp-options=11:0 protocol=icmp
#add action=drop chain=forward comment="" disabled=no icmp-options=3:3 protocol=icmp
#add action=drop chain=input comment="Disable ICMP ping" disabled=no protocol=icmp

#### TO BLOCK COMMON VIRUS PORTS
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

#### Drop port scanners (detection rules first, the drop rule last)
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

#### Bruteforce login prevention (FTP): a client that receives "530 Login incorrect" too often is blacklisted for 3h
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

#### Bruteforce login prevention (SSH): repeated new connections walk a source through
#### ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist, where it stays banned for 10 days
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

#### If you want to block downstream access as well, you need to block it in the forward chain:
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
```
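To show how the staged ssh_stage1/2/3 and ssh_blacklist rules above behave over time, here is an added Python model of those five input rules (example code written for this page, not the author's script or RouterOS itself). It assumes add-src-to-address-list is non-terminating and that re-adding an address already on a list does not refresh its timeout.

```python
# Timeouts copied from the page's SSH rules (address-list-timeout), in seconds.
LIST_TIMEOUT = {
    "ssh_stage1": 60,             # 1m
    "ssh_stage2": 600,            # 10m
    "ssh_stage3": 600,            # 10m
    "ssh_blacklist": 10 * 86400,  # 10d
}

class AddressLists:
    """Dynamic address lists: list name -> {address: expiry time in seconds}."""
    def __init__(self):
        self.lists = {name: {} for name in LIST_TIMEOUT}

    def contains(self, name, addr, now):
        expiry = self.lists[name].get(addr)
        return expiry is not None and expiry > now

    def add(self, name, addr, now):
        # Assumption: re-adding an address already on the list leaves its expiry unchanged.
        if not self.contains(name, addr, now):
            self.lists[name][addr] = now + LIST_TIMEOUT[name]

def ssh_new_connection(lists, src, now):
    """Run one new TCP/22 connection through the page's five input rules, in rule order.
    Returns "drop", or "accept" meaning the packet falls through to the rest of the chain."""
    if lists.contains("ssh_blacklist", src, now):
        return "drop"
    # add-src-to-address-list is non-terminating, so the later rules are still evaluated;
    # the stages are checked in reverse order so one attempt can advance at most one stage.
    if lists.contains("ssh_stage3", src, now):
        lists.add("ssh_blacklist", src, now)
    if lists.contains("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, now)
    if lists.contains("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, now)
    lists.add("ssh_stage1", src, now)
    return "accept"

def replay(attempts):
    """Replay (time_in_seconds, source_address) attempts; return the verdicts and final lists."""
    lists = AddressLists()
    verdicts = [ssh_new_connection(lists, src, t) for t, src in sorted(attempts)]
    return verdicts, lists

if __name__ == "__main__":
    # Constructed sample: five attempts in 20 seconds from one (documentation-range) address.
    verdicts, lists = replay([(t, "203.0.113.7") for t in (0, 5, 10, 15, 20)])
    print(verdicts)  # ['accept', 'accept', 'accept', 'accept', 'drop']
```

Four new connections inside the windows put the source on ssh_blacklist and the fifth is dropped; once an address has reached ssh_stage2 only the 10-minute windows matter, while a source that waits more than a minute between attempts never leaves ssh_stage1.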
A BETTER APPROACH ON BLOCKING PORTS!
```
/ip firewall mangle
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=prerouting connection-state=new disabled=no dst-port=445 limit=5,10 protocol=tcp
/ip firewall filter
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
```
The above rules allow 5 packets per second with a burst of 10, specific to new connections. The mangle rule puts addresses on a list when they exceed that limit. That way legitimate use isn't blocked, but something like a virus or worm sending out mass amounts of traffic will be detected and stopped. It's a much more elegant solution than blocking a bunch of ports for all users. It also gives you a list of user IPs whose PCs need to be cleaned up.
Mikrotik How to block Winbox Discovery + Limit Winbox Access
To hide your MikroTik from appearing in the WINBOX neighbour scan list, and to limit WINBOX access to your admin PC only, use the following.
```
/tool mac-server add disabled=yes interface=all
/tool mac-server ping set enabled=no
/ip firewall filter
add action=drop chain=input comment="block mikrotik discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6
```
You can also disable network neighbor discovery on the interface to which your network users are connected.
Example:
```
/ip neighbor discovery set ether1 discover=no
```
Always disable unnecessary services like FTP / SSH / TELNET etc., or if it is necessary to enable a service, at least limit its access to specific PCs only.
Allow only WINBOX.
How-to Allow VPN (PPTP) Connections for Mikrotik VPN Server
PPTP uses the GRE protocol; you have to allow IP protocol 47 (GRE), not just a TCP port. TCP port 1723 is the control connection, while the actual tunnel is GRE (protocol 47).
Example:
```
/ip firewall filter
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no protocol=gre
```
Howto Block Torrent / P2P
Blocking 100% of torrent traffic is impossible, as nowadays new torrent applications use encryption and it is nearly impossible to inspect the SSL traffic. I used Forefront TMG 2010, which is capable of inspecting SSL traffic to some extent. However, you can block basic torrent access by using the following.
{Modified for easy copy pasting, as we all love copy pasting, don't we? :p}
W A i T
Naveed ahmad