Защитна стена за микротик
admin
Drop port scanners
/ip firewall filter
# Port-scan detection for traffic aimed at the router itself (chain=input).
# Every detection rule is an add-src-to-address-list action, which is
# passthrough: the packet keeps traversing the chain. Only the final drop rule
# terminates, and it blocks a listed source for the 2w list timeout.
# NOTE(review): listing is keyed on the source address alone, so a scan with a
# spoofed source can get a third party - or your own management host - blocked
# for two weeks; an accept for trusted sources placed before these rules avoids
# that. IPv6 is not covered here (that would live under /ipv6 firewall filter).
# psd=21,3s,3,1 is (weight threshold, delay, low-port weight, high-port weight)
# per the RouterOS psd matcher.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1
# FIN alone, no other flag (nmap -sF).
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
# SYN together with FIN never occurs in a real handshake.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
# SYN together with RST, likewise bogus.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
# FIN+PSH+URG with SYN/RST/ACK clear (nmap -sX, "Xmas").
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
# All six flags set at once.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
# No flags at all (nmap -sN).
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Terminating rule: everything (any protocol) from a listed source is dropped.
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"





Bruteforce login prevention (FTP & SSH)

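/ip firewall filter
# ---- FTP: blacklist sources that cause too many failed logins on the router's FTP service ----
# Terminating rule: a blacklisted source cannot reach port 21 on the router at all.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"
# The router's FTP server answers a failed login with "530 Login incorrect"
# (FTP is cleartext, which is why a content match works at all).
# dst-limit=1/1m,9,dst-address/1m lets roughly ten such replies per minute per
# client pass this accept; only the overflow reaches the add-dst rule below,
# which blacklists that client for 3h.
# src-port=21 (added) restricts the content match to the FTP control channel
# instead of every TCP stream the router originates; it mirrors the dst-port=21
# of the drop rule above.
add chain=output action=accept protocol=tcp src-port=21 content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp src-port=21 content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

# ---- SSH: staged counter on new connections to the router's port 22 ----
# Terminating rule first, so a blacklisted source never reaches the stages.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
# The add-src rules are passthrough and the stages are tested highest first, so
# one new connection moves a source up exactly one stage: 1st -> ssh_stage1,
# 2nd -> ssh_stage2, 3rd -> ssh_stage3, 4th (all within the 1m stage timeouts)
# -> ssh_blacklist for 10d; the 5th and later are dropped by the rule above.
# Every new connection counts, successful logins included, so an admin opening
# several sessions in a minute locks themselves out; accept trusted management
# sources before these rules if that is a risk.
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

# Hosts behind the router: reuse the list to drop SSH transit from blacklisted
# sources. Only attacks on the router itself feed the list; brute force aimed
# directly at downstream hosts is not counted anywhere.
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute downstream" disabled=no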




TCP SYN flood

# SYN-flood mitigation in three independent pieces.
# NOTE(review): "LIMIT" below is a placeholder left in the original and will not
# parse; replace it with the number of concurrent tracked connections per source
# address above which the source gets listed for a day.
/ip firewall filter
# 1) Sources holding more than LIMIT tracked TCP connections (counted per /32)
#    are put in blocked-addr for 1d. add-src-to-address-list is passthrough.
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=input connection-limit=LIMIT,32 protocol=tcp
# 2) A listed source that still holds more than 3 connections is tarpitted: the
#    router completes the handshake and then holds the connection open, tying up
#    the client's resources instead of ours.
add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=blocked-addr
# 3) Rate-limit new SYNs transiting the router. limit=400,5 is roughly 400
#    packets per second with a burst of 5 on the RouterOS version this was
#    written for (newer versions spell it 400,5:packet - check that it parses).
#    The jump is disabled=yes, so the SYN-Protect chain does nothing until it is
#    enabled.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment="" connection-state=new disabled=no limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="" connection-state=new disabled=no protocol=tcp tcp-flags=syn
# SYN cookies let connection tracking ride out a SYN backlog overflow.
# NOTE(review): the full export further down this page sets tcp-syncookie=no;
# the two settings contradict each other, pick one.
/ip firewall connection tracking set tcp-syncookie=yes





Protecting your customers
Virus filter


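/ip firewall filter
# Transit (forward) filtering for customer traffic.
# Order matters: established/related flows are accepted before the jump, so the
# virus chain only ever sees the first packets of new flows.
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

# "virus" chain: destination ports used by the worms and backdoors of the day.
# Rules in a custom chain may be defined before the jump that reaches it.
# NOTE(review): 135-139/445 are also ordinary Windows file sharing, so this
# blocks legitimate SMB between customers as well (the export further down this
# page labels the same rules "not EXACTLY a virus").
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
# Description taken from the matching rule in the full export on this page.
add chain=virus protocol=tcp dst-port=593 action=drop comment="msblast worm"
# NOTE(review): the next two rules had no description in the original; confirm
# what they are meant to catch before keeping them (1024-1030 sits inside the
# ephemeral source-port range some clients use, so it can hit normal traffic).
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
# TCP only. NOTE(review): SQL Slammer spread over UDP/1434, which no rule in this
# chain covers - confirm and add a protocol=udp dst-port=1434 rule if wanted.
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
# The original listed 2745 twice ("Bagle Virus" and "Drop Beagle.C-K"); the
# second copy could never match, so the two are merged here.
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Bagle (Beagle.C-K)"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"

# Forward chain continues: the jump, then a permissive tail.
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
# These two accepts are redundant with "allow TCP" below; kept as found.
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
# Effective policy: all TCP, UDP and ICMP transit that survived the virus chain
# is allowed. The final drop only catches other IP protocols (GRE, ESP, ...),
# which may break VPN passthrough for customers - add accepts for those if needed.
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"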





Set up packet filtering

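/ip firewall filter
# Input chain: traffic addressed to the router itself. The chain is closed by a
# log+drop pair further down this page, so anything not accepted here (or by
# the trusted-source accepts that follow) is blocked.
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
# The original had "add chain=input protocol=udp action=accept" here, which
# exposes every UDP service enabled on the router (DNS cache, SNMP, ...) to any
# source on any interface. It has been removed: replies to the router's own UDP
# queries are already covered by the established rule, and the trusted LAN is
# accepted wholesale below. If the router must serve UDP to untrusted networks
# (a VPN endpoint, public DNS), accept exactly those ports instead, e.g.
#   add chain=input protocol=udp dst-port=<port> action=accept comment="<service>"
# ICMP is rate-limited rather than blocked: pings and path-MTU messages still
# work, floods do not.
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
# Management access, open to any source. The SSH brute-force rules from the
# earlier section only help if they sit before this accept; restricting both
# to trusted source addresses is the better fix.
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox"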




Edit these rules to reflect your actual IP addresses! Every source network accepted here reaches every service on the router, bypassing the final log-and-drop rules below, so list only networks you administer.

# Trusted sources accepted wholesale into the input chain (action=accept is the
# default and is spelled out here). Anything from these networks reaches every
# service on the router and skips the log+drop that closes the chain.
# The first network is the example the original came with, not yours.
add action=accept chain=input comment="From Mikrotikls network" src-address=159.148.172.192/28
add action=accept chain=input comment="From our private LAN" src-address=10.0.0.0/8




End of edit.
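# Final input-chain rules: log, then drop, whatever no earlier rule accepted.
# The log rule is now rate-limited with the same limit form the ICMP rule on
# this page uses, so a port scan or flood cannot fill the log and push out the
# entries you actually want (on newer RouterOS the form is limit=50/5s,2:packet).
add chain=input action=log log-prefix="DROP INPUT" limit=50/5s,2 comment="Log everything else"
add chain=input action=drop comment="Drop everything else"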





Redirect mail traffic to a specified server

/ip firewall nat
# Transparent SMTP interception: every TCP/25 packet that enters the router,
# from any interface and any source, is rewritten to 10.0.0.1:25.
# NOTE(review): with no in-interface or src-address match this also catches
# inbound mail aimed at the router's own address and at any port-forwarded
# server, and clients that authenticate or use STARTTLS with an outside relay
# will be talking to the wrong server (name/certificate mismatch). Narrow it to
# the customer interface or subnet if that is the intent.
add action=dst-nat chain=dstnat dst-port=25 protocol=tcp to-addresses=10.0.0.1 to-ports=25




FIREWALL

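/ip firewall connection tracking
# Connection-tracking tuning: short timeouts for half-open and closing TCP
# states and for UDP keep the table small under scans and floods, while
# tcp-established-timeout=1d keeps idle established sessions alive.
# tcp-syncookie is set to yes here, matching the "TCP SYN flood" section above;
# the original export had it off while that section turned it on, so the page
# contradicted itself. (On the Linux kernel RouterOS is built on, cookies only
# engage once the SYN backlog overflows - confirm for your version.)
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s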


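/ip firewall filter
# accept_list: services published on 192.168.11.10 (see the dst-nat rules that
# follow). Because the forward chain ends in "Allow All", this chain currently
# changes nothing; it only starts to matter once that catch-all becomes a drop.
add action=accept chain=accept_list comment="Forward HTTP to webserver" dst-address=192.168.11.10 dst-port=80 protocol=tcp
add action=accept chain=accept_list comment="Forward HTTPS to webserver" dst-address=192.168.11.10 dst-port=443 \
    protocol=tcp
add action=accept chain=accept_list comment="Forward FTP to Server" dst-address=192.168.11.10 dst-port=21 protocol=tcp
# The original also required src-port=3389 on this rule. RDP clients connect
# from an ephemeral source port, so that rule never matched a normal session;
# matching on the destination port alone is the working form.
add action=accept chain=accept_list comment="Forward RDP to Server" dst-address=192.168.11.10 dst-port=3389 protocol=tcp
# known_viruses: worm/backdoor ports dropped for transit traffic. 135-139/445
# are also ordinary Windows file sharing, as the comments admit.
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=tcp
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" dst-port=135-139 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" dst-port=445 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=593 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" dst-port=4444 protocol=tcp
add action=drop chain=known_viruses comment="WITTY worm" dst-port=4000 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=995-999 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" dst-port=8998 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=2745 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" dst-port=4751 protocol=tcp
# NOTE(review): SQL Slammer spread over UDP/1434; this rule only matches TCP.
# Confirm and add a protocol=udp twin if the intent is to stop Slammer.
add action=drop chain=known_viruses comment="SQL Slammer" dst-port=1434 protocol=tcp
# bad_people: a static list of individual source addresses from when this was
# written. Such lists go stale fast; an address list with a timeout, or a
# maintained feed, is easier to keep honest.
add action=drop chain=bad_people comment="Known Spammer" src-address=81.180.98.3
add action=drop chain=bad_people comment="Known Spammer" src-address=24.73.97.226
add action=drop chain=bad_people comment="http://isc.incidents.org/top10.html listed" src-address=67.75.20.112
add action=drop chain=bad_people src-address=218.104.138.166
add action=drop chain=bad_people src-address=212.3.250.194
add action=drop chain=bad_people src-address=203.94.243.191
add action=drop chain=bad_people src-address=202.101.235.100
add action=drop chain=bad_people src-address=58.16.228.42
add action=drop chain=bad_people src-address=58.248.8.2
add action=drop chain=bad_people src-address=202.99.11.99
add action=drop chain=bad_people src-address=218.52.237.219
add action=drop chain=bad_people src-address=222.173.101.157
add action=drop chain=bad_people src-address=58.242.34.235
add action=drop chain=bad_people src-address=222.80.184.23
# NOTE(review): this WiFi accept sits before the known_viruses/bad_people jumps
# and the SSH block, so 192.168.22.0/24 bypasses every forward filter below.
# Move it after the jumps unless the bypass is intended.
add action=accept chain=forward comment="Allow WIFI access to ALL" src-address=192.168.22.0/24
# Input chain: SSH staged brute-force detection and FTP "530" blacklisting, the
# same mechanism as the earlier sections of this page (see there for how the
# stages escalate). NOTE(review): this export has no terminating drop in the
# input chain, so apart from the two blacklists every router service is
# reachable from every interface.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new \
    dst-port=22 protocol=tcp
add action=drop chain=input comment="allows only 10 FTP login incorrect answers per minute" dst-port=21 protocol=tcp \
    src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login \
    incorrect" protocol=tcp
# Forward chain. The "DELETE" comments are the author's own to-do markers and
# are left as found.
add action=drop chain=forward comment="drop invalid connections DELETE" connection-state=invalid
# Drops all transit SSH, including LAN-to-Internet sessions, not just attacks.
add action=drop chain=forward comment="Blocks SSH" dst-port=22 protocol=tcp
add action=jump chain=forward comment="Known virus ports DELETE" jump-target=known_viruses
add action=jump chain=forward comment="kill known bad source addresses DELETE" jump-target=bad_people
add action=jump chain=forward comment="Jump to Accepted List" jump-target=accept_list
add action=accept chain=forward comment="allow established connections DELETE" connection-state=established
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related
# Effective forward policy: everything that survived the virus, bad_people and
# SSH rules is allowed, on every interface and in every direction.
add action=accept chain=forward comment="Allow All"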

/ip firewall nat
# Source NAT: only 192.168.11.0/24 is masqueraded.
# NOTE(review): the WiFi subnet 192.168.22.0/24 accepted in the forward chain
# has no srcnat rule here, so it is either routed with public addresses or
# cannot reach the Internet through this router - confirm which.
add action=masquerade chain=srcnat src-address=192.168.11.0/24
# Port forwards on the public address 24.16.119.193 to 192.168.11.10. Rule order
# does not matter here: the four destination ports are disjoint.
# NOTE(review): RDP (3389) and cleartext FTP (21) are exposed to the whole
# Internet with no source restriction and, unlike SSH on the router, with no
# brute-force throttling in the forward chain. Restrict them by src-address or
# put them behind a VPN if at all possible.
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=80 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=443 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=21 protocol=tcp to-addresses=192.168.11.10
add action=dst-nat chain=dstnat dst-address=24.16.119.193 dst-port=3389 protocol=tcp to-addresses=192.168.11.10





END :)
 
http://mrejata.us
pafkata86
браво това е много добър урок Smile
 