
Port Flooding Mikrotik

The document provides instructions for configuring a firewall to block common virus ports and protocols, detect and block port scanners, and prevent brute force attacks on FTP and SSH logins. Specific firewall rules are listed to drop traffic on ports associated with viruses, add port scanners and brute forcers to address lists for blocking, and implement multi-stage blocking of SSH login attempts. The document also includes recommendations for limiting MikroTik discovery protocols and restricting Winbox access.
Copyright
© Attribution Non-Commercial (BY-NC)
=====PREVENT VIRUS / PORTS FLOODING=====
========================================
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
# Caution: this accepts every UDP datagram addressed to the router itself. RouterOS stops
# at the first terminating rule that matches, so this rule also shadows the udp/5678
# "block mikrotik discovery" and udp/20561 MAC-Winbox drop rules added to the input chain
# further down. Either drop it or move those drop rules above it.
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
# Blocking ICMP Traffic, saves you from many headaches
# Note: as ordered, every ICMP packet has already been accepted or dropped by the two rules
# above, so this rule is never reached. Place it before them if only 10.10.0.4 should be
# allowed to ping the router.
add action=drop chain=input comment="DROP PING REPLY" disabled=no protocol=icmp src-address=!10.10.0.4
# Blocking Common Virus Ports
# These rules are applied to traffic passing THROUGH the router (forward chain, via the
# jump below). tcp/445 is SMB and tcp/1024-1030 overlaps a range some systems use for
# ephemeral ports, so expect legitimate traffic to be dropped as well.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

#Drop port scanners
# add-src-to-address-list is a passthrough action: the scanner is recorded and evaluation
# continues, so the final drop rule is what actually blocks listed sources (for two weeks).
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

#Bruteforce login prevention
# The two output-chain rules inspect the router's own plain-text FTP replies, so they only
# protect the RouterOS FTP service: up to 10 "530 Login incorrect" replies per minute per
# client are tolerated, after that the client is blacklisted for 3 hours.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

# This bans an SSH brute forcer for 3 days once it opens a fourth new connection to
# port 22 within the one-minute stage windows. Keep the rules in exactly this order:
# add-src-to-address-list is passthrough, so listed from stage3 down to stage1 a single
# connection advances only one stage per attempt. In the reverse order one connection
# would climb every stage at once and be blacklisted immediately.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=3d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

#If you want to block downstream access as well, you need to block them with the forward chain:
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no

=====A BETTER APPROACH ON BLOCKING PORTS=====
=============================================
/ip firewall mangle
# The limit matcher matches packets that are WITHIN the configured rate, so a single
# add-src-to-address-list rule with limit=5,10 would list every host while it is under
# the limit. Let the first rule consume the allowed rate (5 new tcp/445 connections per
# second, burst 10); only the excess reaches the second rule and gets its source listed.
# Note that limit is an aggregate counter, not per source host.
add action=accept chain=prerouting connection-state=new disabled=no dst-port=445 protocol=tcp limit=5,10
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=prerouting connection-state=new disabled=no dst-port=445 protocol=tcp

/ip firewall filter
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445

=====block Winbox Discovery + Limit Winbox Access=====
======================================================
/tool mac-server
add disabled=yes interface=all
/tool mac-server ping
set enabled=no
# On RouterOS 6.41 and later the MAC server is configured with interface lists instead:
#   /tool mac-server set allowed-interface-list=none
#   /tool mac-server mac-winbox set allowed-interface-list=none
#   /ip neighbor discovery-settings set discover-interface-list=none

/ip firewall filter
add action=drop chain=input comment="block mikrotik discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6
====================================================
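The staged ssh_stage1/2/3 rules above and the interaction between the "accept all UDP" input rule and the later udp/5678 discovery drop both depend on how RouterOS walks a chain: rules are tried top to bottom, accept and drop end evaluation, add-src-to-address-list is passthrough, address-list entries expire after their timeout, and a packet no rule matches is accepted. The following model is an added example, not part of the original page or of RouterOS; it replays the page's rules against constructed traffic (the source addresses 203.0.113.7 and 192.0.2.9 are made up) so you can see how many connections reach the blacklist, what the rule order does, and why the UDP accept shadows the drop.

```python
"""Model of RouterOS firewall-chain evaluation: first terminating match wins,
add-src-to-address-list is passthrough, address-list entries expire after
their timeout, default verdict is accept. Time is a float of seconds so the
one-minute stage windows and the three-day blacklist can be exercised offline.
Added example; the RouterOS rules it replays are the ones on this page."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                          # "accept", "drop" or "add-src-to-address-list"
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[str] = None
    src_address_list: Optional[str] = None
    address_list: Optional[str] = None   # list written to by add-src-to-address-list
    address_list_timeout: float = 0.0    # seconds


@dataclass
class Packet:
    src: str
    protocol: str
    dst_port: int
    connection_state: str = "new"
    time: float = 0.0


class Chain:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.lists: Dict[str, Dict[str, float]] = {}  # list name -> {address: expiry}

    def _listed(self, name: str, addr: str, now: float) -> bool:
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def _matches(self, r: Rule, p: Packet) -> bool:
        return ((r.protocol is None or r.protocol == p.protocol)
                and (r.dst_port is None or r.dst_port == p.dst_port)
                and (r.connection_state is None or r.connection_state == p.connection_state)
                and (r.src_address_list is None
                     or self._listed(r.src_address_list, p.src, p.time)))

    def process(self, p: Packet) -> str:
        for r in self.rules:
            if not self._matches(r, p):
                continue
            if r.action in ("accept", "drop"):
                return r.action
            # passthrough: record the source, then keep evaluating the following rules
            self.lists.setdefault(r.address_list, {})[p.src] = p.time + r.address_list_timeout
        return "accept"  # RouterOS default when no rule matches


def ssh_rules(reversed_order: bool = False) -> List[Rule]:
    """The page's staged SSH rules: stage lists live 1 minute, the blacklist 3 days."""
    stages = [
        Rule("add-src-to-address-list", "tcp", 22, "new", "ssh_stage3", "ssh_blacklist", 3 * 86400),
        Rule("add-src-to-address-list", "tcp", 22, "new", "ssh_stage2", "ssh_stage3", 60),
        Rule("add-src-to-address-list", "tcp", 22, "new", "ssh_stage1", "ssh_stage2", 60),
        Rule("add-src-to-address-list", "tcp", 22, "new", None, "ssh_stage1", 60),
    ]
    if reversed_order:  # stage1 rule first: one connection climbs every stage at once
        stages.reverse()
    return [Rule("drop", "tcp", 22, None, "ssh_blacklist")] + stages


def simulate_ssh(attempt_times: List[float], reversed_order: bool = False,
                 src: str = "203.0.113.7") -> List[str]:
    """Verdict for each new SSH connection from one constructed source address."""
    chain = Chain(ssh_rules(reversed_order))
    return [chain.process(Packet(src, "tcp", 22, "new", t)) for t in attempt_times]


def discovery_verdict(udp_accept_first: bool) -> str:
    """The page's 'accept all UDP' input rule against its later udp/5678 drop."""
    accept_udp = Rule("accept", "udp")
    drop_mndp = Rule("drop", "udp", 5678)
    rules = [accept_udp, drop_mndp] if udp_accept_first else [drop_mndp, accept_udp]
    return Chain(rules).process(Packet("192.0.2.9", "udp", 5678))


if __name__ == "__main__":
    print("page order, 5 attempts in 40 s:", simulate_ssh([0, 10, 20, 30, 40]))
    print("reversed order:", simulate_ssh([0, 10, 20, 30, 40], reversed_order=True))
    print("attempts 2 min apart:", simulate_ssh([0, 120, 240, 360, 480]))
    print("udp/5678 with accept-all-UDP first:", discovery_verdict(True))
```

With the page's order, four new connections within the stage windows pass and the fifth is dropped; with the stage rules reversed, the very first connection lands in ssh_blacklist and the second is already dropped; attempts spaced two minutes apart never escalate because each stage entry has expired before the next attempt. The UDP case shows the input chain returning "accept" for an MNDP discovery packet as long as the accept-all-UDP rule precedes the drop.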
