Mikrotik Filter Protect


# Interface list "Internet" groups the WAN-facing PPPoE uplinks. Filter rules
# further down use in-interface-list=Internet to limit detection to traffic
# arriving from the WAN side.
/interface list add name=Internet
/interface list member add interface=PPPoE-01 list=Internet
/interface list member add interface=PPPoE-02 list=Internet

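# Mangle: tag sources that open new TCP/445 (SMB) connections seen in prerouting
# into Worm-Infected-p445 for 1d; the forward-chain drop below acts on that list.
# NOTE(review): in RouterOS the limit matcher matches packets *within* the rate
# (here up to 5/s, burst 10), so presumably any source opening a new 445
# connection is tagged, not only high-rate ones - confirm this is the intent.
# String values must use ASCII double quotes; the published listing carried
# typographic quotes, which RouterOS does not accept as delimiters.
/ip firewall mangle
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1d chain=prerouting comment="Find Drop Worm Infected add llist" connection-state=new dst-port=445 limit=5,10 protocol=tcp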

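# Base filter: rate-limited ICMP, stateful accept/drop, and (disabled)
# service-port accepts. Typographic quotes from the published listing are
# replaced with ASCII " so the rules import cleanly.
/ip firewall filter
# ICMP to the router: accept up to 10 pkt/s (burst 32); anything beyond that
# tags the source into icmp-attack for 1d, and listed sources are then dropped
# on input and forward.
add action=accept chain=input comment="Allow rate-limited icmp" limit=10,32:packet protocol=icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=1d chain=input protocol=icmp
add action=drop chain=input protocol=icmp src-address-list=icmp-attack
add action=drop chain=forward protocol=icmp src-address-list=icmp-attack
add action=accept chain=input comment="Allow input established related" connection-state=established
add action=accept chain=input connection-state=related
# Service-port accepts ship disabled. NOTE(review): as exported, the input
# chain has no final default-deny (the port-knocking drop further down is also
# disabled), so router services remain reachable from any interface unless a
# blacklist matches. When enabling these, restrict management ports such as
# 8291 (Winbox) with in-interface-list=!Internet and add a trailing drop.
# The duplicate 8099 entry in the TCP port list is removed; match set is unchanged.
add action=accept chain=input comment="Allow local service ports" disabled=yes dst-port=53,80-82,90-99,554,8099,8291,34567 protocol=tcp
add action=accept chain=input disabled=yes dst-port=53,90-99,554,8099,34567 protocol=udp
add action=drop chain=input comment="Drop invalid input" connection-state=invalid
add action=accept chain=forward comment="Allow forward established related" connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward comment="Drop invalid forward" connection-state=invalid
add action=accept chain=output comment="Allow output established related" connection-state=established
add action=accept chain=output connection-state=related
add action=drop chain=output comment="Drop invalid output" connection-state=invalid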
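# Port knocking (disabled): knock TCP/1234 then TCP/4321 within 1m to be
# accepted on input for 1d; all other new input hits the trailing drop.
# Fix: the second-stage list was misspelled "Port-nocking-second" in the
# original, so the accept rule referencing Port-knocking-second could never
# match. Both rules now use the same name.
# Enabling this set means every new connection to the router, including
# management, requires the knock sequence first.
add action=add-src-to-address-list address-list=Port-knocking-first address-list-timeout=1m chain=input comment="Port knocking security" disabled=yes dst-port=1234 protocol=tcp
add action=add-src-to-address-list address-list=Port-knocking-second address-list-timeout=1d chain=input disabled=yes dst-port=4321 protocol=tcp src-address-list=Port-knocking-first
add action=accept chain=input disabled=yes src-address-list=Port-knocking-second
add action=drop chain=input disabled=yes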
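# DNS amplification guard: sources sending DNS queries to the router's own
# resolver are tagged into Block-dns-attack for 1d and dropped.
# Fix: the All-Network exemption list is never created by this script, and a
# negated match against a missing/empty list presumably matches every source,
# so LAN clients using the router as resolver would be blacklisted for a day.
# in-interface-list=Internet is added so only WAN-sourced queries are tagged;
# populate All-Network (/ip firewall address-list) with trusted prefixes to
# keep the original exemption as well.
add action=drop chain=input comment="Prevent DNS amplification attack" src-address-list=Block-dns-attack
add action=add-src-to-address-list address-list=Block-dns-attack address-list-timeout=1d chain=input dst-port=53 in-interface-list=Internet protocol=udp src-address-list=!All-Network
add action=add-src-to-address-list address-list=Block-dns-attack address-list-timeout=1d chain=input dst-port=53 in-interface-list=Internet protocol=tcp src-address-list=!All-Network
# Second drop catches the very packet that just triggered the listing.
add action=drop chain=input src-address-list=Block-dns-attack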
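# Port-scan detection on input: RouterOS psd heuristics plus classic
# malformed TCP flag combinations tag the source into "port scanners" for 1d;
# the trailing drop discards listed sources (including the triggering packet).
# ASCII quotes restored; the FIN-scan rule's line continuation is joined.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" src-address-list="port scanners"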
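# Generic management-port probe staging, WAN side only (in-interface-list=Internet):
# each new connection to the listed ports advances the source one stage
# (stage lists expire after 1m); a further hit from stage3 lands it in
# hack_blacklist for 1d, which is dropped on all input. Rules are ordered
# blacklist -> stage3 -> stage2 -> stage1 so a single packet advances one
# stage only. ASCII quotes restored; continuation lines joined.
add action=drop chain=input comment="Drop scan port" src-address-list=hack_blacklist
add action=add-src-to-address-list address-list=hack_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=21,22,23,80,81,2000,8291,8728 in-interface-list=Internet protocol=tcp src-address-list=hack_scan3
add action=add-src-to-address-list address-list=hack_scan3 address-list-timeout=1m chain=input connection-state=new dst-port=21,22,23,80,81,2000,8291,8728 in-interface-list=Internet protocol=tcp src-address-list=hack_scan2
add action=add-src-to-address-list address-list=hack_scan2 address-list-timeout=1m chain=input connection-state=new dst-port=21,22,23,80,81,2000,8291,8728 in-interface-list=Internet protocol=tcp src-address-list=hack_scan1
add action=add-src-to-address-list address-list=hack_scan1 address-list-timeout=1m chain=input connection-state=new dst-port=21,22,23,80,81,2000,8291,8728 in-interface-list=Internet protocol=tcp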
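# FTP brute-force guard: the router's own FTP server's "530 Login incorrect"
# replies are counted per destination in the output chain; once a client
# exceeds the dst-limit (1/1m, burst 9) it is added to ftp_blacklist for 1d and
# its TCP/21 input is dropped. ASCII quotes restored.
add action=drop chain=input comment="Drop Bruteforce login prevention" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=1d chain=output content="530 Login incorrect" protocol=tcp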
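# SSH brute-force staging on TCP/22: stage1 (1m) -> stage2 (10m) -> stage3 (10m)
# -> ssh_blacklist (1d). Listed sources are dropped on input and, unlike the
# other stagings here, also on forward. Note these rules carry no
# in-interface-list, so LAN sources can be staged too. ASCII quotes restored.
add action=drop chain=input comment="Drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="Drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist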
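# Telnet brute-force staging on TCP/23: three new connections within 1m
# escalate stage1 -> stage3; the next lands the source in telnet_blacklist for
# 1d, dropped on input. No in-interface-list, so LAN sources are staged too.
# ASCII quotes restored.
add action=drop chain=input comment="Drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp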
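# HTTP (80,81) brute-force staging, WAN side only (in-interface-list=Internet):
# stage1 -> stage3 expire after 1m; the next hit lands the source in
# http_blacklist for 1d, dropped on input. ASCII quotes restored; continuation
# lines joined.
add action=drop chain=input comment="Drop http brute forcers" dst-port=80,81 protocol=tcp src-address-list=http_blacklist
add action=add-src-to-address-list address-list=http_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=80,81 in-interface-list=Internet protocol=tcp src-address-list=http_stage3
add action=add-src-to-address-list address-list=http_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=80,81 in-interface-list=Internet protocol=tcp src-address-list=http_stage2
add action=add-src-to-address-list address-list=http_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=80,81 in-interface-list=Internet protocol=tcp src-address-list=http_stage1
add action=add-src-to-address-list address-list=http_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=80,81 in-interface-list=Internet protocol=tcp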
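# Bandwidth-test server (TCP/2000) brute-force staging: stage1 -> stage3
# expire after 1m; the next hit lands the source in bttest_blacklist for 1d,
# dropped on input. No in-interface-list, so LAN sources are staged too.
# ASCII quotes restored.
add action=drop chain=input comment="Drop bandwidth-test brute forcers" dst-port=2000 protocol=tcp src-address-list=bttest_blacklist
add action=add-src-to-address-list address-list=bttest_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=2000 protocol=tcp src-address-list=bttest_stage3
add action=add-src-to-address-list address-list=bttest_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=2000 protocol=tcp src-address-list=bttest_stage2
add action=add-src-to-address-list address-list=bttest_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=2000 protocol=tcp src-address-list=bttest_stage1
add action=add-src-to-address-list address-list=bttest_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=2000 protocol=tcp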
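# Winbox (TCP/8291) brute-force staging: stage1 -> stage3 expire after 1m; the
# next hit lands the source in winbox_blacklist for 1d, dropped on input.
# No in-interface-list, so a misconfigured LAN client can lock itself out of
# Winbox for a day as well. ASCII quotes restored.
add action=drop chain=input comment="Drop winbox brute forcers" dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp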
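# API (TCP/8728) brute-force staging: stage1 -> stage3 expire after 1m; the
# next hit lands the source in api_blacklist for 1d.
# Fix: the drop rule in the original referenced http_blacklist (copy-paste
# error), so sources placed in api_blacklist were never actually blocked on
# 8728; it now matches api_blacklist. ASCII quotes restored.
add action=drop chain=input comment="Drop api brute forcers" dst-port=8728 protocol=tcp src-address-list=api_blacklist
add action=add-src-to-address-list address-list=api_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=8728 protocol=tcp src-address-list=api_stage3
add action=add-src-to-address-list address-list=api_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=8728 protocol=tcp src-address-list=api_stage2
add action=add-src-to-address-list address-list=api_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=8728 protocol=tcp src-address-list=api_stage1
add action=add-src-to-address-list address-list=api_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=8728 protocol=tcp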
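# Outbound SMTP abuse: a source holding more than 50 concurrent forwarded
# connections to TCP/25 (connection-limit=50,32, counted per /32) is tagged
# spamm-user for 1d and its port-25 traffic is dropped.
add action=drop chain=forward comment="Drop Infected or Spammers" dst-port=25 protocol=tcp src-address-list=spamm-user
add action=add-src-to-address-list address-list=spamm-user address-list-timeout=1d chain=forward connection-limit=50,32 dst-port=25 protocol=tcp
# Drop forwarded TCP/445 from hosts tagged by the prerouting mangle rule.
# The original carried this rule twice (the second copy differed only by
# lacking the comment); the redundant duplicate is removed. ASCII quotes restored.
add action=drop chain=forward comment="Drop better approach on blocking port" dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445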
