Seguridad en Mikrotik, Anti-Ataques, Filtros y bloqueos

Publicado por D3M0N, 19 de Enero de 2015, 01:13:01 AM





Este es un pequeño script con filtros de seguridad, bloqueos de protocolos en particular, etc. Cada línea lleva su comentario de operación.

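/ip firewall filter
# RouterOS /ip firewall filter rule set: bogon drops, per-protocol jump
# chains (tcp/udp/icmp), FTP and SSH brute-force throttling, port-scan
# detection and an outbound-SMTP ("spammer") throttle.
# Rule order matters: rules are evaluated top-down and the first
# terminating action (accept/drop) decides the packet's fate;
# add-src/dst-to-address-list does NOT terminate evaluation.
#
# --- Bogon filtering (forward chain only; the input chain is not covered) ---
# Only 0.0.0.0/8, 127.0.0.0/8 and 224.0.0.0/3 (multicast + reserved) are
# listed. RFC 1918 ranges are not, presumably because they are in use on
# the LAN side -- confirm for the deployment.
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
# --- Dispatch forwarded traffic to per-protocol chains ---
# The tcp and udp chains contain only drops, so a packet that matches none
# of their rules returns here and continues with the rules below. The icmp
# chain ends in an unconditional drop and therefore never returns.
add action=jump chain=forward comment="Make jumps to new chains" disabled=no \
jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
# --- tcp chain: services that should never be forwarded across the router ---
# ("PRC" in some rule comments is a typo for RPC; left as-is.)
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=\
tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\
3133 protocol=tcp
# TCP 67-68 (BOOTP/DHCP port numbers). DHCP itself runs over UDP and is
# accepted further down (udp 67/68), so this only closes the unused TCP ports.
add action=drop chain=tcp disabled=no dst-port=67-68 protocol=tcp
# --- udp chain: same services, UDP side ---
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=\
udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 \
protocol=udp
# --- icmp chain: allow only the listed type:code pairs, drop everything else ---
add action=accept chain=icmp comment="echo reply" disabled=no icmp-options=0:0 \
protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no \
icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no \
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no \
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" disabled=no \
icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
# --- FTP brute-force protection for the router's own FTP service ---
# The output rules match the "530 Login incorrect" reply the router sends:
# 1 per minute with a burst of 9 per destination address is let through
# (dst-limit); beyond that the client is put on ftp_blacklist for 3h and
# the first rule drops its further FTP connections.
add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=no protocol=tcp
# --- SSH brute-force protection for the router's own SSH service ---
# Staged lists: every new SSH connection puts the source on ssh_stage1 (1m);
# another new connection while still on stage1 promotes it to stage2, then
# stage3, then ssh_blacklist (1w3d). The stage rules are deliberately ordered
# highest stage first: since add-src-to-address-list does not stop evaluation,
# this guarantees one connection can only advance a source by one stage.
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp
# Blacklisted SSH sources are also denied SSH through the router.
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# --- Port-scan detection (input chain) ---
# psd=21,3s,3,1: weight threshold 21 within 3s, low ports weigh 3, high
# ports 1. The tcp-flags rules catch malformed/unusual flag combinations.
# Detected sources stay on "port scanners" for 2w and are dropped in both
# input and forward.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
# --- Reply-direction accepts for common services ---
# These rules originally matched on src-port alone. A source port is chosen
# by the sender, so any host could set src-port 80/443/53/... on a brand-new
# connection and skip every drop that follows in this chain (including the
# spammer rules and the disabled catch-all). connection-state=established,
# related is therefore added: only traffic that belongs to a connection the
# firewall has already tracked is accepted here, which is what a
# reply-direction rule is meant to cover.
add action=accept chain=forward connection-state=established,related disabled=no protocol=tcp src-port=80
add action=accept chain=forward disabled=no dst-port=80 protocol=tcp
add action=accept chain=forward connection-state=established,related disabled=no protocol=tcp src-port=443
add action=accept chain=forward disabled=no dst-port=443 protocol=tcp
add action=accept chain=forward connection-state=established,related disabled=no protocol=udp src-port=53
add action=accept chain=forward disabled=no dst-port=53 protocol=udp
add action=accept chain=forward connection-state=established,related disabled=no protocol=tcp src-port=53
add action=accept chain=forward disabled=no dst-port=53 protocol=tcp
# TCP 1433 (MS SQL) is opened across the router -- confirm this is intended.
add action=accept chain=forward connection-state=established,related disabled=no protocol=tcp src-port=1433
add action=accept chain=forward disabled=no dst-port=1433 protocol=tcp
add action=accept chain=forward connection-state=established,related disabled=no protocol=tcp src-port=21
add action=accept chain=forward disabled=no dst-port=21 protocol=tcp
add action=accept chain=forward connection-state=established,related disabled=no protocol=udp src-port=67
add action=accept chain=forward disabled=no dst-port=67 protocol=udp
add action=accept chain=forward connection-state=established,related disabled=no protocol=udp src-port=68
add action=accept chain=forward disabled=no dst-port=68 protocol=udp
# --- Mail exceptions: hosts on "Excepcion correo" may use SMTP (25) and POP3 (110) ---
# The src-port variants still match on source port alone; that is tolerable
# here only because membership of the exception list already implies trust.
add action=accept chain=forward comment="Autorizacion de uso del puerto 25" \
disabled=no protocol=tcp src-address-list="Excepcion correo" src-port=25
add action=accept chain=forward comment="Autorizacion de uso del puerto 25" \
disabled=no dst-port=25 protocol=tcp src-address-list="Excepcion correo"
add action=accept chain=forward comment="Autorizacion de uso del puerto 110" \
disabled=no protocol=tcp src-address-list="Excepcion correo" src-port=110
add action=accept chain=forward comment="Autorizacion de uso del puerto 110" \
disabled=no dst-port=110 protocol=tcp src-address-list="Excepcion correo"
# --- Outbound-SMTP abuse ("spammer") control ---
# Sources already on "spammer" are denied SMTP/POP3 whether they act as
# client (dst-port) or as the listening side (src-port).
add action=drop chain=forward comment="Bloquea spammer o usuarios infectados." \
disabled=no protocol=tcp src-address-list=spammer src-port=25
add action=drop chain=forward comment="Bloquea spammer o usuarios infectados." \
disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=drop chain=forward comment="Bloquea spammer o usuarios infectados." \
disabled=no protocol=tcp src-address-list=spammer src-port=110
add action=drop chain=forward comment="Bloquea spammer o usuarios infectados." \
disabled=no dst-port=110 protocol=tcp src-address-list=spammer
# Disabled catch-all. If enabled it drops every forwarded TCP packet not
# accepted above, i.e. the forward chain becomes default-deny for TCP; note
# that the spammer detection rule below would then never be reached.
add action=drop chain=forward disabled=yes protocol=tcp
# connection-limit=5,32: a single source (/32) holding more than 5
# concurrent connections; limit=10,5: rate/burst on the matching packets
# (exact units depend on the RouterOS version -- confirm). Such a source is
# put on "spammer" for 2h and its SMTP is dropped by the last rule.
add action=add-src-to-address-list address-list=spammer address-list-timeout=2h \
chain=forward comment=spammer connection-limit=5,32 disabled=no dst-port=25 \
limit=10,5 protocol=tcp
add action=drop chain=forward disabled=no dst-port=25 protocol=tcp \
src-address-list=spammer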