Topic: Mikrotik Security, Anti-Attacks, Filters and Blocks  (Read 3371 times)

D3M0N
Mikrotik Security, Anti-Attacks, Filters and Blocks
« on: January 19, 2015, 01:13:01 am »

This is a small script with security filters, blocks for specific protocols, etc. Each line carries a comment on what it does.

Code:
/ip firewall filter
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=jump chain=forward comment="Make jumps to new chains" disabled=no \
jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=\
tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\
3133 protocol=tcp
add action=drop chain=tcp disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=\
udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 \
protocol=udp
add action=accept chain=icmp comment="echo reply" disabled=no icmp-options=0:0 \
protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no \
icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no \
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no \
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" disabled=no \
icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=no protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
add action=accept chain=forward disabled=no protocol=tcp src-port=80
add action=accept chain=forward disabled=no dst-port=80 protocol=tcp
add action=accept chain=forward disabled=no protocol=tcp src-port=443
add action=accept chain=forward disabled=no dst-port=443 protocol=tcp
add action=accept chain=forward disabled=no protocol=udp src-port=53
add action=accept chain=forward disabled=no dst-port=53 protocol=udp
add action=accept chain=forward disabled=no protocol=tcp src-port=53
add action=accept chain=forward disabled=no dst-port=53 protocol=tcp
add action=accept chain=forward disabled=no protocol=tcp src-port=1433
add action=accept chain=forward disabled=no dst-port=1433 protocol=tcp
add action=accept chain=forward disabled=no protocol=tcp src-port=21
add action=accept chain=forward disabled=no dst-port=21 protocol=tcp
add action=accept chain=forward disabled=no protocol=udp src-port=67
add action=accept chain=forward disabled=no dst-port=67 protocol=udp
add action=accept chain=forward disabled=no protocol=udp src-port=68
add action=accept chain=forward disabled=no dst-port=68 protocol=udp
add action=accept chain=forward comment="Autorizacion de uso del puerto 25" \
disabled=no protocol=tcp src-address-list="Excepcion correo" src-port=25
add action=accept chain=forward comment="Autorizacion de uso del puerto 25" \
disabled=no dst-port=25 protocol=tcp src-address-list="Excepcion correo"
add action=accept chain=forward comment="Autorizacion de uso del puerto 110" \
disabled=no protocol=tcp src-address-list="Excepcion correo" src-port=110
add action=accept chain=forward comment="Autorizacion de uso del puerto 110" \
disabled=no dst-port=110 protocol=tcp src-address-list="Excepcion correo"
add action=drop chain=forward comment="Bloquea spammer o usuarios infectados." \
disabled=no protocol=tcp src-address-list=spammer src-port=25
add action=drop chain=forward comment="Bloquea spammer o usuarios infectados." \
disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=drop chain=forward comment="Bloquea spammer o usuarios infectados." \
disabled=no protocol=tcp src-address-list=spammer src-port=110
add action=drop chain=forward comment="Bloquea spammer o usuarios infectados." \
disabled=no dst-port=110 protocol=tcp src-address-list=spammer
add action=drop chain=forward disabled=yes protocol=tcp
add action=add-src-to-address-list address-list=spammer address-list-timeout=2h \
chain=forward comment=spammer connection-limit=5,32 disabled=no dst-port=25 \
limit=10,5 protocol=tcp
add action=drop chain=forward disabled=no dst-port=25 protocol=tcp \
src-address-list=spammer
« Last edit: January 19, 2015, 01:19:12 am by D3M0N »
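As an added illustration (not part of D3M0N's script), the following Python model replays the ssh_stage1/ssh_stage2/ssh_stage3 -> ssh_blacklist rules from the post to show how four new SSH connections inside one minute get a source blacklisted for 1w3d, and why the script lists the final stage first. It assumes RouterOS treats add-src-to-address-list as a non-terminating action and refreshes an entry's timeout when it is re-added; the source address and attempt times are constructed.

```python
STAGE_TIMEOUT = 60                   # address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 24 * 3600   # address-list-timeout=1w3d, in seconds

# (list the source must already be in, or None; list to add it to; timeout),
# in the order the script has them: the final stage comes first.
SCRIPT_ORDER = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    (None, "ssh_stage1", STAGE_TIMEOUT),
]
# The same rules written first-stage-first: deliberately wrong, for contrast.
NAIVE_ORDER = list(reversed(SCRIPT_ORDER))


class AddressLists:
    """Dynamic address lists: list name -> {address: expiry time in seconds}."""

    def __init__(self):
        self.lists = {}

    def contains(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def add(self, name, addr, now, timeout):
        # Assumption: re-adding an existing entry refreshes its timeout.
        self.lists.setdefault(name, {})[addr] = now + timeout


def new_ssh_connection(lists, src, now, rules=SCRIPT_ORDER):
    """Evaluate one connection-state=new TCP/22 packet against the input chain.

    The script drops ssh_blacklist sources first, before any list is touched.
    Assumption: add-src-to-address-list does not terminate the chain, so the
    packet keeps matching the rules below the one that just added it to a list.
    """
    if lists.contains("ssh_blacklist", src, now):
        return "drop"
    for required, target, timeout in rules:
        if required is None or lists.contains(required, src, now):
            lists.add(target, src, now, timeout)
    return "accept"


def simulate(attempt_times, rules=SCRIPT_ORDER, src="198.51.100.7"):
    """Verdicts for a constructed series of new SSH connections (times in s)."""
    lists = AddressLists()
    return [new_ssh_connection(lists, src, t, rules) for t in attempt_times]
```

With the script's ordering, the fourth connection within a minute is still accepted but moves the source into ssh_blacklist, so the fifth is dropped; with the naive ordering a single packet walks through all four lists at once and the very next connection is dropped.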