segunda-feira, 8 de julho de 2013

Regras Mikrotik

##### Proteção do router


/ip firewall filter add chain=input connection-state=invalid action=drop \ comment="Drop Invalid connections"


/ip firewall filter add chain=input connection-state=established action=accept \ comment="Allow Established connections"


/ip firewall filter add chain=input protocol=icmp action=accept \ comment="Allow ICMP"

/ip firewall filter add chain=input action=drop comment="Drop everything else"

/ip firewall filter add chain=input src-address=(SEU BLOCO DE IP) action=accept \ in-interface=!ether1


##### Proteção Customizada

/ip firewall filter add chain=forward protocol=tcp connection-state=invalid \ action=drop comment="drop invalid connections"


/ip firewall filter add chain=forward connection-state=established action=accept \ comment="allow already established connections"

/ip firewall filter add chain=forward connection-state=related action=accept \ comment="allow related connections"



##### Bloqueio de "Bogon IP Addresses"

/ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop


/ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop

/ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop

/ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop

/ip firewall filter add chain=forward src-address=224.0.0.0/3 action=drop

/ip firewall filter add chain=forward dst-address=224.0.0.0/3 action=drop





##### Marque "jumps" para novos "chains"

/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp


/ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp

/ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp





##### Cria tcp chain e nega tcp portas entrada

/ip firewall filter add chain=tcp protocol=tcp dst-port=69 action=drop \ comment="deny TFTP"


/ip firewall filter add chain=tcp protocol=tcp dst-port=111 action=drop \ comment="deny RPC portmapper"

/ip firewall filter add chain=tcp protocol=tcp dst-port=135 action=drop \ comment="deny RPC portmapper"

/ip firewall filter add chain=tcp protocol=tcp dst-port=137-139 action=drop \ comment="deny NBT"

/ip firewall filter add chain=tcp protocol=tcp dst-port=445 action=drop \ comment="deny cifs"

/ip firewall filter add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"

/ip firewall filter add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"

/ip firewall filter add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"

/ip firewall filter add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"

/ip firewall filter add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"





##### Nega udp portas entrada udp chain:



/ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"

/ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"

/ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"

/ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"

/ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"

/ip firewall filter add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"



##### Permite todos needed icmp codes in icmp chain:

/ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0 action=accept \ comment="echo reply"


/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:0 action=accept \ comment="net unreachable"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:1 action=accept \ comment="host unreachable"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:4 action=accept \ comment="host unreachable fragmentation required"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=4:0 action=accept \ comment="allow source quench"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=8:0 action=accept \ comment="allow echo request"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=11:0 action=accept \ comment="allow time exceed"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=12:0 action=accept \ comment="allow parameter bad"

/ip firewall filter add chain=icmp action=drop comment="deny all other types"



##### Somente 10 FTP login incorrect

/ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \ comment="drop ftp brute forcers"

/ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

/ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \ address-list=ftp_blacklist address-list-timeout=3h


##### Somente 10 SSH login incorrect

/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \ comment="drop ssh brute forcers" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \ address-list-timeout=10d comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \ address-list-timeout=1m comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \ action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \ address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no



##### Bloqueio downstream access as well

/ip firewall filter add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \ comment="drop ssh brute downstream" disabled=no


##### Protege o Router para portas scanners

/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no


/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

##### Protect DDoS

/tool torch

/ip firewall filter add chain=tcp protocol=tcp dst-port=53 in-interface=(NOME DE SUA INTERFACE DO LINK INTERNET) action=drop \ comment="Bloqueio Porta 53 By Grupo Sistemax"

/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \ action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d

/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \ connection-limit=3,32 action=tarpit

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \ action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes

/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \ action=accept comment="" disabled=no

/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \ action=drop comment="" disabled=no

/ip firewall connection tracking set tcp-syncookie=yes



##### Detectar e bloquear Bad Hosts

/ip firewall rules add action=reject chain=forward comment="Reject if in the 24-hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-hour-list

Nenhum comentário:

Postar um comentário