Ahoj,
uz cca tyden se setkavam s attackem na VPNku a SSH na mikrotiku... i kdyz napr. SSH mam na jinym portu.
tak bych chtel poprosit o rady jestli mam MK dobre nastaveny popripade co by jeste slo lepe udelat... a nevim zda ostatni komunikaci mam zablokovanou. Teprv se s tim seznamuji. Tak za jakekoliv rady jsem rad.
BTW: co se tyce SHH zablokovani - prihlaseni... zkousel sem si to nasimulovat a bez uspechu, nevite kde by mohl byt problem ?
Diky moc za pomoc.
# jul/02/2018 20:24:27 by RouterOS 6.41.3
#
# model = RB760iGS
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XX-XX-XX-XX-XX-XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] name="PC - ether3"
set [ find default-name=ether4 ] name="TV - ether4"
set [ find default-name=ether1 ] name="WAN - ether1"
set [ find default-name=ether2 ] name="WIFI - ether2"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=XX.XX.XX.XX-XX.XX.XX.XX
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface="WIFI - ether2"
add bridge=bridge comment=defconf interface="PC - ether3"
add bridge=bridge comment=defconf interface="TV - ether4"
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="WAN - ether1" list=WAN
/ip address
add address=XX.XX.XX.XX/24 comment=defconf interface=bridge network=\
XX.XX.XX.XX
add address=XX.XX.XX.XX/XX interface="WAN - ether1" network=\
XX.XX.XX.XX
/ip arp
add address=XX.XX.XX.XX comment="Dilna - Teplomer" interface=bridge \
mac-address=XX-XX-XX-XX-XX-XX
add address=XX.XX.XX.XX interface=bridge mac-address=XX-XX-XX-XX-XX-XX
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface="WAN - ether1"
/ip dhcp-server network
add address=XX.XX.XX.XX/24 comment=defconf gateway=XX.XX.XX.XX netmask=24
/ip dns
set allow-remote-requests=yes servers=XX.XX.XX.XX,XX.XX.XX.XX
/ip dns static
add address=XX.XX.XX.XX name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward dst-address=XX.XX.XX.XX protocol=udp
add action=accept chain=input dst-port=X protocol=udp
add action=accept chain=input dst-port=X protocol=udp
add action=accept chain=input dst-port=X protocol=udp
add action=accept chain=input comment="attack SSH" connection-state=new \
dst-port=9210 protocol=tcp src-address-list=sshaccept
add action=drop chain=input connection-state=new dst-port=X protocol=tcp \
src-address-list=sshdrop
add action=add-src-to-address-list address-list=sshdrop address-list-timeout=\
none-dynamic chain=input connection-state=new dst-port=X protocol=tcp \
src-address-list=stage4
add action=add-src-to-address-list address-list=stage4 address-list-timeout=\
20s chain=input connection-state=new dst-port=X protocol=tcp \
src-address-list=stage3
add action=add-src-to-address-list address-list=stage3 address-list-timeout=\
20s chain=input connection-state=new dst-port=X protocol=tcp \
src-address-list=stage2
add action=add-src-to-address-list address-list=stage2 address-list-timeout=\
20s chain=input connection-state=new dst-port=X protocol=tcp \
src-address-list=stage1
add action=add-src-to-address-list address-list=stage1 address-list-timeout=\
20s chain=input connection-state=new dst-port=X protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="Port scanners to list" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="SYN/FIN sca" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
src-address-list=port-scanners
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="detect DoS" \
connection-limit=10,32 in-interface="WAN - ether1" log=yes
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment=\
"DOS attack protection(50 connections/ip)" connection-limit=50,32 \
protocol=tcp
set time-zone-name=Europe/Prague
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
