Blackhold

Proteger un router Mikrotik expuesto a internet

Posted on juliol 18th, 2015 by admin

Cuidadín con la regla que apliqué el otro día, que lo hace demasiado bien y no deja pasar absolutamente ninguna petición de DNS :P

Aquí os dejo 3 protecciones interesantes.

Protección del login ssh

/ip firewall filter
add action=drop chain=input comment="BLOQUEJA DURANT 24 hores qui fa 5 intents seguits de login SSH!" dst-port=22 protocol=tcp src-address-list=black_list_ssh
add action=add-src-to-address-list address-list=black_list_ssh address-list-timeout=1d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=
    ssh_stage4
add action=add-src-to-address-list address-list=ssh_stage4 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=
    ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=
    ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=
    ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp

Protege los intentos de login al 8291 (winbox)

/ip firewall filter
add action=drop chain=input comment="BLOQUEJA DURANT 24 hores qui fa 5 intents seguits de login winbox!" dst-port=8291 protocol=tcp src-address-list=
    black_list_winbox
add action=add-src-to-address-list address-list=black_list_winbox address-list-timeout=1d chain=input connection-state=new dst-port=8291 protocol=tcp 
    src-address-list=winbox_stage4
add action=add-src-to-address-list address-list=winbox_stage4 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=
    winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=
    winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=
    winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp

Proteger de ataques de DoS (denegación de servicio)

add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address=192.168.0.0/16
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser

5 Responses to “Proteger un router Mikrotik expuesto a internet”

http://www.plans.imahillbilly.com/juliol 20th, 2016 at 17:17

my Mom is a seamstress so one year (can't remember how old) I made got her a wood sewing machine shaped mini shelf and little sewing items and painted the machine and attached a little item on each shelf. this had to have been at least 25 years ago although I don't recall exactly and it's still hanging in her sewing room :) my own little girl draws for me each year i get a beautiful picture and last year her and her Daddy made me a birdhouse which she painted all by herself (she was 3)

http://pilulesenligne.men/agost 9th, 2016 at 13:17

Thank you for the sensible critique. Me & my neighbor were just preparing to do a little research about this. We got a book from our area library but I think I learned better from this post. I am very glad to see such great info being shared freely out there..

Leave a Response

« »

guy fawkes