Blackhold

Proteger un router Mikrotik expuesto a internet

Posted on juliol 18th, 2015 by admin

Cuidadín con la regla que apliqué el otro día, que lo hace demasiado bien y no deja pasar absolutamente ninguna petición de DNS :P

Aquí os dejo 3 protecciones interesantes.

Protección del login ssh

/ip firewall filter
add action=drop chain=input comment="BLOQUEJA DURANT 24 hores qui fa 5 intents seguits de login SSH!" dst-port=22 protocol=tcp src-address-list=black_list_ssh
add action=add-src-to-address-list address-list=black_list_ssh address-list-timeout=1d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=
    ssh_stage4
add action=add-src-to-address-list address-list=ssh_stage4 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=
    ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=
    ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=
    ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp

Protege los intentos de login al 8291 (winbox)

/ip firewall filter
add action=drop chain=input comment="BLOQUEJA DURANT 24 hores qui fa 5 intents seguits de login winbox!" dst-port=8291 protocol=tcp src-address-list=
    black_list_winbox
add action=add-src-to-address-list address-list=black_list_winbox address-list-timeout=1d chain=input connection-state=new dst-port=8291 protocol=tcp 
    src-address-list=winbox_stage4
add action=add-src-to-address-list address-list=winbox_stage4 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=
    winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=
    winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=
    winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp

Proteger de ataques de DoS (denegación de servicio)

add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address=192.168.0.0/16
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser

« »

guy fawkes