Careful with the rule I applied the other day: it works too well and doesn't let a single DNS request through :P
Here are 3 interesting protections.
SSH login protection
/ip firewall filter
add action=drop chain=input comment="BLOQUEJA DURANT 24 hores qui fa 5 intents seguits de login SSH!" dst-port=22 protocol=tcp src-address-list=black_list_ssh
add action=add-src-to-address-list address-list=black_list_ssh address-list-timeout=1d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage4
add action=add-src-to-address-list address-list=ssh_stage4 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
Protection against login attempts on port 8291 (winbox)
/ip firewall filter
add action=drop chain=input comment="BLOQUEJA DURANT 24 hores qui fa 5 intents seguits de login winbox!" dst-port=8291 protocol=tcp src-address-list=black_list_winbox
add action=add-src-to-address-list address-list=black_list_winbox address-list-timeout=1d chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage4
add action=add-src-to-address-list address-list=winbox_stage4 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp
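The staged address lists used by the SSH and winbox rules above, modelled in Python as an added example (not part of the original post and not RouterOS code; the function names are illustrative). It assumes that re-adding a listed address refreshes its timeout, and it shows that the rules count new TCP connections rather than failed logins, that the fifth connection inside the stage timeout is still accepted while the sixth is dropped, and that the highest-stage-first order is what stops one connection from cascading straight into the blacklist.

```python
# Constructed model of the staged address-list rules (one source address).
# Assumption: re-adding an address that is already listed refreshes its timeout.

def build_rules(prefix="ssh", stage_timeout=60, ban_timeout=86400):
    """Rules in the page's order: drop first, then highest stage down to stage1.

    Each rule is (action, list the source must be in, list to add it to, timeout).
    """
    black = f"black_list_{prefix}"
    stages = [f"{prefix}_stage{i}" for i in range(1, 5)]
    rules = [("drop", black, None, None),
             ("add", stages[3], black, ban_timeout)]
    for i in (3, 2, 1):
        rules.append(("add", stages[i - 1], stages[i], stage_timeout))
    rules.append(("add", None, stages[0], stage_timeout))  # any new connection
    return rules


def simulate(rules, connection_times):
    """Return 'accept' or 'drop' for each new connection (times in seconds)."""
    expires = {}  # address-list name -> expiry time of this source's entry
    verdicts = []
    for now in connection_times:
        verdict = "accept"
        for action, match_list, target_list, timeout in rules:
            if match_list is not None and expires.get(match_list, -1) <= now:
                continue  # source is not (or no longer) in the required list
            if action == "drop":
                verdict = "drop"  # drop is terminating
                break
            # add-src-to-address-list is not terminating: keep evaluating rules
            expires[target_list] = now + timeout
        verdicts.append(verdict)
    return verdicts


def lowest_stage_first(rules):
    """Same rules with the stage rules reversed, to show why order matters."""
    return [rules[0]] + rules[1:][::-1]


if __name__ == "__main__":
    ssh = build_rules("ssh")
    print(simulate(ssh, [0, 5, 10, 15, 20, 25]))          # burst of connections
    print(simulate(ssh, [0, 70, 140, 210, 280, 350]))     # slower than 1m apart
    print(simulate(lowest_stage_first(ssh), [0, 5]))      # wrong rule order
```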
Protection against DoS (denial of service) attacks
/ip firewall filter
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address=192.168.0.0/16
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
RT @Blackhold_: [Blog] Protecting a Mikrotik router exposed to the internet http://t.co/Um6fbFmCAY
Are the Address Lists created automatically when the rules' conditions are met, or do I have to create them myself beforehand?
Hi, thank you very much. How do I keep DNS from being blocked?