❗️This is the original version of the ISPforum.cz forum as it stood until February 2020, with registration of new users disabled. The active version of the forum is at https://telekomunikace.cz

MikroTik - correct FW setup

Guides and configuration problems.
Androy
Posts: 6
Registered: 7 years ago

MikroTik - correct FW setup

Post by Androy » 7 years ago

Hi,

For about a week now I've been seeing attacks on the VPN and on SSH on the MikroTik... even though I have SSH on a different port, for example.
So I'd like to ask for advice on whether I have the MK set up correctly, or what else could be done better... and I don't know whether I have the rest of the traffic blocked. I'm only just getting familiar with it, so I'd be glad of any advice.

BTW: as for the SSH blocking - logins... I tried to simulate it myself, without success; do you know where the problem might be?

Thanks a lot for the help.

Code:

# jul/02/2018 20:24:27 by RouterOS 6.41.3
#
# model = RB760iGS
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XX-XX-XX-XX-XX-XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] name="PC - ether3"
set [ find default-name=ether4 ] name="TV - ether4"
set [ find default-name=ether1 ] name="WAN - ether1"
set [ find default-name=ether2 ] name="WIFI - ether2"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=XX.XX.XX.XX-XX.XX.XX.XX
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf

/interface bridge port
add bridge=bridge comment=defconf interface="WIFI - ether2"
add bridge=bridge comment=defconf interface="PC - ether3"
add bridge=bridge comment=defconf interface="TV - ether4"
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="WAN - ether1" list=WAN
/ip address
add address=XX.XX.XX.XX/24 comment=defconf interface=bridge network=\
    XX.XX.XX.XX
add address=XX.XX.XX.XX/XX interface="WAN - ether1" network=\
    XX.XX.XX.XX
/ip arp
add address=XX.XX.XX.XX comment="Dilna - Teplomer" interface=bridge \
    mac-address=XX-XX-XX-XX-XX-XX
add address=XX.XX.XX.XX interface=bridge mac-address=XX-XX-XX-XX-XX-XX
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface="WAN - ether1"
/ip dhcp-server network
add address=XX.XX.XX.XX/24 comment=defconf gateway=XX.XX.XX.XX netmask=24
/ip dns
set allow-remote-requests=yes servers=XX.XX.XX.XX,XX.XX.XX.XX
/ip dns static
add address=XX.XX.XX.XX name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward dst-address=XX.XX.XX.XX protocol=udp
add action=accept chain=input dst-port=X protocol=udp
add action=accept chain=input dst-port=X protocol=udp
add action=accept chain=input dst-port=X protocol=udp

add action=accept chain=input comment="attack SSH" connection-state=new \
    dst-port=9210 protocol=tcp src-address-list=sshaccept
add action=drop chain=input connection-state=new dst-port=X protocol=tcp \
    src-address-list=sshdrop
add action=add-src-to-address-list address-list=sshdrop address-list-timeout=\
    none-dynamic chain=input connection-state=new dst-port=X protocol=tcp \
    src-address-list=stage4
add action=add-src-to-address-list address-list=stage4 address-list-timeout=\
    20s chain=input connection-state=new dst-port=X protocol=tcp \
    src-address-list=stage3
add action=add-src-to-address-list address-list=stage3 address-list-timeout=\
    20s chain=input connection-state=new dst-port=X protocol=tcp \
    src-address-list=stage2
add action=add-src-to-address-list address-list=stage2 address-list-timeout=\
    20s chain=input connection-state=new dst-port=X protocol=tcp \
    src-address-list=stage1
add action=add-src-to-address-list address-list=stage1 address-list-timeout=\
    20s chain=input connection-state=new dst-port=X protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="Port scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list=port_scanners
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
    3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input comment="detect DoS" \
    connection-limit=10,32 in-interface="WAN - ether1" log=yes
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input comment=\
    "DOS attack protection(50 connections/ip)" connection-limit=50,32 \
    protocol=tcp
/system clock
set time-zone-name=Europe/Prague
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
0 x

Androy
Posts: 6
Registered: 7 years ago

Post by Androy » 7 years ago

Can nobody help?
0 x

iTomB
Posts: 875
Registered: 19 years ago

Post by iTomB » 7 years ago

Search the forum, I posted a script for SSH blocking here.
0 x

Dacesilian
Posts: 83
Registered: 8 years ago

Post by Dacesilian » 7 years ago

Going through all those rules like this in text form takes better guys than me.
But try building the FW rules from scratch instead - forbid everything (drop INPUT, drop FORWARD from the internet) and allow only what is really needed (FORWARD out and, if necessary, some PREROUTING/FORWARD from the internet + INPUT from inside the network).
Here is a picture - http://cooker.wbitt.com/index.php/File: ... ains-1.png . Prerouting rewrites the destination address/port according to the rule, then it is checked whether the packet is for the router (the INPUT rule is applied) or should go somewhere else (the FORWARD rule is applied). It's that simple.
0 x

voodoovood
Posts: 1
Registered: 11 years ago

Post by voodoovood » 6 years ago

On routers that have a public IP I use the PortKnocking method..
All input is dropped, and when I need to come in from the outside myself, I know the numbers of the 2-3 ports I have to try to open, and then access from that IP is allowed for me.
Simple and beautiful..
0 x

_piggy_
Posts: 57
Registered: 7 years ago
Location: Znojmo

Post by _piggy_ » 6 years ago

For example, I have my firewall like this; I don't know whether it's 100% correct, but so far I haven't had to deal with any problems.

Code:

/ip firewall filter
add action=drop chain=input comment="Drop Invalid Connections" \
    connection-state=invalid
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=input comment="Accept established and related packets" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=input comment="Accept Exempt IP Addresses" \
    src-address-list=Vyjimky
add action=accept chain=forward comment="Accept Exempt IP Addresses" \
    src-address-list=Vyjimky
add action=drop chain=input comment=\
    "Drop Anyone in the Black List (Sync Flood)" disabled=yes src-address-list=\
    Syn_Flooder
add action=drop chain=forward comment=\
    "Drop Anyone in the Black List (Sync Flood)" disabled=yes src-address-list=\
    Syn_Flooder
add action=drop chain=input comment="Drop Anyone in the Black List (Telnet)" \
    src-address-list=Telnet_blacklist
add action=drop chain=forward comment="Drop Anyone in the Black List (Telnet)" \
    src-address-list=Telnet_blacklist
add action=drop chain=input comment="Drop Anyone in the Black List (FTP)" \
    src-address-list=FTP_blacklist
add action=drop chain=forward comment="Drop Anyone in the Black List (FTP)" \
    src-address-list=FTP_blacklist
add action=drop chain=input comment="Drop Anyone in the Black List (SSH)" \
    src-address-list=ssh_blacklist
add action=drop chain=forward comment="Drop Anyone in the Black List (SSH)" \
    src-address-list=ssh_blacklist
add action=drop chain=input comment="Drop Anyone in the Black List (API)" \
    src-address-list=api_blacklist
add action=drop chain=forward comment="Drop Anyone in the Black List (API)" \
    src-address-list=api_blacklist
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=1d chain=input comment=\
    "Pridat Syn Flood IP na  Address List" connection-limit=30,32 disabled=yes \
    protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=1d chain=forward comment=\
    "Pridat Syn Flood IP na  Address List" connection-limit=30,32 disabled=yes \
    protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=Telnet_blacklist \
    address-list-timeout=1w chain=input comment=\
    "Telnet pridat na blacklist na tyden" connection-state=new dst-port=23 \
    protocol=tcp
add action=add-src-to-address-list address-list=Telnet_blacklist \
    address-list-timeout=1w chain=forward comment=\
    "Telnet pridat na blacklist na tyden" connection-state=new dst-port=23 \
    protocol=tcp
add action=add-src-to-address-list address-list=FTP_blacklist \
    address-list-timeout=3h chain=input comment=\
    "FTP pridat na blacklist na 3 hodiny" content="530 Login incorrect" \
    dst-port=21 protocol=tcp
add action=add-src-to-address-list address-list=FTP_blacklist \
    address-list-timeout=3h chain=forward comment=\
    "FTP pridat na blacklist na 3 hodiny" content="530 Login incorrect" \
    dst-port=21 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment=\
    "SSH p\F8idat na blacklist ssh_stage1 na 1 hodinu" connection-state=new \
    dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=forward comment=\
    "SSH p\F8idat na blacklist ssh_stage1 na 1 hodinu" connection-state=new \
    dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment=\
    "SSH p\F8idat na blacklist ssh_stage2 na 1 hodinu" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=forward comment=\
    "SSH p\F8idat na blacklist ssh_stage2 na 1 hodinu" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input comment=\
    "SSH p\F8idat na blacklist ssh_stage3 na 1 hodinu" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=forward comment=\
    "SSH p\F8idat na blacklist ssh_stage3 na 1 hodinu" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w chain=input comment=\
    "SSH pridat na blacklist na tyden" connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w chain=forward comment=\
    "SSH pridat na blacklist na tyden" connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=api_stage1 \
    address-list-timeout=1m chain=input comment=\
    "API p\F8idat na blacklist api_stage1 na 1 hodinu" connection-state=new \
    dst-port=8728 protocol=tcp
add action=add-src-to-address-list address-list=api_stage1 \
    address-list-timeout=1m chain=forward comment=\
    "API p\F8idat na blacklist api_stage1 na 1 hodinu" connection-state=new \
    dst-port=8728 protocol=tcp
add action=add-src-to-address-list address-list=api_stage2 \
    address-list-timeout=1m chain=input comment=\
    "API p\F8idat na blacklist api_stage2 na 1 hodinu" connection-state=new \
    dst-port=8728 protocol=tcp src-address-list=api_stage1
add action=add-src-to-address-list address-list=api_stage2 \
    address-list-timeout=1m chain=forward comment=\
    "API p\F8idat na blacklist api_stage2 na 1 hodinu" connection-state=new \
    dst-port=8728 protocol=tcp src-address-list=api_stage1
add action=add-src-to-address-list address-list=api_stage3 \
    address-list-timeout=1m chain=input comment=\
    "API p\F8idat na blacklist api_stage3 na 1 hodinu" connection-state=new \
    dst-port=8728 protocol=tcp src-address-list=api_stage2
add action=add-src-to-address-list address-list=api_stage3 \
    address-list-timeout=1m chain=forward comment=\
    "API p\F8idat na blacklist api_stage3 na 1 hodinu" connection-state=new \
    dst-port=8728 protocol=tcp src-address-list=api_stage2
add action=add-src-to-address-list address-list=api_blacklist \
    address-list-timeout=1w chain=input comment=\
    "API pridat na blacklist na tyden" connection-state=new dst-port=8728 \
    protocol=tcp src-address-list=api_stage3
add action=drop chain=input comment="Drop Everything" log=yes log-prefix=DROP_
0 x
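The staged address lists in the first post (stage1..stage4, then the permanent sshdrop list) and in _piggy_'s config (ssh_stage1..3, then ssh_blacklist) escalate the same way, and the rule order decides what actually happens. Below is an added example, not code from the thread or from RouterOS, that models the add-src-to-address-list / drop interplay of the first post's SSH chain in Python; the IP address and the timestamps are constructed. It shows that a source is only escalated when its successive new connections fall inside the 20 s stage timeouts, and that the attempt which lands the source in sshdrop is itself still passed, because the drop rule precedes the add rules.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed model of the RouterOS filter actions the staged rules in this
# thread use (accept, drop, add-src-to-address-list with a timeout); it is an
# illustration of how the stage lists escalate, not RouterOS code.
@dataclass
class Rule:
    action: str                       # "accept", "drop" or "add-list"
    dst_port: Optional[int] = None    # None matches any port
    src_list: Optional[str] = None    # source must already be in this list
    add_to: Optional[str] = None      # list to add the source to (add-list only)
    timeout: Optional[float] = None   # seconds; None = permanent (none-dynamic)
class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.lists = {}               # list name -> {ip: expiry time or None}

    def _in_list(self, name, ip, now):
        entries = self.lists.get(name, {})
        if ip not in entries:
            return False
        expiry = entries[ip]
        if expiry is not None and expiry <= now:
            del entries[ip]           # dynamic entry has timed out
            return False
        return True

    def new_connection(self, ip, port, now):
        """Verdict ("accept"/"drop") for a new TCP connection at time 'now'."""
        for r in self.rules:
            if r.dst_port is not None and r.dst_port != port:
                continue
            if r.src_list and not self._in_list(r.src_list, ip, now):
                continue
            if r.action == "add-list":
                expiry = None if r.timeout is None else now + r.timeout
                self.lists.setdefault(r.add_to, {})[ip] = expiry
                continue              # add-src-to-address-list never terminates
            return r.action
        return "accept"               # end of chain: RouterOS accepts by default

def ssh_staging(port):
    """Same order as the first post: drop sshdrop, then the five add rules."""
    return [
        Rule("drop", port, "sshdrop"),
        Rule("add-list", port, "stage4", "sshdrop", None),  # 5th hit: permanent
        Rule("add-list", port, "stage3", "stage4", 20),
        Rule("add-list", port, "stage2", "stage3", 20),
        Rule("add-list", port, "stage1", "stage2", 20),
        Rule("add-list", port, None, "stage1", 20),          # every new hit
    ]

def replay(attempt_times, port=22, ip="203.0.113.7"):   # constructed IP
    fw = Firewall(ssh_staging(port))
    return [fw.new_connection(ip, port, t) for t in attempt_times]
```

Six new connections one second apart give five accepts and then a drop; the same six spaced 25 s apart never leave stage1, which is why a slow manual test may appear not to work.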

sutrus
Posts: 85
Registered: 7 years ago

Post by sutrus » 6 years ago

Block port 53.

Code:

add action=reject chain=input in-interface=ether1 comment="Reject DNS from WAN" dst-port=53 protocol=tcp reject-with=icmp-port-unreachable
add action=reject chain=input in-interface=ether1 comment="Reject DNS from WAN" dst-port=53 protocol=udp reject-with=icmp-port-unreachable
0 x

Pelirob
Posts: 162
Registered: 12 years ago

Post by Pelirob » 6 years ago

Is this a home router, or some larger network? Isn't it pointless to detect SSH on forward? Isn't input alone enough? Specifically this rule:

Code:

/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=forward comment="SSH pridat na blacklist ssh_stage1 na 1 hodinu" connection-state=new dst-port=22 protocol=tcp


_piggy_ wrote: For example, I have my firewall like this; I don't know whether it's 100% correct, but so far I haven't had to deal with any problems.

Code:

/ip firewall filter
add action=drop chain=input comment="Drop Invalid Connections" \
    connection-state=invalid
... etc.

0 x

_piggy_
Posts: 57
Registered: 7 years ago
Location: Znojmo

Post by _piggy_ » 6 years ago

Pelirob wrote: Is this a home router, or some larger network? Isn't it pointless to detect SSH on forward? Isn't input alone enough? Specifically this rule:

Code:

/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=forward comment="SSH pridat na blacklist ssh_stage1 na 1 hodinu" connection-state=new dst-port=22 protocol=tcp


_piggy_ wrote: For example, I have my firewall like this; I don't know whether it's 100% correct, but so far I haven't had to deal with any problems.

Code:

/ip firewall filter
add action=drop chain=input comment="Drop Invalid Connections" \
    connection-state=invalid
... etc.

Home router. Input alone would be enough, but so far I haven't noticed any problem with it being on forward as well. Writing a good firewall these days is an art.
0 x

puchnar
Posts: 134
Registered: 8 years ago

Post by puchnar » 6 years ago

_piggy_ wrote:
Pelirob wrote: Is this a home router, or some larger network? Isn't it pointless to detect SSH on forward? Isn't input alone enough? Specifically this rule:

Code:

/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=forward comment="SSH pridat na blacklist ssh_stage1 na 1 hodinu" connection-state=new dst-port=22 protocol=tcp


_piggy_ wrote: For example, I have my firewall like this; I don't know whether it's 100% correct, but so far I haven't had to deal with any problems.

Code:

/ip firewall filter
add action=drop chain=input comment="Drop Invalid Connections" \
    connection-state=invalid
... etc.

Home router. Input alone would be enough, but so far I haven't noticed any problem with it being on forward as well. Writing a good firewall these days is an art.

Piggy, it isn't (joke) :)
1. accept established
2. Allow output
3. Allow forward out
4. Allow exceptions
5. Drop all
0 x
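Dacesilian's and puchnar's advice amounts to a structure that can be checked mechanically on an export: nothing useful should sit behind the final drop of a chain, and every address list a drop rule relies on must actually be fed by some add-src-to-address-list rule (a list populated as `port_scanners` but referenced as `port-scanners` silently never drops anything). The following Python checker is an added example, not part of the thread; it parses an export in the same `add ... \` continuation format as the posts above and reports both problems. The sample export is constructed.

```python
import re
import shlex

# Constructed RouterOS export excerpt in the shape posted in this thread. The
# misspelt list name on the third rule and the rule placed after "Drop
# Everything" are deliberate, so that the checks below have something to report.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "accept established,related" connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="Port scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="dropping port scanners" \
    src-address-list=port-scanners
add action=drop chain=input comment="Drop Everything" log=yes log-prefix=DROP_
add action=accept chain=input comment="never reached" protocol=icmp
add action=accept chain=forward comment="other chain, still reachable" \
    connection-state=established,related
"""

# Keys that do not narrow what a rule matches; a terminating rule carrying
# only these keys is a catch-all for its chain.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled",
                "address-list", "address-list-timeout"}
TERMINATING = {"accept", "drop", "reject", "tarpit"}

def parse_rules(export):
    """Join backslash continuations and turn each 'add ...' line into a dict."""
    joined = re.sub(r"\\\n\s*", "", export)
    rules = []
    for line in joined.splitlines():
        if line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            rules.append(dict(pairs))
    return rules

def lint(rules):
    """Findings: address lists nothing populates, and rules behind a catch-all."""
    findings = []
    populated = {r["address-list"] for r in rules if r["action"].startswith("add-")}
    for i, r in enumerate(rules):
        for key in ("src-address-list", "dst-address-list"):
            name = r.get(key)
            if name and name not in populated:
                findings.append(f"rule {i}: {key}={name} is never populated")
    closed = set()                    # chains that already ended in a catch-all
    for i, r in enumerate(rules):
        if r["chain"] in closed:
            findings.append(f"rule {i}: unreachable, {r['chain']} already has a catch-all")
        elif (r["action"] in TERMINATING and r.get("disabled") != "yes"
              and not set(r) - NON_MATCHERS):
            closed.add(r["chain"])
    return findings
```

Feed it the output of `/ip firewall filter export` saved to a file; rules numbered in the findings count only the `add` lines, in export order.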

basty
Posts: 2475
Registered: 19 years ago

Post by basty » 6 years ago

How should a firewall on a network gateway be set up correctly, in principle?

A gateway with the classic public /30 point-to-point link + further public ranges routed to it.
NAT is done here for clients, both public IPs and ports, as well as src NAT for outbound traffic.
General optimized procedures are enough for me, so that everything works.

Thanks
0 x