Saturday, 9 December 2017

Mikrotik:Bandwidth scheduling

MikroTik can enforce different bandwidth limits for day and night according to your
requirement. As you may have seen, most people configure their bandwidth
scheduling in many different ways.

There are many ways to limit bandwidth by day and night, but personally I found this the easiest way. Here it is.

I have used Simple Queue, Script and Scheduler.

Suppose we have one network, 192.168.20.0/24, and want to limit its bandwidth differently for day and night.

My LAN network: 192.168.20.0/24

Bandwidth 06:00 – 18:00: 1Mbps (max-limit)
Bandwidth 18:00 – 06:00: 2Mbps (max-limit)

Create two simple queues for the same network with different bandwidth limits (replace <ether-x> with your LAN interface):

/queue simple
add name=Day target-addresses=192.168.20.0/24 dst-address=0.0.0.0/0 \
    interface=<ether-x> parent=none direction=both priority=8 \
    queue=default-small/default-small limit-at=512k/512k \
    max-limit=1M/1M total-queue=default-small
add name=Night target-addresses=192.168.20.0/24 dst-address=0.0.0.0/0 \
    interface=<ether-x> parent=none direction=both priority=8 \
    queue=default-small/default-small limit-at=1M/1M \
    max-limit=2M/2M total-queue=default-small

Now, write the two scripts; each one enables its own queue and disables the other:

/system script
add name=Day source="/queue simple enable Day; /queue simple disable Night"
add name=Night source="/queue simple enable Night; /queue simple disable Day"

Finally, schedule them to run once a day at the switch-over times:

/system scheduler
add name=Day on-event=Day start-date=oct/13/2007 start-time=06:00:00 interval=1d
add name=Night on-event=Night start-date=oct/13/2007 start-time=18:00:00 interval=1d


The configuration is simple, and based on your requirement you can change the rules a little. But here I am not doing anything different; the configuration is exactly as shown above.

Monday, 4 December 2017

Mikrotik:-EoIP in Mikrotik

EoIP (Ethernet over IP) is a layer 2 tunneling mechanism.

This time I will again share MikroTik material, and as before the subject is tunneling. The tunnel used this time is the EoIP tunnel. EoIP is a tunnel that works at layer 2 and connects one network with other networks.

Be aware that EoIP offers very low security, because it does not encrypt the packets sent through the tunnel. Its benefit is that it can join the same network across different locations.






Configuration

For the configuration, first assign IP addresses to the interfaces that will be used. Put the local networks of R1 and R2 in the same subnet, because the EoIP tunnel we are creating works at layer 2. Next, configure EoIP on both routers.


[admin@R1] > /interface eoip add local-address=12.12.12.1 name=eoip1 remote-address=12.12.12.2 tunnel-id=10
[admin@R2] > /interface eoip add local-address=12.12.12.2 name=eoip1 remote-address=12.12.12.1 tunnel-id=10

In the configuration above we only define the local address and the remote address of the two routers that form the tunnel. The tunnel-id identifies the tunnel: only the two ends configured with tunnel-id 10 will be joined. Next, configure the bridge.

[admin@R1] > /interface bridge add name=eoip
[admin@R1] > /interface bridge port add bridge=eoip interface=ether1
[admin@R1] > /interface bridge port add bridge=eoip interface=eoip1

[admin@R2] > /interface bridge add name=eoip
[admin@R2] > /interface bridge port add bridge=eoip interface=ether1
[admin@R2] > /interface bridge port add bridge=eoip interface=eoip1

In the configuration above, the eoip1 interface created earlier is bridged with the interface facing our local network. This works because EoIP operates at layer 2: for the clients behind one router to reach the other router, we only need to bridge the local interface with the EoIP interface on each router. Once that is done, verify connectivity.

Thursday, 9 November 2017

Mikrotik: MTU issue in Mikrotik when opening specific websites

In my experience, most PPPoE users have problems opening some specific
websites when they dial PPPoE from a wireless modem or WiFi router, but when they dial directly from their PC there is no such problem.


You may notice that the users cannot open certain banking websites and also some government websites.


Let me show you how to find the problem easily; you just have to adjust the TCP MSS in your MikroTik NAS or MikroTik router.


Let's start...


TCP options string = 02040564010303020402080a0048792c00000000
MTU = 1420
MTU is not fully optimized for broadband. Consider increasing your MTU to 1500 for better throughput. If you are using a router, it could be limiting your MTU regardless of Registry settings.
MSS = 1380
MSS is not optimized for broadband. Consider increasing your MTU value.
Default TCP Receive Window (RWIN) = 16416
RWIN Scaling (RFC1323) = 2 bits (scale factor: 2^2=4)
Unscaled TCP Receive Window = 4104

In Windows 7, unless "TCP/IP Auto-Tuning" is disabled, only the Current TCP Window is displayed. Use the latest TCP Optimizer for tweaking.
You seem to be using Google Chrome. Note that Chrome can modify the TCP Window for sockets it creates under some OSes, and therefore servers may not get your OS-assigned RWIN value. FAQ
RWIN is not multiple of MSS. If your OS supports setting RWIN directly, consider changing it to a multiple of MSS for optimum performance.
Other RWIN values that might work well with your current MTU/MSS: 
63480  (up to 2 Mbit lines, depending on latency. MSS * 46)
126960 (1-5 Mbit lines, depending on latency. MSS * 46 * 2)
253920 (2-14 Mbit lines, depending on latency. MSS * 46 * 2^2)
507840 (8-30 Mbit lines, depending on latency. MSS * 46 * 2^3)
1015680 (25-60 Mbit lines depending on latency. MSS * 46 * 2^4) 
bandwidth * delay product (Note this is not a speed test):

Your current TCP Window limits you to: 657 kbps (82 KBytes/s) @ 200ms latency
Your current TCP Window limits you to: 263 kbps (33 KBytes/s) @ 500ms latency
Consider increasing your RWIN value to optimize TCP/IP for broadband.
MTU Discovery (RFC1191) = ON
Time to live left = 113 hops
TTL value is ok.
Timestamps (RFC1323) = ON
Note: Timestamps add 12 bytes to the TCP header of each packet, reducing the space available for useful data.





The report above was captured with my TCP analyzer to verify exactly what the problem is: the path MTU is 1420 and the MSS is 1380.


Let's create the TCP MSS rules for that and try again.


Rule-1

/ip firewall mangle
add action=change-mss chain=forward comment="Internet MSS Changing" disabled=no \
    new-mss=1452 out-interface=Internet protocol=tcp tcp-flags=syn \
    tcp-mss=1453-65535
add action=change-mss chain=forward disabled=no in-interface=Internet \
    new-mss=1452 protocol=tcp tcp-flags=syn tcp-mss=1453-65535




Rule-2

/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 action=change-mss new-mss=1360 disabled=no


Note: Do not run both rule sets at the same time; try one, and only if it does not help, remove it and try the other.
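To see what the analyzer report is actually telling us, here is an added Python example (not from the post) that decodes the report's TCP options string and relates MTU, MSS and the change-mss rules above. The MTUs 1492 and 1400 used to reproduce the rules' 1452 and 1360 are my assumptions about what the two rules were sized for (1492 is the usual PPPoE MTU).

```python
"""Decode the TCP options from the analyzer report and model a change-mss rule."""

IP_HEADER = 20   # IPv4 header without options
TCP_HEADER = 20  # TCP header without options

# TCP options string copied from the analyzer report quoted in the post.
REPORT_OPTIONS_HEX = "02040564010303020402080a0048792c00000000"


def parse_tcp_options(hex_options):
    """Parse raw TCP options (kinds 0-4 and 8: EOL, NOP, MSS, WS, SACK-OK, TS)."""
    data = bytes.fromhex(hex_options)
    opts = {}
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = data[i + 2:i + length]
        if kind == 2 and length == 4:
            opts["mss"] = int.from_bytes(body, "big")
        elif kind == 3 and length == 3:
            opts["window_scale"] = body[0]
        elif kind == 4 and length == 2:
            opts["sack_permitted"] = True
        elif kind == 8 and length == 10:
            opts["timestamps"] = (int.from_bytes(body[:4], "big"),
                                  int.from_bytes(body[4:], "big"))
        else:
            opts.setdefault("unknown", []).append(kind)
        i += length
    return opts


def mss_for_mtu(mtu):
    """Largest TCP payload that fits one packet of the given MTU (IPv4, no options)."""
    return mtu - IP_HEADER - TCP_HEADER


def unscaled_window(rwin, scale_bits):
    """The 16-bit window value actually carried in the header for a scaled RWIN."""
    return rwin >> scale_bits


def change_mss(advertised_mss, new_mss, match_low=None, match_high=65535):
    """Emulate a RouterOS change-mss rule with tcp-mss=<match_low>-<match_high>.

    Only a SYN whose advertised MSS lies inside the match range is rewritten.
    The post's rules start the range at new-mss + 1, so a smaller MSS is never
    raised; that is the default modelled here.
    """
    if match_low is None:
        match_low = new_mss + 1
    if match_low <= advertised_mss <= match_high:
        return new_mss
    return advertised_mss


if __name__ == "__main__":
    print(parse_tcp_options(REPORT_OPTIONS_HEX))   # mss 1380, window_scale 2, timestamps on
    print(mss_for_mtu(1420))                        # 1380: matches the report
    print(mss_for_mtu(1492), mss_for_mtu(1400))     # 1452 (Rule-1), 1360 (Rule-2)
    print(unscaled_window(16416, 2))                # 4104: matches the report
    print(change_mss(1460, 1452), change_mss(1380, 1452))  # 1452, 1380
```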






Monday, 4 September 2017

Tuesday, 29 August 2017

Mikrotik: Conficker virus port block in Mikrotik

These are very important rules for MikroTik, because sometimes you may see a lot of traffic generated from your network on these ports. The ports below can be considered virus ports, so you should block them in your MikroTik.


These rules are tested and working, so you just have to copy and paste them into your
Winbox terminal.


/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=135 comment="conficker virus block"
add chain=forward action=drop protocol=tcp dst-port=139 comment="conficker virus block"
add chain=forward action=drop protocol=tcp dst-port=5933 comment="conficker virus block"
add chain=forward action=drop protocol=udp dst-port=135 comment="conficker virus block"
add chain=forward action=drop protocol=udp dst-port=137 comment="conficker virus block"
add chain=forward action=drop protocol=udp dst-port=138 comment="conficker virus block"
add chain=forward action=drop protocol=udp dst-port=445 comment="conficker virus block"
add chain=forward action=drop protocol=tcp dst-port=445 comment="conficker virus block"

MIKROTIK: How to stop SSH brute force

Sometimes you may see many SSH connections established to your router, and because of this the router's CPU usage and bandwidth utilisation become high. In that case you can consider it an SSH brute-force attack on your network.



/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="Drop SSH Brute Forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
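How the five rules interact is easiest to see by simulating them. The following is an added Python model (not RouterOS code) of the staged address lists above, run over constructed sample traffic; it assumes that add-src-to-address-list does not stop rule processing and that re-adding an existing entry keeps its original timeout. The same logic applies to the TELNET and FTP variants further down, with only the port and list names changed.

```python
"""Simulate the staged address-list logic of the SSH brute-force rules."""

MINUTE = 60
DAY = 24 * 60 * 60

# The five rules from the post, in the order listed:
# (action, list the source must already be in or None, list to add to, timeout)
SSH_RULES = [
    ("drop", "ssh_blacklist", None, None),
    ("add", "ssh_stage3", "ssh_blacklist", DAY),
    ("add", "ssh_stage2", "ssh_stage3", MINUTE),
    ("add", "ssh_stage1", "ssh_stage2", MINUTE),
    ("add", None, "ssh_stage1", MINUTE),
]

# The same rules with the staging rules pasted in the opposite order (a common mistake).
MISORDERED_RULES = [SSH_RULES[0]] + SSH_RULES[1:][::-1]


class AddressLists:
    """Dynamic address lists with per-entry timeouts (seconds on an arbitrary clock)."""

    def __init__(self):
        self._expiry = {}  # (list_name, ip) -> expiry timestamp

    def contains(self, name, ip, now):
        expiry = self._expiry.get((name, ip))
        if expiry is None:
            return False
        if expiry <= now:               # entry timed out: behave as if it were gone
            del self._expiry[(name, ip)]
            return False
        return True

    def add(self, name, ip, timeout, now):
        # Assumption: re-adding an existing entry keeps the old expiry.
        if not self.contains(name, ip, now):
            self._expiry[(name, ip)] = now + timeout


def handle_new_syn(rules, lists, src_ip, now):
    """Run one new connection to tcp/22 through the input chain; return 'drop' or 'accept'.

    add-src-to-address-list is non-terminating in RouterOS, so after being added the
    packet keeps walking down the rule list; only drop ends the walk.
    """
    for action, required_list, target_list, timeout in rules:
        if required_list is not None and not lists.contains(required_list, src_ip, now):
            continue
        if action == "drop":
            return "drop"
        lists.add(target_list, src_ip, timeout, now)
    return "accept"


def replay(rules, events):
    """events: (timestamp_seconds, src_ip) pairs for new SSH connections, in time order.
    Returns the verdict for each event."""
    lists = AddressLists()
    return [handle_new_syn(rules, lists, ip, ts) for ts, ip in events]


if __name__ == "__main__":
    # Constructed sample traffic: one host hammering port 22 every 10 s,
    # and an admin logging in every two minutes.
    attacker = [(t, "203.0.113.7") for t in range(0, 50, 10)]
    admin = [(t, "192.0.2.10") for t in range(0, 600, 120)]
    print("attacker:  ", replay(SSH_RULES, attacker))          # 4 x accept, then drop
    print("admin:     ", replay(SSH_RULES, admin))             # all accept
    print("misordered:", replay(MISORDERED_RULES, attacker[:2]))  # accept, drop
```

Note that four connection attempts within a minute get through before the fifth is dropped, and that with the staging rules in the wrong order a single connection walks all the way to the blacklist.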

MIKROTIK: How to stop TELNET brute force

If many TELNET requests are being forwarded through your router, arriving randomly from outside
the network and consuming more and more bandwidth, you can consider it a TELNET brute-force
attack.

In that case, if you run Torch on your WAN interface, or on any other interface where the clients are connected, you will be able to recognise the telnet attack.


Let's start the configuration.


/ip firewall filter
add chain=input protocol=tcp dst-port=23 src-address-list=telnet_blacklist action=drop comment="Drop Telnet Brute Forcers" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage3 action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage2 action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage1 action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m comment="" disabled=no

NOTE: Sometimes you have to modify the rules a little.

MIKROTIK: How to stop FTP brute force

If many FTP requests are being forwarded through your router, arriving randomly from outside
the network and consuming more and more bandwidth, you can consider it an FTP brute-force
attack.










/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Drop FTP Brute Forcers" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage3 action=add-src-to-address-list address-list=ftp_blacklist address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage2 action=add-src-to-address-list address-list=ftp_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage1 action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m comment="" disabled=no

MIKROTIK:- DDOS Protection

If an attack is coming to your network and many unnecessary connections have been established, enable some of MikroTik's enhanced security features, such as:


1-Drop DNS requests arriving on your WAN interface.
2-Drop all invalid TCP sessions in your MikroTik.
3-Uncheck the "Allow Remote Requests" option under IP > DNS.


A DoS (Denial of Service) attack can overload a router, which means that CPU usage goes to 100% and the router can become unreachable, with timeouts. Every operation on packets that takes significant CPU power, such as firewalling (filter, NAT, mangle), logging and queues, can cause overloading if too many packets per second arrive at the router.

Generally there is no perfect solution to protect against DoS attacks. Every service can become overloaded by too many requests. But there are some methods for minimising the impact of an attack:

Get a more powerful router or server
Get a faster uplink
Reduce the number of firewall rules, queues and other packet handling actions
Track the attack path and block it closer to the source (by the upstream provider)

The symptoms you will see:

The entire network bandwidth will be choked.
The router's CPU utilisation will be high.

Whenever you see the issues mentioned above in your MikroTik, you can consider it a
DDoS attack.





Let's start the configuration.


Here I will show you the three most important rule sets against DDoS attacks, but configure only one of them in your MikroTik at a time. They all serve the same purpose, so there is no need to configure all three in the router together; pick any one of them.


Rule-1

/ip firewall filter
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser


Rule-2

/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m


Rule-3

/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=detect-ddos
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
add chain=detect-ddos src-address=192.168.0.1 action=return
add chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop

Monday, 28 August 2017

MIKROTIK: Preventing SSH brute-force attacks by banning the source for 10 days.

Ban an SSH brute-forcer for 10 days after repeated attempts.



/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no

MIKROTIK: FTP brute-force attack

Sometimes you may see many FTP connections established to your router, and because of this the router's CPU usage and bandwidth utilisation become high. In that case you can consider it an FTP brute-force attack on your network.


/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

Mikrotik: ICMP security and ICMP flooding.

Configure the rules below to limit the ICMP traffic reaching your devices. They live in a custom chain named icmp, so they only take effect once a rule in the input chain hands ICMP packets to it (action=jump jump-target=icmp).




/ip firewall filter
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

MIKROTIK SECURITY: How to find and block port scanners in Mikrotik



A port scan or portscan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port; this is not a nefarious process in and of itself.[1] The majority of uses of a port scan are not attacks, but rather simple probes to determine services available on a remote machine.


Configure the rules below to detect port scanners (Rule-1 puts them on an address list) and drop their traffic (Rule-2).



Rule-1

/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"


Rule-2

/ip firewall filter
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
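The tcp-flags matches are the core of Rule-1, and it is worth checking which flag combinations they catch and, just as important, which normal packets they leave alone. The following is an added Python example (not from the post) that evaluates the post's flag specifications against a packet's flag set; the psd (port sequence detection) rule is not modelled.

```python
"""Evaluate RouterOS tcp-flags match specifications against packet flag sets."""

TCP_FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr"}


def parse_flag_spec(spec):
    """Parse RouterOS tcp-flags syntax, e.g. 'fin,!syn,!rst' -> (must_set, must_clear).

    A flag listed plainly must be set, a flag prefixed with '!' must be clear,
    and any flag not mentioned is a don't-care.
    """
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        token = token.strip().lower()
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        (must_clear if negated else must_set).add(name)
    if must_set & must_clear:
        raise ValueError("a flag cannot be both required and negated")
    return must_set, must_clear


def flags_match(spec, packet_flags):
    """True if a packet carrying exactly packet_flags matches the tcp-flags spec."""
    must_set, must_clear = parse_flag_spec(spec)
    present = {f.lower() for f in packet_flags}
    return must_set <= present and not (must_clear & present)


# The tcp-flags rules from Rule-1 above: (spec, rule comment).
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]


def classify(packet_flags):
    """Comments of every Rule-1 rule a packet with these flags would match, in rule order."""
    return [comment for spec, comment in SCAN_RULES if flags_match(spec, packet_flags)]


if __name__ == "__main__":
    # Constructed packets: a normal handshake SYN, a normal FIN/ACK close, and scan probes.
    for flags in [{"syn"}, {"fin", "ack"}, set(), {"fin"}, {"fin", "psh", "urg"},
                  {"fin", "syn", "rst", "psh", "ack", "urg"}]:
        print(sorted(flags) or "<no flags>", "->", classify(flags) or "no match")
```

Ordinary SYN and FIN/ACK packets match none of the rules, so legitimate clients are not listed; the all-flags probe matches three rules at once, which is harmless since each only adds the same source to the same list.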




MIKROTIK: How to block TCP invalid state connection in your mikrotik device

In this post, suppose many invalid TCP sessions have been created and you want to block those connections. Configure the commands below to drop invalid states and allow only established (and related) connections.


/ip firewall filter
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"

MIKROTIK: How to block these bogon IPs in your Mikrotik.

If you want to give your MikroTik more security, you have to block these IP ranges, because sometimes you may see many connections present in your MikroTik from addresses that should never appear on the Internet.

I recommend blocking these address ranges; it is necessary.


/ip firewall filter
add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

MIKROTIK: Recommended TCP ports to block in Mikrotik.

I recommend blocking these TCP ports in MikroTik if an attack is coming. The rules use a custom chain named tcp, so a jump rule from the forward or input chain (action=jump jump-target=tcp) is needed for them to take effect.




/ip firewall filter
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Mikrotik: How to block these virus-related UDP ports in your Mikrotik.

In this post I am going to discuss MikroTik security, because as we all know it is very difficult to protect MikroTik.


Here I am going to block some UDP ports. As with the TCP rules above, these sit in a custom chain (udp) and need a jump rule (action=jump jump-target=udp) from the forward or input chain.


/ip firewall filter
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

MIKROTIK: Block virus ports

Sometimes you may see huge bandwidth utilisation in your corporate network, and also
high CPU utilisation on the router. In that kind of scenario you have to give your MikroTik
higher security.


Please block these virus ports .



/ip firewall filter
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"    
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm & WannaCrypt" 
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" 
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" 
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" 
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" 
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" 
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" 
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" 
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" 
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" 
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" 
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" 
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" 
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" 
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" 
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" 
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" 
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" 
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" 
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" 
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" 
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" 
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" 
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" 
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" 
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" 
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" 
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

add chain=virus protocol=tcp dst-port=139 action=drop comment="Drop WannaCrypt"

Friday, 25 August 2017

CISCO: What configuration is required for SNMP on Cisco switches.

As we all know, we use SNMP to monitor the network. In my case I am using PRTG
as the monitoring software, but you can use other monitoring software as per your requirement.


After completing your PRTG server installation you have to enable the SNMP service on the
Cisco and other devices in your network. In this post I am not going to show the installation
process of PRTG; it is very easy, and you can also refer to the
official PRTG website.



Let's enable the SNMP service on your devices, but before that we need to make sure
there is reachability from the PRTG server to your network devices.



Please see the diagram below for how and where my PRTG server sits in the network.




Here I have reachability from my PRTG server to all the switches, and the PRTG server is
already configured.



Take the Telnet to the router/switch
-----------------------------

sw-1#telnet 172.17.10.1
Go to enable mode by entering the password you have set:

sw-1>enable
Password:
sw-1#
Go into configuration mode:

sw-1#configure terminal
sw-1(config)#

First of all you have to configure the SNMP community strings for read-only and read-write access. Use the command below to add a read-only community string:

sw-1(config)#snmp-server community public RO


Note:-where "public" is the Read-only community string.

To add a Read-Write Community string, use the command below:

sw-1(config)#snmp-server community private RW


Note:-where "private" is the Read-write community string.

Exit the configuration mode and save the settings:

sw-1(config)#exit 
sw-1#write memory 
Building configuration...
[OK]
sw-1#

The configuration above only enables the SNMP community strings; the configuration below is
very important, so please look at it carefully.


To enable SNMP traps, follow the steps below in the Configuration mode of the Router/Switch:

First, set the host to which the traps have to be sent using the following command:


snmp-server host <IP Address> version <v1 or 2c> <RO community string>


<IP Address> refers to the IP Address of the device to which the traps have to be sent
<v1 or 2c> refers to the SNMP version
<RO community string> refers to the Read-Only community string

In my case:

sw-1(config)#snmp-server host 172.17.10.4 version 3 RO 


Step-2

Then, enable SNMP Traps using the command below:

snmp-server enable traps [notification-type] [notification-option] 


Note: for example, snmp-server enable traps config sends all configuration change notifications as traps.



Note: Sometimes this configuration is not sufficient; in my experience,
authentication and an authentication type etc. are sometimes needed as well.






Thursday, 17 August 2017

MIKROTIK:How to block all the virus ports in mikrotik

You can stop virus attacks in MikroTik using the rules below. They are written in a custom chain named Virus, so a rule in the forward chain must jump to it (action=jump jump-target=Virus) for them to take effect.


/ip firewall filter
add chain=Virus protocol=tcp dst-port=1434 action=drop comment="port block \ 
warning" disabled=no 
add chain=Virus protocol=udp dst-port=1434 action=drop comment="" disabled=no 
add chain=Virus protocol=udp dst-port=2745 action=drop comment="" disabled=no 
add chain=Virus protocol=tcp dst-port=6344-6381 action=drop comment="" \ 
disabled=no 
add chain=Virus protocol=udp dst-port=6344-6381 action=drop comment="" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=1080 action=drop comment="MyDoom" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=1214 action=drop comment="" disabled=no 
add chain=Virus protocol=tcp dst-port=593 action=drop comment="" disabled=no 
add chain=Virus protocol=tcp dst-port=1024-1030 action=drop comment="" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=135-139 action=drop comment="Blaster \ 
Worm" disabled=no 
add chain=Virus protocol=udp dst-port=135-139 action=drop comment="Messenger \ 
Worm" disabled=no 
add chain=Virus protocol=tcp dst-port=445 action=drop comment="Blaster Worm" \ 
disabled=no 
add chain=Virus protocol=udp dst-port=445 action=drop comment="Blaster Worm" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=2235 action=drop comment="Drop Beagle" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=2745 action=drop comment="Drop \ 
Beagle.C-K" disabled=no 
add chain=Virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \ 
MyDoom" disabled=no 
add chain=Virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \ 
OptixPro" disabled=no 
add chain=Virus protocol=tcp dst-port=4444 action=drop comment="Worm" \ 
disabled=no 
add chain=Virus protocol=udp dst-port=4444 action=drop comment="Worm" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=9898 action=drop comment="Drop \ 
Dabber.A-B" disabled=no 
add chain=Virus protocol=tcp dst-port=10000 action=drop comment="Drop \ 
Dumaru.Y" disabled=no 
add chain=Virus protocol=tcp dst-port=10080 action=drop comment="Drop \ 
MyDoom.B" disabled=no 
add chain=Virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \ 
disabled=no 
add chain=Virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \ 
Agobot, Gaobot" disabled=no 
add chain=Virus protocol=tcp dst-port=27374 action=drop comment="Drop \ 
SubSeven" disabled=no 

# forward 
add chain=forward connection-state=invalid action=drop comment="" disabled=no 
add chain=forward connection-state=related action=accept comment="" \ 
disabled=no 
add chain=forward connection-state=established action=accept comment="" \ 
disabled=no 
add chain=forward action=jump jump-target=Virus comment="" disabled=no 

# input 
add chain=input connection-state=invalid action=drop comment="" disabled=no 
add chain=input connection-state=related action=accept comment="" disabled=no 
add chain=input connection-state=established action=accept comment="" \ 
disabled=no 
add chain=input action=jump jump-target=Virus comment="" disabled=no 




MIKROTIK: How to provide more security to your MikroTik router!!

If you want to secure your MikroTik firewall, please use the rules created below.


You must have a very good understanding of these rules, and you should thoroughly test this configuration before deploying it in a live environment.



/ip firewall address-list
add address=x.x.x.x/x comment=My Server Subnet list=safe



Let's say our private network is 192.168.1.0/24 and the public (WAN) interface is ether1.
We will set up the firewall to allow connections to the router itself only from our local network and drop the rest.
We will also allow the ICMP protocol on any interface so that anyone can ping the router from the Internet.


/ip firewall filter
add chain=input in-interface=ether10-WAN src-address-list=safe action=accept comment="Allow connections from safe list"
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add action=drop chain=input comment="Drop external DNS requests" dst-port=53 in-interface=ether10-WAN protocol=tcp
add action=drop chain=input comment="Drop external DNS requests" dst-port=53 in-interface=ether10-WAN protocol=udp
add chain=input connection-state=established action=accept comment="Allow Established connections" 
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.10.0/24 action=accept in-interface=!ether10-WAN comment="Allow LAN connections"
add chain=input src-address=192.168.11.0/24 action=accept in-interface=!ether10-WAN comment="Allow LAN connections"
add chain=input action=drop comment="Drop everything else"

#Optional (this rule must be placed before the "Drop everything else" rule; after it, the chain has already dropped the packet and the log rule is never reached)

add action=log chain=input comment="Log any other inbound traffic" log-prefix="Inbound Alert"


#For ICMP, TCP and UDP traffic we will create separate chains, in which we will drop all unwanted packets:


/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" 
add chain=forward connection-state=established action=accept comment="allow already established connections" 
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward comment="Allow all new outbound LAN connections" connection-state=new out-interface=ether1-WAN

#Block "bogon" IP Addresses:

add chain=forward src-address=0.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="block bogon ip addresses" 
add chain=forward src-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward src-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"



#Make jumps to new chains:

add chain=forward protocol=tcp action=jump jump-target=tcp comment="make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp comment="make jumps to new chains"
add chain=forward protocol=icmp action=jump jump-target=icmp comment="make jumps to new chains"

#Create TCP chain and deny some TCP ports in it:

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" 
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" 
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" 
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" 
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" 
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" 
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" 
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice" 
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

#Deny UDP ports in UDP chain:

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" 
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" 
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" 
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" 
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" 
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"

#Allow only needed ICMP codes in ICMP chain:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply" 
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable" 
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required" 
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" 
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" 
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed" 
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter problem" 
add chain=icmp action=drop comment="deny all other types"
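Both filter sets above depend on rule order: the jump into the Virus chain only protects what has not already been accepted, and the optional log rule only fires if it sits before the final drop. The following is an added example, not from either original post: a Python simulator that parses rules in the RouterOS export syntax used above (including the backslash line continuations) and walks constructed packets through the input chain; the sample rule set, interface names and packets are constructed for the example.

```python
"""Simulate RouterOS /ip firewall filter evaluation (added example, not from the original posts):
parse rules in the export syntax used above and walk a packet through a chain top-down, following jumps."""
import ipaddress, shlex
def parse_rules(text):
    """Return {chain: [rule, ...]}; joins '\\' continuations, skips comments/headers."""
    chains = {}
    for line in text.replace("\\\n", "").splitlines():
        if line.strip().startswith("add "):
            rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            chains.setdefault(rule["chain"], []).append(rule)
    return chains

def matches(rule, pkt):
    """Matchers this example understands; an absent matcher matches anything."""
    lo, _, hi = rule.get("dst-port", "0-65535").partition("-")
    iface = rule.get("in-interface", "")
    return (rule.get("protocol", pkt["protocol"]) == pkt["protocol"]
            and int(lo) <= pkt["dst_port"] <= int(hi or lo)
            and rule.get("connection-state", pkt["state"]) == pkt["state"]
            and (not iface or (pkt["in_if"] == iface.lstrip("!")) != iface.startswith("!"))
            and rule.get("src-address-list") in (None,) + tuple(pkt.get("lists", ()))
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.get("src-address", "0.0.0.0/0")))

def evaluate(chains, chain, pkt, log):
    """Walk a chain top-down; return 'accept'/'drop', or None if it fell through."""
    for rule in chains.get(chain, []):
        if rule.get("disabled") == "yes" or not matches(rule, pkt):
            continue
        action = rule.get("action", "accept")
        if action == "jump":                  # a jumped chain that falls through returns here
            verdict = evaluate(chains, rule["jump-target"], pkt, log)
            if verdict:
                return verdict
        elif action == "log":                 # log never terminates the chain
            log.append(rule.get("log-prefix", ""))
        else:
            return action
    return None
# Constructed sample: the hardening post's input chain with its optional log rule appended
# last (as shown there), plus a jump into one rule from the virus-port chain.
SAMPLE_RULES = r"""/ip firewall filter
add chain=input in-interface=ether10-WAN src-address-list=safe action=accept comment="Allow connections from safe list"
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input action=jump jump-target=Virus comment="" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.10.0/24 action=accept in-interface=!ether10-WAN comment="Allow LAN connections"
add chain=input action=drop comment="Drop everything else"
add action=log chain=input comment="Log any other inbound traffic" log-prefix="Inbound Alert"
add chain=Virus protocol=tcp dst-port=135-139 action=drop comment="Blaster \
Worm" disabled=no
"""
```

Moving the log rule above the final drop in SAMPLE_RULES makes the same WAN packet produce an "Inbound Alert" log entry before it is dropped.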