Tuesday, 29 August 2017

Mikrotik: Conficker virus port block in Mikrotik

These are very important rules for MikroTik, because sometimes you may see a lot of traffic generated from your network on these ports. The ports below can be considered virus ports, so you have to block them in your MikroTik.


These rules are tested and working, so you just have to copy and paste them into your Winbox terminal.


/ip firewall filter
# note: these forward-chain drops also stop legitimate routed SMB/NetBIOS traffic
# (135-139, 445) between subnets behind this router
add chain=forward action=drop protocol=tcp dst-port=135 comment="conficker virus block"
add chain=forward action=drop protocol=tcp dst-port=139 comment="conficker virus block"
add chain=forward action=drop protocol=tcp dst-port=5933 comment="conficker virus block"
add chain=forward action=drop protocol=udp dst-port=135 comment="conficker virus block"
add chain=forward action=drop protocol=udp dst-port=137 comment="conficker virus block"
add chain=forward action=drop protocol=udp dst-port=138 comment="conficker virus block"
add chain=forward action=drop protocol=udp dst-port=445 comment="conficker virus block"
add chain=forward action=drop protocol=tcp dst-port=445 comment="conficker virus block"

MIKROTIK: How to stop SSH brute force

Sometimes you may see that many SSH connections have been established to your router; because of this the router's CPU load and bandwidth utilisation will be high. In that case you can consider it an SSH brute-force attack on your network.



/ip firewall filter
# RouterOS evaluates rules top-down, so the order below matters: blacklisted
# sources are dropped first; every other new connection steps the source up one
# stage list per attempt (add-src-to-address-list does not stop rule processing),
# and the fourth attempt within the 1m stage windows puts it in ssh_blacklist for 1d
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="Drop SSH Brute Forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

MIKROTIK: How to stop Telnet brute force

If many Telnet requests are being forwarded through your router, coming randomly from outside the network and consuming more and more bandwidth, you can consider it a Telnet brute-force attack.

In that case, Torch on your WAN interface, or on any other interface where the clients are connected, will show these connections, so you can confirm it is a Telnet attack.


Let's start the configuration.


/ip firewall filter
# same staged scheme as the SSH rules above, on port 23
add chain=input protocol=tcp dst-port=23 src-address-list=telnet_blacklist action=drop comment="Drop Telnet Brute Forcers" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage3 action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage2 action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage1 action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m comment="" disabled=no

NOTE: Sometimes you have to modify the rules a little bit.

MIKROTIK: How to stop FTP brute force

If many FTP requests are being forwarded through your router, coming randomly from outside the network and consuming more and more bandwidth, you can consider it an FTP brute-force attack.

/ip firewall filter
# same staged scheme as the SSH rules above, on port 21
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Drop FTP Brute Forcers" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage3 action=add-src-to-address-list address-list=ftp_blacklist address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage2 action=add-src-to-address-list address-list=ftp_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage1 action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m comment="" disabled=no

MIKROTIK: DDoS protection

If an attack is coming into your network and many unnecessary connections have been established, enable some of MikroTik's enhanced security features, such as:


1- Drop DNS requests arriving on your WAN interface.
2- Drop all invalid TCP sessions in your MikroTik.
3- Untick "Allow Remote Requests" under IP > DNS.


A DoS (Denial of Service) attack can overload a router: CPU usage goes to 100% and the router can become unreachable, with timeouts. Every operation on packets that takes significant CPU power, such as firewalling (filter, NAT, mangle), logging and queues, can cause overloading if too many packets per second arrive at the router.

Generally there is no perfect solution to protect against DoS attacks; every service can be overloaded by too many requests. But there are some methods for minimising the impact of an attack:

Get a more powerful router or server
Get a faster uplink
Reduce the number of firewall rules, queues and other packet handling actions
Track the attack path and block it closer to the source (by the upstream provider)

Symptoms you will notice on the router:

The entire network bandwidth is choked.
The router's CPU utilisation is high.

Whenever you see any of the above-mentioned issues in your MikroTik, you can consider it a DDoS attack.





Let's start the configuration.


Here I will show you the three most important rule sets against DDoS attacks, but you have to configure only one of them in your MikroTik at a time. The purpose of all three is the same, so there is no need to configure all of them in the router together; any one of the rule sets below will do.


Rule-1

/ip firewall filter
# dst-limit=32,32,src-and-dst-addresses/10s: up to 32 new connections per second
# (burst 32) per source/destination pair; within that limit the chain returns,
# beyond it both addresses are listed for 10m and the pair is dropped in forward
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser


Rule-2

/ip firewall filter
# same as Rule-1 with a 50 per second limit; the drop rule sits directly after the jump
add chain=forward connection-state=new action=jump jump-target=block-ddos
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m


Rule-3

/ip firewall filter
# as Rule-1, plus a whitelist: traffic from 192.168.0.1 returns before it can be listed
add chain=forward connection-state=new action=jump jump-target=detect-ddos
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
add chain=detect-ddos src-address=192.168.0.1 action=return
add chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
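To see what dst-limit=32,32,src-and-dst-addresses/10s actually does to a burst of connections, here is an added Python model of Rule-1 (not code from this post or from MikroTik). It uses a plain token bucket per source/destination pair as an approximation of the RouterOS limiter, with constructed addresses and timings; the address-list expiry, the rule order and the per-pair drop follow the rules above.

```python
"""Added model of the detect-ddos rules (Rule-1 ordering); constructed data.

Per (src, dst) pair RouterOS keeps a limiter for
dst-limit=32,32,src-and-dst-addresses/10s: rate 32 per second, burst 32.
While a packet fits the limit the 'return' rule matches and the forward
chain continues normally; once the limit is exceeded the packet falls through
to the two add-*-to-address-list rules (neither stops processing) and then,
back in the forward chain, hits the drop rule for listed pairs.
The bucket arithmetic below is a plain token bucket, an approximation of the
router's internal accounting, not MikroTik's code.
"""

RATE = 32.0          # packets per second (count=32 per default 1s window)
BURST = 32.0         # burst=32
LIST_TIMEOUT = 600   # address-list-timeout=10m


class DdosDetector:
    def __init__(self, rate=RATE, burst=BURST, list_timeout=LIST_TIMEOUT):
        self.rate, self.burst, self.list_timeout = rate, burst, list_timeout
        self.buckets = {}   # (src, dst) -> (tokens, last_seen)
        self.ddoser = {}    # src -> list entry expiry
        self.ddosed = {}    # dst -> list entry expiry

    def _within_limit(self, src, dst, now):
        """The dst-limit matcher: take one token from the pair's bucket if there is one."""
        tokens, last = self.buckets.get((src, dst), (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[(src, dst)] = (tokens - 1.0 if ok else tokens, now)
        return ok

    @staticmethod
    def _listed(table, addr, now):
        return table.get(addr, 0.0) > now

    def new_connection(self, src, dst, now):
        """One connection-state=new packet in the forward chain: 'accept' or 'drop'."""
        # jump detect-ddos: return while within the limit, otherwise list both ends
        if not self._within_limit(src, dst, now):
            self.ddosed[dst] = now + self.list_timeout
            self.ddoser[src] = now + self.list_timeout
        # back in forward: drop only when src is in ddoser AND dst is in ddosed
        if self._listed(self.ddoser, src, now) and self._listed(self.ddosed, dst, now):
            return "drop"
        return "accept"


def demo():
    """Constructed scenario: one source floods one host; other pairs are unaffected."""
    d = DdosDetector()
    attacker, victim, other, client = "203.0.113.9", "192.0.2.80", "192.0.2.81", "198.51.100.20"
    flood = [d.new_connection(attacker, victim, 0.0) for _ in range(40)]
    return {
        "flood_accepted": flood.count("accept"),                         # the first 32 (the burst)
        "flood_dropped": flood.count("drop"),                            # the remaining 8
        "client_to_victim": d.new_connection(client, victim, 0.5),       # own bucket, not listed
        "attacker_to_other": d.new_connection(attacker, other, 0.5),     # 'other' is not in ddosed
        "attacker_to_victim_later": d.new_connection(attacker, victim, 5.0),  # pair still listed
        "after_list_expiry": d.new_connection(attacker, victim, 700.0),       # 10m have passed
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:25s} {value}")
```

The point the model makes visible is that the src-and-dst-addresses classifier and the two-list drop rule punish only the offending pair: a second client reaching the same host, and the same source reaching a different host, keep their own buckets and pass, while the listed pair stays dropped until the 10m entries expire even though its bucket has long refilled.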

Monday, 28 August 2017

MIKROTIK: Preventing SSH brute-force attacks for 10 days.

Ban an SSH brute forcer for 10 days after repeated attempts.



/ip firewall filter
# same staged scheme as before, but the blacklist entry lasts 10d and the last
# rule also drops blacklisted sources from reaching SSH on hosts behind the router
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
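The staged stage1/stage2/stage3 lists used by the SSH, Telnet and FTP rules earlier on this page and by the 10-day variant here all work the same way, so here is one worked model of them in Python. This is an added example, not code from the original posts or from MikroTik: it replays a list of new-connection events through the rule order and reports which would be accepted and which dropped. The IP addresses and timings are constructed test data; the list names follow the ssh_* names on the page, and the `prefix` argument lets the same code stand in for the telnet_* and ftp_* rules.

```python
"""Added model of the staged brute-force rules on this page; constructed data.

For each new TCP connection to the service port the rules are evaluated
top-down as RouterOS does: drop if the source is blacklisted; otherwise step
the source up one list (stage3 -> blacklist, stage2 -> stage3,
stage1 -> stage2) and put it into stage1. The add-src-to-address-list action
does not stop rule processing, so one packet can refresh several lists;
only the drop terminates. This is a model, not MikroTik's code.
"""

STAGE_TIMEOUT = 60          # address-list-timeout=1m on the stage lists
BLACKLIST_TIMEOUT = 86400   # address-list-timeout=1d (the 10d post: 864000)


def _listed(lists, name, ip, now):
    """True while ip is in address list `name` and the entry has not expired."""
    expiry = lists.get(name, {}).get(ip)
    return expiry is not None and expiry > now


def _add(lists, name, ip, now, timeout):
    """add-src-to-address-list: (re)insert ip with a fresh expiry."""
    lists.setdefault(name, {})[ip] = now + timeout


def evaluate(lists, ip, now, prefix="ssh",
             stage_timeout=STAGE_TIMEOUT, blacklist_timeout=BLACKLIST_TIMEOUT):
    """Verdict ('accept' or 'drop') for one new connection from ip at `now`,
    updating `lists` exactly as the rule chain would."""
    if _listed(lists, f"{prefix}_blacklist", ip, now):
        return "drop"
    # promotions are checked highest stage first, so an entry just added by
    # one rule is not seen by the next rule on the same packet
    if _listed(lists, f"{prefix}_stage3", ip, now):
        _add(lists, f"{prefix}_blacklist", ip, now, blacklist_timeout)
    if _listed(lists, f"{prefix}_stage2", ip, now):
        _add(lists, f"{prefix}_stage3", ip, now, stage_timeout)
    if _listed(lists, f"{prefix}_stage1", ip, now):
        _add(lists, f"{prefix}_stage2", ip, now, stage_timeout)
    _add(lists, f"{prefix}_stage1", ip, now, stage_timeout)
    return "accept"


def simulate(events, **kwargs):
    """events: (seconds, src_ip) pairs in time order; returns one verdict each."""
    lists = {}
    return [evaluate(lists, ip, t, **kwargs) for t, ip in events]


# Constructed sample traffic (not from the page): a burst attacker, a slow
# attacker that waits longer than the 1m stage timeout, and a normal user.
BURST = [(t, "198.51.100.7") for t in (0, 10, 20, 30, 40, 50)]
SLOW = [(t, "198.51.100.8") for t in (0, 90, 180, 270, 360)]
NORMAL = [(0, "192.0.2.5"), (3600, "192.0.2.5")]


def demo():
    return {"burst": simulate(BURST), "slow": simulate(SLOW), "normal": simulate(NORMAL)}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:7s} {' '.join(verdicts)}")
```

Four attempts within the 1m windows put a source on the blacklist at the fourth attempt (that attempt itself is still accepted, because the drop rule is evaluated before the rule that adds the entry); a source that connects less often than once per minute never gets past stage1, which is what the stage timeout controls, so tune it against the login rate you actually expect on the service rather than leaving it at the default from the post.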

MIKROTIK: FTP brute-force attack

Sometimes you may see that many FTP connections have been established to your router; because of this the router's CPU load and bandwidth utilisation will be high. In that case you can consider it an FTP brute-force attack on your network.


/ip firewall filter
# protects the router's own (plain, unencrypted) FTP service: the output chain
# watches the router's "530 Login incorrect" replies; dst-limit=1/1m,9,dst-address/1m
# lets a client receive 10 of them in the first minute (then 1 per minute), and the
# next one puts the client in ftp_blacklist for 3h
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

Mikrotik: ICMP security and ICMP flooding.

Configure the rules below to limit the ICMP types that reach your devices.




/ip firewall filter
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
# a custom chain only runs for traffic jumped into it; without this jump the rules
# above never match (add the same jump in chain=input to cover the router itself)
add chain=forward protocol=icmp action=jump jump-target=icmp comment="jump to the icmp chain"

MIKROTIK SECURITY: How to find and block port scanners in MikroTik



A port scan or portscan is a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port; this is not a nefarious process in and of itself. The majority of uses of a port scan are not attacks, but rather simple probes to determine the services available on a remote machine.


Configure the rules below to detect and then drop port scanners.



Rule-1

/ip firewall filter
# psd=21,3s,3,1: list a source once its port-probe weight reaches 21 within 3s
# (low ports count 3, high ports 1); the tcp-flags rules catch flag combinations
# that no normal TCP handshake produces
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"


Rule-2

/ip firewall filter
# a listed source is dropped, towards the router and through it, for the 2w the entry lasts
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no




MIKROTIK: How to block TCP invalid-state connections in your MikroTik device

In this post, let's say many invalid TCP sessions have been created and you want to block them. Configure the commands below to drop the invalid states and allow only established (and related) connections.


/ip firewall filter
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"

MIKROTIK: How to block these bogon IPs in your MikroTik.

If you want to give your MikroTik more security, you have to block these IP ranges, because sometimes you may see many connections from them present in your MikroTik.

I recommend blocking these IP ranges; it is necessary.


/ip firewall filter
# 224.0.0.0/3 covers 224.0.0.0-255.255.255.255 (multicast and reserved); drop it
# only if you do not route multicast through this router
add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward src-address=127.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="Block Bogon IP addresses"
add chain=forward src-address=224.0.0.0/3 action=drop comment="Block Bogon IP addresses"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="Block Bogon IP addresses"

MIKROTIK: Recommended TCP ports to block in MikroTik.

I recommend blocking these TCP ports in MikroTik if an attack is coming in.




/ip firewall filter
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
# the tcp chain only runs for traffic jumped into it; without this jump the rules above never match
add chain=forward protocol=tcp action=jump jump-target=tcp comment="jump to the tcp chain"

Mikrotik: How to block these virus-related UDP ports in your MikroTik.

In this post I am going to discuss MikroTik security, because as we all know it is very difficult to protect a MikroTik.


Here I am going to block some UDP ports.


/ip firewall filter
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"
# the udp chain only runs for traffic jumped into it; without this jump the rules above never match
add chain=forward protocol=udp action=jump jump-target=udp comment="jump to the udp chain"

MIKROTIK: Block virus ports

Sometimes you may see huge bandwidth utilisation in your corporate network, and the CPU utilisation will be high too. In that kind of scenario you have to give your MikroTik higher security.


Please block these virus ports.



/ip firewall filter
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm & WannaCrypt"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus / Beagle.C-K"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=virus protocol=tcp dst-port=139 action=drop comment="Drop WannaCrypt"
# the forward chain must jump into the virus chain for any of the above to take effect
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

Friday, 25 August 2017

CISCO: What configuration is required for SNMP on Cisco switches?

As we all know, we use SNMP to monitor the network. In my case I am using PRTG as the monitoring software, but you can use other monitoring software as per your requirement.

After completing your PRTG server installation you have to enable the SNMP service on the Cisco and other devices in your network. In this post I am not going to show the installation process of PRTG; it is a very easy installation, and you can also take the reference from the official PRTG website.

Let's enable the SNMP service on our devices, but before that we need to make sure there is reachability from the PRTG server to your network devices.

Please find below the diagram of how and where my PRTG server sits in the network.

Here I have reachability from my PRTG server to all the switches, and I also have the PRTG server pre-configured.



Telnet to the router/switch
-----------------------------

sw-1#telnet 172.17.10.1

Go to enable mode by entering the password you have configured:

sw-1>enable
Password:
sw-1#

Go into configuration mode:

sw-1#configure terminal
sw-1(config)#

First of all you have to configure the SNMP communities, one read-only and one read-write. Use the command below to add a read-only community string:

sw-1(config)#snmp-server community public RO

Note: here "public" is the read-only community string.

To add a read-write community string, use the command below:

sw-1(config)#snmp-server community private RW

Note: here "private" is the read-write community string. "public" and "private" are the well-known defaults, so use your own strings on a production device, and only configure a read-write community if something actually needs to write via SNMP.

Exit configuration mode and save the settings:

sw-1(config)#exit
sw-1#write memory
Building configuration...
[OK]
sw-1#

The configuration above only enables the SNMP communities, but the configuration below is very important; please look at it.


To enable SNMP traps, follow the steps below in configuration mode on the router/switch:

Step-1

First, set the host to which the traps have to be sent, using the following command:

snmp-server host <IP Address> version <v1 or 2c> <RO community string>

<IP Address> is the IP address of the device to which the traps have to be sent
<v1 or 2c> is the SNMP version
<RO community string> is the read-only community string

In my case (172.17.10.4 is the PRTG server, and "public" is the read-only community string configured above):

sw-1(config)#snmp-server host 172.17.10.4 version 2c public


Step-2

Then enable SNMP traps using the command below:

snmp-server enable traps [notification-type] [notification-option]

Note: for example, snmp-server enable traps config sends all configuration-change notifications as traps.

Note: Sometimes this configuration is not sufficient, because in my experience authentication and an authentication type etc. are sometimes needed.






Thursday, 17 August 2017

MIKROTIK: How to block all the virus ports in MikroTik

You can block the ports used by these viruses in MikroTik using the rules below.


/ip firewall filter
add chain=Virus protocol=tcp dst-port=1434 action=drop comment="port block warning" disabled=no
add chain=Virus protocol=udp dst-port=1434 action=drop comment="" disabled=no
add chain=Virus protocol=udp dst-port=2745 action=drop comment="" disabled=no
add chain=Virus protocol=tcp dst-port=6344-6381 action=drop comment="" disabled=no
add chain=Virus protocol=udp dst-port=6344-6381 action=drop comment="" disabled=no
add chain=Virus protocol=tcp dst-port=1080 action=drop comment="MyDoom" disabled=no
add chain=Virus protocol=tcp dst-port=1214 action=drop comment="" disabled=no
add chain=Virus protocol=tcp dst-port=593 action=drop comment="" disabled=no
add chain=Virus protocol=tcp dst-port=1024-1030 action=drop comment="" disabled=no
add chain=Virus protocol=tcp dst-port=135-139 action=drop comment="Blaster Worm" disabled=no
add chain=Virus protocol=udp dst-port=135-139 action=drop comment="Messenger Worm" disabled=no
add chain=Virus protocol=tcp dst-port=445 action=drop comment="Blaster Worm" disabled=no
add chain=Virus protocol=udp dst-port=445 action=drop comment="Blaster Worm" disabled=no
add chain=Virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=Virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=Virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=Virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=Virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=Virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=Virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus / Beagle.C-K" disabled=no
add chain=Virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=Virus protocol=tcp dst-port=2235 action=drop comment="Drop Beagle" disabled=no
add chain=Virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=Virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=Virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=Virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=Virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=Virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=Virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=Virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=Virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=Virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=Virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=Virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=Virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no

# forward: state handling first, then everything new goes through the Virus chain
add chain=forward connection-state=invalid action=drop comment="" disabled=no
add chain=forward connection-state=related action=accept comment="" disabled=no
add chain=forward connection-state=established action=accept comment="" disabled=no
add chain=forward action=jump jump-target=Virus comment="" disabled=no

# input: same for traffic to the router itself
add chain=input connection-state=invalid action=drop comment="" disabled=no
add chain=input connection-state=related action=accept comment="" disabled=no
add chain=input connection-state=established action=accept comment="" disabled=no
add chain=input action=jump jump-target=Virus comment="" disabled=no




MIKROTIK: How to provide more security to your MikroTik router

If you want to secure your MikroTik firewall, use the rules below.


You must understand these rules well, and you should thoroughly test this configuration before deploying it in a live environment.



/ip firewall address-list
# x.x.x.x/x is a placeholder: put the subnet(s) your management hosts sit in here
add address=x.x.x.x/x comment="My Server Subnet" list=safe



Let's say our private network is 192.168.1.0/24 and the public (WAN) interface is ether1.
We will set up the firewall to allow connections to the router itself only from our local network and drop the rest.
We will also allow ICMP on any interface so that anyone can ping the router from the internet.
In the rules below the WAN interface is named ether10-WAN and the LAN subnets are 192.168.10.0/24 and 192.168.11.0/24; adjust these to your own setup.


/ip firewall filter
add chain=input in-interface=ether10-WAN src-address-list=safe action=accept comment="Allow connections from safe list"
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add action=drop chain=input comment="Drop external DNS requests" dst-port=53 in-interface=ether10-WAN protocol=tcp
add action=drop chain=input comment="Drop external DNS requests" dst-port=53 in-interface=ether10-WAN protocol=udp
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.10.0/24 action=accept in-interface=!ether10-WAN comment="Allow LAN connections"
add chain=input src-address=192.168.11.0/24 action=accept in-interface=!ether10-WAN comment="Allow LAN connections"
# Optional: log whatever is about to be dropped. This must sit above the final
# drop rule; nothing placed after "Drop everything else" is ever evaluated.
add action=log chain=input comment="Log any other inbound traffic" log-prefix="Inbound Alert"
add chain=input action=drop comment="Drop everything else"


# For icmp, tcp and udp traffic we will create chains in which we drop all unwanted packets:


/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"

# Block "bogon" IP addresses:

add chain=forward src-address=0.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward src-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="block bogon ip addresses"
add chain=forward src-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="block bogon ip addresses"

# Make jumps to the new chains:

add chain=forward protocol=tcp action=jump jump-target=tcp comment="make jumps to new chains"
add chain=forward protocol=udp action=jump jump-target=udp comment="make jumps to new chains"
add chain=forward protocol=icmp action=jump jump-target=icmp comment="make jumps to new chains"

# Allow new outbound LAN connections. This rule goes after the bogon checks and
# the jumps, otherwise outbound traffic never reaches the tcp/udp/icmp chains.
# The WAN interface is ether10-WAN, as in the input rules above.

add chain=forward comment="Allow all new outbound LAN connections" connection-state=new out-interface=ether10-WAN

# Create the TCP chain and deny some TCP ports in it:

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

# Deny UDP ports in the UDP chain:

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"

# Allow only the needed ICMP types/codes in the ICMP chain:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"



Friday, 4 August 2017

How to block any website using the MikroTik router firewall

Here I am not going to show you how to write the regular expression for each different website.
This post will give you an overview of how to write the regular expression when you are challenged to block a website.


Let's say I am going to block youtube.com on my whole network.

This regular expression will help you block any website you want, so keep in mind how to write the regular expression.


Let's go to IP > Firewall > Layer 7 Protocols

/ip firewall layer7-protocol
add name="Block_youtube" regexp="^.+(youtube.com).*$"



Step 2: create the firewall rule to drop the traffic to youtube.com



/ip firewall filter
# disabled=no: the rule must be enabled to take effect
add action=drop chain=forward disabled=no dst-port=80,443 layer7-protocol="Block_youtube" protocol=tcp


In the same way you can make rules for any website by writing the appropriate regular expression. Keep in mind that the layer7 matcher inspects only the first bytes of each connection (for HTTPS that means the hostname in the TLS ClientHello), that it keeps state for every forward connection it checks, and that it is CPU-intensive, so narrow it with the protocol and port matchers as above.
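As an added check that is not part of the original post, here is a small Python script that runs the page's regular expression against a few constructed payloads, next to a variant with the dot escaped. Python's re with DOTALL and IGNORECASE stands in for the RouterOS layer7 matcher, which applies the regexp to the first bytes of a connection (the HTTP Host header, or the hostname in the TLS ClientHello for HTTPS); the sample payloads are constructed stand-ins, not real captures.

```python
import re

# Pattern exactly as written on the page, and an added variant with the dot
# escaped so that it only matches a literal "youtube.com".
PAGE_PATTERN = r"^.+(youtube.com).*$"
STRICT_PATTERN = r"youtube\.com"

# Constructed stand-ins for the first bytes of a connection as the layer7
# matcher sees them (not real captures): an HTTP request with a Host header,
# a TLS ClientHello sketched as readable text around its SNI hostname,
# a look-alike host, a host that merely contains youtube.com, and an unrelated one.
SAMPLES = {
    "http_host": "GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n",
    "tls_sni": "\x16\x03\x01...server_name=youtube.com...",
    "lookalike": "GET / HTTP/1.1\r\nHost: youtube-com.example\r\n\r\n",
    "contains": "GET / HTTP/1.1\r\nHost: youtube.com.evil.example\r\n\r\n",
    "unrelated": "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
}


def classify(pattern, payloads=SAMPLES):
    """Apply one layer7-style regexp to each payload. DOTALL and IGNORECASE model a
    POSIX-style matcher over the raw stream, where '.' also spans line breaks."""
    flags = re.DOTALL | re.IGNORECASE
    return {name: bool(re.search(pattern, data, flags)) for name, data in payloads.items()}


def compare():
    """Side by side: which samples each pattern would block."""
    return {"page": classify(PAGE_PATTERN), "strict": classify(STRICT_PATTERN)}


if __name__ == "__main__":
    for label, result in compare().items():
        print(label, result)
```

The unescaped dot is what lets the page's pattern also match youtube-com.example; escaping it removes that false positive. Both patterns still match any host that merely contains youtube.com, because the layer7 matcher is a substring search over the connection's first bytes, so a pattern alone cannot pin down the exact hostname.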



Wednesday, 2 August 2017

Giving ICMP traffic higher priority in a MikroTik router.

Sometimes you may see ICMP packets being lost while the users in your network ping a destination host, and because of this the users see high latency (ms).


Let's start the configuration to give ICMP higher priority for the users.


Step-1

Create a mangle rule to mark the ICMP connections, and after marking the connections mark the ICMP packets.


Create the mangle rules first:


/ip firewall mangle
add action=mark-connection chain=forward comment="ICMP_Higher_Priority" new-connection-mark=ICMP_High protocol=icmp
add action=mark-packet chain=forward connection-mark=ICMP_High new-packet-mark=ICMP_PKT passthrough=no



Create a simple queue to give the ICMP packets their own bandwidth:




/queue simple
# max-limit caps ICMP at 4M; what actually raises it above the other queues is the
# queue priority (priority=1/1 is the highest in RouterOS 6 simple queues)
add comment=ICMP max-limit=4M/4M name=ICMP packet-marks=ICMP_PKT target=""