jueves, 16 de octubre de 2014

Mikrotik - Filtros de protección

A continuación dejo una liste de filtro para el firewall de protección contra ataques conocidos

/ip firewall filter

add action=drop chain=input comment="FIltra ICMP Redirect" disabled=no \
    icmp-options=5:0-255 protocol=icmp
add action=drop chain=input comment="Bloquear Ataques FTP" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no \
    dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=no protocol=tcp
add action=drop chain=input comment="Proteccion VSC contra ataques via SSH" \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "Lista de Escaners de Puertos" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
    no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop Escaners de Red" disabled=no \
    src-address-list="port scanners"

Fuente:
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

Publicado por en No hay comentarios:
Etiquetas: , , , ,
Suscribirse a: Entradas (Atom)