How to prevent Brute Force and Port Scanner Attacks on Mikrotik

*A few notes before getting to the main content I want to share:
  1. This post is meant as a personal record of knowledge and experience I have gone through myself.
  2. This post is shared on a non-profit basis.
  3. This post may make some of you curl your lip: "pfft, something this simple, everyone knows it, why post it?" ==> then see note "1".
  4. This post may use images and some content from the Internet, so if anything infringes copyright, please let me know.


The approach is to create an Address list for each relevant port and protocol: the SSH, Telnet and Winbox ports, which attract Brute Force attacks from the Internet (Global) or from the local network (Local).
In this post, Brute Force attacks are stopped through 4 separate stages, controlling the rate of connection requests separately for each of SSH, Telnet and Winbox.
This way, the rule structure allows 3 incorrect connection requests. After 3 failed attempts, that source is blocked by being added to the Black List, and it stays blocked for 30 days.

Brute Force Protection Rules for SSH:

Code:
/ip firewall address-list
# Optional: RouterOS creates the list automatically when the first address is added to it.
add list="(SSH) Black List" comment="(SSH) Black List"

/ip firewall filter
add action=drop chain=input in-interface=WAN src-address-list="(SSH) Black List" log=yes log-prefix="KL_ (SSH) Blacklist" comment="(SSH) Blocks everyone in the Black List"
add action=jump chain=input in-interface=WAN protocol=tcp dst-port=22 jump-target="(SSH) Black List Chain" comment="(SSH) Black List Chain Jump Rule"
# Inside the chain the rules run top to bottom and add-src-to-address-list passes the packet on, so each new connection moves the source up one level and refreshes the levels below it.
add chain="(SSH) Black List Chain" in-interface=WAN connection-state=new src-address-list="(SSH) Level-3 Tracking List" action=add-src-to-address-list address-list="(SSH) Black List" address-list-timeout=4w2d log=yes log-prefix="(SSH) Added to Blacklist" comment="(SSH) Repeated attempts from the Level-3 Tracking List are moved to the Black List."
add chain="(SSH) Black List Chain" in-interface=WAN connection-state=new src-address-list="(SSH) Level-2 Tracking List" action=add-src-to-address-list address-list="(SSH) Level-3 Tracking List" address-list-timeout=1m log=yes log-prefix="(SSH) Added to Level-3 Tracking List" comment="(SSH) Adds repeated attempts to the 1-minute Level-3 Tracking List."
add chain="(SSH) Black List Chain" in-interface=WAN connection-state=new src-address-list="(SSH) Level-1 Tracking List" action=add-src-to-address-list address-list="(SSH) Level-2 Tracking List" address-list-timeout=1m log=yes log-prefix="(SSH) Added to Level-2 Tracking List" comment="(SSH) Adds repeated attempts to the 1-minute Level-2 Tracking List."
add chain="(SSH) Black List Chain" in-interface=WAN connection-state=new action=add-src-to-address-list address-list="(SSH) Level-1 Tracking List" address-list-timeout=1m log=yes log-prefix="(SSH) Added to Level-1 Tracking List" comment="(SSH) Adds every new attempt to the 1-minute Level-1 Tracking List."
add action=return chain="(SSH) Black List Chain" comment="(SSH) Return from the Black List Chain."
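To make the four-stage escalation concrete, here is an added Python model of the chain above (written for this page, not code from the original post and not RouterOS script): it replays a constructed sequence of new-connection timestamps against the four passthrough rules with their 1m and 4w2d timeouts. It assumes that re-adding an address to a dynamic list refreshes its timeout.

```python
from dataclasses import dataclass, field

# Timeouts taken from the rules above: 1m per tracking level and 4w2d
# (30 days) for the black list. One call to new_connection() stands for
# one packet matching connection-state=new on the protected port.
LEVEL_TTL = 60
BLACKLIST_TTL = 30 * 86400


@dataclass
class BlacklistChain:
    """Dynamic address lists driven by one '(X) Black List Chain'."""
    entries: dict = field(default_factory=dict)  # (list, ip) -> expiry

    def listed(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and expiry > now

    def add(self, name, ip, now, ttl):
        # Assumption: re-adding a dynamic entry refreshes its timeout,
        # which is what the unconditional Level-1 rule relies on.
        self.entries[(name, ip)] = now + ttl

    def new_connection(self, ip, now):
        """Return 'drop' or 'pass' for a new connection from ip at time now."""
        # First input rule: drop anyone already on the black list.
        if self.listed("black", ip, now):
            return "drop"
        # Jump target. add-src-to-address-list is passthrough, so one
        # connection walks all four rules and may match several of them.
        if self.listed("level3", ip, now):
            self.add("black", ip, now, BLACKLIST_TTL)
        if self.listed("level2", ip, now):
            self.add("level3", ip, now, LEVEL_TTL)
        if self.listed("level1", ip, now):
            self.add("level2", ip, now, LEVEL_TTL)
        self.add("level1", ip, now, LEVEL_TTL)  # unconditional Level-1 rule
        return "pass"  # action=return: the rest of the input chain decides


def simulate(times, ip="198.51.100.7"):
    """Replay constructed connection timestamps (seconds) through a fresh
    chain and return the verdict for each connection."""
    chain = BlacklistChain()
    return [chain.new_connection(ip, t) for t in times]


if __name__ == "__main__":
    print(simulate([0, 10, 20, 30, 31]))           # burst: 5th is dropped
    print(simulate([i * 61 for i in range(6)]))    # slow: never escalates
```

Note that the firewall counts new TCP connections, not failed logins, so an admin who opens several sessions within a minute trips the same chain and is locked out for 30 days. Attempts spaced more than a minute apart never get past Level-1, because every tracking entry has expired before the next one arrives.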

Brute Force Protection Rules for Telnet:

Code:
/ip firewall address-list
# Optional: RouterOS creates the list automatically when the first address is added to it.
add list="(Telnet) Black List" comment="(Telnet) Black List"

/ip firewall filter
add action=drop chain=input in-interface=WAN src-address-list="(Telnet) Black List" log=yes log-prefix="KL_ (Telnet) Blacklist" comment="(Telnet) Blocks everyone in the Black List."
add action=jump chain=input in-interface=WAN protocol=tcp dst-port=23 jump-target="(Telnet) Black List Chain" comment="(Telnet) Black List Chain Jump Rule."
add chain="(Telnet) Black List Chain" in-interface=WAN connection-state=new src-address-list="(Telnet) Level-3 Tracking List" action=add-src-to-address-list address-list="(Telnet) Black List" address-list-timeout=4w2d log=yes log-prefix="(Telnet) Added to Blacklist" comment="(Telnet) Repeated attempts from the Level-3 Tracking List are moved to the Black List."
add chain="(Telnet) Black List Chain" in-interface=WAN connection-state=new src-address-list="(Telnet) Level-2 Tracking List" action=add-src-to-address-list address-list="(Telnet) Level-3 Tracking List" address-list-timeout=1m log=yes log-prefix="(Telnet) Added to Level-3 Tracking List" comment="(Telnet) Adds repeated attempts to the 1-minute Level-3 Tracking List."
add chain="(Telnet) Black List Chain" in-interface=WAN connection-state=new src-address-list="(Telnet) Level-1 Tracking List" action=add-src-to-address-list address-list="(Telnet) Level-2 Tracking List" address-list-timeout=1m log=yes log-prefix="(Telnet) Added to Level-2 Tracking List" comment="(Telnet) Adds repeated attempts to the 1-minute Level-2 Tracking List."
add chain="(Telnet) Black List Chain" in-interface=WAN connection-state=new action=add-src-to-address-list address-list="(Telnet) Level-1 Tracking List" address-list-timeout=1m log=yes log-prefix="(Telnet) Added to Level-1 Tracking List" comment="(Telnet) Adds every new attempt to the 1-minute Level-1 Tracking List."
add action=return chain="(Telnet) Black List Chain" comment="(Telnet) Return from the Black List Chain."

Brute Force Protection Rules for Winbox:

Code:
/ip firewall address-list
# Optional: RouterOS creates the list automatically when the first address is added to it.
add list="(Winbox) Black List" comment="(Winbox) Black List"

/ip firewall filter
add action=drop chain=input in-interface=WAN src-address-list="(Winbox) Black List" log=yes log-prefix="KL_ (Winbox) Blacklist" comment="(Winbox) Blocks everyone in the Black List."
add action=jump chain=input in-interface=WAN protocol=tcp dst-port=8291 jump-target="(Winbox) Black List Chain" comment="(Winbox) Black List Chain Jump Rule."
add chain="(Winbox) Black List Chain" in-interface=WAN connection-state=new src-address-list="(Winbox) Level-3 Tracking List" action=add-src-to-address-list address-list="(Winbox) Black List" address-list-timeout=4w2d log=yes log-prefix="(Winbox) Added to Blacklist" comment="(Winbox) Repeated attempts from the Level-3 Tracking List are moved to the Black List."
add chain="(Winbox) Black List Chain" in-interface=WAN connection-state=new src-address-list="(Winbox) Level-2 Tracking List" action=add-src-to-address-list address-list="(Winbox) Level-3 Tracking List" address-list-timeout=1m log=yes log-prefix="(Winbox) Added to Level-3 Tracking List" comment="(Winbox) Adds repeated attempts to the 1-minute Level-3 Tracking List."
add chain="(Winbox) Black List Chain" in-interface=WAN connection-state=new src-address-list="(Winbox) Level-1 Tracking List" action=add-src-to-address-list address-list="(Winbox) Level-2 Tracking List" address-list-timeout=1m log=yes log-prefix="(Winbox) Added to Level-2 Tracking List" comment="(Winbox) Adds repeated attempts to the 1-minute Level-2 Tracking List."
add chain="(Winbox) Black List Chain" in-interface=WAN connection-state=new action=add-src-to-address-list address-list="(Winbox) Level-1 Tracking List" address-list-timeout=1m log=yes log-prefix="(Winbox) Added to Level-1 Tracking List" comment="(Winbox) Adds every new attempt to the 1-minute Level-1 Tracking List."
add action=return chain="(Winbox) Black List Chain" comment="(Winbox) Return from the Black List Chain."

Port Scanner Blocking Rules:

Code:
/ip firewall address-list
# Optional: RouterOS creates the list automatically when the first address is added to it.
add list="Black List (Port Scanner WAN)" comment="Black List (Port Scanner WAN)"

/ip firewall filter
add action=drop chain=input in-interface=WAN src-address-list="Black List (Port Scanner WAN)" log=yes log-prefix="(Port Scanner WAN) Black List" comment="(Port Scanner WAN) Block everyone in the Black List."
add action=drop chain=forward in-interface=WAN src-address-list="Black List (Port Scanner WAN)" log=yes log-prefix="(Port Scanner WAN) Black List" comment="(Port Scanner WAN) Block everyone in the Black List."
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: packets from one host to different TCP ports within 3s are scored (3 for ports <=1024, 1 for higher ports) and the source is listed once the total reaches 21.
add chain=input in-interface=WAN protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="Black List (Port Scanner WAN)" address-list-timeout=4w2d log=yes log-prefix="(Port Scanner WAN) added to Blacklist" comment="(Port Scanner WAN) IP addresses that scan TCP ports are added to the Black List and blocked for 30 days."