Deixando
a sua RB (Router Board) Mais Segura
Este
artigo, explicará algumas formas para deixar o S.O. Mikrotik mais seguro.
Para este fim, será usado algumas regras e para aplicá-las, basta abrir o
winbox, clicar em New
Terminal , copiar as regras correspondente e colar usando o
botão direito do mouse na tela do Terminal.
v As Regras, foram testadas apenas na versão 5.xxx usando
uma RB750x.
v
Siga a ordem das regras.
Proteção
DDoS
Sintoma:
RB não aparece tela inicial hotspot e dificilmente consegue-se acessá-la via
winbox. Para certificar-se você pode
baixar o programa (Denial+Dos+Attacker+v+1.0+By+Diablos+4-Ever+www.invasaohacking.com) usado para
tal e fazer o teste. Acesso o link e saiba mais: Aqui
Regras:
/ip firewall filter
add action=add-src-to-address-list address-list=block-ddos \
address-list-timeout=1d chain=input comment="=============================\
=====Iinicio do controle DDoS==============" connection-limit=32,32 \
disabled=no protocol=tcp
add action=tarpit chain=input connection-limit=3,32 disabled=no protocol=tcp \
src-address-list=block-ddos
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new disabled=no limit=\
400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment=\
"=================Fim do Controle DDoS=============================" \
add action=add-src-to-address-list address-list=block-ddos \
address-list-timeout=1d chain=input comment="=============================\
=====Iinicio do controle DDoS==============" connection-limit=32,32 \
disabled=no protocol=tcp
add action=tarpit chain=input connection-limit=3,32 disabled=no protocol=tcp \
src-address-list=block-ddos
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new disabled=no limit=\
400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment=\
"=================Fim do Controle DDoS=============================" \
Passo
6
/ip
firewall connection tracking set tcp-syncookie=yes
Proteção
de Ping interno
/ip
firewall filter add chain=input protocol=icmp icmp-options=8 action=drop
disabled=no comment="Bloqueio Ping"
/ip
firewall filter add chain=forward protocol=icmp icmp-options=8 action=drop disabled=no
caso
queira permitir o ping dos clientes para o gateway, coloque essa regra antes
das duas acima (supondo que o ip do gateway seja 192.168.0.254, altere pro ip
do seu mikrotik):
/ip
firewall filter add chain=input protocol=icmp icmp-options=8
dst-address=192.168.0.254 action=accept disabled=no
Proteção
Contra Scaners (Nmap)
/ip
firewall filter
add
chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2w
comment="Port scanners to list " disabled=no
add
chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP FIN Stealth scan"
add
chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2w
comment="SYN/FIN scan"
add
chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2w
comment="SYN/RST scan"
add
chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="FIN/PSH/URG scan"
add
chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="ALL/ALL scan"
add
chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP NULL scan"
add
chain=input src-address-list="port scanners" action=drop
comment="dropping port scanners" disabled=no
Proteção
Brote Force SSH e Telnet
Exemplo:
/ip
firewall filter
add
chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
\
comment="drop
ftp brute forcers"
add
chain=output action=accept protocol=tcp content="530 Login incorrect"
dst-limit=1/1m,9,dst-address/1m
add
chain=output action=add-dst-to-address-list protocol=tcp content="530
Login incorrect" \
address-list=ftp_blacklist
address-list-timeout=3h
add
chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop
\
comment="drop
ssh brute forcers" disabled=no
add
chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3
action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d
comment="" disabled=no
add
chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2
action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m
comment="" disabled=no
add
chain=input protocol=tcp dst-port=22 connection-state=new
src-address-list=ssh_stage1 \
action=add-src-to-address-list
address-list=ssh_stage2 address-list-timeout=1m comment=""
disabled=no
add
chain=input protocol=tcp dst-port=22 connection-state=new
action=add-src-to-address-list \
address-list=ssh_stage1
address-list-timeout=1m comment="" disabled=no
add
chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist
action=drop \
comment="drop
ssh brute downstream" disabled=no
Proteção
Bloqueio Proxy Externo
ip
web-proxy
set
enabled=yes src-address=0.0.0.0 port=3128 hostname="proxy" \
transparent-proxy=yes
parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster"
max-object-size=40960KiB \
cache-drive=system
max-cache-size=unlimited max-ram-cache-size=unlimited
/
ip web-proxy access
add
dst-port=23-25 action=deny comment="block telnet & spam e-mail
relaying" \
disabled=yes
/
ip web-proxy cache
add
dst-port=3128 url=":cgi-bin \\\\\?" action=deny comment="don't
cache \
dynamic
http pages" disabled=no
add
dst-port=3128 url="https://" action=deny comment=""
disabled=no
Proteção
Contra Retorno de Rota (tracert ou tracerouter)
/ip
firewall filter
add
action=drop chain=forward comment=\
"Bloqueio de retorno Tracert -
Bloqueia rota de dominio." disabled=no \
icmp-options=11:0-255 protocol=icmp
Proteção Anti-Virus
/ip
firewall filter
add
chain=forward connection-state=established comment="allow established
connections"
add
chain=forward connection-state=related comment="allow related
connections"
add
chain=forward connection-state=invalid action=drop comment="drop invalid
connections"
add
chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop
Blaster Worm"
add
chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop
Messenger Worm"
add
chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster
Worm"
add
chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster
Worm"
add
chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add
chain=virus protocol=tcp dst-port=1024-1030 action=drop
comment="________"
add
chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop
MyDoom"
add
chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add
chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm
requester"
add
chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm
server"
add
chain=virus protocol=tcp dst-port=1368 action=drop comment="screen
cast"
add
chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add
chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add
chain=virus protocol=tcp dst-port=1433-1434 action=drop
comment="Worm"
add
chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle
Virus"
add
chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop
Dumaru.Y"
add
chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop
Beagle"
add
chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop
Beagle.C-K"
add
chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop
MyDoom"
add
chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor
OptixPro"
add
chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add
chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add
chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop
Sasser"
add
chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop
Beagle.B"
add
chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add
chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop
Dumaru.Y"
add
chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop
MyDoom.B"
add
chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop
NetBus"
add
chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop
Kuang2"
add
chain=forward action=jump jump-target=virus comment="jump to the virus
chain"
add
chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
SubSeven"
disabled=no
ip
firewall filter
add
chain=virus protocol=tcp dst-port=445 action=drop comment="bloqueio de \
VIRUS
conhecidos" disabled=no
add
chain=virus protocol=udp dst-port=445 action=drop comment=""
disabled=no
add
chain=virus protocol=tcp dst-port=593 action=drop comment=""
disabled=no
add
chain=virus protocol=tcp dst-port=1080 action=drop comment=""
disabled=no
add
chain=virus protocol=tcp dst-port=1363 action=drop comment=""
disabled=no
add
chain=virus protocol=tcp dst-port=1364 action=drop comment=""
disabled=no
add
chain=virus protocol=tcp dst-port=1373 action=drop comment=""
disabled=no
add
chain=virus protocol=tcp dst-port=1377 action=drop comment=""
disabled=no
add
chain=virus protocol=tcp dst-port=1368 action=drop comment=""
disabled=no
add
chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="" \
disabled=no
add
chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="" \
disabled=no
add
chain=virus protocol=tcp dst-port=1214 action=drop comment=""
disabled=no
add
chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop \
Blaster
Worm" disabled=no
add
chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
Messenger
Worm" disabled=no
add
chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster \
Worm"
disabled=no
add
chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster \
Worm"
disabled=no
add
chain=virus protocol=tcp dst-port=593 action=drop comment="________"
\
disabled=no
add
chain=virus protocol=tcp dst-port=1024-1030 action=drop
comment="________" \
disabled=no
add
chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop
MyDoom" \
disabled=no
add
chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
\
disabled=no
add
chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm
requester" \
disabled=no
add
chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm
server" \
disabled=no
add
chain=virus protocol=tcp dst-port=1368 action=drop comment="screen
cast" \
disabled=no
add
chain=virus protocol=tcp dst-port=1373 action=drop
comment="hromgrafx" \
disabled=no
add
chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
\
disabled=no
add
chain=virus protocol=tcp dst-port=1433-1434 action=drop
comment="Worm" \
disabled=no
add
chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle
Virus" \
disabled=no
add
chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop
Dumaru.Y" \
disabled=no
add
chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop
Beagle" \
disabled=no
add
chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
Beagle.C-K"
disabled=no
add
chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \
porta
proxy" disabled=no
add
chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor
\
OptixPro"
disabled=no
add
chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
disabled=no
add
chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
disabled=no
add
chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop
Sasser" \
disabled=no
add
chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop
Beagle.B" \
disabled=no
add
chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
Dabber.A-B"
disabled=no
add
chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop \
Dumaru.Y"
disabled=no
add
chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop \
MyDoom.B"
disabled=no
add
chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop
NetBus" \
disabled=no
add
chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop
Kuang2" \
disabled=no
add
chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
SubSeven"
disabled=no
add
chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot,
\
Agobot,
Gaobot" disabled=no
add
chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop
Blaster Worm" disabled=no
add
chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop
Messenger Worm" disabled=no
add
chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster
Worm" disabled=no
add
chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster
Worm" disabled=no
add
chain=virus protocol=tcp dst-port=593 action=drop comment="________"
disabled=no
add
chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
disabled=no
add
chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop
MyDoom" disabled=no
add
chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
disabled=no
add
chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm
requester" disabled=no
add
chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm
server" disabled=no
add
chain=virus protocol=tcp dst-port=1368 action=drop comment="screen
cast" disabled=no
add
chain=virus protocol=tcp dst-port=1373 action=drop
comment="hromgrafx" disabled=no
add
chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
disabled=no
add
chain=virus protocol=tcp dst-port=1433-1434 action=drop
comment="Worm" disabled=no
add
chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle
Virus" disabled=no
add
chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop
Dumaru.Y" disabled=no
add
chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop
Beagle" disabled=no
add
chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop
Beagle.C-K" disabled=no
add
chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop
MyDoom" disabled=no
add
chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor
OptixPro" disabled=no
add
chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
disabled=no
add
chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
disabled=no
add
chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop
Sasser" disabled=no
add
chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop
Beagle.B" disabled=no
add
chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop
Dabber.A-B" disabled=no
add
chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop
Dumaru.Y" disabled=no
add
chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop
MyDoom.B" disabled=no
add
chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop
NetBus" disabled=no
add
chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop
Kuang2" disabled=no
add
chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop
SubSeven" disabled=no
add
chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot,
Agobot, Gaobot" disabled=no
Nenhum comentário:
Postar um comentário
Observação: somente um membro deste blog pode postar um comentário.