- Farking Bastage
- Sep 22, 2007
Who dey think gonna beat dem Bengos!
Exporting in 5.12 is definitely flaky. It picked up most of my rules, but it left off all the TCP flags on my portscanner rules, so it basically started blacklisting everything.
It's supposed to be this:
code:
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Drop Port Scanners" \
disabled=no in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=input disabled=no in-interface=ether1 jump-target=\
droplog src-address-list="port scanners"
but if I export, it comes out without the tcp-flags=fin,syn,rst,psh,ack,urg pieces.
That, coupled with tarpitting, does extremely unkind things to the TCP stack of anyone who tries to portscan me.
Farking Bastage fucked around with this message at 19:29 on Feb 9, 2012
Feb 9, 2012 19:23
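To see why losing the tcp-flags= part turned the scanner rules into a blacklist-everything rule, here is an added Python model of RouterOS tcp-flags matching (my own illustration, not code from the post or from MikroTik). It assumes the usual semantics: a flag named without "!" must be set, one named with "!" must be clear, and flags not named are ignored. The scan-type labels next to each rule are my annotation, and the sample flag bytes are constructed.

```python
# Added example (not from the post): model how RouterOS tcp-flags matching works
# and what the 5.12 export bug did by dropping the tcp-flags= part of each rule.
from typing import List, Optional, Tuple

# Bit values of the six classic TCP header flags (low bit = FIN)
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

# The tcp-flags values from the "port scanners" rules in the post, with the
# scan shape each one is meant to catch (labels are my own annotation)
SCANNER_RULES = {
    "fin,!syn,!rst,!psh,!ack,!urg": "FIN scan",
    "fin,syn": "SYN/FIN",
    "syn,rst": "SYN/RST",
    "fin,psh,urg,!syn,!rst,!ack": "Xmas scan",
    "fin,syn,rst,psh,ack,urg": "all flags set",
    "!fin,!syn,!rst,!psh,!ack,!urg": "NULL scan",
}


def parse_tcp_flags(spec: Optional[str]) -> Tuple[int, int]:
    """Turn a RouterOS tcp-flags value into (must_be_set, must_be_clear) masks.

    'fin,!syn' means FIN must be set and SYN must be clear; flags not named are
    don't-care. None stands for a rule with no tcp-flags= at all, which is what
    the buggy export produced: no constraint on the flags byte.
    """
    must_set, must_clear = 0, 0
    if spec is None:
        return must_set, must_clear
    for token in spec.split(","):
        token = token.strip().lower()
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        if negated:
            must_clear |= TCP_FLAGS[name]
        else:
            must_set |= TCP_FLAGS[name]
    return must_set, must_clear


def rule_matches(spec: Optional[str], flags_byte: int) -> bool:
    """True if a TCP segment with this flags byte would match the rule."""
    must_set, must_clear = parse_tcp_flags(spec)
    return (flags_byte & must_set) == must_set and (flags_byte & must_clear) == 0


def classify(flags_byte: int) -> List[str]:
    """Names of every scanner rule a segment with these flags would hit."""
    return [name for spec, name in SCANNER_RULES.items() if rule_matches(spec, flags_byte)]


def would_be_listed(flags_byte: int, flags_exported: bool) -> bool:
    """Would the source end up on the 'port scanners' address list?

    With the rules intact only scan-shaped segments qualify; with tcp-flags
    stripped by the export every rule degrades to bare protocol=tcp and matches
    all TCP traffic, ordinary SYNs and data segments included.
    """
    if flags_exported:
        return bool(classify(flags_byte))
    return rule_matches(None, flags_byte)


if __name__ == "__main__":
    # Constructed sample flag bytes, as they would appear in a TCP header
    samples = {"SYN": 0x02, "ACK": 0x10, "PSH|ACK": 0x18, "NULL": 0x00,
               "FIN|PSH|URG": 0x29, "SYN|FIN": 0x03, "all six": 0x3F}
    for label, byte in samples.items():
        print(f"{label:12} intact={str(would_be_listed(byte, True)):5} "
              f"exported={would_be_listed(byte, False)} {classify(byte)}")
```

Running it shows a plain SYN or PSH|ACK never touches the intact rules but is listed by the exported ones, which is the "blacklisting everything" the post describes. After an upgrade or restore, comparing `/ip firewall filter print detail` against the intended rules (or checking the address list for your own clients' addresses) is the quick way to catch this.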
- Farking Bastage
If I did it right, it's drop/logging DDOS and blacklisting, dropping SYN attack stuff, and tarpitting the portscanners.
code:
/ip firewall filter
add action=accept chain=input comment="DNS - Approved list only" disabled=no \
in-interface=ether1 protocol=udp src-address-list=dns src-port=53
add action=accept chain=input comment=\
"Only allow internal traffic on ports other than your WAN port" disabled=\
no in-interface=!ether1 src-address=10.10.120.0/24
add action=drop chain=forward comment="Drop all P2P" disabled=yes \
in-interface=ether1 p2p=all-p2p
add action=drop chain=forward disabled=yes layer7-protocol=Bit-T-Newest
add action=drop chain=forward disabled=yes layer7-protocol=BITTORRENT
add action=tarpit chain=forward disabled=yes p2p=all-p2p protocol=tcp
add action=accept chain=input comment="NTP Allow - if mikrotik is not updating\
\_from network but directly from pool.ntp.org" disabled=no in-interface=\
ether1 protocol=udp src-address-list=ntp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Drop Port Scanners" \
disabled=no in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
protocol=tcp
add action=jump chain=input disabled=no in-interface=ether1 jump-target=\
droplog src-address-list="port scanners"
add action=jump chain=forward comment="Drop DDoS" connection-state=new \
disabled=no in-interface=ether1 jump-target=block-ddos
add action=drop chain=forward connection-state=new disabled=no \
dst-address-list=ddosed in-interface=ether1 src-address-list=ddoser
add action=return chain=block-ddos disabled=no dst-limit=\
30,30,src-and-dst-addresses/10s in-interface=ether1
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=block-ddos disabled=no in-interface=ether1
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=block-ddos disabled=no in-interface=ether1
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
new disabled=no jump-target=SYN-Protect protocol=tcp
add action=drop chain=input comment=\
"SSH brute forcers blacklisting (3rd, 2nd, 1st)" disabled=no dst-port=22 \
in-interface=ether1 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=0s chain=input connection-state=new disabled=no \
dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment=\
"WinBox brute forcers blacklisting (3rd, 2nd, 1st)" disabled=no dst-port=\
8291 in-interface=ether1 protocol=tcp src-address-list=wb_blacklist
add action=add-src-to-address-list address-list=wb_blacklist \
address-list-timeout=0s chain=input connection-state=new disabled=no \
dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=wb_stage3
add action=add-src-to-address-list address-list=wb_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=wb_stage2
add action=add-src-to-address-list address-list=wb_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=wb_stage1
add action=add-src-to-address-list address-list=wb_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=8291 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_black_list
add action=add-src-to-address-list address-list=ftp_black_list \
address-list-timeout=0s chain=input connection-state=new disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=21 protocol=tcp
add action=drop chain=input comment="FTP brute forcers blacklisting" \
disabled=yes dst-port=20,21 in-interface=ether1 protocol=tcp \
src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=0s chain=output content="530 Login incorrect" \
disabled=yes out-interface=ether1 protocol=tcp
add action=accept chain=output comment=\
"Allow only 10 FTP login incorrect answers per minute" content=\
"530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m \
out-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow WinBox safe hosts" \
connection-state=new disabled=no dst-port=8291 in-interface=ether1 \
protocol=tcp src-address-list=safe
add action=accept chain=input comment="Allow SSH" connection-state=new \
disabled=no dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow SSH safe hosts" \
connection-state=new disabled=no dst-port=22 in-interface=ether1 \
protocol=tcp src-address-list=safe
add action=accept chain=input comment="Allow WinBox" connection-state=new \
disabled=no dst-port=8291 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow FTP" connection-state=new \
disabled=yes dst-port=20-21 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
"Allow packets belonging to existing connections" connection-state=\
established disabled=no in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
"Allow packets related to existing connections" connection-state=related \
disabled=no in-interface=ether1
add action=accept chain=forward comment=\
"allow already established connections" connection-state=established \
disabled=no in-interface=ether1
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=no in-interface=ether1
add action=add-src-to-address-list address-list=knock address-list-timeout=\
15s chain=input comment="Port knocking the first stage" disabled=yes \
dst-port=1337 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m \
chain=input comment="Port knocking whitelisting" disabled=yes dst-port=\
7331 in-interface=ether1 protocol=tcp src-address-list=knock
add action=log chain=input comment="DROP ALL UNKNOWN LOG" disabled=yes \
in-interface=ether1 log-prefix=droplog
add action=drop chain=input comment="drop invalid connections" \
connection-state=invalid disabled=no in-interface=ether1
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid disabled=no in-interface=ether1 protocol=tcp
add action=drop chain=input comment="DROP ALL UNKNOWN" disabled=no \
in-interface=ether1
add action=log chain=droplog comment="Tarpit Log and Drops" disabled=no \
in-interface=ether1 log-prefix=tarpited protocol=tcp
add action=jump chain=droplog disabled=no in-interface=ether1 jump-target=\
drop protocol=tcp
add action=tarpit chain=drop disabled=no in-interface=ether1 protocol=tcp
add action=drop chain=dropall comment="Drop jump to" disabled=no \
in-interface=ether1
add action=accept chain=SYN-Protect comment="SYN Protect" connection-state=\
new disabled=no limit=400,5 protocol=tcp
add action=log chain=SYN-Protect connection-state=new disabled=yes \
log-prefix=synprotect protocol=tcp
add action=drop chain=SYN-Protect connection-state=new disabled=no protocol=\
tcp
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Detect NAT Traversal" \
disabled=yes in-interface=ether1 new-packet-mark=nat-traversal \
passthrough=yes
add action=mark-connection chain=prerouting comment="Mark bittorrent" \
disabled=no dst-port=6881-6889 in-interface=ether1 new-connection-mark=\
bittorrent passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=prerouting comment="Mark DNS" disabled=no \
new-connection-mark=dns passthrough=no protocol=udp src-port=53
add action=mark-connection chain=postrouting disabled=no dst-port=53 \
new-connection-mark=dns passthrough=no protocol=udp
add action=mark-connection chain=postrouting comment="Mark SNMP" disabled=no \
dst-port=161 new-connection-mark=snmp passthrough=no protocol=udp
add action=mark-connection chain=prerouting comment="Mark VNC" disabled=no \
dst-port=5900-5901 in-interface=ether1 new-connection-mark=vnc \
passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=postrouting comment="Mark all Netbios" \
disabled=no dst-port=137 new-connection-mark=netbios passthrough=no \
protocol=udp
add action=mark-connection chain=prerouting comment="Mark WINBOX" disabled=no \
dst-port=8291 in-interface=ether1 new-connection-mark=winbox passthrough=\
no protocol=tcp src-port=1024-65535
add action=mark-packet chain=prerouting comment="Mark all HTTP Packets" \
connection-mark=http_connection disabled=no in-interface=ether1 \
new-packet-mark=http_packets passthrough=yes
add action=mark-connection chain=prerouting comment=\
"Mark all HTTP Connections" disabled=no dst-port=80 in-interface=ether1 \
new-connection-mark=http_connection passthrough=no protocol=tcp
add action=mark-connection chain=postrouting disabled=no dst-port=80 \
new-connection-mark=http_connection_outbound out-interface=ether1 \
passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="Mark all ICMP Packets" \
disabled=no in-interface=ether1 new-packet-mark=icmp_packet passthrough=\
no protocol=icmp
add action=mark-packet chain=prerouting comment="Mark all OTHER packets" \
disabled=yes in-interface=ether1 new-packet-mark=other_packets \
passthrough=no
add action=mark-connection chain=prerouting comment=\
"Mark all OTHER connections" disabled=yes in-interface=ether1 \
new-connection-mark=other_connections passthrough=no
Also, this is for a home connection, so the likelihood of a full on DDOS is low.
e: due to export bugs, a lot of those firewall rules are incomplete
e2: Maybe I misunderstood tarpit. I thought it basically sent back ACK flags regardless of whether a port is open or not, causing an attacker's TCP stack to poo poo itself.
Farking Bastage fucked around with this message at 03:02 on Feb 10, 2012
Feb 10, 2012 02:55
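The ssh_stage1 / ssh_stage2 / ssh_stage3 / ssh_blacklist rules in that ruleset (and the identical wb_* and ftp_* copies) are a counting trick: each new connection moves the source up one list, and the checks are ordered highest stage first so one packet can only advance one step. Here is an added Python model of that chain, run over constructed connection attempts; it is my own illustration, not the post's configuration. The rule order and the 1m / 0s timeouts are taken from the post; the assumption that an address already on a list keeps its existing entry when re-added is mine.

```python
# Added example (not from the post): a small model of the staged SSH brute-force
# blacklist from the ruleset above, run over constructed connection attempts.
# Times are seconds. Rule order and timeouts follow the post; the behaviour of
# re-adding an address that is already listed is a modelling assumption.
from typing import Dict, List, Optional, Tuple

# list name -> address-list-timeout from the rules (0 = permanent)
TIMEOUTS = {"ssh_stage1": 60, "ssh_stage2": 60, "ssh_stage3": 60, "ssh_blacklist": 0}
SSH_PORT = 22


class AddressList:
    """Dynamic address list: ip -> expiry time (None = no timeout)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Optional[float]] = {}

    def contains(self, ip: str, now: float) -> bool:
        if ip not in self.entries:
            return False
        expiry = self.entries[ip]
        if expiry is not None and expiry <= now:
            del self.entries[ip]  # timed-out entries disappear
            return False
        return True

    def add(self, ip: str, now: float, timeout: float) -> None:
        # Assumption: an address already on the list keeps its existing entry
        if self.contains(ip, now):
            return
        self.entries[ip] = None if timeout == 0 else now + timeout


class SshBruteForceFilter:
    """Input-chain rules for tcp/22 from the post, in the order they appear."""

    def __init__(self) -> None:
        self.lists = {name: AddressList() for name in TIMEOUTS}

    def new_connection(self, src: str, now: float, dst_port: int = SSH_PORT) -> str:
        """Run one new connection through the chain; returns 'drop' or 'accept'."""
        if dst_port != SSH_PORT:
            return "accept"  # other ports are out of scope for this model
        lists = self.lists
        # drop ... src-address-list=ssh_blacklist
        if lists["ssh_blacklist"].contains(src, now):
            return "drop"
        # add-src-to-address-list does not terminate rule processing, so the
        # promotions are ordered highest stage first: one packet moves a source
        # up exactly one stage.
        for target, required in (("ssh_blacklist", "ssh_stage3"),
                                 ("ssh_stage3", "ssh_stage2"),
                                 ("ssh_stage2", "ssh_stage1")):
            if lists[required].contains(src, now):
                lists[target].add(src, now, TIMEOUTS[target])
        # every new tcp/22 connection lands in stage1
        lists["ssh_stage1"].add(src, now, TIMEOUTS["ssh_stage1"])
        # the "Allow SSH" accept rule further down the chain
        return "accept"

    def stage_of(self, src: str, now: float) -> Optional[str]:
        """Highest list the source is currently on, or None."""
        for name in ("ssh_blacklist", "ssh_stage3", "ssh_stage2", "ssh_stage1"):
            if self.lists[name].contains(src, now):
                return name
        return None


def run_scenario(events: List[Tuple[float, str]]) -> List[str]:
    """Feed (time, source) new-connection events through a fresh filter."""
    fw = SshBruteForceFilter()
    return [fw.new_connection(src, t) for t, src in events]


def stage_after(events: List[Tuple[float, str]], src: str, now: float) -> Optional[str]:
    """Which list a source sits on at time `now` after the given events."""
    fw = SshBruteForceFilter()
    for t, s in events:
        fw.new_connection(s, t)
    return fw.stage_of(src, now)


if __name__ == "__main__":
    # Constructed: a fast attacker and a slow one (documentation addresses)
    fast = [(t, "203.0.113.5") for t in (0, 10, 20, 30, 40)]
    slow = [(t, "198.51.100.7") for t in (0, 70, 140, 210, 280)]
    print("fast:", run_scenario(fast))
    print("slow:", run_scenario(slow))
```

Two things the model makes visible: the fourth attempt is still accepted (the source is only put on ssh_blacklist while that packet is being processed, and the drop rule sits above it), so the block starts on the fifth; and a source that spaces attempts more than the 1m stage timeout apart never gets past ssh_stage1, which is the trade-off of short stage timeouts.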
- Farking Bastage
I have a little script here that comes in handy. It pulls the block list from dshield.org (a regularly updated list of the top 20 botnet/malware-producing networks) and slaps them into an address list to do with what you please.
code:
# fetch the feed into the router's file store
/tool fetch address=feeds.dshield.org host=feeds.dshield.org mode=http src-path=block.txt
##
## DSHIELD Drop List
##
# only rebuild the list if the download actually produced a file
:if ( [/file get [/file find name=block.txt] size] > 0 ) do={
    # clear the previous entries, then walk block.txt line by line
    /ip firewall address-list remove [/ip firewall address-list find list=dshield]
    :global content [/file get [/file find name=block.txt] contents] ;
    :global contentLen [ :len $content ] ;
    :global lineEnd 0;
    :global line "";
    :global lastEnd 0;
    :do {
        :set lineEnd [:find $content "\n" $lastEnd ] ;
        :set line [:pick $content $lastEnd $lineEnd] ;
        :set lastEnd ( $lineEnd + 1 ) ;
        # skip comment lines; data lines are tab-separated (start, end, netmask, ...)
        :if ( [:pick $line 0 1] != "#" ) do={
            # only act on lines whose first column parses as an IP address
            :if ([:typeof [:toip [:pick $line 0 [:find $line "\t"] ] ] ] != "nil") do={
                :local pos1 [:find $line "\t" 0]
                :local pos2 [:find $line "\t" $pos1]
                :local pos3 [:find $line "\t" $pos2]
                # column 0 (start address) and column 2 (netmask) form the address/prefix entry
                :log info ( "DShield Entry: " . [:pick $line 0 $pos1 ] . "/" . [:pick $line ($pos2+1) $pos3 ] )
                /ip firewall address-list add list=dshield address=( [:pick $line 0 $pos1 ] . "/" . [:pick $line ($pos2+1) $pos3 ] )
            }
        }
    } while ($lineEnd < $contentLen)
}
You can then set it to run however much you want.
code:
/system scheduler
add name=<Name> interval=<whateveryouwant> on-event=<name_of_your_script>
I have inbound and outbound drop rules applied to that address-list. Seems to work pretty well.
Sep 9, 2013 18:17
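The RouterOS script above trusts the feed: any line whose first column looks like an IP goes straight into the address list that drop rules hang off. Here is an added Python parser for the same tab-separated block.txt layout that validates each entry first; it is my own illustration, not the post's script and not anything DShield publishes. The sample text is constructed, and the MIN_PREFIX sanity guard is my own choice rather than something the feed or the post defines. It goes a step beyond the script by rejecting start/netmask pairs that do not form a proper network and entries wide enough to block the whole internet.

```python
# Added example (not the post's script): parse the tab-separated DShield
# block.txt layout the RouterOS script above walks through, but validate each
# entry before it could reach an address list. The sample text is constructed
# and MIN_PREFIX is my own sanity guard, not something the feed or the post defines.
import ipaddress
from typing import List, Tuple

MIN_PREFIX = 8  # refuse absurdly wide entries (e.g. 0.0.0.0/0) that would block everything

# Constructed sample in the feed's layout: Start, End, Netmask, Attacks, Name, Country, email
SAMPLE_BLOCK_TXT = (
    "# DShield.org Recommended Block List (constructed sample, not a real feed)\n"
    "# Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
    "192.0.2.0\t192.0.2.255\t24\t1234\tEXAMPLE-NET-1\tXX\tabuse@example.net\n"
    "198.51.100.0\t198.51.100.255\t24\t987\tEXAMPLE-NET-2\tXX\tabuse@example.org\n"
    "203.0.113.1\t203.0.113.255\t24\t5\tHOST-BITS-SET\tXX\tabuse@example.com\n"
    "not-an-address\tfoo\t24\n"
    "0.0.0.0\t255.255.255.255\t0\t1\tWAY-TOO-WIDE\tXX\tabuse@example.org\n"
)


def parse_dshield_block(text: str) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Return (accepted networks as 'a.b.c.d/n', skipped (line number, reason))."""
    accepted: List[str] = []
    skipped: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank line, same as the script's "#" check
        cols = line.split("\t")
        if len(cols) < 3:
            skipped.append((lineno, "fewer than three columns"))
            continue
        start, prefix = cols[0], cols[2]  # the script uses column 0 and column 2 as address/mask
        try:
            # strict=True rejects a start address that has host bits set for that mask
            net = ipaddress.ip_network(f"{start}/{prefix}", strict=True)
        except ValueError as exc:
            skipped.append((lineno, f"not a valid network: {exc}"))
            continue
        if net.prefixlen < MIN_PREFIX:
            skipped.append((lineno, f"prefix /{net.prefixlen} wider than /{MIN_PREFIX}"))
            continue
        accepted.append(str(net))
    return accepted, skipped


def to_routeros_commands(networks: List[str], list_name: str = "dshield") -> List[str]:
    """The same add commands the script issues, preceded by clearing the old entries."""
    commands = [f"/ip firewall address-list remove [find list={list_name}]"]
    commands += [f"/ip firewall address-list add list={list_name} address={net}"
                 for net in networks]
    return commands


if __name__ == "__main__":
    nets, bad = parse_dshield_block(SAMPLE_BLOCK_TXT)
    for cmd in to_routeros_commands(nets):
        print(cmd)
    for lineno, reason in bad:
        print(f"# skipped line {lineno}: {reason}")
```

Run against the constructed sample it keeps the two well-formed /24s and reports the three bad lines with a reason, which is the kind of log you want before a scheduled job rewrites a list that both inbound and outbound drop rules reference.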
- Farking Bastage
We had to take the routing mark off fasttrack rules because of issues.
May 3, 2016 21:21
- Farking Bastage
I've got a job that's 99% Mikrotik now. Was one hell of an adjustment over a primarily Cisco background, but I'm on board now. We have 300-ish MTs in the field and they are doing some pretty amazing poo poo.
We use:
<400 mbps bidirectional: RB2011UIAS x2 in VRRP (yes I know you can bond)
>400 mbps bidirectional: CR 1009 x2 in VRRP
branch offices/bureaus: 951G's
All the locations are pretty much a router-on-a-stick configuration using virtual interfaces. poo poo, we're running video over some of these. They're awesome.
Jul 28, 2016 21:39
- Farking Bastage
Test it internally, then a limited number of sites, then eventually company-wide. The core stuff only gets changed in set quarterly windows.
Also these things are the tits
http://routerboard.com/RBwAPG-5HacT2HnD
Jul 28, 2016 22:00
- Farking Bastage
We have adopted 6.35 rapidly because of a bug causing GRE tunnels to poo poo themselves. 6.36 is being put on new gear without issues.
Aug 5, 2016 03:22
- Farking Bastage
Just a PSA. If you're running 6.33 and your GRE tunnels go to poo poo, upgrade.
Aug 15, 2016 17:14
- Farking Bastage
We recently pulled out the FastTrack rules from our routers due to some really strange behavior they were causing, mainly loving with queueing and also phantom connection issues on IPsec tunnels. They were set to only fast track with "no-mark" specified on the packet marks. Being that we're not really using anything smaller than an RB2011 for a main gateway, the CPU savings just aren't worth it.
Nov 17, 2016 01:23
- Farking Bastage
PRTG Network monitor does this too. It's free up to 100 sensors.
I got an annoying one going lately. I work for a TV station operator that's all Mikrotik. Getting a weird drop on L2TP VPN over IPsec when the user is on an LTE card or hotspot. I turned the IPsec logging on and I swear something on Verizon's side is interfering with the dead peer detection. You can ping -t over it and it stays connected; let it sit and after an indeterminate amount of time the router flushes the SAs.
Farking Bastage fucked around with this message at 18:46 on Feb 8, 2017
Feb 8, 2017 18:44
- Farking Bastage
Crossposting from the Cisco thread:
To add to this, the colo has suggested we enable tunnel monitoring for each subnet, however I can only provide one pingable IP that we can rely on - they said that would mean only that phase 2 SA would re-negotiate. That makes no loving sense to me since this is a phase 1 issue.
Anyone know a quick fix to this problem? We have a few different ASAs that have this problem with this colo's virtual MikroTiks.
code:
:if ([/ping <endpoint_of_tunnel> src-address=<your_end_of_tunnel> interval=3 count=5]=0) do={
/ip ipsec installed-sa flush
:log info "Flush IPsec"
}
We just gave up on ASA's being lovely and have a script to flush the SA's and reconnect the tunnel when it dies.
Farking Bastage fucked around with this message at 23:01 on Feb 24, 2017
Feb 24, 2017 22:57