Scribd Logo
Hochladen

Willkommen bei Scribd!

  • Firewall MK

    Hochgeladen von

    Arman Nthree
    45 Ansichten3 Seiten
    The document provides firewall rules to configure network security settings such as: 1) Limiting allowed ICMP packet types to protect against spoofing and denial of service attacks. 2) Preventing brute force login attempts for FTP and SSH through address blacklisting rules. 3) Detecting and blacklisting port scanners through TCP flag and connection patterns. 4) Establishing default drop policies, validating connection states, and blocking bogon IP addresses to secure the router.

    Originalbeschreibung:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Verfügbare Formate

    TXT, PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    The document provides firewall rules to configure network security settings such as: 1) Limiting allowed ICMP packet types to protect against spoofing and denial of service attacks. 2) Preventing brute force login attempts for FTP and SSH through address blacklisting rules. 3) Detecting and blacklisting port scanners through TCP flag and connection patterns. 4) Establishing default drop policies, validating connection states, and blocking bogon IP addresses to secure the router.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als TXT, PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    45 Ansichten3 Seiten

    Firewall MK

    Hochgeladen von

    Arman Nthree
    The document provides firewall rules to configure network security settings such as: 1) Limiting allowed ICMP packet types to protect against spoofing and denial of service attacks. 2) Preventing brute force login attempts for FTP and SSH through address blacklisting rules. 3) Detecting and blacklisting port scanners through TCP flag and connection patterns. 4) Establishing default drop policies, validating connection states, and blocking bogon IP addresses to secure the router.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als TXT, PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 3

    Codes - Firewall Rules Note: Enter "/ip firewall filter" at Terminal window before copy & paste the

    fol lowing codes

    Allow only needed icmp codes in icmp chain: add chain=icmp y" add chain=icmp chable" add chain=icmp achable" add chain=icmp rce quench" add chain=icmp o request" add chain=icmp me exceed" add chain=icmp rameter bad" add chain=icmp protocol=icmp icmp-options=0:0 action=accept \ comment="echo repl protocol=icmp icmp-options=3:0 action=accept \ comment="net unrea protocol=icmp icmp-options=3:1 action=accept \ comment="host unre protocol=icmp icmp-options=4:0 action=accept \ comment="allow sou protocol=icmp icmp-options=8:0 action=accept \ comment="allow ech protocol=icmp icmp-options=11:0 action=accept \ comment="allow ti protocol=icmp icmp-options=12:0 action=accept \ comment="allow pa action=drop comment="deny all other types"

    Bruteforce login prevention Allows only 10 FTP login incorrect answers per minute: add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=d rop \ comment="drop ftp brute forcers" add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-li mit=1/1m,9,dst-address/1m add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \ address-list=ftp_blacklist address-list-timeout=3h Prevent a SSH brute forcer to be banned for 10 days after repetitive attempts: add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=d rop \ comment="drop ssh brute forcers" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list =ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \ addresslist-timeout=10d comment="" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list =ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \ address-lis t-timeout=1m comment="" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=s sh_stage1 \ action=add-src-to-address-list address-list=ssh_stage2 address-listtimeout=1m comment="" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-toaddress-list \ address-list=ssh_stage1 address-list-timeout=1m comment="" disabl ed=no add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action =drop \ comment="drop ssh brute downstream" disabled=no

    Drop port scanners add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list addres s-list="port scanners" address-list-timeout=2w comment="Port scanners to list "

    disabled=no Various combinations of TCP flags can also indicate port scanner activity: add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-s rc-to-address-list address-list="port scanners" address-list-timeout=2w comment= "NMAP FIN Stealth scan" add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list ad dress-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list ad dress-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src -to-address-list address-list="port scanners" address-list-timeout=2w comment="F IN/PSH/URG scan" add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to -address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ ALL scan" add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=addsrc-to-address-list address-list="port scanners" address-list-timeout=2w comment ="NMAP NULL scan" Drop those IPs in both Input & Forward chains: add chain=input src-address-list="port scanners" action=drop comment="dropping p ort scanners" disabled=no add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

    Router protection : add chain=input connection-state=invalid action=drop \ comment="Drop Invalid con nections" add chain=input connection-state=established action=accept \ comment="Allow Esta blished connections" add chain=input src-address=192.168.88.0/24 action=accept \ in-interface=!UniFiInternet add chain=input action=drop comment="Drop everything else"

    Customer protection (forward chain - traffic passing through the router): add chain=forward onnections" add chain=forward ready established add chain=forward d connections" connection-state=invalid \ action=drop comment="drop invalid c connection-state=established action=accept \ comment="allow al connections" connection-state=related action=accept \ comment="allow relate

    Block Bogon IP addresses: add chain=forward dresses" add chain=forward add chain=forward add chain=forward add chain=forward add chain=forward src-address=0.0.0.0/8 action=drop \ comment="Block Bogon IP ad dst-address=0.0.0.0/8 action=drop src-address=127.0.0.0/8 action=drop dst-address=127.0.0.0/8 action=drop src-address=224.0.0.0/3 action=drop dst-address=224.0.0.0/3 action=drop

    Make jumps to new chains: add to add add chain=forward protocol=tcp action=jump jump-target=tcp \ comment="Make jumps new chains" chain=forward protocol=udp action=jump jump-target=udp chain=forward protocol=icmp action=jump jump-target=icmp

    Create TCP chain and deny some TCP ports in it (revise port numbers as needed): add add er" add er" add add add add " add add " add chain=tcp protocol=tcp dst-port=69 action=drop \ comment="deny TFTP" chain=tcp protocol=tcp dst-port=111 action=drop \ comment="deny RPC portmapp chain=tcp protocol=tcp dst-port=135 action=drop \ comment="deny RPC portmapp chain=tcp chain=tcp chain=tcp chain=tcp protocol=tcp protocol=tcp protocol=tcp protocol=tcp dst-port=137-139 action=drop \ comment="deny NBT" dst-port=445 action=drop \ comment="deny cifs" dst-port=2049 action=drop comment="deny NFS" dst-port=12345-12346 action=drop comment="deny NetBus

    chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

    Create UDP chain and deny some UDP ports in it (revise port numbers as needed): add add " add " add add add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

    Das könnte Ihnen auch gefallen