######################
# Rick Frey's Basic MikroTik Firewall Rev 5.0 (Free Version)
#
###################################################################################
######################
# Author: Rick Frey
#
# email: support@rickfreyconsulting.com
#
# Username in MikroTik Forum is rickfrey
#
###################################################################################
######################
# License
#
# This script has been created for use by the general public and may be used
freely. This script may #
# not be sold!
#
###################################################################################
######################
###################################################################################
######################
# Features
#
# -Detect and block brute force attacks to the routers via SSH, Telnet, and Winbox
(Disables WWW & FTP) #
# -Basic Antivirus filtering
#
# -P2P Blocking
#
# -High Connection Rate detection
#
# -Basic Spam detection
#
# -Basic Port Scanner Detection
#
# -Bogon Address Blocking
#
###################################################################################
######################
###################################################################################
########################################
###################################################################################
########################################
#### Firewall Settings
####
###################################################################################
########################################
# Connection tracking has to be on: every connection-state=, connection-limit= and
# address-list staging rule further down reads the conntrack table. Without it the
# "invalid" / "new" matchers never match and the brute-force ladder never fires.
/ip firewall connection tracking set enabled=yes
###################################################################################
########################################
#### Drop Invalid Connections
####
#### To make this more useful, create a copy of the forward-chain rule for each LAN
#### interface on your network and set in-interface on it. Remember to remove the
#### original rule.
####
###################################################################################
########################################
/ip firewall filter
# First thing for both directions: throw away packets conntrack cannot tie to any known
# connection (bad TCP state, stray ACKs/RSTs, out-of-window segments). input = traffic
# addressed to the router, forward = traffic routed through it. Nothing below has to
# reason about these packets once they are gone.
# NOTE(review): relies on connection tracking being enabled (see the setting above).
add chain=input   connection-state=invalid action=drop comment="Drop Invalid Connections"
add chain=forward connection-state=invalid action=drop comment="Drop Invalid Connections"
###################################################################################
########################################
#### Before enabling the rules below, add every address you administer from to the
#### "Exempt Addresses" address list (/ip firewall address-list). The brute-force and
#### black-list rules otherwise treat your own logins like anyone else's, and black-list
#### entries are permanent. #####
###################################################################################
########################################
###################################################################################
#########################################
#### Multiple "Black Lists" have been created to help identify why any given address
#### has been blocked. By default the Port Scanners Black List is disabled: the firewall
#### still ADDS addresses to it, but does not block them until the list is enabled.
#### Use with caution!
#### Once an address is on a Black List it stays there (these entries have no timeout);
#### to remove it, delete the entry in /ip firewall address-list.
###################################################################################
#########################################
###################################################################################
########################################
#### Detect & Block Brute Force Login Attempts
####
###################################################################################
########################################
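/ip firewall filter
# Brute-force detection for SSH (tcp/22) against the router itself. ("RFC" here is
# presumably the author's initials, not an IETF document.)
#
# Every NEW tcp/22 connection moves the source address one rung up the ladder
#   "SSH Stage 1" -> "SSH Stage 2" -> "SSH Stage 3" -> "Black List (SSH)".
# Stage entries expire after 1m, so an address must open four new SSH connections within
# that window to reach the black list; a black-list entry has address-list-timeout=0s,
# i.e. no expiry, and stays until removed by hand in /ip firewall address-list.
#
# Rule order inside the chain matters: add-src-to-address-list does not stop rule
# processing, so the rules are ordered from the highest stage down. One packet therefore
# advances an address by exactly one stage instead of racing through all of them.
#
# Changes from the original:
#  - the jump carries the same tcp/22 + connection-state=new matchers as the chain, so
#    only SSH connection attempts enter it instead of every packet addressed to the
#    router (same result, less work per packet);
#  - addresses on "Exempt Addresses" - the admin list this script tells you to populate -
#    are never staged or black-listed. connection-state=new matches the first SYN, which
#    needs no completed handshake, so four forged SYNs could otherwise push any address,
#    including yours, onto the permanent black list.
#
# NOTE(review): this section only RECORDS offenders. No rule in this excerpt drops traffic
# from "Black List (SSH)"; confirm such a rule exists ahead of the jump (for example
#   add chain=input src-address-list="Black List (SSH)" action=drop
# ) or the black list is purely informational.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=!"Exempt Addresses" action=jump jump-target="RFC SSH Chain" comment="Jump to RFC SSH Chain"
# Stage 3 -> Black List (permanent).
add chain="RFC SSH Chain" protocol=tcp dst-port=22 connection-state=new src-address-list="SSH Stage 3" action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=0s comment="Transfer repeated attempts from SSH Stage 3 to Black-List"
# Stage 2 -> Stage 3.
add chain="RFC SSH Chain" protocol=tcp dst-port=22 connection-state=new src-address-list="SSH Stage 2" action=add-src-to-address-list address-list="SSH Stage 3" address-list-timeout=1m comment="Add succesive attempts to SSH Stage 3"
# Stage 1 -> Stage 2.
add chain="RFC SSH Chain" protocol=tcp dst-port=22 connection-state=new src-address-list="SSH Stage 1" action=add-src-to-address-list address-list="SSH Stage 2" address-list-timeout=1m comment="Add succesive attempts to SSH Stage 2"
# Every new SSH connection lands on Stage 1 (including the ones just promoted above).
add chain="RFC SSH Chain" protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list="SSH Stage 1" address-list-timeout=1m comment="Add intial attempt to SSH Stage 1 List"
# Back to the input chain; the rules after the jump decide whether the packet is accepted.
add chain="RFC SSH Chain" action=return comment="Return From RFC SSH Chain"
# Disabled placeholder rule kept purely as a visual separator in the rule list.
add chain=output comment="Section Break" disabled=yes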
###################################################################################
########################################
#### Detect & Manage Port Scanners
####
###################################################################################
########################################
/ip firewall filter
# TCP port-scan detection. psd=40,3s,2,1 reads as: fire once the weight reaches 40
# within a 3s window, counting 2 per distinct destination port below 1024 and 1 per
# higher port. A hit only RECORDS the source address; no address-list-timeout is given,
# so entries never expire. Nothing in this section drops the scanner - the header above
# explains that the port-scanner black list is disabled by default.
# NOTE(review): neither rule is bound to an interface. "Wan Port Scanners" is really
# "anyone scanning the router" and "LAN Port Scanners" is "anyone scanning through it",
# from either side. The list names are presumably referenced by drop rules elsewhere and
# must stay exactly as they are.
add chain=input   protocol=tcp psd=40,3s,2,1 action=add-src-to-address-list address-list="Wan Port Scanners" comment="Add TCP Port Scanners to Address List"
add chain=forward protocol=tcp psd=40,3s,2,1 action=add-src-to-address-list address-list="LAN Port Scanners" comment="Add TCP Port Scanners to Address List"
# Disabled placeholder rule kept purely as a visual separator in the rule list.
add chain=output comment="Section Break" disabled=yes
###################################################################################
########################################
#### Detect & Manage High Connection Rates
####
###################################################################################
########################################
/ip firewall filter
# High-connection-count detection. connection-limit=100,32 matches once a single /32
# source address holds more than 100 tracked TCP connections; the source is then
# recorded in the list with no timeout (permanently). Record only - no drop here.
# NOTE(review): the rules match every TCP packet, not only connection-state=new, so they
# keep firing for all traffic of a listed host; and the forward rule is not bound to an
# interface or direction, so verify that a NAT gateway upstream, or a busy external
# server whose replies all carry its address as source, cannot end up listed next to a
# genuinely abusive LAN host. The list names include the parentheses; any drop rule has
# to spell them exactly.
add chain=input   protocol=tcp connection-limit=100,32 action=add-src-to-address-list address-list="(WAN High Connection Rates)" comment="Add WAN High Connections to Address List"
add chain=forward protocol=tcp connection-limit=100,32 action=add-src-to-address-list address-list="(LAN High Connection Rates)" comment="Add LAN High Connections to Address List"
###################################################################################
#########################################
#### The Virus Chain has been added at the request of customers, but there is no guarantee,
#### expressed or implied, with it. It only drops traffic to a fixed list of TCP/UDP ports
#### historically used by worms and backdoors; it inspects no payload and is not antivirus
#### in any real sense. ###
###################################################################################
#######################
###################################################################################
#########################################
/ip firewall filter
# "Virus" chain: drops packets to a fixed list of TCP/UDP destination ports once used by
# well-known worms and backdoors (Blaster, Sasser, MyDoom, Beagle, NetBus, SubSeven...).
# This is port matching only - no payload inspection - so it stops nothing that uses any
# other port, and it also drops legitimate services that happen to listen on these ports
# (1080 SOCKS, 3127-3128 HTTP proxies, 1433-1434 MS SQL, 10000, ...).
# NOTE(review): in this excerpt the chain is only entered from chain=input, i.e. it shields
# the router itself; traffic routed through to LAN hosts is not sent through it.
add chain=input action=jump jump-target=Virus comment="Jump to Virus Chain"
add chain=Virus protocol=tcp dst-port=135-139   action=drop comment="Drop Blaster Worm"
add chain=Virus protocol=tcp dst-port=445       action=drop comment="Drop Blaster Worm"
add chain=Virus protocol=udp dst-port=445       action=drop comment="Drop Blaster Worm"
add chain=Virus protocol=udp dst-port=135-139   action=drop comment="Drop Messenger Worm"
add chain=Virus protocol=tcp dst-port=593       action=drop comment=Conficker
# 1024-1030 is a slice of the ephemeral range; on input it mainly catches worm backdoors.
add chain=Virus protocol=tcp dst-port=1024-1030 action=drop comment=Worm
add chain=Virus protocol=tcp dst-port=1363      action=drop comment="ndm requester"
add chain=Virus protocol=tcp dst-port=1364      action=drop comment="ndm server"
add chain=Virus protocol=tcp dst-port=1368      action=drop comment="screen cast"
add chain=Virus protocol=tcp dst-port=1373      action=drop comment=hromgrafx
add chain=Virus protocol=tcp dst-port=1080      action=drop comment="Drop MyDoom"
add chain=Virus protocol=tcp dst-port=1377      action=drop comment=cichlid
add chain=Virus protocol=tcp dst-port=1433-1434 action=drop comment=Worm
add chain=Virus protocol=tcp dst-port=2283      action=drop comment="Drop Dumaru.Y"
add chain=Virus protocol=tcp dst-port=2535      action=drop comment="Drop Beagle"
add chain=Virus protocol=tcp dst-port=2745      action=drop comment="Drop Beagle.C-K"
add chain=Virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=Virus protocol=tcp dst-port=3410      action=drop comment="Drop Backdoor OptixPro"
add chain=Virus protocol=tcp dst-port=5554      action=drop comment="Drop Sasser"
add chain=Virus protocol=tcp dst-port=4444      action=drop comment=Worm
add chain=Virus protocol=udp dst-port=4444      action=drop comment=Worm
add chain=Virus protocol=tcp dst-port=8866      action=drop comment="Drop Beagle.B"
add chain=Virus protocol=tcp dst-port=9898      action=drop comment="Drop Dabber.A-B"
add chain=Virus protocol=tcp dst-port=10000     action=drop comment="Drop Dumaru.Y"
add chain=Virus protocol=tcp dst-port=10080     action=drop comment="Drop MyDoom.B"
add chain=Virus protocol=tcp dst-port=12345     action=drop comment="Drop NetBus"
add chain=Virus protocol=tcp dst-port=17300     action=drop comment="Drop Kuang2"
add chain=Virus protocol=tcp dst-port=27374     action=drop comment="Drop SubSeven"
add chain=Virus protocol=tcp dst-port=65506     action=drop comment="Drop PhatBot, Agobot, Gaobot"
# Explicit return (a chain with no match would fall back to the caller anyway).
add chain=Virus action=return comment="Return From Virus Chain"
# Disabled placeholder rule kept purely as a visual separator in the rule list.
add chain=output comment="Section Break" disabled=yes
###################################################################################
########################################
#### This is the BOGON short list.
####
####!!!!! All subnets in this list will be blocked!!! Disable or remove any subnets
that you are using!!!##################
###################################################################################
########################################
###################################################################################
###########################################################
#### This is a list of common ports as found on
#### http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers and other sources. ##
#### Every rule in the chain is an ACCEPT for forwarded traffic (no action= is given, and
#### accept is the RouterOS default), and port= matches the source OR the destination
#### port, in either direction through the router. ##
#### By default they are all enabled to prevent immediate problems when applying the
#### script. Carefully review the list and remove or disable every entry that is not
#### needed; each one you keep is a hole in the forward chain. ##
###################################################################################
###########################################################
/ip firewall filter
# Hand every routed packet to the "Manage Common Ports" chain. Keep in mind that the rules
# in that chain specify no action=, and RouterOS defaults a filter rule's action to accept:
# each entry there is an ACCEPT for forwarded traffic, in both directions.
add chain=forward action=jump jump-target="Manage Common Ports" comment="Jump to \"Manage Common Ports\" Chain"
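# Well-known link-local multicast groups (224.0.0.0/24): routing-protocol hellos/updates,
# VRRP, IGMP. These accepts exist so that such traffic is not caught by whatever follows
# in the forward chain.
#
# Fix: the original matched src-address=224.0.0.x. A multicast address is never a valid
# SOURCE address (RFC 1112), so those rules could not match any real packet; the intent
# is the group a packet is sent TO, which is dst-address=. action=accept is spelled out -
# it is the RouterOS default, but an accept rule should read as one.
#
# NOTE(review): 224.0.0.0/24 is link-local scope and is never routed, so in a chain entered
# from chain=forward these rules will still match nothing. If this router itself speaks
# OSPF/RIP/EIGRP/PIM/VRRP/IS-IS, the matching accepts belong in chain=input; if it only
# forwards traffic, the whole group can be removed.
add chain="Manage Common Ports" dst-address=224.0.0.1  action=accept comment="\"All hosts on this subnet\" Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.2  action=accept comment="\"All routers on this subnet\" Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.4  action=accept comment="DVMRP (Distance Vector Multicast Routing Protocol)"
add chain="Manage Common Ports" dst-address=224.0.0.5  action=accept comment="OSPF - All OSPF Routers Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.6  action=accept comment="OSPF - OSPF DR Routers Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.9  action=accept comment="RIP Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.10 action=accept comment="EIGRP Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.13 action=accept comment="PIM Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.18 action=accept comment="VRRP Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.19 action=accept comment="IS-IS Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.20 action=accept comment="IS-IS Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.21 action=accept comment="IS-IS Broadcast"
add chain="Manage Common Ports" dst-address=224.0.0.22 action=accept comment="IGMP Broadcast"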
# Port-based accept rules. action=accept is written out on every rule; the original left
# it off and RouterOS applied its default, which is accept. Behaviour is unchanged.
# Points to weigh before keeping any of these:
#  - port= (unlike dst-port=) matches when EITHER the source or the destination port equals
#    the value. A packet from the Internet with a forged source port of 20, 53 or 80
#    therefore satisfies these rules on its way IN to a LAN host - the classic source-port
#    bypass. Prefer dst-port= plus a direction (in-interface / in-interface-list) or
#    connection-state=new, and accept established/related traffic separately.
#  - no rule names an interface or direction, so every accept works from the LAN out AND
#    from the outside in through the forward chain.
#  - several entries cover services that should rarely cross a router boundary at all
#    (telnet 23, rsh 514, tftp 69, NetBIOS 137-139 / 445, SNMP 161, Modbus 502, LDAP 389).
#  - the UDP twins of TCP-only protocols (ssh 22, telnet 23, smtp 25, ftp 20/989/990,
#    telnets 992, imap3 220) are IANA reservations copied from the port table; they carry
#    no real-world service and can go.
#  - rules labelled "(Local Management)" (GRE, SSTP 443, IKE 500, OpenVPN 1194, L2TP 1701,
#    PPTP 1723, NAT-T 4500) read as if written for VPNs terminating on the router, which
#    is chain=input; in a chain reached from forward they only permit VPN pass-through.
#  - udp/4500 is IPsec NAT-Traversal (used together with L2TP/IPsec), not L2TP itself.
# GRE has no ports: this accepts every GRE packet routed through the box.
add chain="Manage Common Ports" protocol=gre action=accept comment="GRE Protocol (Local Management)"
add chain="Manage Common Ports" protocol=tcp port=20 action=accept comment="FTPdata transfer"
add chain="Manage Common Ports" protocol=udp port=20 action=accept comment="FTPdata transfer"
add chain="Manage Common Ports" protocol=tcp port=21 action=accept comment="FTPcontrol (command)"
add chain="Manage Common Ports" protocol=tcp port=22 action=accept comment="Secure Shell(SSH)"
add chain="Manage Common Ports" protocol=udp port=22 action=accept comment="Secure Shell(SSH)"
add chain="Manage Common Ports" protocol=tcp port=23 action=accept comment=Telnet
add chain="Manage Common Ports" protocol=udp port=23 action=accept comment=Telnet
add chain="Manage Common Ports" protocol=tcp port=24 action=accept comment="Priv-mail: any privatemailsystem."
add chain="Manage Common Ports" protocol=udp port=24 action=accept comment="Priv-mail: any privatemailsystem."
add chain="Manage Common Ports" protocol=tcp port=25 action=accept comment="Simple Mail Transfer Protocol(SMTP)"
add chain="Manage Common Ports" protocol=udp port=25 action=accept comment="Simple Mail Transfer Protocol(SMTP)"
add chain="Manage Common Ports" protocol=tcp port=37 action=accept comment="TIME protocol"
add chain="Manage Common Ports" protocol=udp port=37 action=accept comment="TIME protocol"
add chain="Manage Common Ports" protocol=tcp port=42 action=accept comment="ARPA Host Name Server Protocol & WINS"
add chain="Manage Common Ports" protocol=udp port=42 action=accept comment="ARPA Host Name Server Protocol & WINS"
add chain="Manage Common Ports" protocol=tcp port=43 action=accept comment="WHOIS protocol"
add chain="Manage Common Ports" protocol=udp port=43 action=accept comment="WHOIS protocol"
add chain="Manage Common Ports" protocol=tcp port=53 action=accept comment="Domain Name System (DNS)"
add chain="Manage Common Ports" protocol=udp port=53 action=accept comment="Domain Name System (DNS)"
add chain="Manage Common Ports" protocol=tcp port=57 action=accept comment="Mail Transfer Protocol(RFC 780)"
add chain="Manage Common Ports" protocol=udp port=67 action=accept comment="(BOOTP) Server & (DHCP)"
add chain="Manage Common Ports" protocol=udp port=68 action=accept comment="(BOOTP) Client & (DHCP)"
add chain="Manage Common Ports" protocol=udp port=69 action=accept comment="Trivial File Transfer Protocol (TFTP)"
add chain="Manage Common Ports" protocol=tcp port=70 action=accept comment="Gopher protocol"
add chain="Manage Common Ports" protocol=tcp port=79 action=accept comment="Finger protocol"
add chain="Manage Common Ports" protocol=tcp port=80 action=accept comment="Hypertext Transfer Protocol (HTTP)"
add chain="Manage Common Ports" protocol=tcp port=107 action=accept comment="RemoteTELNETService protocol"
add chain="Manage Common Ports" protocol=tcp port=109 action=accept comment="Post Office Protocolv2 (POP2)"
add chain="Manage Common Ports" protocol=tcp port=110 action=accept comment="Post Office Protocolv3 (POP3)"
add chain="Manage Common Ports" protocol=tcp port=113 action=accept comment="IdentAuthentication Service/Identification Protocol"
add chain="Manage Common Ports" protocol=udp port=113 action=accept comment="Authentication Service (auth)"
add chain="Manage Common Ports" protocol=tcp port=115 action=accept comment="Simple File Transfer Protocol (SFTP)"
add chain="Manage Common Ports" protocol=udp port=123 action=accept comment="Network Time Protocol(NTP)"
add chain="Manage Common Ports" protocol=tcp port=137 action=accept comment="NetBIOSNetBIOS Name Service"
add chain="Manage Common Ports" protocol=udp port=137 action=accept comment="NetBIOSNetBIOS Name Service"
add chain="Manage Common Ports" protocol=tcp port=138 action=accept comment="NetBIOSNetBIOS Datagram Service"
add chain="Manage Common Ports" protocol=udp port=138 action=accept comment="NetBIOSNetBIOS Datagram Service"
add chain="Manage Common Ports" protocol=tcp port=139 action=accept comment="NetBIOSNetBIOS Session Service"
add chain="Manage Common Ports" protocol=udp port=139 action=accept comment="NetBIOSNetBIOS Session Service"
add chain="Manage Common Ports" protocol=tcp port=143 action=accept comment="Internet Message Access Protocol (IMAP)"
add chain="Manage Common Ports" protocol=tcp port=152 action=accept comment="Background File Transfer Program (BFTP)"
add chain="Manage Common Ports" protocol=udp port=152 action=accept comment="Background File Transfer Program (BFTP)"
add chain="Manage Common Ports" protocol=tcp port=153 action=accept comment="SGMP,Simple Gateway Monitoring Protocol"
add chain="Manage Common Ports" protocol=udp port=153 action=accept comment="SGMP,Simple Gateway Monitoring Protocol"
add chain="Manage Common Ports" protocol=tcp port=158 action=accept comment="DMSP, Distributed Mail Service Protocol"
add chain="Manage Common Ports" protocol=udp port=158 action=accept comment="DMSP, Distributed Mail Service Protocol"
add chain="Manage Common Ports" protocol=udp port=161 action=accept comment="Simple Network Management Protocol(SNMP)"
add chain="Manage Common Ports" protocol=tcp port=162 action=accept comment="Simple Network Management ProtocolTrap (SNMPTRAP)"
add chain="Manage Common Ports" protocol=udp port=162 action=accept comment="Simple Network Management ProtocolTrap (SNMPTRAP)"
add chain="Manage Common Ports" protocol=tcp port=179 action=accept comment="BGP (Border Gateway Protocol)"
add chain="Manage Common Ports" protocol=tcp port=220 action=accept comment="Internet Message Access Protocol (IMAP), version 3"
add chain="Manage Common Ports" protocol=udp port=220 action=accept comment="Internet Message Access Protocol (IMAP), version 3"
add chain="Manage Common Ports" protocol=tcp port=264 action=accept comment="BGMP, Border Gateway Multicast Protocol"
add chain="Manage Common Ports" protocol=udp port=264 action=accept comment="BGMP, Border Gateway Multicast Protocol"
add chain="Manage Common Ports" protocol=tcp port=389 action=accept comment="Lightweight Directory Access Protocol (LDAP)"
add chain="Manage Common Ports" protocol=udp port=389 action=accept comment="Lightweight Directory Access Protocol (LDAP)"
add chain="Manage Common Ports" protocol=tcp port=443 action=accept comment="SSTP TCP Port 443 (Local Management) & HTTPS"
add chain="Manage Common Ports" protocol=tcp port=445 action=accept comment="Microsoft-DSActive Directory, Windows shares"
add chain="Manage Common Ports" protocol=udp port=500 action=accept comment="L2TP/ IPSEC UDP Port 500 (Local Management)"
add chain="Manage Common Ports" protocol=tcp port=502 action=accept comment="Modbus, Protocol"
add chain="Manage Common Ports" protocol=udp port=502 action=accept comment="Modbus, Protocol "
add chain="Manage Common Ports" protocol=tcp port=514 action=accept comment="Shell (Remote Shell, rsh, remsh)"
add chain="Manage Common Ports" protocol=udp port=514 action=accept comment="Syslog - used for system logging"
add chain="Manage Common Ports" protocol=udp port=520 action=accept comment="Routing Information Protocol (RIP)"
add chain="Manage Common Ports" protocol=tcp port=587 action=accept comment="e-mail message submission (SMTP)"
add chain="Manage Common Ports" protocol=tcp port=646 action=accept comment="LDP,Label Distribution Protocol"
add chain="Manage Common Ports" protocol=udp port=646 action=accept comment="LDP,Label Distribution Protocol"
add chain="Manage Common Ports" protocol=tcp port=989 action=accept comment="FTPS Protocol (data):FTP over TLS/SSL"
add chain="Manage Common Ports" protocol=udp port=989 action=accept comment="FTPS Protocol (data):FTP over TLS/SSL"
add chain="Manage Common Ports" protocol=tcp port=990 action=accept comment="FTPS Protocol (control):FTP over TLS/SSL"
add chain="Manage Common Ports" protocol=udp port=990 action=accept comment="FTPS Protocol (control):FTP over TLS/SSL"
add chain="Manage Common Ports" protocol=tcp port=992 action=accept comment="TELNET protocol overTLS/SSL"
add chain="Manage Common Ports" protocol=udp port=992 action=accept comment="TELNET protocol overTLS/SSL"
add chain="Manage Common Ports" protocol=tcp port=993 action=accept comment="Internet Message Access Protocol over TLS/SSL (IMAPS)"
add chain="Manage Common Ports" protocol=tcp port=995 action=accept comment="Post Office Protocol3 over TLS/SSL (POP3S)"
add chain="Manage Common Ports" protocol=tcp port=1194 action=accept comment="OVPN TCP Port 1194 (Local Management)"
add chain="Manage Common Ports" protocol=tcp port=1723 action=accept comment="PPTP Port 1723 (Local Management)"
add chain="Manage Common Ports" protocol=udp port=1701 action=accept comment="L2TP UDP Port 1701 (Local Management)"
add chain="Manage Common Ports" protocol=udp port=4500 action=accept comment="L2TP UDP Port 4500 (Local Management)"
-----------------------------------------------------------------------------------
-----------------------------------------------
###################################################################################
######################
# Rick Frey's MikroTik DNS Attack Prevention Rev 3.0
#
###################################################################################
######################
# Author: Rick Frey
#
# email: support@rickfreyconsulting.com
#
# Username in MikroTik Forum is rickfrey
#
###################################################################################
######################
# License
#
# This script has been created for use by the general public and may be used
freely. This script may #
# not be sold!
#
###################################################################################
#####################
# Features
# #
# -Mitigates DNS based attack on your MikroTik router
#
###################################################################################
######################
###################################################################################
#########################################
#### Remove any private subnets that you are not using. Ensure that your LAN subnet
is listed here. ##
###################################################################################
#########################################
/ip firewall address-list
###################################################################################
#########################################
#### Add your DNS servers to the DNS_Accept list. Remove any DNS servers that your router
#### does not use. ##
###################################################################################
#########################################