Saturday, June 18, 2016

Port mapping




add action=dst-nat chain=dstnat comment="Port Forwarding Jovision DVR access" \
    dst-address=<WAN_IP> dst-port=9101 in-interface=WAN protocol=tcp \
    to-addresses=<LOCAL_IP> to-ports=9101

Monday, June 6, 2016

Drop port scanners in Mikrotik

To protect the router from port scanners, we can record the IPs of hosts that try to scan it in an address list, and then use that list to drop connections from those IPs in /ip firewall filter.


/ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="Port scanners to list " disabled=yes

Various combinations of TCP flags can also indicate port scanner activity.
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="NMAP FIN Stealth scan" disabled=yes

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="SYN/FIN scan" disabled=yes

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="SYN/RST scan" disabled=yes

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="FIN/PSH/URG scan" disabled=yes

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="ALL/ALL scan" disabled=yes

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port_scanners_list" address-list-timeout=30d comment="NMAP NULL scan" disabled=yes

Place the rule below above all of the rules listed here, so that a listed source is dropped before it reaches the detection rules again.

add chain=input src-address-list="port_scanners_list" action=drop comment="dropping port scanners" disabled=yes



Similarly, we can drop these port scanners in the forward chain by repeating the rules above with "chain=forward". Note that every rule above is added with disabled=yes and must be enabled before it takes effect.
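As an added illustration (not part of the original post and not RouterOS code), the following Python models the two matchers these rules depend on: the tcp-flags matcher, where a listed flag must be set, a !flag must be clear and unlisted flags are ignored, and a simplified psd matcher, where psd=21,3s,3,1 means that packets from one source to different destination ports, each arriving within 3 s of the previous one, accumulate a weight of 3 per privileged port (<= 1024) and 1 per other port, and a total of 21 flags the source. The parameter meanings are taken from the RouterOS manual; the packet streams are constructed, and the detector is a simplified model rather than the real implementation.

```python
"""Model of the two RouterOS matchers the rules above rely on: ``tcp-flags``
and ``psd``.  Example code written for this post, not a MikroTik component.
The psd parameter meanings (WeightThreshold, DelayThreshold, LowPortWeight,
HighPortWeight) follow the RouterOS manual; the packet streams below are
constructed, and the detector is a simplified model of the real matcher (one
scan sequence per source, repeats of the same port add no weight)."""

FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# The six tcp-flags rules from the post, top to bottom (comment, tcp-flags spec).
FLAG_RULES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan",          "fin,syn"),
    ("SYN/RST scan",          "syn,rst"),
    ("FIN/PSH/URG scan",      "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan",          "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan",        "!fin,!syn,!rst,!psh,!ack,!urg"),
]


def flags_match(spec, set_flags):
    """tcp-flags semantics: every plain flag must be set, every '!flag' must be
    clear, and flags the spec does not mention are ignored."""
    for token in spec.split(","):
        name = token.lstrip("!")
        if name not in FLAGS:
            raise ValueError("unknown TCP flag: %r" % name)
        if (name in set_flags) != (not token.startswith("!")):
            return False
    return True


def matching_rules(set_flags):
    """Comments of every rule a segment with these flags would hit.  All of them
    fire, because add-src-to-address-list does not stop chain traversal."""
    return [comment for comment, spec in FLAG_RULES if flags_match(spec, set_flags)]


class PortScanDetector:
    """Simplified psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
    Packets from one source to *different* destination ports, each within
    delay_s of the previous packet, accumulate weight; privileged ports
    (<= 1024) count low_weight, others high_weight.  Reaching weight_threshold
    flags the source.  psd=21,3s,3,1 from the post is the default."""

    def __init__(self, weight_threshold=21, delay_s=3.0, low_weight=3, high_weight=1):
        self.weight_threshold = weight_threshold
        self.delay_s = delay_s
        self.low_weight = low_weight
        self.high_weight = high_weight
        self.state = {}  # src -> (last_time, weight, ports_seen)

    def observe(self, src, dst_port, t):
        """Feed one packet; return True if src has now crossed the threshold."""
        last, weight, ports = self.state.get(src, (None, 0, set()))
        if last is not None and t - last > self.delay_s:
            weight, ports = 0, set()       # gap too long: the sequence starts over
        if dst_port not in ports:
            ports.add(dst_port)
            weight += self.low_weight if dst_port <= 1024 else self.high_weight
        self.state[src] = (t, weight, ports)
        return weight >= self.weight_threshold


def first_flagged_port(ports, interval_s, src="198.51.100.7"):
    """Replay a constructed probe sequence (one packet per port, interval_s
    apart) from a constructed source; return the port at which the source was
    flagged, or None if it never was."""
    det = PortScanDetector()
    for i, port in enumerate(ports):
        if det.observe(src, port, i * interval_s):
            return port
    return None


if __name__ == "__main__":
    print(matching_rules(set()))                      # NULL scan
    print(matching_rules({"fin", "syn"}))             # SYN/FIN scan
    print(first_flagged_port(range(21, 28), 0.1))     # fast sweep of low ports
    print(first_flagged_port(range(21, 28), 5.0))     # slow sweep, never flagged
    print(first_flagged_port([80, 443], 0.1))         # ordinary client, never flagged
```

Two things the replay makes visible: a segment with every flag set matches the SYN/FIN and SYN/RST rules as well as the ALL/ALL rule (all three add-src-to-address-list actions fire, since that action does not stop chain traversal), and a probe that pauses longer than the 3 s delay threshold between ports never accumulates enough weight for psd, which is why the flag rules complement it.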

Sunday, June 5, 2016

Bruteforce login prevention in Mikrotik

Bruteforce login prevention for FTP, SSH, Telnet and Winbox

Please read the article: https://en.wikipedia.org/wiki/Brute-force_attack


# jun/05/2016 19:06:05 by RouterOS 6.35.2
# wahid.telco@gmail.com
#

#########################################
#Bruteforce login prevention for ftp    #
#########################################
/ip firewall filter

add action=drop chain=input comment=\
    "Bruteforce login prevention(ftp: drop ftp brute forcers)" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=output comment="Bruteforce login prevention(ftp: 530 Login incorrect\
    \_to limit dst address)" content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output comment=\
    "Bruteforce login prevention(ftp: 530 Login incorrect to ftp_blacklist)" \
    content="530 Login incorrect" protocol=tcp


#########################################
#Bruteforce login prevention for ssh    #
#########################################
/ip firewall filter

add action=drop chain=input comment=\
    "Bruteforce login prevention(ssh: drop ssh brute forcers)" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input comment=\
    "Bruteforce login prevention(ssh: stage3 to blacklist)" connection-state=\
    new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1h chain=input comment=\
    "Bruteforce login prevention(ssh: stage2 to stage3)" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(ssh: stage1 to stage2)" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(ssh: stage1)" connection-state=new dst-port=\
    22 protocol=tcp
add action=drop chain=forward comment=\
    "Bruteforce login prevention(ssh: drop ssh brute downstream)" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist


#########################################
#Bruteforce login prevention for Telnet #
#########################################
If you can identify the Telnet attacker's IP, add it to an address list and then make a firewall rule that drops traffic from that list.

/ip firewall address-list
add list=telnet_droop_list_static address=<ATTACKER_IP> comment="Add telnet attacker to this list"

/ip firewall filter
add action=drop chain=input comment=\
    "Telnet known attacker drop(from address list: telnet_droop_list_static)" \
    dst-port=23 protocol=tcp src-address-list=telnet_droop_list_static

If you use the filter rule above, it must be placed above the rules below. If you do not want to use it, skip it and just copy/paste the rules below.


/ip firewall filter

add action=drop chain=input comment=\
    "Bruteforce login prevention(Telnet: drop telnet brute forcers)" \
    dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=4w2d chain=input comment=\
    "Bruteforce login prevention(Telnet: stage3 to telnet_blacklist)" \
    connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage_3
add action=add-src-to-address-list address-list=telnet_stage_3 \
    address-list-timeout=1h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage2 to stage3)" connection-state=\
    new dst-port=23 protocol=tcp src-address-list=telnet_stage_2
add action=add-src-to-address-list address-list=telnet_stage_2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage1 to stage2)" connection-state=\
    new dst-port=23 protocol=tcp src-address-list=telnet_stage_1
add action=add-src-to-address-list address-list=telnet_stage_1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage1)" connection-state=new \
    dst-port=23 protocol=tcp


#########################################
#Bruteforce login prevention for Winbox #
#########################################
/ip firewall filter
add action=drop chain=input comment=\
    "Bruteforce login prevention(Winbox: drop Winbox brute forcers)" \
    dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=15d chain=input comment=\
    "Bruteforce login prevention(Winbox: stage3 to winbox_blacklist)" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    winbox_stage_3
add action=add-src-to-address-list address-list=winbox_stage_3 \
    address-list-timeout=1m chain=input comment=\
    "Bruteforce login prevention(Winbox: stage2 to stage3)" connection-state=\
    new dst-port=8291 protocol=tcp src-address-list=winbox_stage_2
add action=add-src-to-address-list address-list=winbox_stage_2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(Winbox: stage1 to stage2)" connection-state=\
    new dst-port=8291 protocol=tcp src-address-list=winbox_stage_1
add action=add-src-to-address-list address-list=winbox_stage_1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(Winbox: stage1)" connection-state=new \
    dst-port=8291 protocol=tcp
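
The ssh, Telnet and Winbox ladders above share one mechanism: each new connection to the port promotes the source one list further, and a source that arrives while it is on stage3 is put on the blacklist and dropped from then on. The Python below is an added simulation of that mechanism (not RouterOS code and not from this post) so that the effect of the rule order and the timeouts can be checked. It assumes that rules are evaluated top to bottom, that add-src-to-address-list does not stop chain traversal, that re-adding an address already on a list does not refresh its expiry, that one connection-state=new attempt is one SYN, and that the chain ends in an implicit accept; the source address and attempt times are constructed.

```python
"""Simulation of the staged address-list escalation that the ssh, Telnet and
Winbox rule sets above share.  Example code written for this post, not RouterOS
code.  Modelling assumptions: rules are evaluated top to bottom; the
add-src-to-address-list action does not stop chain traversal; adding an address
already present on a list leaves its existing expiry untouched; each
connection-state=new attempt is one SYN; the chain ends with an implicit accept."""

HOUR = 3600
DAY = 24 * HOUR


class AddressLists:
    """Dynamic address lists keyed by (list name, address) -> expiry time in seconds."""

    def __init__(self):
        self.entries = {}

    def contains(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and now < expiry

    def add(self, name, ip, now, timeout):
        # Assumption: an address already on the list keeps its old expiry.
        if not self.contains(name, ip, now):
            self.entries[(name, ip)] = now + timeout


def staged_rules(prefix, blacklist_timeout, stage3_timeout, stage2_timeout, stage1_timeout):
    """Build the post's rule ladder as (action, required source list, target list,
    timeout) tuples in the order the post adds them.  List names follow the ssh
    section; the Telnet and Winbox sections use stage_1 style names but the
    same structure."""
    return [
        ("drop", prefix + "_blacklist", None, None),
        ("add", prefix + "_stage3", prefix + "_blacklist", blacklist_timeout),
        ("add", prefix + "_stage2", prefix + "_stage3", stage3_timeout),
        ("add", prefix + "_stage1", prefix + "_stage2", stage2_timeout),
        ("add", None, prefix + "_stage1", stage1_timeout),
    ]


# Timeouts exactly as exported above: 4w2d, 1h, 6h, 12h for ssh ...
SSH_RULES = staged_rules("ssh", 30 * DAY, 1 * HOUR, 6 * HOUR, 12 * HOUR)
# ... and 15d, 1m, 6h, 12h for Winbox (note the one-minute stage3 window).
WINBOX_RULES = staged_rules("winbox", 15 * DAY, 60, 6 * HOUR, 12 * HOUR)


def evaluate(lists, rules, ip, now):
    """Push one new-connection SYN from ip through the chain and return the verdict."""
    for action, required_list, target, timeout in rules:
        if required_list is not None and not lists.contains(required_list, ip, now):
            continue
        if action == "drop":
            return "drop"
        lists.add(target, ip, now, timeout)   # non-terminating: keep walking the chain
    return "accept"                           # implicit accept at the end of the chain


def simulate(attempt_times, rules=SSH_RULES, ip="203.0.113.9"):
    """Verdict for each attempt (times in seconds) from a single constructed source."""
    lists = AddressLists()
    return [evaluate(lists, rules, ip, t) for t in attempt_times]


if __name__ == "__main__":
    # Four rapid attempts stage the source up to the blacklist; the fifth is dropped.
    print(simulate([0, 10, 20, 30, 40]))
    # Attempts 100 s apart: ssh still blacklists, Winbox's 1m stage3 entry expires first.
    print(simulate([0, 100, 200, 300, 400], SSH_RULES))
    print(simulate([0, 100, 200, 300, 400], WINBOX_RULES))
```

With the exported order, the first three attempts land on stage1, stage2 and stage3, the fourth is still accepted but puts the source on the blacklist, and the fifth is dropped. The stage3 timeout sets how long after the third attempt a fourth one still blacklists: the ssh ladder keeps that window open for an hour, whereas the Winbox ladder's address-list-timeout=1m on winbox_stage_3 expires between attempts spaced 100 s apart, so such a source is re-staged on every attempt and never reaches winbox_blacklist.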

Wednesday, June 1, 2016

Block torrent downloads


/ip firewall layer7-protocol add name=peer_to_peer_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*$" comment="block torrent"


/ip firewall layer7-protocol add name=peer_to_peer_www regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*$" comment="block torrent"




/ip firewall filter add chain=forward out-interface=WAN action=drop layer7-protocol=peer_to_peer_dns disabled=yes comment="block torrent"

/ip firewall filter add chain=forward out-interface=WAN action=drop layer7-protocol=peer_to_peer_www disabled=yes comment="block torrent"


See also: http://forum.mikrotik.com/viewtopic.php?f=2&t=73462&start=0

Monday, May 30, 2016

How to block website by any name by layer7

How do you block a website by name?

You can try this:
/ip firewall layer7-protocol
add name=prothom regexp="^.+(prothom-alo).*\$"

/ip firewall filter
add action=drop chain=forward layer7-protocol=prothom

Port Number, Protocol Number and Description :

1 — ICMP (Internet Control Message Protocol), used by Ping (Packet Internet Groper)

6 — TCP (Transmission Control Protocol)

7 — Echo (Display the Line of Text)

15 — Netstat (Ip Monitoring)

17 — UDP (User Datagram Protocol)

20 — FTP (File Transfer Protocol) Client

21 — FTP Server

22 — SSH (Secure Shell) (Remote Login)

23 — Telnet (Remote Login)

25 — SMTP (Simple Mail Transfer Protocol) (Incoming Service)

34 — RF (Remote File Transfer)

37 — Timeserver

42 — Name Server or (Wins)

43 — WHOIS

53 — DNS (Domain Name System)

67 — BOOTP (Bootstrap Protocol)

68 — DHCP (Dynamic Host Configuration Protocol)

69 — TFTP (Trivial File Transfer Protocol)

79 — Finger (List the Current User information)

80 — HTTP (Hyper Text Transfer Protocol)

88 — Kerberos (Authentication Protocol)

101 — NIC Host NAME

108 — SNA (IBM System Network Architecture)

109 — POP2 (Post Office Protocol Version2)

110 — POP3 (Post Office Protocol Version3)

111 — Portmap

115 — SFTP (Secure File Transfer Protocol)

118 — SQL (Structured Query Language) services

119 — NNTP (Network News Transfer Protocol)

123 — NTP (Network Time Protocol)

136 — Profile

137 — NetBIOS Name Service

138 — NetBIOS Datagram Service

139 — NetBIOS Session Service

143 — IMAP (Internet Message Access Protocol)

161 — SNMP (Simple Network Managing Protocol)

167 — NMAP (Network Mapper)

174 — Mailq (Mails)

180 — RIS (Remote Installation Service)

223 — IMAP3 (Internet Mail Accessing Protocol)

389 — LDAP (Lightweight Directory Access Protocol)

443 — HTTPS (Hyper Text Transfer Protocol over SSL/TLS)

500 — IKE (Internet Key Exchange)

514 — Syslog / UDP

515 — Printer (Printing Service)

519 — Uptime (for load average)

520 — RIP Routing Information Protocol

546 — DHCPV6 Client (Dynamic Host configuration Protocol Version6)

547 — DHCPv6 Server (Dynamic Host Configuration Protocol Version 6)

565 — Whoami (Present user information)

636 — LDAPS over SSL (Secure Socket Layer)

992 — Telnets over SSL

993 — IMAPS over SSL

995 — POP3S over SSL

2049 — NFS (Network File System in Linux) in Windows GFS (Global File System)

2082 — CPANEL (Web server Third-party Tool)

2095 — CPANEL Webmail

2427 — MGCP (Media Gateway Control Protocol)

3128 — Squid (Proxy) (Firewall Filter)

3268 — AD Global Catalog

3269 — AD Global Catalog over SSL

3306 — MySQL Server

3346 — Transparent proxy

33443 — Traceroute

6000 to 6063 — Xwindow (Graphical Window)

8080 — Web cache

10000 — Webmin

How to block all websites except Gmail and Ymail by layer7

How to block all websites except Gmail and Ymail

You can use layer 7 protocols:

For accept rule:
Name: Accept
regexp= ^.+(gmail.com|mail.google.com|yahoo.com|login.yahoo.com|in-mg61.mail.yahoo.com).*$

For deny rule:
Name: Block
regexp=^.+(.).*$

You need two filter rules, in this order:
1. action=accept and L7=Accept
2. action=drop and L7=Block
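
The same first-match evaluation applies to the prothom-alo rule, the torrent peer_to_peer_www rule and the Accept/Block pair here. The Python below is an added example (not from these posts and not RouterOS code) that runs those regexps, copied verbatim, over constructed HTTP requests and walks the filter rules first-match-wins, as a RouterOS chain does. It assumes that Python's re behaves like the RouterOS matcher for these patterns, that matching is case-sensitive as the (get|GET) alternation implies, and that '.' may span the CRLF line breaks of a request (re.DOTALL). ACCEPT_STRICT_RE is my own tightened variant, not from the post.

```python
"""The layer7 regexps from the prothom-alo, torrent and Gmail/Ymail posts
evaluated against constructed payloads.  Example code written for this blog, not
RouterOS code.  Assumptions: Python's re stands in for the RouterOS matcher,
matching is case-sensitive (as the author's (get|GET) alternation implies), and
re.DOTALL lets '.' span the CRLF line breaks of an HTTP request."""
import re

DOTALL = re.DOTALL
# Regexps copied from the posts above.
ACCEPT_RE = re.compile(
    r"^.+(gmail.com|mail.google.com|yahoo.com|login.yahoo.com|in-mg61.mail.yahoo.com).*$", DOTALL)
BLOCK_RE = re.compile(r"^.+(.).*$", DOTALL)
NAME_RE = re.compile(r"^.+(prothom-alo).*$", DOTALL)
TORRENT_WWW_RE = re.compile(
    r"^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova"
    r"|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate"
    r"|commonbits).*$", DOTALL)
# My tightened allow rule: dots escaped so they match only a literal '.'.
ACCEPT_STRICT_RE = re.compile(r"^.+(gmail\.com|mail\.google\.com|yahoo\.com).*$", DOTALL)

# Filter chains as (name, regexp, action) in the order the posts give them.
ALLOW_THEN_BLOCK = [("Accept", ACCEPT_RE, "accept"), ("Block", BLOCK_RE, "drop")]
STRICT_ALLOW_THEN_BLOCK = [("Accept", ACCEPT_STRICT_RE, "accept"), ("Block", BLOCK_RE, "drop")]
BLOCK_THEN_ALLOW = list(reversed(ALLOW_THEN_BLOCK))   # the wrong order
NAME_BLOCK = [("prothom", NAME_RE, "drop")]
TORRENT_BLOCK = [("peer_to_peer_www", TORRENT_WWW_RE, "drop")]


def decide(payload, chain):
    """First matching rule wins, as in a RouterOS filter chain; no match means
    the implicit accept at the end of the chain."""
    for name, rx, action in chain:
        if rx.search(payload):
            return action, name
    return "accept", None


def http_get(host, path="/"):
    """Constructed request text standing in for the first packets of a connection."""
    return "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)


if __name__ == "__main__":
    print(decide(http_get("mail.google.com"), ALLOW_THEN_BLOCK))
    print(decide(http_get("example.org"), ALLOW_THEN_BLOCK))
    print(decide(http_get("mail.google.com"), BLOCK_THEN_ALLOW))
    print(decide(http_get("gmailXcom.example"), ALLOW_THEN_BLOCK))
    print(decide(http_get("gmailXcom.example"), STRICT_ALLOW_THEN_BLOCK))
    print(decide(http_get("www.prothom-alo.com"), NAME_BLOCK))
    print(decide(http_get("mirror.example", "/ubuntu.torrent"), TORRENT_BLOCK))
```

Three results worth noting: the Accept rule must sit above Block, otherwise ^.+(.).*$ drops everything, Gmail included; the unescaped dots in the Accept pattern match any character, so the allow rule is looser than it looks (a host name such as gmailXcom.example passes it), which escaping the dots fixes, and the login.yahoo.com and in-mg61.mail.yahoo.com alternatives are already covered by yahoo.com; and because the Block regexp needs at least two bytes, a one-byte payload matches neither rule and falls through to the implicit accept.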

If you have any trouble understanding this, inbox me :)