Configuration to block users that try to access the router on non-open port(s)

WARNING If you work on filter rules, use SAFE MODE

This is only needed if you have one or more ports open to the internet.

I use these filter rules to block users that try any non-open port on my router for 24 hours, to somewhat protect the already open ports.
So if a user tries to access my router on port 8291, it will end up in an address list for blocked users and will be blocked on all ports, even 443 that is open for all. This way the user of this IP will not find any open port. Users that try a non-open port on my router have nothing to do there, so 100% block.

This needs to be the last two filter rules.

/ip firewall filter
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment="Add IP of user to access list if they have tried a port that is not open." in-interface=ether1 log-prefix=FI_AS_port-test
add action=drop chain=input comment="Drop packets that have not been allowed or dropped before." in-interface=ether1 log=yes log-prefix=FI_D_port-test

These two lines are only hit if no rule higher in the filter rules has accepted the port as open or blocked it.
First line adds the IP to the access list FW_Block_unkown_port.
Second line then drops the packet.

This way packets from that IP are only logged the first time it hits.


Top line, simple:

/ip firewall raw
add action=drop chain=prerouting comment="Drop user that has tried ports that are not open and has been added to block list" in-interface=ether1  src-address-list=FW_Block_unkown_port

Here we just block the IP as early as we can, in the raw access list.

Top line, more advanced (what I use):

/ip firewall filter
add action=jump chain=input comment="Drop user that has tried ports that are not open and has been added to block list. Limit TARPIT to prevent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT  protocol=tcp src-address-list=FW_Block_unkown_port
add action=tarpit chain=TARPIT limit=10,5:packet  protocol=tcp
add action=drop chain=TARPIT protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1  protocol=!tcp src-address-list=FW_Block_unkown_port

These lines must be high up in the filter rules list.
First line: jumps to the TARPIT chain if the IP is in the access list FW_Block_unkown_port.
Second line: sends the packet to tarpit to slow down the user's attack on the router. This may use some resources, so it is only used until the limit is hit.
Third line: drops the rest of the TCP attack.
Fourth and fifth lines: drop everything other than the TCP attack.

To not block myself out, I use port knocking. The access list for allowing port-knock users must be above the block access list.
My block access list contains from 5000 to 10000 IP addresses at all times (no problem for an hEX router).
Around 50% are sent to tarpit and blocked, the rest are blocked directly.
Since last reboot (18 days ago):
86000 IPs blocked (only counted each IP once every 24 hours)
30 000 000 packets sent to the tarpit chain
15 000 000 packets tarpitted
15 000 000 TCP packets dropped
750 000 UDP packets dropped

Suggestions and improvements are always welcome :smiley:



Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk

If I do not remember wrong, tarpit does not consume anything on the local router; it simply leaves each tarpitted connection in a waiting state on the remote router, consuming remote router resources…

I suggest to other users that read this post to never reply with "reject" when dropping something, except if the reply is directed to your own local network.
(They could otherwise be involved in amplification of DDoS attacks: when receiving the spoofed IP, the router concurs with a "reply"…)

I suggest to change/move the last line/rule from this:

/ip firewall filter
[...]
add action=drop chain=input in-interface=ether1  protocol=udp src-address-list=FW_Block_unkown_port

To this:

/ip firewall raw
add action=drop chain=prerouting in-interface=ether1  protocol=!tcp src-address-list=FW_Block_unkown_port

Why block only TCP or UDP?
Block everything other than tarpitted TCP.

Blocked IPs per hour, last 7 days:
[image: block.jpg]
Blocked in the last 30 minutes shown on a map. If you zoom in you see each country/city.
[image: live.jpg]
Graphs are made using Splunk, see my signature.

Also another suggestion can be: if you have some spare unused public IP, use it as a honeypot.
Every IP that tries to contact the honeypot is a scan or something wrong for sure…
(also define a whitelist of your own addresses)

/ip firewall raw
add action=add-src-to-address-list address-list=FW_BLOCK_HONEYPOT address-list-timeout=1d chain=prerouting comment=HONEYPOT \
    dst-address=6.6.6.6 dst-address-list=!whitelist in-interface=ether1 src-address-list=!whitelist
add action=drop chain=prerouting in-interface=ether1  src-address-list=FW_BLOCK_HONEYPOT
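The rule ordering from the first post (port-knock accept above the block rule, block rule above the open-port accepts, then add-src-to-address-list and the final drop) together with the honeypot rule above, as an added example written here in Python; it is a toy model, not RouterOS code from either poster. It assumes 443 is the only open port, 6.6.6.6 is the honeypot address, and that a dynamic address-list entry simply disappears when its 1d timeout runs out.

```python
# Toy model of the input-chain ordering discussed in this thread (added
# example, not RouterOS code). Assumptions: 443 is the only open port,
# 6.6.6.6 is the honeypot address, times are plain seconds.
from dataclasses import dataclass, field

BLOCK_TIMEOUT = 24 * 3600   # address-list-timeout=1d
OPEN_PORTS = {443}          # accepted by rules above the final two (assumed)
HONEYPOT_IP = "6.6.6.6"     # dst-address of the honeypot raw rule


@dataclass
class Firewall:
    knock_allowed: set = field(default_factory=set)  # port-knock result list
    whitelist: set = field(default_factory=set)      # own addresses, never listed
    blocked: dict = field(default_factory=dict)      # src ip -> expiry (seconds)

    def _expire(self, now: int) -> None:
        # Dynamic address-list entries vanish once their timeout has passed.
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def packet(self, src: str, dst: str, dport: int, now: int) -> str:
        self._expire(now)
        # raw/prerouting: any contact with the honeypot lists the source.
        if dst == HONEYPOT_IP and src not in self.whitelist:
            self.blocked[src] = now + BLOCK_TIMEOUT
            return "drop"
        # Port-knock accept sits ABOVE the block rule, so the admin is
        # still let in even if their IP was listed earlier.
        if src in self.knock_allowed:
            return "accept"
        # Block rule: a listed IP is dropped on every port, open ones included.
        if src in self.blocked:
            return "drop"
        if dport in OPEN_PORTS:
            return "accept"
        # The last two filter rules: list the source for 1d, then drop.
        self.blocked[src] = now + BLOCK_TIMEOUT
        return "drop"

    def blocked_count(self, now: int) -> int:
        self._expire(now)
        return len(self.blocked)


if __name__ == "__main__":
    fw = Firewall(knock_allowed={"203.0.113.9"}, whitelist={"198.51.100.1"})
    router = "198.51.100.2"                      # constructed router address
    print(fw.packet("192.0.2.10", router, 443, 0))    # accept: open port
    print(fw.packet("192.0.2.10", router, 8291, 1))   # drop: closed port, now listed
    print(fw.packet("192.0.2.10", router, 443, 2))    # drop: listed IP, even on 443
```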

Good suggestion, added :slight_smile:
Thanks

PS I can not use prerouting in the standard firewall, only raw, and in raw I can not use tarpit.

That is why on raw I put "!tcp" :slight_smile:

Ahh, I understand, but I do not see the formatting error. Using original phpBB style.
Where exactly to add enter?

Ah, the problem is on the "default" style Canvas; it happens when a [ code ] block is near another block of any type, like [ b ] bold.

fixed, thanks!

I hope you read/notice also this:
http://forum.mikrotik.com/t/configuration-to-block-users-that-tries-to-access-router-on-non-open-port-s/151840/8

I did see it, but many do not have an extra IP.

I did try to use VRF to fake two or more outside IFs to get more IPs, but it did not work :frowning:
Here is what I used before:
https://github.security.telekom.com/2015/03/honeypot-tpot-concept.html

But I have none of these rules,
except two:
drop invalid in input chain,
drop all else as last rule in input chain.

How come I am not having any issues??
Is it better not to be aware of how many hits one is getting, ignorance is bliss??

You do miss some of the point here.
If someone hits my router on a wrong port, they are also blocked on all open ports like 443 and other ports.
This prevents them from seeing any open port, therefore they can not try to hack my web server etc.

And it also makes you extremely vulnerable to a simple CPU DoS if someone spoofs IPs and fills your blacklist with millions of IPs. Someone can also put http://your_ip:8291/lol in an image tag and firewall you off… these rules do more harm than good in the long run.

I have this DDoS filter above my block rule.
http://forum.mikrotik.com/t/ddos-story-or-warning-use-conection-limit-with-caution/49743/1

Never have had downtime. May not have been targeted…

It might be a better idea to use an interface list (WAN) rather than the interface name (ether1).

After changing from udp to !tcp, I get a lot of hits on protocol 47 (GRE), which I had not had before.
So thanks again for the tip :slight_smile:

Another user talked about a GRE attack that started some days ago, also Mēris;
probably it is that?

Hold the fort Jotne…
I read that long-assed thread to find that you are having issues with said DDoS!!
quote "But I have for sure not done anything remotely connected to DDoS, mostly surfing :slight_smile:" unquote.

So the fact that chupkas DDoS script addresses incoming and outgoing is causing you issues on the outgoing.
Did you add the =result exception for DNS??? To solve this dilemma.

Have not had a problem with DNS. Using DoH.

@Jotne

From your first post,
I need rules something like that, but may I get the accept list for the ports that you want to allow?