Ban IPs that access common ports that are not open (21, 80, etc.)

Hi,

I just recently bought a MikroTik router (hAP ac2) a couple of days ago, and I'm still playing with the firewall settings.
After I saw that there are a lot of connections to some services' default ports (ftp, http, etc.), I thought that since I don't run an FTP server on port 21, anyone who tries to connect on port 21 must be a bad person :)
So I made this rule, which collects these IP addresses in an address list:

/ip firewall nat
add chain=dstnat action=add-src-to-address-list protocol=tcp \
    address-list=banned_IPs address-list-timeout=1w3d in-interface-list=WAN \
    dst-port=20-25,53,80,110,443 log=yes log-prefix="Port bait BAN:" \
    comment="port BAIT"

And then I have a rule, which drops everything from these addresses:

/ip firewall raw
add chain=prerouting action=drop src-address-list=banned_IPs \
    comment="drop banned IPs"

Do you think that it is completely unnecessary, or does it make sense?
Could this be a performance issue? Will it be a problem if I have several hundred IPs in that address list?

It's an exercise to go through to learn about some of the settings on the router, but for the majority of home users, this suffices. Rule of thumb: keep it clean and keep it minimal.
If issues arise, bring them up at the forum and folks will advise accordingly. Much of the stuff you can find trolling around the net will get you confused and are not necessarily recommended regardless.

Start with the default setup and then modify. You will note that the modifications include getting rid of the two default rules that for the beginner are harder to read/understand ( a tad over complicated ) and require the use of the ! symbol (means not, or everything else but this). ‘Everything but this’ has many unintended consequences for the new user.

Input Chain
Default Rules
-established etc. accept
-invalid drop
USER Rules ******
Last Rule - add chain=input action=drop comment="drop all else"

where ******* is comprised of one or more entries

  • add admin access to router (caution: this rule has to be in place before putting in the last rule, otherwise one is locked out of the router)
  • add services LAN users may need from router, such as DNS, NTP

Forward Chain
Default Rules
-ipsec accept
-fasttrack accept
-established etc. accept
-invalid drop
USER Rules ******
Last Rule - add chain=input action=drop comment="drop all else"

******** Where All the traffic you wish to allow is defined, such as subnets to internet, access from one subnet to a shared printer on a different subnet for example, if you have port forwarding, then add this here as well.
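The input/forward layout described in the reply above, written out as RouterOS commands (an added example, not the reply author's or MikroTik's own configuration). It assumes the default LAN and WAN interface lists, an address list named admin_hosts holding the admin machine(s), and constructed subnet and printer addresses; the final forward-chain rule here is on chain=forward, and rule order matters because the last rule in each chain drops everything not accepted above it.

```routeros
/ip firewall filter

# ---- Input chain: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related \
    comment="default: accept established/related"
add chain=input action=drop connection-state=invalid \
    comment="default: drop invalid"
# USER rules: admin access must be in place BEFORE the final drop,
# otherwise you lock yourself out of the router
add chain=input action=accept in-interface-list=LAN \
    src-address-list=admin_hosts \
    comment="admin access to router (assumed list: admin_hosts)"
add chain=input action=accept in-interface-list=LAN protocol=udp \
    dst-port=53,123 comment="DNS and NTP for LAN users"
add chain=input action=accept in-interface-list=LAN protocol=tcp \
    dst-port=53 comment="DNS over TCP for LAN users"
add chain=input action=drop comment="drop all else"

# ---- Forward chain: traffic passing through the router ----
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="default: accept ipsec in"
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="default: accept ipsec out"
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="default: fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="default: accept established/related"
add chain=forward action=drop connection-state=invalid \
    comment="default: drop invalid"
# USER rules: everything you want to allow through the router
add chain=forward action=accept in-interface-list=LAN \
    out-interface-list=WAN comment="LAN subnets to internet"
add chain=forward action=accept src-address=192.168.88.0/24 \
    dst-address=192.168.10.10 protocol=tcp dst-port=9100 \
    comment="LAN to shared printer on another subnet (constructed addresses)"
add chain=forward action=accept in-interface-list=WAN \
    connection-nat-state=dstnat comment="allow port-forwarded (dstnat) traffic"
add chain=forward action=drop comment="drop all else"
```

The dstnat rule only admits traffic that a /ip firewall nat port-forward rule has already translated, so nothing reaches the LAN from WAN unless it was explicitly forwarded.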