Config Review - Security Conscious Home User

Hi everyone, been a while since I’ve done a new config on my router so I figured I’d post here for a config review. If you see anything obviously wrong, missing anything that puts me at risk, or just likely to kill my overall internet throughput performance I’d love to get your feedback. This is at my home on residential (dynamic IP) Spectrum 100Mbps Internet and I have a DynDns service with a personal domain and an updater client running on a VM.

Router: 1100AHx2

In general, I’m a security conscious user and have some interest in seeing how much scanning activity actually hits my router at home. I frequently travel so I do have a few RDP forward rules set for alternate ports so I can easily log in to home from my work computer rather than travel with two laptops. I run a Pi-Hole internally for my DNS. I don’t, at this point, want to block and reroute ALL DNS; I’d rather be able to put a secondary DNS into DHCP so that if the Pi-Hole fails while I’m traveling I won’t get any frantic phone calls about the internet being down. Although, having a rule to log all DNS traffic not from the Pi-Hole may be useful for visibility… I also found some tutorials on blocking brute force and port scanners, so I’ve included those in my firewall ruleset.

Stage two, after getting this config locked down, is to build a Cacti (or similar) monitor and Syslog server VM. Maybe even a Security Onion IDS.

Here is the config:

export hide-sensitive (and I’ve redacted some names and MAC addresses)

# feb/11/2019 14:13:52 by RouterOS 6.43.11
# software id = T38F-M5KD
#
# model = 1100AHx2
# serial number = XXXXXXXXXXXXX
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.22.22.100-172.22.22.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=5m name=dhcp1
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=172.22.22.1/24 interface=ether2 network=172.22.22.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=172.22.22.192 client-id=MACADDY1 comment=\
    "Canon Printer" mac-address=MACADDY1 server=dhcp1
add address=172.22.22.200 client-id=MACADDY2 mac-address=\
    MACADDY2 server=dhcp1
add address=172.22.22.191 client-id=MACADDY3 comment=\
    "VMWare Management Interface\
    \n" mac-address=MACADDY3 server=dhcp1
add address=172.22.22.190 client-id=MACADDY4 comment=Thermo \
    mac-address=MACADD4 server=dhcp1
add address=172.22.22.197 client-id=MACADDY5 mac-address=\
    MACADDY5 server=dhcp1
add address=172.22.22.196 client-id=MACADDY6 mac-address=\
    MACADDY6 server=dhcp1
add address=172.22.22.198 client-id=MACADDY7 mac-address=\
    MACADDY7 server=dhcp1
/ip dhcp-server network
add address=172.22.22.0/24 dns-server=172.22.22.2,172.22.22.1 domain=\
   domain.local gateway=172.22.22.1 netmask=24 ntp-server=172.22.22.1
/ip dns
set allow-remote-requests=yes servers=172.22.22.2,1.1.1.1
/ip firewall address-list
add address=172.22.22.2-172.22.22.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Telnet)" list="Black List (Telnet)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
    "Black List (Port Scanner LAN)"
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge1
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
    yes log-prefix=LAN_!LAN src-address=!172.22.22.0/24
add action=drop chain=input comment="Drop anyone in Black List (SSH)." \
    in-interface=ether1 log=yes log-prefix="BL_Black List (SSH)" \
    src-address-list="Black List (SSH)"
add action=jump chain=input comment="Jump to Black List (SSH) chain." \
    dst-port=22 in-interface=ether1 jump-target="Black List (SSH) Chain" \
    protocol=tcp
add action=add-src-to-address-list address-list="Black List (SSH)" \
    address-list-timeout=4w2d chain="Black List (SSH) Chain" comment="Transfer\
    \_repeated attempts from Black List (SSH) Stage 3 to Black List (SSH)." \
    connection-state=new in-interface=ether1 log=yes log-prefix=\
    "Add_Black List (SSH)" src-address-list="Black List (SSH) Stage 3"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 3" \
    address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
    "Add successive attempts to Black List (SSH) Stage 3." connection-state=\
    new in-interface=ether1 log=yes log-prefix="Add_Black List (SSH) S3" \
    src-address-list="Black List (SSH) Stage 2"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 2" \
    address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
    "Add successive attempts to Black List (SSH) Stage 2." connection-state=\
    new in-interface=ether1 log=yes log-prefix="Add_Black List (SSH) S2" \
    src-address-list="Black List (SSH) Stage 1"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 1" \
    address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
    "Add initial attempt to Black List (SSH) Stage 1." connection-state=new \
    in-interface=ether1 log=yes log-prefix="Add_Black List (SSH) S1"
add action=return chain="Black List (SSH) Chain" comment=\
    "Return From Black List (SSH) chain."
add action=drop chain=input comment="Drop anyone in Black List (Telnet)." \
    in-interface=ether1 log=yes log-prefix="BL_Black List (Telnet)" \
    src-address-list="Black List (Telnet)"
add action=jump chain=input comment="Jump to Black List (Telnet) chain." \
    dst-port=23 in-interface=ether1 jump-target="Black List (Telnet) Chain" \
    protocol=tcp
add action=add-src-to-address-list address-list="Black List (Telnet)" \
    address-list-timeout=4w2d chain="Black List (Telnet) Chain" comment="Trans\
    fer repeated attempts from Black List (Telnet) Stage 3 to Black List (Teln\
    et)." connection-state=new in-interface=ether1 log=yes log-prefix=\
    "Add_Black List (Telnet)" src-address-list="Black List (Telnet) Stage 3"
add action=add-src-to-address-list address-list="Black List (Telnet) Stage 3" \
    address-list-timeout=1m chain="Black List (Telnet) Chain" comment=\
    "Add successive attempts to Black List (Telnet) Stage 3." \
    connection-state=new in-interface=ether1 log=yes log-prefix=\
    "Add_Black List (Telnet) S3" src-address-list=\
    "Black List (Telnet) Stage 2"
add action=add-src-to-address-list address-list="Black List (Telnet) Stage 2" \
    address-list-timeout=1m chain="Black List (Telnet) Chain" comment=\
    "Add successive attempts to Black List (Telnet) Stage 2." \
    connection-state=new in-interface=ether1 log=yes log-prefix=\
    "Add_Black List (Telnet) S2" src-address-list=\
    "Black List (Telnet) Stage 1"
add action=add-src-to-address-list address-list="Black List (Telnet) Stage 1" \
    address-list-timeout=1m chain="Black List (Telnet) Chain" comment=\
    "Add initial attempt to Black List (Telnet) Stage 1." connection-state=\
    new in-interface=ether1 log=yes log-prefix="Add_Black List (Telnet) S1"
add action=return chain="Black List (Telnet) Chain" comment=\
    "Return From Black List (Telnet) chain."
add action=drop chain=input comment="Drop anyone in Black List (Winbox)." \
    in-interface=ether1 log=yes log-prefix="BL_Black List (Winbox)" \
    src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to Black List (Winbox) chain." \
    dst-port=8291 in-interface=ether1 jump-target="Black List (Winbox) Chain" \
    protocol=tcp
add action=add-src-to-address-list address-list="Black List (Winbox)" \
    address-list-timeout=4w2d chain="Black List (Winbox) Chain" comment="Trans\
    fer repeated attempts from Black List (Winbox) Stage 3 to Black List (Winb\
    ox)." connection-state=new in-interface=ether1 log=yes log-prefix=\
    "Add_Black List (Winbox)" src-address-list="Black List (Winbox) Stage 3"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 3" \
    address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add successive attempts to Black List (Winbox) Stage 3." \
    connection-state=new in-interface=ether1 log=yes log-prefix=\
    "Add_Black List (Winbox) S3" src-address-list=\
    "Black List (Winbox) Stage 2"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 2" \
    address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add successive attempts to Black List (Winbox) Stage 2." \
    connection-state=new in-interface=ether1 log=yes log-prefix=\
    "Add_Black List (Winbox) S2" src-address-list=\
    "Black List (Winbox) Stage 1"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 1" \
    address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add initial attempt to Black List (Winbox) Stage 1." connection-state=\
    new in-interface=ether1 log=yes log-prefix="Add_Black List (Winbox) S1"
add action=return chain="Black List (Winbox) Chain" comment=\
    "Return From Black List (Winbox) chain."
add action=drop chain=input comment=\
    "Drop anyone in the Port Scanner (WAN) list." in-interface=ether1 log=yes \
    log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
    "Black List (Port Scanner WAN)"
add action=drop chain=forward comment=\
    "Drop anyone in the Port Scanner (WAN) list." in-interface=ether1 log=yes \
    log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
    "Black List (Port Scanner WAN)"
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
    comment="Add TCP port scanner to Port Scanner (WAN) list." in-interface=\
    ether1 log=yes log-prefix="Add_Black List (Port Scanner WAN)" protocol=\
    tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
    comment="Add NMAP FIN Stealth scanner to Port Scanner (WAN) list." \
    in-interface=ether1 log=yes log-prefix=\
    "Add_Black List (Port Scanner WAN)" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
    comment="Add SYN/FIN scanner to Port Scanner (WAN) list." in-interface=\
    ether1 log=yes log-prefix="Add_Black List (Port Scanner WAN)" protocol=\
    tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
    comment="Add SYN/RST scanner to Port Scanner (WAN) list." in-interface=\
    ether1 log=yes log-prefix="Add_Black List (Port Scanner WAN)" protocol=\
    tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
    comment="Add FIN/PSH/URG scanner to Port Scanner (WAN) list." \
    in-interface=ether1 log=yes log-prefix=\
    "Add_Black List (Port Scanner WAN)" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
    comment="Add ALL/ALL scanner to Port Scanner (WAN) list." in-interface=\
    ether1 log=yes log-prefix="Add_Black List (Port Scanner WAN)" protocol=\
    tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
    comment="Add NMAP NULL scanner to Port Scanner (WAN) list." in-interface=\
    ether1 log=yes log-prefix="Add_Black List (Port Scanner WAN)" protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment=\
    "Drop anyone in the Port Scanner (LAN) list." in-interface=ether1 log=yes \
    log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
    "Black List (Port Scanner LAN)"
add action=drop chain=forward comment=\
    "Drop anyone in the Port Scanner (LAN) list." in-interface=ether1 log=yes \
    log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
    "Black List (Port Scanner LAN)"
add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner LAN)" address-list-timeout=4w2d chain=forward \
    comment="Add TCP port scanner to Port Scanner (LAN) list." in-interface=\
    ether1 log=yes log-prefix="Add_Black List (Port Scanner LAN)" protocol=\
    tcp psd=21,3s,3,1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Workstation1" dst-port=33896 \
    in-interface=ether1 log=yes log-prefix=Workstation protocol=tcp \
    to-addresses=172.22.22.196 to-ports=3389
add action=dst-nat chain=dstnat comment="Workstation2" dst-port=33897 \
    in-interface=ether1 log=yes log-prefix=Workstation protocol=tcp \
    to-addresses=172.22.22.197 to-ports=3389
add action=dst-nat chain=dstnat comment="Workstation3" dst-port=33898 \
    in-interface=ether1 log=yes log-prefix=Workstation3 protocol=tcp \
    to-addresses=172.22.22.198 to-ports=3389
add action=dst-nat chain=dstnat comment="Workstation4" dst-port=33899 \
    in-interface=ether1 log=yes log-prefix=Workstation4 protocol=tcp \
    to-addresses=172.22.22.199 to-ports=3389
/ip firewall service-port
set sip sip-timeout=2h
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=MyRouter
/system ntp client
set enabled=yes primary-ntp=172.98.193.44 secondary-ntp=54.39.20.247
/system ntp server
set enabled=yes
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool user-manager database
set db-path=user-manager

Credits:
Mikrotik Wiki
https://www.marthur.com/networking/mikrotik-setup-brute-force-protection/382/

Thank you!

I would put

add action=add-src-to-address-list address-list=\
    "Black List (Port Scanner LAN)" address-list-timeout=4w2d chain=forward \
    comment="Add TCP port scanner to Port Scanner (LAN) list." in-interface=\
    ether1 log=yes log-prefix="Add_Black List (Port Scanner LAN)" protocol=\
    tcp psd=21,3s,3,1

before

add action=drop chain=forward comment=\
    "Drop anyone in the Port Scanner (LAN) list." in-interface=ether1 log=yes \
    log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
    "Black List (Port Scanner LAN)"

so the drop is last in chain.

There’s a philosophy that there should be an unconditional drop at the end of any chain (input, forward) … so when a connection is not explicitly allowed, it gets dropped. So there is no need to have this conditional drop (the condition being that src-address is on the black list) at the end. On the contrary, you want to have this drop at the very beginning of the forward (and input) chain so that trespassers get dropped also for services which are otherwise available to the public. If not, then there’s no point in collecting addresses in the address list.

You might want to rework firewall filter rules to use in-interface-list={LAN,WAN} instead of in-interface={bridge1,ether1} and out-interface-list={LAN,WAN} instead of out-interface={bridge1,ether1}. It makes firewall rules more readable and easier to adapt if the interface layout changes.

Other than that: LAN IP setup should go to bridge1 (not on ether2, which is slave interface).

Thank you for the correction. I guess too early in the morning and not enough coffee.

I would ditch all the blacklist / port scan detect / etc. stuff. This kind of thing just opens you up to a resource exhaustion attack and can even result in blacklisting legitimate traffic if an attacker has IP spoofing capabilities. The CPUs on these devices are not powerful enough for this kind of state tracking; instead of being bandwidth limited during an attack you will end up CPU limited to the point where you can’t even log in to the router any more.

Thanks for the feedback. I’ll take a look and make some changes. As it is right now, none of the bruteforce/scanning rules are showing any traffic anyway.

What a surprise. :wink: You created a reasonable firewall for the input chain with just those four rules at the beginning. Rule #4 is an unconditional drop; nothing will ever get past that. So all following rules with chain=input are completely useless. And before you start moving them around, think about how much you really need them. I’d say you most likely don’t, at all. The most obvious example is telnet: why bother with blacklisting when you have the service disabled? And similarly with the others: why blacklist ssh or winbox from WAN when you don’t allow any ssh or winbox connections from WAN anyway? That could make sense if you wanted to open them from WAN, but if you don’t need it, it’s better to keep them closed.
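The shadowing described in the reply above (an unconditional drop at position 4 of the input chain making every later chain=input rule dead) can be checked mechanically. The following is an added example, not code from the thread or from RouterOS: it joins the export's backslash continuations, parses the /ip firewall filter "add" commands and reports rules that sit below an unconditional drop in their chain, run here on a constructed excerpt of the posted config.

```python
"""Lint a RouterOS '/ip firewall filter' export for rules that can never
match because an earlier rule in the same chain drops everything.
Added example for this thread; not the poster's config or RouterOS code."""
import shlex
from typing import Dict, List, Tuple

# Constructed excerpt in the export format the post uses (backslash
# continuations, one section header, then 'add ...' commands).
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=drop chain=input comment="Drop anyone in Black List (SSH)." \
    in-interface=ether1 log=yes log-prefix="BL_Black List (SSH)" \
    src-address-list="Black List (SSH)"
add action=jump chain=input comment="Jump to Black List (SSH) chain." \
    dst-port=22 in-interface=ether1 jump-target="Black List (SSH) Chain" \
    protocol=tcp
add action=return chain="Black List (SSH) Chain" comment=\
    "Return From Black List (SSH) chain."
"""

# Keys that never take part in packet matching; a rule whose only keys are
# these matches every packet that reaches it.
NON_MATCH_KEYS = {"action", "chain", "comment", "log", "log-prefix",
                  "jump-target", "address-list", "address-list-timeout",
                  "disabled"}


def join_continuations(text: str) -> List[str]:
    """Merge backslash-continued export lines into single logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        continued = piece.endswith("\\")
        buf += piece[:-1] if continued else piece
        if continued:
            continue
        if buf:
            logical.append(buf)
        buf = ""
    return logical


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Return the 'add' commands under '/ip firewall filter' as key/value dicts."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
            continue
        if section != "/ip firewall filter" or not line.startswith("add "):
            continue
        rule: Dict[str, str] = {}
        for token in shlex.split(line)[1:]:   # shlex handles the quoted values
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def is_unconditional(rule: Dict[str, str]) -> bool:
    """True when the rule has no matcher at all, i.e. it matches every packet."""
    return not (set(rule) - NON_MATCH_KEYS)


def unreachable_rules(rules: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """1-based positions (as the replies in the thread count them) and comments
    of rules shadowed by an earlier unconditional drop/reject in their chain."""
    blocked_chains, shadowed = set(), []
    for pos, rule in enumerate(rules, 1):
        if rule.get("disabled") == "yes":
            continue
        chain = rule.get("chain", "")
        if chain in blocked_chains:
            shadowed.append((pos, rule.get("comment", "<no comment>")))
        elif rule.get("action") in ("drop", "reject") and is_unconditional(rule):
            blocked_chains.add(chain)
    return shadowed


if __name__ == "__main__":
    for pos, comment in unreachable_rules(parse_rules(SAMPLE_EXPORT)):
        print(f"rule {pos} ({comment}) sits below an unconditional drop and never matches")
```

Run against a full export, the same function also flags the Telnet, Winbox and port-scanner input-chain rules, because they all follow the same drop.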

I agree, I am coming to the conclusion that a list of common ports (that the router users don’t need: 20, 21, 22, 23, 139, 8192 etc.) in RAW, capturing the source address for six days and then dropping them in raw, should catch most of the bad guys probing around, full stop, and not load up the CPU (besides shutting off all un-needed services and changing common ports to uncommon ones for things you need, like ssh to 220 or something). Everything else just creates a messy config; just ensure you have a drop-all rule at the end of the input and forward chains.
For ports you do use you can always filter them after passing the port traffic you wish to allow (if you can limit by source address) and capture them to the same address list as your raw list.

It is my way of “drop it ASAP”:

  1. If the attacker scans us again (is already on the list), then drop it right now.

A. Check if an unwanted port is being hit.
B. If yes, add the attacker to the ban list.
C. Drop all packets coming from the attacker list.

/ip firewall raw
add action=accept chain=prerouting dst-port=portofwinboxservice protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK2 address-list-timeout=27m chain=prerouting comment=RAW2ADD \
    in-interface-list=WAN_LIST log-prefix="RAW2ADD: " src-address-list=RAWATTACK
add action=drop chain=prerouting comment=RAW2 in-interface-list=WAN_LIST log-prefix="RAW2: " src-address-list=RAWATTACK2
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=\
    8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD disabled=yes \
    dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=udp

..... here you can do more checks for unwanted ports

add action=drop chain=prerouting comment=RAW1 in-interface-list=WAN_LIST log-prefix="RAW1: " src-address-list=RAWATTACK

Exactly BartoszP, with that type of ruleset and approach I think most bad guys probing/scanning will be caught, with the least load on the CPU and just a few rules in raw.

Notes:
1 - One should be careful because RAW is stateless: it doesn’t care if a packet is established or related, and it doesn’t discriminate between legit and illegit traffic on those ports.
2 - Make sure you use in-interface(-list)=WAN, otherwise you may catch traffic from users behind the router. On the other hand, if they are not supposed to be using those ports…
3 - I believe you can have up to either 15 or 25 ports per rule, and thus in your case you only needed the two capture rules (tcp, udp) and the drop rule.
4 - I am not sure what the best timeout is for this type of rule; I see you used 27 min, whereas I have seen 6 hours and 2 days as well.
Your comment/advice here would be appreciated.
5 - If you have destination NAT rules, make sure you don’t put the port for that into the above rules by mistake!!!
6 - If you have destination NAT rules, try to only allow specific source addresses in the NAT rule, because that has two important effects:
a. only allows those with specific WAN IPs to enter the router
b. makes the port invisible to scans… (without a source parameter in the NAT rule the port appears closed BUT VISIBLE on a scan)

  1. If you do use ports and obviously cannot put them in raw, then you may wish to consider IP FIREWALL FILTER placement.
    Port 53 comes to mind as one that people may try to use…
    I allow LAN to ROUTER (input chain) for port 53, tcp and udp,
    but I suppose no one wants WAN to LAN incoming port 53 to be allowed, and since we can’t put that in raw:

add action=add-src-to-address-list address-list=<same list as in raw> address-list-timeout=<xxx> chain=forward dst-port=53 protocol=tcp
add action=add-src-to-address-list address-list=<same list as in raw> address-list-timeout=<xxx> chain=forward dst-port=53 protocol=udp

If I’m not doing Winbox from WAN, do I need the rule “add action=accept chain=prerouting dst-port=portofwinboxservice protocol=tcp” from BartoszP’s rule set?

After making some changes, I now have the following firewall ruleset with everything set to interface lists.

/ip firewall address-list
add list="RAWATTACK" comment="Raw Attack Drop List"
add list="RAWATTACK2" comment="Raw Attack 2 Drop List"

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="Drop Anything not Matching Above"
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN out-interface-list=!LAN
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address=!172.22.22.0/24

/ip firewall raw
add action=add-src-to-address-list address-list=RAWATTACK2 address-list-timeout=27m chain=prerouting comment=RAW2ADD in-interface-list=WAN log-prefix="RAW2ADD: " src-address-list=RAWATTACK
add action=drop chain=prerouting comment=RAW2 in-interface-list=WAN log-prefix="RAW2: " src-address-list=RAWATTACK2
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215,3389 \
    in-interface-list=WAN log=yes log-prefix="RAW1: " protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215,3389 \
    in-interface-list=WAN log=yes log-prefix="RAW1: " protocol=udp
add action=drop chain=prerouting comment=RAW1 in-interface-list=WAN log-prefix="RAW1: " src-address-list=RAWATTACK

As to why I’m interested in dropping and logging scanning and providing a bit more robust ruleset? First, I’m just curious about what is out there and what is scanning, and second, since I do expose some RDP, if I can catch RDP scanners and just drop them before they start trying alternate RDP ports I can see if that reduces the brute force attempts against the actual systems.

As expected, immediately started seeing IPs being recorded in the Address Lists with RAWATTACK and RAWATTACK2.

Edit - It looks like the IPs hitting RAWATTACK and RAWATTACK2 rules are being added in as individual line items in the firewall address lists tab with the appropriate name. Is this correct or is address list supposed to be a container for each IP to be added to?

That’s about the right behaviour.

Using RAW for this kind of drop is very dangerous. Keep in mind that an attacker with a spoofed address can easily add important addresses like 8.8.8.8 or 1.1.1.1 to the list.
And due to the fact that it is in prerouting, it happens before connection tracking, and therefore even connections initiated from your own network (i.e. legit connections) will not receive any response because it will all be dropped in RAW.

I am not saying it cannot be used this way, but the admin has to be aware of the possible consequences.

In addition, having the RAW add-to-list action triggered by port 37215 means that every time your local device opens a TCP connection to anywhere and randomly chooses this port as a source port (because it is in the available range), it will become the reply’s dst port, which will trigger the blacklisting rule. Therefore your own device will sooner or later blacklist a legit server, just because this particular port was randomly chosen…

What @vecernik87 wrote about false positives blocking access from LAN to legitimate remote addresses is a real possibility (I had to disable blocking port scanners on one of my sites as quite a few legitimate sites landed on the list and users got slightly upset).

If one really wants to use blacklisting, also whitelisting should be implemented. Something like

add action=accept chain=prerouting comment="static whitelisted SRC-addresses" src-address-list=staticWL
add action=accept chain=prerouting comment="static whitelisted DST-addresses" dst-address-list=staticWL

as top-most rules in /ip firewall raw … then add whichever remote addresses should never get blacklisted to that address list. Addresses such as 8.8.8.8 and addresses from which one wants to allow remote access to the LAN itself (e.g. winbox connection to the router itself or ssh port-forwarded to some LAN host). One should keep the whitelist relatively short; if it grows to more than 10 addresses or so then the whole blacklisting setup is flawed.
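To make the two points above concrete (the reply-packet false positive from a LAN host's ephemeral port 37215, and the staticWL accept rules keeping a spoofed source off the list), here is an added simulation of BartoszP's RAW1ADD capture rule on constructed packets; it is not code from the thread or from RouterOS. The tcp-flags=syn,!ack narrowing it also shows is my own suggestion, not something proposed in the thread, and 198.51.100.1 is a stand-in for the router's WAN address.

```python
"""Model of the RAW1ADD capture rule from the thread evaluated in
/ip firewall raw prerouting, i.e. before connection tracking, on constructed
packets. Added example; not code from the thread or from RouterOS."""
from dataclasses import dataclass, field
from typing import FrozenSet, Set

# Port list of the RAW1ADD rule as posted (137-139 expanded).
PROBE_PORTS: Set[int] = {8291, 22, 23, 2000, 7547, 11211, 135, 137, 138, 139,
                         548, 80, 8080, 81, 37215}


@dataclass(frozen=True)
class Packet:
    """The few header fields the raw rules in the thread look at."""
    in_iface_list: str          # interface list the packet arrived on
    src: str
    dst: str
    dst_port: int
    tcp_flags: FrozenSet[str]   # e.g. {"syn"} or {"syn", "ack"}


@dataclass
class RawCapture:
    """One add-src-to-address-list rule, optionally preceded by mkx's
    staticWL accept rules and optionally narrowed with tcp-flags."""
    ports: Set[int]
    require_flags: FrozenSet[str] = frozenset()   # tcp-flags=syn  -> {"syn"}
    forbid_flags: FrozenSet[str] = frozenset()    # tcp-flags=!ack -> {"ack"}
    whitelist: Set[str] = field(default_factory=set)   # staticWL entries
    listed: Set[str] = field(default_factory=set)      # RAWATTACK contents

    def process(self, pkt: Packet) -> str:
        # accept src-address-list=staticWL / dst-address-list=staticWL first
        if pkt.src in self.whitelist or pkt.dst in self.whitelist:
            return "accept"
        # in-interface-list=WAN dst-port=... protocol=tcp
        if pkt.in_iface_list != "WAN" or pkt.dst_port not in self.ports:
            return "pass"
        # raw is stateless: only the flags on this one packet are available
        if not self.require_flags <= pkt.tcp_flags or self.forbid_flags & pkt.tcp_flags:
            return "pass"
        self.listed.add(pkt.src)
        return "listed"


# Constructed packets; 198.51.100.1 stands in for the router's WAN address.
# 1: a LAN host opened a TCP connection to 203.0.113.10 and happened to pick
#    ephemeral source port 37215; this is the server's SYN/ACK coming back.
REPLY_TO_LAN_HOST = Packet("WAN", "203.0.113.10", "198.51.100.1", 37215,
                           frozenset({"syn", "ack"}))
# 2: an unsolicited connection attempt to the telnet port.
TELNET_PROBE = Packet("WAN", "192.0.2.77", "198.51.100.1", 23, frozenset({"syn"}))
# 3: the same probe with a spoofed source, the 1.1.1.1 case from the thread.
SPOOFED_PROBE = Packet("WAN", "1.1.1.1", "198.51.100.1", 23, frozenset({"syn"}))


def as_posted() -> RawCapture:
    """The rule exactly as it is written in the thread: no flag restriction."""
    return RawCapture(ports=PROBE_PORTS)


def syn_only() -> RawCapture:
    """Same rule with tcp-flags=syn,!ack added (my suggestion, not from the
    thread): only packets that open a connection can be captured, so replies
    to the LAN's own connections can no longer list the remote server."""
    return RawCapture(ports=PROBE_PORTS, require_flags=frozenset({"syn"}),
                      forbid_flags=frozenset({"ack"}))


def syn_only_with_whitelist() -> RawCapture:
    """syn_only() behind mkx's staticWL accept rules, whitelisting 1.1.1.1."""
    rule = syn_only()
    rule.whitelist.add("1.1.1.1")
    return rule


if __name__ == "__main__":
    for name, rule in (("as posted", as_posted()), ("syn,!ack", syn_only()),
                       ("syn,!ack + staticWL", syn_only_with_whitelist())):
        for pkt in (REPLY_TO_LAN_HOST, TELNET_PROBE, SPOOFED_PROBE):
            print(f"{name:22} {pkt.src:>14}:{pkt.dst_port:<5} -> {rule.process(pkt)}")
        print(f"{name:22} RAWATTACK now holds {sorted(rule.listed)}")
```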

MKX and to the author,
The raw approach should be seamless and easy.

Two things:

  1. the capture rules should be for source addresses coming from the internet: in-interface(-list)=WAN
  2. don’t use any ports that users behind the router (or the router itself) need.

Would that alleviate your concerns @vecernik87 and @mkx?? For example, a stateless rule that has port 80 in it is just plain stupid.
Keep the ports to common ones you don’t use: 20, 21, 22, 139, 8291, etc…

The only thing a person needs in terms of a firewall address list IMHO is a source address list for those WAN IPs authorized to dst-nat into the router.

I think it is more about the particular way of thinking than about how it is implemented:
We assume that port scanners are bad, so we try hard to detect them and block them. Now, my way of thinking is this: if you don’t have ports open (which you shouldn’t have), why would you care about port scanners? What does a port scanner do? Nothing :smiley: In both cases (blocked or not blocked), the port scanner will see no response.
Instead of creating clever rules and imitating a very crude IPS which will detect and block attackers, I find it better (in both performance and security terms) to make a simple yet bulletproof firewall.

I’m not sure how I feel yet, but the idea is that if you have a service listening on a non-standard port, the slow moving port scanners (who are doing 21, 25, etc) will eventually find it. So, if you see a port 21 attempt, and you don’t host FTP, well, you can block that IP from doing anything else on your WAN port.

I have 3,000 IP addresses blocked at the moment.
:slight_smile:

I share view of @pcunite … by detecting port scanners I’m trying to protect services which I otherwise offer to internet at large. Which might or might not be effective … if somebody tries to abuse e.g. SMTP service, they will go for it directly and won’t try FTP first …

I’m fully aware this is not typical case for home user for which approach by @vecernik87 is more appropriate (and more router-friendly).

Concur, it’s harder to spot aimed trajectories, but today, which SMTP port? There are several, so you can still raw-list the ones you don’t use!
For the ones you do use, I believe SMTP is only outgoing traffic? Incoming is a different port, correct?

In other words, let’s say my outgoing traffic to the email server of my ISP is on port 25; does that mean returns to my request are on port 25?
All incoming mail traffic I thought comes in on a different port.

So if I raw-list on in-interface=wan I am okay with including ports I only use on outgoing.
So the tricky part is the incoming traffic.
From my basic knowledge an email server doesn’t send data on that port, YYY, until I ping it on port 25 saying feed me!!
Since normally return traffic is allowed in as established when I ask for my email (outgoing and return traffic),
I don’t have to make a separate firewall rule allowing that return traffic back in.
I can however make a capture rule for anybody that is truly originating traffic on that port:
in-interface=wan dest port = yyy capture to badguys list timeout=1 day (the list I drop in raw).

E-mail is a complex beast nowadays. There are a few “post office” protocols (POP3, IMAP, …), each one having some variants (plain text, encrypted; the latter using the original or a dedicated port). But all of them require authentication and are thus unattractive for spammers (not so much for hackers). When you connect to your post office checking for new e-mail, you’re using one of these protocols and not plain SMTP.
Then there’s the matter of sending out e-mail, and there are a few protocol variants as well (plain SMTP over port 25, added authentication and encryption possibly using a different port). Plain SMTP is still widely used for e-mail exchange between ISP (and corporate) servers … with added security checks such as some DNS records etc. It is basically used for “pushing” e-mail to a post office which has no affiliation to the sender and would otherwise not be aware there’s new e-mail to be transferred.
Not many home users run an SMTP service, so this is not their problem … but I do, so I have to deal with it. There are spammers trying to discover insecure SMTP servers which would blindly relay e-mails, and blacklisting might (or more probably might not) help fighting against them …