Hello! I read the port scanners example in the wiki!
I tried and tried but the examples do not work!
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="Port scanners to list " disabled=no
Mikrotik says: no such command address-list-timeout
My version: 2.9.23
What's the matter?
Thank you in advance!
Further to that, in your input chain you can also limit connections to, say, only 5/second or something low like that… Port scanners normally attempt to make high amounts of connections in a very short period of time, so it should be a good way as an additional measure to try and catch/drop them.
4 ;;; port scanners to list
chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w
5 ;;; drop port scan connections
chain=input src-address-list=port scanners action=drop
I use only the following two rules in the input chain and it works great for me.
If you examine them you will find that if anyone is trying to scan my server, from outside and inside, their IPs will be listed in the address list found in the firewall box inside Winbox, and those IPs are then blocked. You can try to use any port scanning program from your test computer and you will see that MT has listed your IP and prevented it from scanning your server. I tested it and the results are excellent.
Note: you can use the following URL to test the security of your server. It is an excellent site for that. http://www.dslreports.com/scan/
When the site opens, click on Probe and see the result, which must be all green.
You have to install Java for the site to work well.
zaher hamiyah
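
What the four values in psd=21,3s,3,1 from the rules above mean, shown as an added example that is not part of any post in this thread and not MikroTik code: a simplified Python model of the matcher, assuming the documented parameter order WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight. The class and function names and the sample traffic are constructed for illustration.

```python
# Simplified model of the psd matcher (an assumption, not RouterOS source code).
from dataclasses import dataclass, field

@dataclass
class PsdRule:                      # fields mirror psd=21,3s,3,1
    weight_threshold: int = 21
    delay_threshold: float = 3.0    # seconds
    low_port_weight: int = 3        # destination ports below 1024
    high_port_weight: int = 1       # destination ports 1024 and above

@dataclass
class _Track:
    last_seen: float
    weight: int = 0
    ports: set = field(default_factory=set)

def detect_scanners(events, rule=PsdRule()):
    """events: (time_s, src_ip, dst_port) tuples for new TCP connections, sorted by time.
    Returns {src_ip: time at which the source first reached the weight threshold}."""
    tracks, flagged = {}, {}
    for ts, src, port in events:
        tr = tracks.get(src)
        # A gap longer than the delay threshold starts a new sequence for this source.
        if tr is None or ts - tr.last_seen > rule.delay_threshold:
            tr = tracks[src] = _Track(last_seen=ts)
        tr.last_seen = ts
        if port in tr.ports:        # only *different* destination ports add weight
            continue
        tr.ports.add(port)
        tr.weight += rule.low_port_weight if port < 1024 else rule.high_port_weight
        if tr.weight >= rule.weight_threshold:
            flagged.setdefault(src, ts)   # the rule would add src to the address list here
    return flagged

def sample_events():
    """Constructed traffic (documentation-range IPs), not captured data."""
    ev = [(i * 0.5, "203.0.113.5", 20 + i) for i in range(10)]       # low-port sweep
    ev += [(i * 0.25, "198.51.100.7", 8000 + i) for i in range(30)]  # high-port sweep
    ev += [(i * 1.0, "192.0.2.10", p) for i, p in enumerate([443, 80, 443, 8080, 443])]
    return sorted(ev)

if __name__ == "__main__":
    for src, ts in detect_scanners(sample_events()).items():
        print(f"{src} would be added to the address list at t={ts:.2f}s")
```

With these values, seven distinct low ports (7 x 3) or twenty-one distinct high ports (21 x 1) in one sequence reach the threshold, while the client that reuses 443, 80 and 8080 stays at weight 7.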