I have an issue with the Mikrotik capturing new activity on the router, and sending it to the proper lists. Can someone please comment on this situation.
I am trying to capture many types of hacking attempts by simply creating a Hacker list, and i have two issues.
- It puts in Whitelist ips into the Hacker Category, so does that mean i should have the Hacker rule above the Whitelist rule, I had to add dont include Whitelist in the source address list.
- If we list several ports either with commas or ranges, it doesnt seem to capture the “Hacker” rule, as i am capturing telnet hackers below using “Black List (Telnet)” . I have highlighted the two rules in question.
When i check the address lists, there is nothing under Hacker and a whole bunch under “Black List (Telnet)”
I changed the port knocking ports for security reasons.
/ip firewall filter
add action=passthrough chain=forward comment=
“special dummy rule to allow fasttrack counters”
add action=accept chain=forward comment=Whitelist connection-state=“”
log-prefix=Whitelist src-address-list=Whitelist
add action=accept chain=input comment=Whitelist connection-state=“”
src-address-list=Whitelist
add action=add-src-to-address-list address-list=Temporary
address-list-timeout=30s chain=input comment=“Port Knocking” dst-port=
41690 protocol=tcp
add action=add-src-to-address-list address-list=Whitelist
address-list-timeout=1h chain=input dst-port=16907 protocol=tcp
src-address-list=Temporary
add action=accept chain=input protocol=tcp src-address-list=Whitelist
add action=drop chain=forward comment=Hacker connection-state=“”
src-address-list=Hacker
add action=drop chain=input comment=Hacker connection-state=“”
src-address-list=Hacker
add action=drop chain=forward comment=“Hacked PC or Virus” connection-state=
“” src-address-list=“Hacked PC or Virus”
add action=drop chain=input comment=“Hacked PC or Virus” connection-state=“”
src-address-list=“Hacked PC or Virus”
add action=drop chain=forward comment=“Black List (Telnet)” connection-state=
“” src-address-list=“Black List (Telnet)”
add action=drop chain=input comment=“Black List (Telnet)” connection-state=“”
src-address-list=“Black List (Telnet)”
add action=jump chain=input comment=Hacker connection-state=“” jump-target=
“Hacker TCP Chain” protocol=tcp src-address-list=Whitelist
add action=add-dst-to-address-list address-list=Hacker address-list-timeout=
none-dynamic chain=“Hacker TCP Chain” connection-state=new dst-port=
21,22,23,24,25,143,8291,64312 protocol=tcp src-address-list=!Whitelist
add action=add-dst-to-address-list address-list=“Hacker Stage 1”
address-list-timeout=30s chain=“Hacker TCP Chain” connection-state=new
disabled=yes dst-port=21,22,23,24,25,143,8291,64312 protocol=tcp
add action=return chain=“Hacker TCP Chain” connection-state=“”
add action=jump chain=forward comment=“Find out if a PC is using unsecure emai
l ports - so we can identify it and run antivirus” connection-state=“”
jump-target=“Hacker TCP Chain” protocol=tcp src-address-list=Whitelist
add action=add-src-to-address-list address-list=“Hacked PC”
address-list-timeout=none-dynamic chain=“Hacker TCP Chain” comment=
“Block Hacked PC - this will also get a complaint from the user”
connection-state=new dst-port=21-25,143,8291,64312 protocol=tcp
src-address-list=“Hacked PC Stage 1”
add action=add-src-to-address-list address-list=“Hacked PC Stage 1”
address-list-timeout=30s chain=“Hacker TCP Chain” comment=“Mail Hack”
connection-state=new dst-port=21-25,143,8291,64312 protocol=tcp
add action=return chain=“Hacker TCP Chain” connection-state=“”
add action=drop chain=forward comment=“Drop Invalid Connections”
connection-state=invalid log-prefix=i
add action=drop chain=input comment=“Drop Invalid Connections”
connection-state=invalid
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=output comment=“Section Break” log-prefix=outbound
out-interface=“Lan Data Network”
add action=accept chain=output comment=“Section Break” log-prefix=
outbound-wan
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=accept chain=forward comment=“default configuration”
connection-state=established
add action=jump chain=input comment=“Jump to TSG SSH Chain” jump-target=
“TSG SSH Chain”
add action=add-src-to-address-list address-list=“Black List (SSH)”
address-list-timeout=none-dynamic chain=“TSG SSH Chain” comment=
“Add intial attempt to SSH Stage 1 to Black List” connection-state=new
dst-port=22 log=yes protocol=tcp
add action=return chain=“TSG SSH Chain” comment=“Return From TSG SSH Chain”
add action=jump chain=input comment=“Jump to TSG Telnet Chain” jump-target=
“TSG Telnet Chain”
add action=add-src-to-address-list address-list=“Black List (Telnet)”
address-list-timeout=none-dynamic chain=“TSG Telnet Chain” comment=
“Add Intial attempt to Telnet Stage 1 to Black List” connection-state=new
dst-port=23 protocol=tcp
add action=return chain=“TSG Telnet Chain” comment=
“Return From TSG Telnet Chain”
add action=jump chain=input comment=“Jump to TSG Winbox Chain” jump-target=
“TSG Winbox Chain”
add action=add-src-to-address-list address-list=“Black List (Winbox)”
address-list-timeout=none-dynamic chain=“TSG Winbox Chain” comment=
“Transfer repeated attempts from Winbox Stage 3 to Black-List”
connection-state=new dst-port=8291 protocol=tcp src-address-list=
“Winbox Stage 3”
add action=add-src-to-address-list address-list=“Winbox Stage 3”
address-list-timeout=1m chain=“TSG Winbox Chain” comment=
“Add succesive attempts to Winbox Stage 3” connection-state=new dst-port=
8291 protocol=tcp src-address-list=“Winbox Stage 2”
add action=add-src-to-address-list address-list=“Winbox Stage 2”
address-list-timeout=1m chain=“TSG Winbox Chain” comment=
“Add succesive attempts to Winbox Stage 2” connection-state=new dst-port=
8291 protocol=tcp src-address-list=“Winbox Stage 1”
add action=add-src-to-address-list address-list=“Winbox Stage 1”
address-list-timeout=1m chain=“TSG Winbox Chain” comment=
“Add Intial attempt to Winbox Stage 1” connection-state=new dst-port=8291
protocol=tcp
add action=return chain=“TSG Winbox Chain” comment=
“Return From TSG Winbox Chain”