Help securing an l2tp/ipsec Ac

Hi,
I have an l2tp/ipsec server which needs to be secured. It is used both for a site-to-site connection and for a road-warrior client.
I started from IntrusDave's blocklist (and his basic firewall) and added a few rules to integrate the l2tp/ipsec VPN and general administration, hoping the whole is as secure as possible. It would be great if one of the more experienced users could take a look at my setup and tell me whether it is ok.

/ip firewall filter

# Drop SMB (tcp/445) aimed at the router itself.
# This only shields RouterOS's own SMB service; hosts behind the router are
# protected by the forward chain (AnyToLAN), not by this input rule.
add chain=input protocol=tcp dst-port=445 connection-state="" action=drop comment="Input - block Wannacry ransomware port 445"
# End


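# Bruteforce prevention (SSH)
# Ladder: every NEW tcp/22 connection walks a source one rung up
# stage1 -> stage2 -> stage3 -> ssh_blacklist. The drop rule must stay first so a
# blacklisted source never re-enters the ladder. The address-list timeouts ARE the
# counting window: with 12h/6h/1h, four new connections inside ~12 hours earns a
# 4w2d blacklist entry.
# Only network.admins can reach tcp/22 at all (router-services chain), so without
# the exemption on the stage1 rule the ladder would lock out exactly the addresses
# that are allowed to log in (four SSH sessions in a working day is normal usage).
# Note: this counts TCP connections, not failed logins, and sources behind a shared
# NAT share a rung.
add action=drop chain=input comment="Input - Bruteforce login prevention(ssh: drop ssh brute forcers)" dst-port=22 log=yes log-prefix="Input - drop ssh bruteforce" protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=4w2d chain=input comment="Input - Bruteforce login prevention(ssh: stage3 to blacklist)" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h chain=input comment="Input - Bruteforce login prevention(ssh: stage2 to stage3)" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=6h chain=input comment="Input - Bruteforce login prevention(ssh: stage1 to stage2)" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
# Admin sources never enter stage1, so they can never be escalated to the blacklist.
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=12h chain=input comment="Input - Bruteforce login prevention(ssh: stage1, network.admins exempt)" connection-state=new dst-port=22 protocol=tcp src-address-list=!network.admins
# Same blacklist also blocks the source from reaching SSH on hosts behind the router.
add action=drop chain=forward comment="Forward - Bruteforce login prevention(ssh: drop ssh brute downstream)" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# End Bruteforce prevention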


# FILTER chain
#####################
# Shared sanity chain, jumped to from both input and forward. An accept here is final
# for the packet (it does not go back to the caller); a packet matched by nothing
# reaches the return at the end of the chain.

# Filter - whitelist first, then blacklisted destinations, then connection state
add chain=Filter dst-address-list=Whitelist connection-state="" action=accept comment="Filter - allow TO whitelist"
# Sources in dynamicBlacklist are already dropped in raw/prerouting; this covers the
# destination side and answers with an ICMP admin-prohibited so LAN clients fail fast.
add chain=Filter dst-address-list=dynamicBlacklist action=reject reject-with=icmp-admin-prohibited comment="Filter - reject TO blacklist"
add chain=Filter connection-state=established,related action=accept comment="Filter - Allow established, related"
add chain=Filter connection-state=invalid action=drop comment="Filter - Drop Invalid packets (No valid current connection)"
# End


# Filter - drop malformed tcp packets
# Flag combinations that never occur in a legitimate TCP exchange (no flags at all,
# FIN+SYN, FIN+RST, FIN without ACK, FIN+URG, SYN+RST, RST+URG), plus port 0 on
# either side for TCP and UDP. These are scanner / fuzzing fingerprints.
add chain=Filter protocol=tcp tcp-flags=!fin,!syn,!rst,!ack action=drop comment="Filter - Invalid TCP flag combo (no flags set)"
add chain=Filter protocol=tcp tcp-flags=fin,syn action=drop comment="Filter - Invalid TCP flag combo (FIN+SYN)"
add chain=Filter protocol=tcp tcp-flags=fin,rst action=drop comment="Filter - Invalid TCP flag combo (FIN+RST)"
add chain=Filter protocol=tcp tcp-flags=fin,!ack action=drop comment="Filter - Invalid TCP flag combo (FIN without ACK)"
add chain=Filter protocol=tcp tcp-flags=fin,urg action=drop comment="Filter - Invalid TCP flag combo (FIN+URG)"
add chain=Filter protocol=tcp tcp-flags=syn,rst action=drop comment="Filter - Invalid TCP flag combo (SYN+RST)"
add chain=Filter protocol=tcp tcp-flags=rst,urg action=drop comment="Filter - Invalid TCP flag combo (RST+URG)"
add chain=Filter protocol=tcp src-port=0 action=drop comment="Filter - Invalid TCP source port (0)"
add chain=Filter protocol=tcp dst-port=0 action=drop comment="Filter - Invalid TCP destination port (0)"
add chain=Filter protocol=udp src-port=0 action=drop comment="Filter - Invalid UDP source port (0)"
add chain=Filter protocol=udp dst-port=0 action=drop comment="Filter - Invalid UDP destination port (0)"
# End

# Hand control back to input/forward for anything the sanity rules did not decide.
add chain=Filter action=return comment="Filter - Return to the chain that jumped"


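# Input chain
####################
# Order matters: the SSH brute-force rules above run first, then the shared Filter
# chain (accepts established/related, drops invalid and malformed TCP), then the
# per-service whitelist in router-services. Everything that falls through is dropped
# on every interface, so any service the router offers to the LAN (DNS, NTP, ...)
# needs its own accept in router-services -- nothing here allows them.
# (A separate invalid-state drop is not needed: the Filter chain already does it.)
add action=jump chain=input comment="Input - Check for bad stuff in \"Filter\" chain" jump-target=Filter
add action=jump chain=input comment="Input - Jump from Any -> Router-services" jump-target=router-services
# Troubleshooting aid only: when enabled it logs every packet about to be dropped.
add action=log chain=input comment="Input - log drops (disabled)" disabled=yes log-prefix=Drop
# Fixed: the exported line read comment=comment="..." which would not import cleanly.
add action=drop chain=input comment="Input - Drop all the rest"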


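# Forward chain
######################
# Shared sanity checks first (established/related accepted, invalid dropped).
add action=jump chain=forward comment="Forward - Check for bad stuff in \"Filter\" chain" jump-target=Filter
# LAN -> Any. in-interface=!ether1 stops a packet arriving on the WAN with a forged
# LAN source address from matching the address-list; LAN, l2tp and every other
# internal interface still match. (ether1 is the WAN interface, as in router-services.)
add action=accept chain=forward comment="LAN -> Any" in-interface=!ether1 src-address-list=LAN
add action=jump chain=forward comment="Any -> LAN" dst-address-list=LAN jump-target=AnyToLAN
# Anything else entering from the WAN is dropped. Without this the chain ended in the
# default accept, so unsolicited WAN traffic to any non-LAN destination (the VPN pools,
# the OSPF transit net) would have been forwarded. Decrypted L2TP traffic arrives on the
# l2tp interface, not on ether1, so it is unaffected; a dst-nat port-forward would need
# its own accept above this line.
add action=drop chain=forward comment="Forward - Drop unsolicited traffic from WAN" in-interface=ether1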


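# router-services chain
##############################
# Reached from input after the Filter chain. Anything not accepted here falls back to
# input's final drop; the explicit drop at the end exists only to log WAN noise.
add action=accept chain=router-services comment=OSPF protocol=ospf src-address-list=OSPF_Peers
# ICMP is accepted from everywhere without a rate limit; add limit=... if WAN ping
# floods turn out to matter.
add action=accept chain=router-services comment=ICMP protocol=icmp
# MNDP neighbor discovery and MAC-Winbox are LAN management helpers. The original rule
# answered them on the WAN as well, letting anyone on ether1 identify the router by
# discovery; keep them off the WAN (and consider disabling discovery on ether1 under
# /ip neighbor discovery-settings as well).
add action=accept chain=router-services comment="Mikrotik Discovery, MAC Winbox (not on WAN)" dst-port=5678,20561 in-interface=!ether1 protocol=udp
add action=accept chain=router-services comment=Winbox dst-port=8291 protocol=tcp src-address-list=network.admins
# Port 80 is plain HTTP: credentials travel in clear even from admin addresses.
# Prefer www-ssl (or disable the www service) if the web UI is needed at all.
add action=accept chain=router-services comment="SSH, HTTP" dst-port=22,80 protocol=tcp src-address-list=network.admins
# L2TP/IPsec: IKE on udp/500, NAT-T on udp/4500 and ESP come in on the WAN; the
# ipsec-policy matcher then accepts the decrypted packets (udp/1701 L2TP), which is
# why no explicit 1701 rule is needed -- and why plaintext 1701 from the WAN stays blocked.
add action=accept chain=router-services comment=ESP in-interface=ether1 protocol=ipsec-esp
add action=accept chain=router-services comment="UDP 500,4500" dst-port=500,4500 in-interface=ether1 protocol=udp
add action=accept chain=router-services comment="ipsec policy matcher" in-interface=ether1 ipsec-policy=in,ipsec
# Logged WAN drop. A prefix keeps these entries apart from the SSH brute-force log;
# expect real volume here on a public address.
add action=drop chain=router-services comment="drop all" in-interface=ether1 log=yes log-prefix="Input - drop WAN"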


# AnyToLAN chain
#######################
# Entered from forward for anything addressed to a LAN prefix. Established/related
# traffic was already accepted in Filter, so only new inbound connections get here:
# sources in VPNtoLAN may open them, everything else is (optionally logged and) dropped.
add chain=AnyToLAN src-address-list=VPNtoLAN action=accept comment="Accept from VPNtoLAN"
add chain=AnyToLAN action=log disabled=yes comment="AnyToLAN - log drops (disabled)"
add chain=AnyToLAN action=drop comment="AnyToLAN - drop all the rest"


# RAW firewall
##############
# Blacklisted sources are discarded in prerouting, before connection tracking and
# before any filter chain sees them. The Filter chain's reject covers the other
# direction (traffic TO a blacklisted address).
/ip firewall raw
add chain=prerouting src-address-list=dynamicBlacklist action=drop comment="Drop connections from Blacklisted addresses"


# Address lists
###############
# Static members only; ssh_stage* and ssh_blacklist are filled dynamically by the
# filter rules. Whitelist is referenced by the Filter chain but has no entry here --
# either it is populated elsewhere or that rule is currently a no-op.
/ip firewall address-list
# OSPF neighbours allowed to talk OSPF to the router
add list=OSPF_Peers address=10.255.255.0/24
# Local networks: may open connections anywhere (LAN -> Any in forward)
add list=LAN address=10.10.0.0/24
add list=LAN address=192.168.1.0/24
# Sources allowed to reach Winbox / SSH / HTTP on the router: the whole 10.10.0.0/24
# LAN plus 10.255.250.0/24 (presumably a VPN pool, since it is also in VPNtoLAN)
add list=network.admins address=10.10.0.0/24
add list=network.admins address=10.255.250.0/24
# Sources allowed to open new connections into the LAN (AnyToLAN chain).
# 10.10.0.0/24 is itself in LAN and is accepted earlier by LAN -> Any, so that
# entry is redundant here.
add list=VPNtoLAN address=10.10.0.0/24
add list=VPNtoLAN address=10.255.254.0/24
add list=VPNtoLAN address=10.255.253.0/24
add list=VPNtoLAN address=10.255.250.0/24
# Static seed of the dynamic blacklist (presumably maintained by the blocklist script
# mentioned in the post)
add list=dynamicBlacklist address=1.2.172.71 comment="blocklist"

Hi, settecplus. Your configuration is mostly right, but I suggest a couple of additional revisions:
-change the standard ports 22, 80, 443 and 8291 to something unusual like 45967, and so on (this only reduces scanner noise and log volume; the src-address-list restriction on those rules remains the real control, so keep it).
-use https instead of http (or disable the www service entirely if the web UI is not needed).
-extend the "brute-force prevention" chain to cover the Winbox port (8291) as well as ssh.
-change the MAC address on the WAN interface so it does not look like MikroTik hardware (note: this only affects what an on-link neighbour can read from the OUI; it does nothing against scanners that fingerprint the exposed services).
-maybe that post could be useful for you http://forum.mikrotik.com/t/securing-l2tp-ipsec-server-connection/53523/1