irghost
Member Candidate
Topic Author
Posts: 281
Joined: Sun Feb 21, 2016 1:49 pm

Block inComing and OutGoing PortScan

Thu Jun 23, 2016 10:11 am

hi guys
All of my clients connected to the MikroTik (as gateway) have a valid IP address.
I want to block incoming and outgoing port scans.
I have to drop them in the forward chain, right?
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
BartoszP
Forum Guru
Posts: 1718
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block inComing and OutGoing PortScan

Thu Jun 23, 2016 10:32 am

You need to specify which traffic you want to filter.
Incoming from WAN? Originating from LAN going to WAN? Scanning your users' IPs by your users?
Real admins use real keyboards.
 
irghost
Member Candidate
Topic Author
Posts: 281
Joined: Sun Feb 21, 2016 1:49 pm

Re: Block inComing and OutGoing PortScan

Thu Jun 23, 2016 2:10 pm

I have a router which has 2 interfaces (both with valid IP addresses: ether1 connected to the internet,
ether2 connected to virtual machines). This router is the default gateway for my virtual machines (on VMware ESXi).
All of the virtual machines have valid IP addresses assigned by the DHCP server (on the MikroTik).
I need to block both incoming and outgoing,
so no one can scan my virtual machines and none of my virtual machines can scan any IP.
Is it clear?
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
irghost
Member Candidate
Topic Author
Posts: 281
Joined: Sun Feb 21, 2016 1:49 pm

Re: Block inComing and OutGoing PortScan

Fri Jun 24, 2016 8:42 pm

BartoszP wrote:
You need to specify which traffic you want to filter.
Incoming from WAN? Originating from LAN going to WAN? Scanning your users' IPs by your users?
UP UP UP UP
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Block inComing and OutGoing PortScan

Fri Jun 24, 2016 9:45 pm

You could use the PSD feature of firewall filter rules.

According to the Wiki entry:

PSD - Attempts to detect TCP and UDP scans. Parameters are in following format 
  • WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
  • DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
  • LowPortWeight - weight of the packets with privileged (<=1024) destination port
  • HighPortWeight - weight of the packet with non-privileged destination port
What this means is that for every packet that arrives at a new port, it will add some value to a "score" for each IP source. This score is increased by the "LowPortWeight" if the port is a privileged port (like 25, 22, 80, 443, etc) and by the HighPortWeight for all other ports. DelayThreshold states how long this "score" is kept, so if a request comes in for a privileged port, and the LowPortWeight is 3 (default) then the score goes up by three, for 'threshold' seconds. (defaults to 3 seconds). If the IP source's total score is below "WeightThreshold" then the match returns true, else returns false.

You have to also set the rule to match TCP or UDP in order for this option to be available on the rule.
So to implement this, your forward chain should have some rules near the end like this:
/ip firewall filter
add chain=forward protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=blacklist address-list-timeout=1d log=yes log-prefix="tcp port scan detected"
add chain=forward protocol=udp psd=21,3s,3,1 action=add-src-to-address-list address-list=blacklist address-list-timeout=1d log=yes log-prefix="udp port scan detected"

And of course somewhere early in the filter chain, there should be a rule which drops packets with src-address-list=blacklist

EDIT: Note that you may want to have a different action for the "outgoing" connections than to blacklist them - or maybe you do want to blacklist them.... but the main thing to note is that the given rules apply to ALL forwarded traffic, regardless of direction, so if you want to narrow the scope of this port scan detection (that's what PSD stands for) then you can also specify in-interface, out-interface, src-address-list=!whitelist , etc.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
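To make the PSD parameters concrete, here is an added example (not from this thread and not MikroTik's code) that models the scoring described above and runs it over a few constructed packet records. It uses the corrected semantics from the later post in this thread: the rule matches once a source's accumulated weight reaches WeightThreshold. The per-host bookkeeping (a gap longer than DelayThreshold ends the sequence and resets the score; a repeated destination port adds nothing) is an assumption about how the documented parameters combine, not RouterOS's actual implementation, and the addresses are documentation ranges.

```python
"""Model of RouterOS firewall psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.

Added example; the state tracking is an assumption, not RouterOS's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PsdParams:
    """The four psd= parameters; defaults are the thread's psd=21,3s,3,1."""
    weight_threshold: int = 21
    delay_threshold: float = 3.0  # seconds between counted packets
    low_port_weight: int = 3      # destination port <= 1024 (privileged)
    high_port_weight: int = 1     # destination port > 1024


@dataclass
class HostState:
    score: int = 0
    last_seen: float = 0.0
    ports: Set[int] = field(default_factory=set)


class PsdDetector:
    """One score per source address, as the post describes."""

    def __init__(self, params: Optional[PsdParams] = None):
        self.params = params or PsdParams()
        self.hosts: Dict[str, HostState] = {}

    def observe(self, ts: float, src: str, dport: int) -> bool:
        """Feed one packet; return True if the PSD match fires on it."""
        p = self.params
        st = self.hosts.setdefault(src, HostState())
        # Assumption: a gap longer than DelayThreshold since the last counted
        # packet ends the scan sequence, so the score starts over.
        if st.ports and ts - st.last_seen > p.delay_threshold:
            st.score, st.ports = 0, set()
        st.last_seen = ts
        # Only a packet to a port not yet seen in this sequence adds weight.
        if dport in st.ports:
            return False
        st.ports.add(dport)
        st.score += p.low_port_weight if dport <= 1024 else p.high_port_weight
        return st.score >= p.weight_threshold


def first_matches(packets: List[Tuple[float, str, int]],
                  params: Optional[PsdParams] = None) -> Dict[str, Tuple[float, int]]:
    """Return {src: (ts, dport)} for the first packet at which PSD fired per source."""
    det = PsdDetector(params)
    hits: Dict[str, Tuple[float, int]] = {}
    for ts, src, dport in sorted(packets):
        if src not in hits and det.observe(ts, src, dport):
            hits[src] = (ts, dport)
    return hits


# Constructed traffic, as (timestamp_seconds, src_address, dst_port).
SAMPLE_PACKETS: List[Tuple[float, str, int]] = (
    # one host touching eight privileged ports 100 ms apart
    [(i / 10, "203.0.113.5", p) for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    # an ordinary client: a few ports, seconds apart
    + [(0.2, "198.51.100.7", 443), (5.0, "198.51.100.7", 80), (12.0, "198.51.100.7", 8080)]
    # the same eight-port sweep, but one port every 4 s (longer than DelayThreshold)
    + [(4.0 * i, "192.0.2.9", p) for i, p in enumerate([22, 23, 25, 80, 110, 143, 443, 3389])]
)


def run_sample() -> Dict[str, Tuple[float, int]]:
    """Run the default psd=21,3s,3,1 over the constructed packets."""
    return first_matches(SAMPLE_PACKETS)


if __name__ == "__main__":
    for src, (ts, dport) in run_sample().items():
        print(f"{src}: PSD fired at t={ts}s on dst port {dport}")
```

With the defaults, the fast host reaches a weight of 21 on its seventh privileged port (7 x 3) and would be added to the address list there; the ordinary client never does, and neither does the 4-second sweep, because every gap exceeds DelayThreshold and resets the score. That last case is the main caveat of PSD as a control: it only sees bursts, and a busy legitimate host talking to many ports of one peer can cross the threshold just as easily, which is why narrowing the rule with interfaces or a src-address-list=!whitelist, as suggested above, matters.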
 
irghost
Member Candidate
Topic Author
Posts: 281
Joined: Sun Feb 21, 2016 1:49 pm

Re: Block inComing and OutGoing PortScan

Sat Jun 25, 2016 12:04 am

Thanks, but I know I must use PSD.

Here is my rule:
/ip firewall filter

add action=add-dst-to-address-list address-list=PortScan address-list-timeout=\
    12h chain=forward comment="OutGoing PortScan" \
    connection-nat-state=srcnat out-interface=all-ethernet protocol=tcp psd=\
    21,3s,3,1
add action=add-dst-to-address-list address-list=PortScan address-list-timeout=\
    12h chain=forward comment="OutGoing PortScan" \
    connection-nat-state=srcnat out-interface=all-ethernet protocol=udp psd=\
    21,3s,3,1

add action=drop chain=forward comment="Drop Out Going PortScan" \
    connection-nat-state=srcnat dst-address-list=PortScan out-interface=\
    all-ethernet protocol=tcp
add action=drop chain=forward comment="Drop Out Going PortScan" \
    connection-nat-state=srcnat dst-address-list=PortScan out-interface=\
    all-ethernet protocol=udp


add action=add-src-to-address-list address-list=inComing-PortScan \
    address-list-timeout=12h chain=forward comment=AddressList-inComing-PortScan \
    connection-nat-state=dstnat in-interface=all-ethernet protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list=inComing-PortScan \
    address-list-timeout=12h chain=forward comment=AddressList-inComing-PortScan \
    connection-nat-state=dstnat in-interface=all-ethernet protocol=udp psd=\
    21,3s,3,1

add action=drop chain=forward comment=Drop-inComing-PortScan \
    connection-nat-state=dstnat in-interface=all-ethernet protocol=tcp \
    src-address-list=inComing-PortScan
add action=drop chain=forward comment=Drop-inComing-PortScan \
    connection-nat-state=dstnat in-interface=all-ethernet protocol=udp \
    src-address-list=inComing-PortScan
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Block inComing and OutGoing PortScan

Sat Jun 25, 2016 12:32 am

First question - you said multiple times that all hosts have "valid IP."
What does this mean? 192.168.39.147 is a valid IP....
I had assumed that you meant that all hosts have PUBLIC (globally routed) IP addresses - was this wrong? Your rules all reference nat states.

Secondly, it's redundant to specify interface=all-ethernet in the forwarding chain unless you also have tunnel interfaces, vpn interfaces, pppoe interfaces, etc... Your original post makes it sound like your router is a simple lan/wan setup, so I'd say that you don't need these criteria.

So do your rules work for you?

(note - I edited my last post to correct my suggested rules because I had the logic for PSD backwards - it returns false unless the threshold is exceeded)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
irghost
Member Candidate
Topic Author
Posts: 281
Joined: Sun Feb 21, 2016 1:49 pm

Re: Block inComing and OutGoing PortScan

Sat Jun 25, 2016 1:11 am

ZeroByte wrote:
First question - you said multiple times that all hosts have "valid IP."
What does this mean? 192.168.39.147 is a valid IP....
I had assumed that you meant that all hosts have PUBLIC (globally routed) IP addresses - was this wrong? Your rules all reference nat states.

Secondly, it's redundant to specify interface=all-ethernet in the forwarding chain unless you also have tunnel interfaces, vpn interfaces, pppoe interfaces, etc... Your original post makes it sound like your router is a simple lan/wan setup, so I'd say that you don't need these criteria.

So do your rules work for you?

(note - I edited my last post to correct my suggested rules because I had the logic for PSD backwards - it returns false unless the threshold is exceeded)
All of the clients have public IPs,
so they can be victims of a port scan (incoming port scan) (in this case I want to block the src IP)
or
they can port scan other IPs (xxx.xxx.xxx.xxx) (outgoing port scan) (in this case I want to drop all packets whose dst address = xxx.xxx.xxx.xxx).

ether1 = connected to the internet
ether2 = connected to the clients
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
irghost
Member Candidate
Topic Author
Posts: 281
Joined: Sun Feb 21, 2016 1:49 pm

Re: Block inComing and OutGoing PortScan

Sat Jun 25, 2016 1:22 am

add action=add-dst-to-address-list address-list=PortScan address-list-timeout=\
    12h chain=forward comment="OutGoing PortScan" in-interface=ether2 \
    out-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-dst-to-address-list address-list=PortScan address-list-timeout=\
    12h chain=forward comment="OutGoing PortScan" in-interface=ether2 \
    out-interface=ether1 protocol=udp psd=21,3s,3,1
add action=drop chain=forward comment="Drop Out Going PortScan" \
    dst-address-list=PortScan in-interface=ether2 out-interface=ether1 \
    protocol=tcp
add action=drop chain=forward comment="Drop Out Going PortScan" \
    dst-address-list=PortScan in-interface=ether2 out-interface=ether1 \
    protocol=udp
add action=add-src-to-address-list address-list=inComing-PortScan \
    address-list-timeout=12h chain=forward comment=AddressList-inComing-PortScan \
    in-interface=ether1 out-interface=ether2 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=inComing-PortScan \
    address-list-timeout=12h chain=forward comment=AddressList-inComing-PortScan \
    in-interface=ether1 out-interface=ether2 protocol=udp psd=21,3s,3,1
add action=drop chain=forward comment=Drop-inComing-PortScan in-interface=\
    ether1 out-interface=ether2 protocol=tcp src-address-list=inComing-PortScan
add action=drop chain=forward comment=Drop-inComing-PortScan in-interface=\
    ether1 out-interface=ether2 protocol=udp src-address-list=inComing-PortScan

NAT state removed.
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
SystemErrorMessage
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: Block inComing and OutGoing PortScan

Sat Jun 25, 2016 7:39 pm

One simple way that doesn't involve complicated understanding is to use a simple blacklist: if at random there is an input from WAN, add it to the blacklist and block it at the input and forward chains. This should disable all sorts of incoming prods.
 
BartoszP
Forum Guru
Posts: 1718
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block inComing and OutGoing PortScan

Sat Jun 25, 2016 8:02 pm

Real admins use real keyboards.
