AminGN
just joined
Topic Author
Posts: 4
Joined: Mon Nov 21, 2016 4:49 am

How To Stop Attack to Server And Control User internet Usage

Mon Nov 21, 2016 5:16 am

Hello everybody,
We have a PC as a server with Windows Server 2012 as Domain Controller, DNS and DHCP, like the map below.
[image]
I have these problems:
1. The DNS, in the network section of Resource Monitor, sends (uploads) a lot of data to unknown IPs and my internet traffic finishes quickly. I can stop this by blocking public DNS connections in the antivirus firewall.
2. The lsass.exe program, in the network section of Resource Monitor, sends (uploads) a lot of data to unknown IPs and my internet traffic finishes quickly.
[image]
3. I want to control my clients' (users') internet usage by IP or MAC (for example in an address list in the MikroTik firewall), like the map below.
[image]

What basic wireless MikroTik model is necessary? Can anyone help me configure it step by step and write the codes?
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: How To Stop Attack to Server And Control User internet Usage

Mon Nov 21, 2016 9:34 am

Your problem is not quite clear. You have to know what unwanted data are going out and why. Then remove the reason and implement the corresponding firewall rules. Regarding the device selection: all MikroTik devices work the same, as they share the same operating system. So choose by physical configuration and performance data to fit your needs.
 
AminGN
just joined
Topic Author
Posts: 4
Joined: Mon Nov 21, 2016 4:49 am

Re: How To Stop Attack to Server And Control User internet Usage

Mon Nov 21, 2016 10:54 am

Your problem is not quite clear. You have to know what unwanted data are going out and why. Then remove the reason and implement the corresponding firewall rules. Regarding the device selection: all MikroTik devices work the same, as they share the same operating system. So choose by physical configuration and performance data to fit your needs.
Thank you for the response. How should I know what data are going out? I googled lsass.exe; that is the "Local Security Authority Subsystem Service", and I guess it is because of the remote desktop connection that I use to remote into the server. And I guess the other reason, following the first map, is that the internet is directly connected to the server, so could it be a brute-force attack? I just want to make my network security better, like changing the default port, ... but I don't know how. So what's your suggestion?
 
asghari
Trainer
Posts: 41
Joined: Thu Feb 07, 2013 4:49 pm

Re: How To Stop Attack to Server And Control User internet Usage

Mon Nov 21, 2016 1:39 pm

I think you have a DNS attack on your router.
Please describe your network problem in more detail.
Monitor real-time traffic with the torch tool.
I am sending some security rules that protect your router.
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=ps comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=ps comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=ps comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=ps comment="FIN/PSH/URG scan" protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=ps comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=ps comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=ps comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=\
tcp
add action=drop chain=virus comment=cache dst-port=47585 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
65506 protocol=tcp
add action=drop chain=virus comment="Deny all p2p" p2p=all-p2p
add action=drop chain=input src-address-list="port scanners"
add action=jump chain=input jump-target=ps
add action=jump chain=input jump-target=virus
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist

add action=drop chain=input comment="DNS ATTACK" dst-port=53 in-interface=\
ether1-EXT protocol=udp
add action=drop chain=input comment="DNS ATTACK" dst-port=53 in-interface=\
ether1-EXT protocol=tcp
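To show how the staged ssh_stage1 / ssh_stage2 / ssh_stage3 / ssh_blacklist rules above behave, here is an added Python model; it is not RouterOS code and not from the post. It assumes that add-src-to-address-list is a passthrough action (evaluation continues with the next rule), that rules are checked top-down for the first packet of every new TCP/22 connection, and it also shows what happens if the four add rules are listed in the opposite order.

```python
"""Constructed model of the staged SSH brute-force address lists (assumption:
add-src-to-address-list is passthrough, rules are evaluated top-down)."""
from dataclasses import dataclass, field

# (list the source must already be in, list it is added to, timeout in seconds)
POSTED_ORDER = [
    ("ssh_stage3", "ssh_blacklist", 10 * 86400),  # address-list-timeout=1w3d
    ("ssh_stage2", "ssh_stage3", 60),             # address-list-timeout=1m
    ("ssh_stage1", "ssh_stage2", 60),
    (None, "ssh_stage1", 60),                     # no src-address-list match
]
REVERSED_ORDER = list(reversed(POSTED_ORDER))     # the misordered variant


@dataclass
class AddressLists:
    # (list name, address) -> absolute expiry time in seconds
    entries: dict = field(default_factory=dict)

    def contains(self, lst, addr, now):
        exp = self.entries.get((lst, addr))
        return exp is not None and exp > now

    def add(self, lst, addr, now, timeout):
        self.entries[(lst, addr)] = now + timeout


def new_ssh_connection(lists, addr, now, rules=POSTED_ORDER):
    """Verdict for the first packet of one new connection; updates the lists."""
    if lists.contains("ssh_blacklist", addr, now):
        return "drop"          # "drop ssh brute forcers" sits above the add rules
    for match_list, add_list, timeout in rules:
        if match_list is None or lists.contains(match_list, addr, now):
            lists.add(add_list, addr, now, timeout)
            # passthrough: the remaining rules are still evaluated
    return "accept"


def simulate(events, rules=POSTED_ORDER):
    """events: list of (time_in_seconds, source_address) -> list of verdicts."""
    lists = AddressLists()
    return [new_ssh_connection(lists, addr, t, rules) for t, addr in events]


if __name__ == "__main__":
    burst = [(t, "198.51.100.7") for t in range(5)]   # 5 connections in 5 s
    print("posted order  :", simulate(burst))
    print("reversed order:", simulate(burst, REVERSED_ORDER))
```

With the posted order a source is blacklisted after its fourth new connection inside the 1-minute stage windows (every later packet on port 22 is dropped by the blacklist rule), while the reversed order walks the source through all four lists on its very first connection and locks it out immediately.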
 
AminGN
just joined
Topic Author
Posts: 4
Joined: Mon Nov 21, 2016 4:49 am

Re: How To Stop Attack to Server And Control User internet Usage

Mon Nov 21, 2016 2:29 pm

I think you have a DNS attack on your router.
Please describe your network problem in more detail.
Monitor real-time traffic with the torch tool.
I am sending some security rules that protect your router.
I don't have a MikroTik router yet. What model do you suggest for the second map of my first post?
 
asghari
Trainer
Posts: 41
Joined: Thu Feb 07, 2013 4:49 pm

Re: How To Stop Attack to Server And Control User internet Usage

Mon Nov 21, 2016 2:42 pm

I think you can use a MikroTik SOHO RouterBOARD like the RB951G-2HnD (recommended: bridge the DSL modem and register the PPPoE connection on the RouterBOARD).
For traffic management I suggest running the hotspot or any PPP server (a VPN server such as PPTP, L2TP and ..., best is hotspot).
But for the best device selection we must know some important items, such as the traffic throughput on the router and user usage.
 
karlisi
Member
Posts: 437
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: How To Stop Attack to Server And Control User internet Usage

Mon Nov 21, 2016 4:45 pm

Make sure that in the server's network settings there are only internal DNS server IP addresses. The AD DC should not know about any external DNS servers. To access Internet resources, forwarders should be configured on the DNS server.
 
AminGN
just joined
Topic Author
Posts: 4
Joined: Mon Nov 21, 2016 4:49 am

Re: How To Stop Attack to Server And Control User internet Usage

Tue Nov 22, 2016 11:02 am

I think you can use a MikroTik SOHO RouterBOARD like the RB951G-2HnD (recommended: bridge the DSL modem and register the PPPoE connection on the RouterBOARD).
For traffic management I suggest running the hotspot or any PPP server (a VPN server such as PPTP, L2TP and ..., best is hotspot).
But for the best device selection we must know some important items, such as the traffic throughput on the router and user usage.
May I contact you directly? Please send me an email: aminamini766@gmail.com
 
asghari
Trainer
Posts: 41
Joined: Thu Feb 07, 2013 4:49 pm

Re: How To Stop Attack to Server And Control User internet Usage

Tue Nov 22, 2016 12:44 pm

You can talk with me on Skype.
Hasan.asghari@hotmail.com
