Hi there,
I'm trying to secure my RB, and I would be very grateful if someone could look at the following rules and tell me if these are OK, or if I need more to secure it.
Thanks:
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; log invalid connections
     chain=input action=log connection-state=invalid log-prefix="INVALID"
 1 X ;;; ICMP Accept
     chain=input action=accept protocol=icmp
 2   ;;; accept established connections
     chain=input action=accept connection-state=established
 3   ;;; accept related connections
     chain=input action=accept connection-state=related
 4   ;;; accept hosts from lan
     chain=input action=accept src-address-list=lan_list
 5   ;;; accept hosts from trusted list
     chain=input action=accept src-address-list=trusted_list
 6   ;;; port knock stage 1
     chain=input action=add-src-to-address-list protocol=tcp
     address-list=knock_list address-list-timeout=15s dst-port=60000
 7   ;;; port knock stage 2
     chain=input action=add-src-to-address-list protocol=tcp
     src-address-list=knock_list address-list=trusted_list
     address-list-timeout=15m dst-port=40000
 8   ;;; Drop FTP Brute Forcers
     chain=input action=drop protocol=tcp src-address-list=ftp_blacklist
     dst-port=21
 9   chain=output action=accept protocol=tcp content=530 Login incorrect
     dst-limit=1/1m,9,dst-address/2m
10   chain=output action=add-dst-to-address-list protocol=tcp
     address-list=ftp_blacklist address-list-timeout=3h
     content=530 Login incorrect
11   ;;; Drop SSH Brute Forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
     dst-port=22
12   chain=input action=add-src-to-address-list connection-state=new
     protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3
     address-list-timeout=1m dst-port=22
13   chain=input action=add-src-to-address-list connection-state=new
     protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2
     address-list-timeout=1m dst-port=22
14   chain=input action=add-src-to-address-list connection-state=new
     protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
15   chain=input action=add-src-to-address-list connection-state=new
     protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist
     address-list-timeout=1w3d dst-port=22
16   ;;; drop invalid connections
     chain=input action=drop connection-state=invalid
17   ;;; drop everything else
     chain=input action=drop
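To see what the staged ssh_stage1/2/3 rules do in the order they are printed above, here is an added simulation of rules 11 to 15 and 17 (example code, not from the post and not RouterOS itself). It assumes the documented passthrough behaviour of add-src-to-address-list, assumes that a list entry added by one rule is visible to the rules after it for the same packet, and uses a constructed source address.

```python
# Constructed model of rules 11-15 and 17 for a connection-state=new tcp/22
# packet. Assumes add-src-to-address-list is passthrough and that a list entry
# added by one rule is visible to later rules for the same packet. Times in s.
from dataclasses import dataclass, field


@dataclass
class AddressLists:
    entries: dict = field(default_factory=dict)  # (list_name, src) -> expiry

    def has(self, name, src, now):
        return self.entries.get((name, src), -1) > now

    def add(self, name, src, now, timeout):
        self.entries[(name, src)] = now + timeout


# ("drop", required_src_list) or ("add", required_src_list, target_list, timeout)
RULES_AS_POSTED = [
    ("drop", "ssh_blacklist"),                          # rule 11
    ("add", "ssh_stage2", "ssh_stage3", 60),            # rule 12
    ("add", "ssh_stage1", "ssh_stage2", 60),            # rule 13
    ("add", None, "ssh_stage1", 60),                    # rule 14
    ("add", "ssh_stage3", "ssh_blacklist", 10 * 86400), # rule 15 (1w3d)
    ("drop", None),                                     # rule 17
]
# Same rules, with the promotion to ssh_blacklist moved up to follow the drop.
RULES_BLACKLIST_FIRST = ([RULES_AS_POSTED[0], RULES_AS_POSTED[4]]
                         + RULES_AS_POSTED[1:4] + [RULES_AS_POSTED[5]])


def new_ssh_connection(rules, lists, src, now):
    """Walk one new tcp/22 packet through the rules and return the verdict."""
    for rule in rules:
        if rule[0] == "drop":
            if rule[1] is None or lists.has(rule[1], src, now):
                return "drop"
        else:
            _, cond, target, timeout = rule
            if cond is None or lists.has(cond, src, now):
                lists.add(target, src, now, timeout)
    return "accept"  # not reached with these rules: rule 17 drops the rest


def attempts_until_blacklisted(rules, interval=10, limit=10):
    """New connections (one every `interval` s) before the source is in
    ssh_blacklist; None if the 1m stage timeouts expire first."""
    lists, src = AddressLists(), "203.0.113.5"  # constructed sample source
    for n in range(1, limit + 1):
        now = (n - 1) * interval
        new_ssh_connection(rules, lists, src, now)
        if lists.has("ssh_blacklist", src, now):
            return n
    return None
```

Under those assumptions the posted order puts a source in ssh_blacklist on its third new connection and the blacklist-first order on its fourth, while attempts spaced further apart than the 1m stage timeout never progress past ssh_stage1. In both orders every such connection is dropped by rule 17 anyway, since no earlier rule accepts tcp/22 from a source outside lan_list or trusted_list.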