dolomite792
just joined
Topic Author
Posts: 17
Joined: Fri Oct 16, 2009 11:49 am

Port Scan Blocking Firewall Rule not Working

Wed Jul 30, 2014 7:38 am

Good Evening Everyone

I have just implemented the rules found here:

http://wiki.mikrotik.com/wiki/Drop_port_scanners

I then use nmap to do a full scan of my ports from an outside network and sadly I was able to scan everything. All of the rules were easy to add except for the first one:

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

For some reason the terminal didn't like the comment being before the disabled=no entry, so I switched it around and it took the rule fine.

However, the most important part is that this isn't working at all. I am able to easily scan all ports using a SYN stealth scan.

Any assistance would be greatly appreciated.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Scan Blocking Firewall Rule not Working

Wed Jul 30, 2014 11:06 pm

Are you scanning the routerboard or other devices?

The link you posted is only for detecting scans of the device you put this rule on (assuming everything is configured right).
 
dolomite792
just joined
Topic Author
Posts: 17
Joined: Fri Oct 16, 2009 11:49 am

Re: Port Scan Blocking Firewall Rule not Working

Wed Jul 30, 2014 11:51 pm

Thank you for the reply

So I am wondering, are these rules supposed to stop WAN-side port scans? The description on that page says this:

"To protect the Router from port scanners, we can record the IPs of hackers who try to scan your box. Using this address list we can drop connection from those IP"

I copied these rules directly using the terminal and they are present on the firewall rules. Then I tested the router by scanning it with nmap from an outside network. The internal network port scanning rules are working quite well and do block any internal port scans. So should the chain be set to input or forward?

Is there anything else that you could recommend?

Please and thank you
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port Scan Blocking Firewall Rule not Working

Thu Jul 31, 2014 12:05 am

I recommend not losing time on it.

When you block port scanners what have you obtained?

First of all read this (and consider adding those rules to the input chain as well):

http://forum.mikrotik.com/viewtopic.php ... 87#p417380

And you will probably block the most used "hack scanners".

Simply discard / tarpit ;) all incoming connections, except the services you want reachable from outside:
/ip firewall filter
add action=tarpit chain=forward connection-state=new in-interface=<WAN-INTERFACE> protocol=tcp
add action=drop chain=forward connection-state=new in-interface=<WAN-INTERFACE> protocol=!tcp
add action=tarpit chain=input connection-state=new in-interface=<WAN-INTERFACE> protocol=tcp
add action=drop chain=input connection-state=new in-interface=<WAN-INTERFACE> protocol=!tcp
Put those rules before all your "accept from outside" rules.
 
dolomite792
just joined
Topic Author
Posts: 17
Joined: Fri Oct 16, 2009 11:49 am

Re: Port Scan Blocking Firewall Rule not Working

Thu Jul 31, 2014 7:30 am

Ah thank you for the reply and interesting information. I added these rules:

/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input connection-state=invalid
add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add action=accept chain=output connection-state=established
add action=accept chain=output connection-state=related
add action=drop chain=output connection-state=invalid

I was still able to port scan without detection using nmap. Blocking all connections except for what I want in and out seems interesting. However, I really want to be able to stop the port scanning. Do you have any other recommendations, or is there something that I may have missed with these rules? Was I supposed to change any of the "0" values for actual ports, or anything of that nature? Please let me know.

Thank you
 
dolomite792
just joined
Topic Author
Posts: 17
Joined: Fri Oct 16, 2009 11:49 am

Re: Port Scan Blocking Firewall Rule not Working

Sat Aug 09, 2014 5:12 am

Any suggestions from anyone?
 
wahidtelco
just joined
Posts: 15
Joined: Mon Mar 02, 2015 9:13 am
Location: Bangladesh

Re: Port Scan Blocking Firewall Rule not Working

Mon Jun 06, 2016 4:35 pm

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

The above rule is not working; when I apply this rule, my router reboots automatically. Why?
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Port Scan Blocking Firewall Rule not Working

Tue Jun 07, 2016 4:53 am

<snip>

Simply discard / tarpit ;) all incoming connections, except the services you want reachable from outside:
/ip firewall filter
add action=tarpit chain=forward connection-state=new in-interface=<WAN-INTERFACE> protocol=tcp
add action=drop chain=forward connection-state=new in-interface=<WAN-INTERFACE> protocol=!tcp
add action=tarpit chain=input connection-state=new in-interface=<WAN-INTERFACE> protocol=tcp
add action=drop chain=input connection-state=new in-interface=<WAN-INTERFACE> protocol=!tcp
Put those rules before all your "accept from outside" rules.

Doesn't that need to be AFTER your "accept from outside" rules? If you put it before, EVERYTHING coming in gets either tarpitted (TCP) or dropped (other than TCP) before it ever gets to your "accept from outside" rules. Or am I missing something?
 
grusu
Member Candidate
Posts: 129
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Port Scan Blocking Firewall Rule not Working

Tue Jun 07, 2016 8:24 am

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

The above rule is not working; when I apply this rule, my router reboots automatically. Why?

The following rule works for me:

add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" connection-limit=0,32 disabled=no limit=0,5:packet log=no log-prefix="" protocol=tcp psd=21,3s,3,1
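The psd=21,3s,3,1 matcher that every rule in this thread relies on is easier to reason about as a per-source weight counter. The Python below is an added example, not code from the thread or from MikroTik: it models the four parameters as the RouterOS documentation describes them (weight threshold, delay threshold, weight for privileged ports, weight for non-privileged ports); the exact reset-on-gap and ">=" comparison semantics are my assumption, and the traffic is constructed.

```python
from dataclasses import dataclass, field

# Thresholds taken from the thread's rule psd=21,3s,3,1
WEIGHT_THRESHOLD = 21   # accumulated weight at which a source is flagged
DELAY_THRESHOLD = 3.0   # seconds; a longer gap between packets starts a new subsequence (assumption)
LOW_PORT_WEIGHT = 3     # packets to privileged destination ports (<= 1024)
HIGH_PORT_WEIGHT = 1    # packets to non-privileged destination ports (> 1024)


@dataclass
class SourceState:
    weight: int = 0
    last_ts: float = 0.0
    seen_ports: set = field(default_factory=set)


def port_weight(dport: int) -> int:
    return LOW_PORT_WEIGHT if dport <= 1024 else HIGH_PORT_WEIGHT


def detect_scanners(packets):
    """packets: iterable of (timestamp_s, src_ip, dst_port) for new TCP packets
    reaching the input chain. Returns the set of sources whose weight reached
    WEIGHT_THRESHOLD, i.e. the hosts the rule would add to the address list."""
    state = {}
    flagged = set()
    for ts, src, dport in packets:
        st = state.setdefault(src, SourceState())
        if ts - st.last_ts > DELAY_THRESHOLD:
            # too long since the previous packet from this host: restart the subsequence
            st.weight, st.seen_ports = 0, set()
        st.last_ts = ts
        if dport in st.seen_ports:
            continue  # repeated connections to the same port add no weight
        st.seen_ports.add(dport)
        st.weight += port_weight(dport)
        if st.weight >= WEIGHT_THRESHOLD:
            flagged.add(src)
    return flagged


# Constructed sample traffic (not a real capture): a fast sweep of seven
# privileged ports from one host, and a client reconnecting to 80/443 from another.
SAMPLE = (
    [(0.1 + i * 0.05, "203.0.113.5", p) for i, p in enumerate([21, 22, 23, 25, 80, 110, 143])]
    + [(1.0 + i * 0.2, "192.0.2.10", 443 if i % 2 else 80) for i in range(30)]
)

if __name__ == "__main__":
    print(detect_scanners(SAMPLE))  # {'203.0.113.5'}: 7 ports x weight 3 = 21
```

Because the rule sits in chain=input, only packets addressed to the router itself ever feed this counter; a scan of hosts behind the router traverses chain=forward and is never seen, which is the point rextended makes above.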
