Fri Jan 25, 2019 11:10 pm
Thanks MKX,
So here is what I would propose...
Tactic 1:
Drop everything in raw prerouting for ports one knows will not be used outbound or inbound by the router or users behind the router or to services behind the router (in-interface WAN).
This will take the load off the CPU to do this in filter rule.
(for example 21, 23, 8291, etc.)
Tactic 2:
Keep everything in raw, and this time simply get the source address for the standard ports hackers routinely attempt to probe (in-interface=WAN)
(21, 22, 23, 53, etc.)
Create a list.
Still in raw, then drop all from those source addresses for 5 days or something.
What is the risk/downside of this approach?
I like your logic, which lends itself to Tactic 2, in that bad guys will not just try the standard ports but perhaps many more or groups, etc., and this method blocks them from all attempts.
A starting list of ports I do not use that could be effective in identifying bad guys and banning for 5 days:
0, 11, 20, 21, 22, 23, 79, 113, 119, 135, 139, 194, 389, 445, 500, 1002, 1025, 1026, 1027, 1028, 1029, 1030, 1720, 5000
I don't expect any unsolicited incoming traffic on ports 25, 53, 80, 110, 143 or 443, but I should probably do these ones in firewall filter as I do not want to catch legitimate return traffic inbound to the WAN. Agreed?
It would look like so (just before the last rule of drop all input):
/ip firewall filter
add action=add-src-to-address-list address-list=DropPortProbes \
address-list-timeout=5d chain=input comment=CaptureInputProbes_tcp \
disabled=yes dst-port=25,53,80,443 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=DropPortProbes \
address-list-timeout=5d chain=input comment=CaptureInputProbes_udp \
disabled=yes dst-port=25,53,80,443 in-interface-list=WAN protocol=udp
/ip firewall raw (PREROUTING)
add action=add-src-to-address-list address-list=DropPortProbes \
address-list-timeout=5d chain=prerouting comment=CaptureUnusedPorts_TCP \
disabled=yes dst-port=0,11,20,21,22,23,79,113,119,135,139,194,389 \
in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=DropPortProbes \
address-list-timeout=5d chain=prerouting comment=CaptureUnusedPorts_TCP2 \
disabled=yes dst-port=445,500,1002,1025,1026,1027,1028,1029,1030,1720,5000 \
in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=DropPortProbes \
address-list-timeout=5d chain=prerouting comment=CaptureUnusedPortsUDP \
disabled=yes dst-port=0,11,20,21,22,23,79,113,119,135,139,194,389 \
in-interface-list=WAN protocol=udp
add action=add-src-to-address-list address-list=DropPortProbes \
address-list-timeout=5d chain=prerouting comment=CaptureUnusedPorts_UDP2 \
disabled=yes dst-port=445,500,1002,1025,1026,1027,1028,1029,1030,1720,5000 \
in-interface-list=WAN protocol=udp
add action=drop chain=prerouting disabled=yes in-interface-list=WAN \
src-address-list=DropPortProbes
As you may have noticed, I didn't have any firewall filter rule capture FORWARD probes on 25, 53, 80, 443, etc.
Should I add those to the mix?
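To make the ordering question in the post concrete, here is an added toy model (not RouterOS code and not from the poster) of the packet path the rules above sit in: raw/prerouting runs stateless before connection tracking, then the input chain runs with conntrack state available. The port lists and the 5-day timeout are the ones from the post; the `accept connection-state=established,related` rule at the top of the input chain is an assumed standard rule the post does not show, and the packets and addresses are constructed. The `capture_before_established` flag is a hypothetical misordering, included only to show why the capture rules belong after that accept.

```python
"""Toy model of raw/prerouting -> conntrack -> filter/input for the
DropPortProbes rules. Added example with constructed packets; the
established/related accept is an assumed rule, not shown in the post."""
from dataclasses import dataclass

# Port sets taken from the posted rules.
RAW_CAPTURE_PORTS = {0, 11, 20, 21, 22, 23, 79, 113, 119, 135, 139, 194, 389,
                     445, 500, 1002, 1025, 1026, 1027, 1028, 1029, 1030, 1720, 5000}
FILTER_CAPTURE_PORTS = {25, 53, 80, 443}
LIST_TIMEOUT = 5 * 24 * 3600          # address-list-timeout=5d, in seconds


@dataclass
class Packet:
    src: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    iface_list: str   # in-interface-list: "WAN" or "LAN"
    state: str        # conntrack state: "new", "established", "related", "invalid"


class AddressList:
    """DropPortProbes: dynamic entries that expire after LIST_TIMEOUT."""
    def __init__(self):
        self._expires = {}

    def add(self, addr, now):
        self._expires[addr] = now + LIST_TIMEOUT   # re-adding refreshes the timer

    def contains(self, addr, now):
        exp = self._expires.get(addr)
        if exp is None:
            return False
        if now >= exp:                              # entry timed out
            del self._expires[addr]
            return False
        return True


def raw_prerouting(pkt, lst, now):
    """Tactic 2 as posted. No conntrack yet, so pkt.state is never consulted.
    add-src-to-address-list is non-terminating: the packet continues to the
    next rule, where the drop on src-address-list catches it."""
    if pkt.iface_list != "WAN":
        return None
    if pkt.proto in ("tcp", "udp") and pkt.dst_port in RAW_CAPTURE_PORTS:
        lst.add(pkt.src, now)
    if lst.contains(pkt.src, now):
        return "drop:raw-listed"
    return None


def filter_input(pkt, lst, now, capture_before_established=False):
    """Input chain. Default order is the post's: capture rules sit just before
    the final drop-all, i.e. after the assumed established/related accept."""
    def capture():
        if (pkt.iface_list == "WAN" and pkt.proto in ("tcp", "udp")
                and pkt.dst_port in FILTER_CAPTURE_PORTS):
            lst.add(pkt.src, now)
    if capture_before_established:
        capture()                                   # hypothetical misordering
    if pkt.state in ("established", "related"):
        return "accept:established"                 # assumed standard rule
    if not capture_before_established:
        capture()
    return "drop:input-drop-all"


def process(pkt, lst, now, capture_before_established=False):
    verdict = raw_prerouting(pkt, lst, now)
    return verdict or filter_input(pkt, lst, now, capture_before_established)


def run_scenario(capture_before_established=False):
    """Constructed traffic; returns the verdict of each step."""
    lst, day, r = AddressList(), 24 * 3600, {}
    scanner, dns_server, admin = "198.51.100.7", "192.0.2.53", "203.0.113.9"
    # Telnet probe: listed and dropped in raw on the very first packet.
    r["probe_23"] = process(Packet(scanner, "tcp", 23, "WAN", "new"), lst, 0)
    # Same source, a port in no capture list: still dropped, list-wide block.
    r["listed_8080"] = process(Packet(scanner, "tcp", 8080, "WAN", "new"), lst, 60)
    # After 5 days the entry has expired; a 443 probe now hits the filter rule.
    r["after_expiry_443"] = process(Packet(scanner, "tcp", 443, "WAN", "new"), lst, 5 * day + 1)
    r["relisted"] = lst.contains(scanner, 5 * day + 2)
    # Reply to the router's own DNS query: established, ephemeral dst port.
    r["dns_reply"] = process(Packet(dns_server, "udp", 51515, "WAN", "established"), lst, 0)
    # Established packet of an already-accepted admin session on 443.
    r["established_443"] = process(Packet(admin, "tcp", 443, "WAN", "established"), lst, 0, capture_before_established)
    r["admin_listed"] = lst.contains(admin, 1)
    r["admin_next"] = process(Packet(admin, "tcp", 443, "WAN", "established"), lst, 2, capture_before_established)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:20s} {verdict}")
```

With the post's ordering, the scanner is dropped on every later port for the life of the list entry, while the DNS reply and the admin's established session pass. Flip `capture_before_established=True` and the admin address is listed by its own established packet, after which raw/prerouting drops the session's next packet before conntrack ever sees it; that is the "legitimate return traffic" case the post wants to avoid, and why the filter capture rules go just before the final drop-all.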