Jotne
Forum Guru
Topic Author
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Block user with bad intention

Fri Aug 24, 2018 11:00 pm

Since my router gets hammered all the time, especially on port 23, which is not open, I tried to find a better way to handle it.

Last FW rule (default one) is like this:
add action=drop chain=input comment="Drop all from WAN" in-interface=ether1-Wan log=yes log-prefix=FW_Drop_all_from_WAN
This just blocks everything that was not matched by my other rules. It also logs it and sends it to my Splunk server.
So one rule above this I added:
add action=add-src-to-address-list address-list=FW_Block_user_try_unkown_port address-list-timeout=30m chain=\
    input comment="This is used to collect users who try non-open ports." in-interface=ether1-Wan
This rule adds every user who tries a non-open port to an address list for 30 min.
Then, close to the top, this rule drops the users in the address list to prevent them from trying more ports:
add action=drop chain=input comment="Drop users in block list from WAN" in-interface=ether1-Wan src-address-list=FW_Block_user_try_unkown_port
Anyone see any negative aspects of this?

Now, looking at Splunk, the number of hits on the last rule went down from more than 400 hits per 5 min to fewer than 10 per 5 min (after 21:30).
Look at the graph:
FW_hits.jpg
Graph made by using Splunk: viewtopic.php?t=137338
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block user with bad intention

Fri Aug 24, 2018 11:30 pm

I use this as the first barrier:
/interface list
add name=WAN_LIST

/ip firewall raw
add action=accept chain=prerouting dst-port=65432 protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK2 address-list-timeout=27m chain=prerouting comment=RAW2ADD in-interface-list=WAN_LIST log-prefix="RAW2ADD: " src-address-list=RAWATTACK
add action=drop chain=prerouting comment=RAW2 in-interface-list=WAN_LIST log-prefix="RAW2: " src-address-list=RAWATTACK2
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=udp
add action=drop chain=prerouting comment=RAW1 in-interface-list=WAN_LIST log-prefix="RAW1: " src-address-list=RAWATTACK
You need to add the interfaces you use as WAN to WAN_LIST and move the WinBox service to a non-standard port ... in the example it is 65432.
 
Jotne
Forum Guru
Topic Author
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Block user with bad intention

Sat Aug 25, 2018 12:23 am

I would not recommend Winbox open on the internet.
Use VPN
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: Block user with bad intention

Sat Aug 25, 2018 12:42 am

So what happens when I spoof the IP of Google DNS or whatever DNS server you're using? Oops, your network no longer has DNS connectivity.

You should NEVER add to blocklists based on a single input packet. IP spoofing is quite easy, if someone knows this is how your network is setup, they can easily turn this around into a denial of service. Just drop unknown packets and move on with your life.

Only fully established TCP sessions should be considered a safe source of the IP address.
 
Jotne
Forum Guru
Topic Author
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Block user with bad intention

Sat Aug 25, 2018 1:11 am

I will just try it out. If someone tries to connect to any closed port at my net, even once, they are not welcome ;)
Anyway they go out of the list after 30 min.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Block user with bad intention

Sun Aug 26, 2018 10:22 am

What @R1CH is saying is that sending a packet with any source IP is trivially easy even for script kiddies; the only thing you need in order to do so is that there is no src-nat between you and the victim. So if I have a device on a public address, I can send a packet to port 23 of your public IP and src-nat that packet with the address of your DNS server. And your drop rule will prevent you from receiving answers from your DNS server if it is placed in the raw table (before connection tracking) or before the "accept established" rule in the filter table.

So the whole message is to think further than the first corner when implementing any security solution.
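A small model of the rule ordering argued over in this thread, added here as an illustration; it is not MikroTik code and not from any of the posters. It replays the first post's input-chain rules with the blocklist drop placed above the established check, then the same rules reordered the way sindy describes (accept established first) with the DNS server additionally kept off the list. It shows that a single spoofed SYN from the DNS server's address is enough to cut off DNS replies in the first ordering and harmless in the second, while a real scanner is still blocked until the address-list timeout expires. The addresses, the open port, and the timeout are constructed for the demo.

```python
"""Model of the single-packet blocklist trap (added example, not MikroTik code).
Addresses, ports and the timeout below are constructed for the demonstration."""
from dataclasses import dataclass

ROUTER = "198.51.100.10"    # constructed: the router's WAN address
DNS = "192.0.2.53"          # constructed: the DNS server the router depends on
ATTACKER = "203.0.113.7"    # constructed: the attacker's real address
OPEN_TCP_PORTS = {65432}    # constructed: the only service exposed on WAN
TRUSTED = {DNS}             # addresses that must never land on the blocklist


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


class ConnTracker:
    """Minimal connection tracking: a reply to a flow the router itself
    started is 'established'; everything else is 'new'."""
    def __init__(self):
        self._flows = set()

    def outbound(self, pkt):
        self._flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "established" if reverse in self._flows else "new"


class AddressList:
    """Address list with per-entry expiry, like address-list-timeout."""
    def __init__(self, timeout):
        self.timeout = timeout
        self._expiry = {}

    def add(self, ip, now):
        self._expiry[ip] = now + self.timeout

    def contains(self, ip, now):
        return self._expiry.get(ip, -1) > now


class Firewall:
    """First match wins; an add-to-list action is non-terminal (passthrough)."""
    def __init__(self, rules):
        self.rules = rules

    def process(self, pkt, now):
        for match, action in self.rules:
            if not match(pkt, now):
                continue
            if callable(action):
                action(pkt, now)      # add-src-to-address-list, keep evaluating
            else:
                return action         # "accept" or "drop"
        return "accept"


def to_open_port(p, now):
    return p.proto == "tcp" and p.dport in OPEN_TCP_PORTS


def naive_rules(ct, blocklist):
    """Blocklist drop above the established check: one spoofed packet can cut
    the router off from any peer it relies on."""
    return [
        (lambda p, now: blocklist.contains(p.src, now), "drop"),
        (lambda p, now: ct.state(p) == "established", "accept"),
        (to_open_port, "accept"),
        (lambda p, now: True, lambda p, now: blocklist.add(p.src, now)),
        (lambda p, now: True, "drop"),
    ]


def hardened_rules(ct, blocklist):
    """Accept established first, drop listed sources after that, and never
    list the addresses the router depends on."""
    return [
        (lambda p, now: ct.state(p) == "established", "accept"),
        (lambda p, now: blocklist.contains(p.src, now), "drop"),
        (to_open_port, "accept"),
        (lambda p, now: p.src not in TRUSTED,
         lambda p, now: blocklist.add(p.src, now)),
        (lambda p, now: True, "drop"),
    ]


def run_scenario(build_rules, timeout=1800):
    ct, blocklist = ConnTracker(), AddressList(timeout)
    fw = Firewall(build_rules(ct, blocklist))
    out = {}
    # t=0: the router sends a DNS query; conntrack records the outbound flow
    ct.outbound(Packet(ROUTER, DNS, "udp", 40000, 53))
    # t=1: attacker sends a SYN to closed port 23 with the DNS server as source
    out["spoofed_probe"] = fw.process(Packet(DNS, ROUTER, "tcp", 40001, 23), 1)
    # t=2: the genuine DNS reply arrives
    out["dns_reply"] = fw.process(Packet(DNS, ROUTER, "udp", 53, 40000), 2)
    out["dns_listed"] = blocklist.contains(DNS, 2)
    # t=3/4: attacker probes from its own address, then tries the open service
    fw.process(Packet(ATTACKER, ROUTER, "tcp", 5000, 23), 3)
    out["attacker_open_port"] = fw.process(
        Packet(ATTACKER, ROUTER, "tcp", 5001, 65432), 4)
    # after address-list-timeout the attacker is off the list again
    out["attacker_after_timeout"] = fw.process(
        Packet(ATTACKER, ROUTER, "tcp", 5002, 65432), 4 + timeout)
    return out


if __name__ == "__main__":
    for name, build in (("naive", naive_rules), ("hardened", hardened_rules)):
        print(name, run_scenario(build))
```

In RouterOS terms the hardened order is: accept connection-state=established,related first, then the drop on src-address-list, then the add-src-to-address-list rule with the addresses you depend on excluded (for example by matching on a negated trusted list), then the final drop. A drop in the raw table, as in the second post, runs before connection tracking, so the established check cannot protect replies there and the exclusion list is the only safeguard; and nothing in either ordering stops an attacker from getting some other spoofed address listed, so the list timeout bounds how long that costs you.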
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block user with bad intention

Sun Aug 26, 2018 1:08 pm

Your router could always be blocked by DDoS.
Yes, one packet seems too strict, but most of the addresses I am watching are pure port scanning or attacks on SSH, WinBox or SMB.
I have shown just a snippet of the first barrier.
You can always adjust the time used to block a particular IP address, or add more IPs, ports or services to be accepted unconditionally. You can build more tiers of IPs scanning your router: put them into the RAWATTACK list, the second rule adds them to the RAWATTACK2 list, then there could be RAWATTACK3 or as many as you want, and in the last rule you drop packets only from the list with the highest number.
If someone is scanning the SSH port or SMB ports from the "wild wild world", you can assume that "something wrong is going on" and IMHO it is better to drop it earlier than later.
