Hello,
I went through the wiki: https://wiki.mikrotik.com/wiki/Drop_port_scanners
I did everything, but the rules didn't work:
http://prntscr.com/l9tn0j
I wonder where I'm making a mistake?
Best practice says you should drop all unknown input; there's no need to make rules specifically for port scanners.

Yea, but then an attacker can scan for ports and, for example, find my non-standard RDP port and then do further attacks on it. This way he gets an IP block for port scan attempts and doesn't find my open ports at all.

Explain to me how I can use VPN when "stupid" Apple decided to block VPN over its hotspot on iPhones, which a lot of my customers use, not to mention that a lot of hotels and public spots my users sometimes use also block VPN.

An attacker can't use a spoofed IP for scanning because the results wouldn't make it back to him (unless he is your ISP and all your traffic passes through him).
Spoofed IP is used mostly for (D)DoS attacks where you don't care about response or where you want the response to be sent to someone else on purpose.
In addition, the drop rule for blacklisted IPs is AFTER "accept established/related", so even if someone uses a spoofed IP, it will not affect any connection which originates from your side.
However, I agree that relying on a "hidden" port is not good. Especially protocols like RDP should never be accessible from the outside world. VPN is the way.
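The rule ordering described above (accept established/related first, then drop blacklisted sources, then feed port scanners into the list, then drop everything else from the WAN) written out as RouterOS firewall filter rules. This is an added example, not the thread's or the wiki's own configuration; the interface name ether1-WAN and the list name blacklist are assumptions.

```routeros
/ip firewall filter
# 1. Accept return traffic of connections we opened ourselves. Because this
#    comes first, a spoofed source that lands in the blacklist cannot break
#    connections originating from our side.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"

# 2. Drop anything from a source already on the blacklist.
add chain=input src-address-list=blacklist action=drop \
    comment="drop blacklisted sources"

# 3. Port scan detection (psd): a source hitting many different TCP ports in
#    a short window is added to the blacklist for two weeks. Placing this after
#    rule 2 means a listed source is never re-evaluated here.
add chain=input protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=2w comment="add port scanners to blacklist"

# 4. Drop all other unsolicited input from the WAN interface. With this rule in
#    place, an unlisted scanner still finds nothing, so the psd rule only adds
#    visibility (the blacklist), not the actual protection.
add chain=input in-interface=ether1-WAN action=drop \
    comment="drop everything else from WAN"
```

Rules are matched top to bottom, so check the order with `/ip firewall filter print` after adding them; a drop-all rule placed above the accept rules is the usual reason a setup like this "doesn't work".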