Community discussions

MikroTik App
 
rfritz80
just joined
Topic Author
Posts: 24
Joined: Wed Jan 17, 2018 9:17 pm

Help on Port Scanners

Mon Jan 21, 2019 3:51 pm

Hello everyone, I saw this on Mikrotik Wiki on how to help prevent people from using Port Scanners to find out what ports we use on our routers.
My Question is if I use this rule (Below), and use the Forward Chain command, will this automatically drop those IPs that are trying to scan on our network ?

Drop port scanners

To protect the Router from port scanners, we can record the IPs of hackers who try to scan your box. Using this address list we can drop connection from those IP

in /ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

Various combinations of TCP flags can also indicate port scanner activity.

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

Then you can drop those IPs:

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Similarly, you can drop these port scanners in the forward chain, but using the above rules with "chain=forward".
 
anav
Forum Guru
Forum Guru
Posts: 4783
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help on Port Scanners

Mon Jan 21, 2019 6:57 pm

Try to keep it simple is a good rule of thumb.
For example this is the only rule I sometimes use........
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner


What this is basically saying is that at a certain rate of repeated attempts (# of attempts within a finite period of time) on any TCP traffic- all ports,
add that address to the list for one week and then drop the list. Simple and effective for basic port scan defense.
Whether its worth it or no not sometimes is debated.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1788
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Help on Port Scanners

Mon Jan 21, 2019 7:50 pm

I have the following rules on my router:
#near the top
#5
add action=drop chain=input comment="Drop user that has tried blocked ports" in-interface=ether1-Wan log-prefix=\
    FW_Drop_all_from_WAN src-address-list=FW_Block_user_try_unkown_port
.
.
.
.
# at the bottom of the filter list
#15
add action=add-src-to-address-list address-list=FW_Block_user_try_unkown_port address-list-timeout=1d chain=input in-interface=ether1-Wan
#16
add action=drop chain=input comment="Drop all from WAN " in-interface=ether1-Wan log=yes log-prefix=FW_Drop_all_from_WAN
In short, if a person tries one port that is not open on my router, block him for 24 hour on all port. They has nothing to do on my router.
Strict rule, and you can block your self out. To prevent block my self out, I have an white list rule for my work to unlock my self.

In some more detail..
First time a user enters. Rule #5 does nothing, since he is not in the block list FW_Block_user_try_unkown_port
Then he travels down and if no rules allow him to enter he hits rule #15 where he is added to FW_Block_user_try_unkown_port
Rules #16 is just to drop the user and log him. (only log him one times of first hits)

Second time a user enters. Since he is in the block list, he will be blocked at rule #5, no logging.

I have around 1500 IP in the access list at all time.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
rfritz80
just joined
Topic Author
Posts: 24
Joined: Wed Jan 17, 2018 9:17 pm

Re: Help on Port Scanners

Mon Jan 21, 2019 9:44 pm

Thank you all so much, this really helps me out a lot. :) Going to try these, thanks :)

Who is online

Users browsing this forum: AndyGs, cosambo, maxsaf and 105 guests