birules
just joined
Topic Author
Posts: 6
Joined: Wed Nov 21, 2018 12:29 am

Block port tcp/udp

Mon Mar 18, 2019 4:58 pm

Hello

I ran the port scan on my network and realized that port 5060 is open.

I went in: IP / Firewall / Service Port and Disable Service. But when you run the port scanning, the port is still open.

In IP / Firewall / Filter Rules I created a drop port rule.

How do I block this port so the portscan cannot find it?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block port tcp/udp

Mon Mar 18, 2019 5:13 pm

Post your config to troubleshoot.
/export hide-sensitive file=yourconfigmar18
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Block port tcp/udp

Mon Mar 18, 2019 6:05 pm

IP>Firewall>Service Port isn't "the" service. It's a service helper. A very bad one at that.
Do you have any port forwards?
Are you using UPnP?
5060 is generally used for VOIP/SIP, do you have anything that uses that on your network?

You could make a rule to drop it however surely your firewall must already have a "drop all" at the end of it so you shouldn't need it.

As @anav has mentioned, please do us a quick run of your config, you could narrow it down to "just" the firewall if you wanted;
/ip firewall export hide-sensitive file=myexport
 
birules
just joined
Topic Author
Posts: 6
Joined: Wed Nov 21, 2018 12:29 am

Re: Block port tcp/udp

Mon Mar 18, 2019 7:04 pm

I do not use SIP, VOIP, UPNP ...

We are in an audit process and this port is reported as unsafe. For this reason I want to close.

# feb/18/2019 15:07:29 by RouterOS 6.32.3
# software id = 9RFM-A3U1
#
/ip firewall address-list
add address=27.221.0.0/16 list=POOL_BLOQUEIO
add address=121.29.0.0/16 list=POOL_BLOQUEIO

/ip firewall filter
add action=drop chain=input dst-port=5060 log=yes log-prefix=SIP5060 \
protocol=tcp
add action=drop chain=input dst-port=53 log=yes log-prefix=DNS_UDP protocol=\
udp
add action=drop chain=input dst-port=53 log=yes log-prefix=DNS_TCP protocol=\
tcp
add action=drop chain=forward dst-port=5060-5061 protocol=tcp src-address=\
0.0.0.0/0
add action=drop chain=input dst-port=5060 protocol=udp
add action=drop chain=forward dst-port=5060-5061 protocol=udp src-address=\
0.0.0.0/0
/ip firewall nat
add chain=srcnat disabled=yes dst-address=10.0.148.0/24 log-prefix=Test
add chain=srcnat disabled=yes dst-address=10.100.7.0/24
add chain=srcnat log-prefix=NAT_MONITOR src-address=10.60.0.200 to-addresses=\
10.50.0.2
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
10.60.0.0/24
add action=dst-nat chain=dstnat comment=Idrac disabled=yes dst-port=28443 \
protocol=tcp to-addresses=10.60.0.8 to-ports=8443
add action=dst-nat chain=dstnat comment="Idrac console" disabled=yes \
dst-port=5900 protocol=tcp to-addresses=10.60.0.8 to-ports=5900
add action=src-nat chain=srcnat disabled=yes src-address=172.20.14.0/24 \
to-addresses=10.50.0.251

/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes sip-direct-media=no sip-timeout=0s
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block port tcp/udp

Mon Mar 18, 2019 8:43 pm

Unlike Steve, I am not going to play whackamole.
Please post your config
/export hide-sensitive file=yourconfigmar18
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Block port tcp/udp

Mon Mar 18, 2019 9:40 pm

Note that port 5060 could be opened on your provider's modem/router.

We are in an audit process and this port is reported as unsafe. For this reason I want to close.

# feb/18/2019 15:07:29 by RouterOS 6.32.3

Better look for another auditor if they didn't mention anything about your ROS version.
You should upgrade (netinstall) and firewall the device sooner rather than later!

https://blog.mikrotik.com/security/winb ... ility.html
Versions affected:

Affected all bugfix releases from 6.30.1 to 6.40.7, fixed in 6.40.8 on 2018-Apr-23
Affected all current releases from 6.29 to 6.42, fixed in 6.42.1 on 2018-Apr-23
Affected all RC releases from 6.29rc1 to 6.43rc3, fixed in 6.43rc4 on 2018-Apr-23
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Block port tcp/udp

Mon Mar 18, 2019 9:42 pm

Your router is very vulnerable. If it is public facing you need to update it and at a minimum put a public facing firewall on it.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block port tcp/udp

Mon Mar 18, 2019 10:06 pm

I agree egads, I am remiss for not noticing this fact - # feb/18/2019 15:07:29 by RouterOS 6.32.3

As per the previous poster, do not try to rejig the configuration, complete the netinstall process.
Download from the MT website the latest firmware, use that for the netinstall process and then configure from scratch.

https://wiki.mikrotik.com/wiki/Manual:Netinstall
https://www.youtube.com/watch?v=LtsHrV0QVAY

That takes care of the network, however any PCs behind the router may now be doing bitcoin mining and can be used in botnets.
Thus you want to use layer 7 programming to catch any such behaviour........... at the router level.
Not sure what you can do on the PC level???

What I would do when you get the router back in service at that location is run this program on it for 3-6 months to see if anything untoward is being logged.
https://axiomcyber.com/shield/
 
AminYounessi
Trainer
Posts: 55
Joined: Wed Nov 23, 2016 7:39 am

Re: Block port tcp/udp

Tue Mar 19, 2019 1:00 pm

I do not use SIP, VOIP, UPNP ...

We are in an audit process and this port is reported as unsafe. For this reason I want to close.

# feb/18/2019 15:07:29 by RouterOS 6.32.3
# software id = 9RFM-A3U1
#
/ip firewall address-list
add address=27.221.0.0/16 list=POOL_BLOQUEIO
add address=121.29.0.0/16 list=POOL_BLOQUEIO

/ip firewall filter
add action=drop chain=input dst-port=5060 log=yes log-prefix=SIP5060 \
protocol=tcp
add action=drop chain=input dst-port=53 log=yes log-prefix=DNS_UDP protocol=\
udp
add action=drop chain=input dst-port=53 log=yes log-prefix=DNS_TCP protocol=\
tcp
add action=drop chain=forward dst-port=5060-5061 protocol=tcp src-address=\
0.0.0.0/0
add action=drop chain=input dst-port=5060 protocol=udp
add action=drop chain=forward dst-port=5060-5061 protocol=udp src-address=\
0.0.0.0/0
/ip firewall nat
add chain=srcnat disabled=yes dst-address=10.0.148.0/24 log-prefix=Test
add chain=srcnat disabled=yes dst-address=10.100.7.0/24
add chain=srcnat log-prefix=NAT_MONITOR src-address=10.60.0.200 to-addresses=\
10.50.0.2
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
10.60.0.0/24
add action=dst-nat chain=dstnat comment=Idrac disabled=yes dst-port=28443 \
protocol=tcp to-addresses=10.60.0.8 to-ports=8443
add action=dst-nat chain=dstnat comment="Idrac console" disabled=yes \
dst-port=5900 protocol=tcp to-addresses=10.60.0.8 to-ports=5900
add action=src-nat chain=srcnat disabled=yes src-address=172.20.14.0/24 \
to-addresses=10.50.0.251

/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes sip-direct-media=no sip-timeout=0s

Hi,

I have marked the problem in your configuration in red. Please note that the "service-port" menu in the firewall is for NAT-helper service ports. If you use a tool like nmap (for example: nmap -sV -Pn ip_address) to find the ports and services that are enabled on your router, what you see are the services from the path below:
/ip services
So you need to disable ports and services from the IP Services menu.
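As an added example (not code from any poster in this thread, nor a MikroTik tool), a small Python audit of a RouterOS export that checks the two points raised above: the input chain needs a final catch-all drop, and /ip firewall service-port entries are NAT helpers, not the listeners that live under /ip service. SAMPLE_EXPORT is a constructed excerpt modelled on the export posted in this thread, and DEFAULT_SERVICES is an assumption about the RouterOS 6 service names.

```python
import re
import shlex

# Constructed sample modelled on the thread's export: per-port drops on input, no catch-all.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input dst-port=5060 log=yes log-prefix=SIP5060 \\
protocol=tcp
add action=drop chain=input dst-port=5060 protocol=udp
add action=drop chain=forward dst-port=5060-5061 protocol=udp
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set www disabled=yes
"""

# Assumed RouterOS 6 /ip service names; an export shows only changed entries, so the rest keep defaults.
DEFAULT_SERVICES = ("api", "api-ssl", "ftp", "ssh", "telnet", "winbox", "www", "www-ssl")
MATCHERS = ("dst-port", "protocol", "src-address", "in-interface", "connection-state")

def parse_export(text):
    """Group 'add'/'set' lines under their menu path, folding '\\' line wraps."""
    menus, current = {}, None
    for line in re.sub(r"\\\n", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = menus.setdefault(line, [])
            continue
        verb, *tokens = shlex.split(line)      # shlex keeps quoted values whole
        item = {"_verb": verb}
        if verb == "set" and "=" not in tokens[0]:
            item["_name"] = tokens.pop(0)      # e.g. 'set sip disabled=yes'
        item.update(tok.partition("=")[::2] for tok in tokens)   # k=v pairs
        current.append(item)
    return menus

def audit(menus):
    """Does the input chain end in a default deny, and what do service-port and /ip service say?"""
    inp = [r for r in menus.get("/ip firewall filter", []) if r.get("chain") == "input"]
    last = inp[-1] if inp else {}
    seen = {s["_name"] for s in menus.get("/ip service", [])}
    return {
        "has_catch_all_drop": last.get("action") == "drop" and not any(k in last for k in MATCHERS),
        "per_port_drops": sorted({r["dst-port"] for r in inp if "dst-port" in r}),
        "service_port_helpers": [s["_name"] for s in menus.get("/ip firewall service-port", [])],
        "services_still_default": [n for n in DEFAULT_SERVICES if n not in seen],
    }
```

Run `audit(parse_export(open("export.rsc").read()))` on your own export; a listener that nmap still reports is one of the services_still_default entries or something the input chain never denies.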
 
birules
just joined
Topic Author
Posts: 6
Joined: Wed Nov 21, 2018 12:29 am

Re: Block port tcp/udp

Tue Mar 19, 2019 5:57 pm

@AminYounessi,
I disabled all services on service ports; the error remains.

@All
Let's upgrade MK to the latest stable release and test.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block port tcp/udp

Tue Mar 19, 2019 6:52 pm

@AminYounessi,
I disabled all services on service ports; the error remains.

@All
Let's upgrade MK to the latest stable release and test.
Netinstall to latest release is the prudent thing to do.
 
birules
just joined
Topic Author
Posts: 6
Joined: Wed Nov 21, 2018 12:29 am

Re: Block port tcp/udp

Tue Mar 19, 2019 10:43 pm

Netinstall to latest release is the prudent thing to do.

I'm using another MK (RB1100). This is the last release.

This MK is available for a different LAN. A WAN network crawls the same (I just changed the IP).

Even so, the portscan shows the port open.

It is not an internet provider.
I do not know what else to do !!!
 
birules
just joined
Topic Author
Posts: 6
Joined: Wed Nov 21, 2018 12:29 am

Re: Block port tcp/udp

Tue Mar 19, 2019 10:49 pm

Export file:

# mar/19/2019 17:46:52 by RouterOS 6.44.1
# software id = 5K3K-F73B
#
# model = 1100
# serial number = 2C6B016B85C8
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether12 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ppp profile
set *0 dns-server=195.128.124.181,195.128.124.150
/ip address
add address=****/28 interface=ether3 network=****
add address=192.168.4.200/24 interface=ether4 network=192.168.4.0
/ip dns
set servers=195.128.124.181,195.128.124.150
/ip firewall filter
add action=drop chain=input dst-port=5060 protocol=tcp
add action=drop chain=input dst-port=2000 protocol=tcp
add action=drop chain=input dst-port=5060 protocol=udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=****
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Sao_Paulo
/system watchdog
set watchdog-timer=no
