kapulan
Member Candidate
Topic Author
Posts: 110
Joined: Tue Feb 07, 2006 7:48 pm
Location: Hungary

drop port scanners

Fri Jun 02, 2006 2:17 am

Hello! I read the port scanners example on the wiki!
I tried and tried but the examples do not work! :(

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

Mikrotik says: no such command address-list-timeout
My version: 2.9.23
What's the matter?
Thank you in advance!

:wink:
 
FOV
Frequent Visitor
Posts: 69
Joined: Tue Nov 29, 2005 5:34 pm
Location: ARGENTINA

Fri Jun 02, 2006 2:59 am

Hi Kapulan, this is what I'm using, and it works for me:

Hope it works for you too.

rgs,

Fernando

#### Setting up PSD rules #####
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="Port scanners to list " disabled=no
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP FIN Stealth scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/RST scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="FIN/PSH/URG scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="ALL/ALL scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP NULL scan"
/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
 
savage
Forum Guru
Posts: 1213
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa
Contact:

Fri Jun 02, 2006 9:24 am

Further to that, in your input chain you can also limit connections to, say, only 5/second or something low like that... Port scanners normally attempt to make high amounts of connections in a very short period of time, so it should be a good way, as an additional measure, to try and catch/drop them.
Regards,
Chris
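To make the matching logic of the rules in this thread easier to inspect, here is an added simulation in Python (not code from the thread, from MikroTik, or from RouterOS itself). It models the tcp-flags signatures from Fernando's rule set, the psd=21,3s,3,1 matcher (assumed here to weight distinct destination ports below 1024 with 3 and all others with 1 within a 3 second window, and to match once the total reaches 21), Chris's suggested limit on new connections per second, and an address list with the 14-day timeout, then runs them over constructed packet records using documentation address ranges. The PortScanDetector, NewConnectionRateLimiter and AddressList names, the sample traffic, and the '>=' comparison for the weight threshold are assumptions made for this example.

```python
"""Added example: simulation of the port-scanner checks discussed in the thread.
Not RouterOS code; the psd weighting and the 1-second connection window are
assumptions made for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: float          # seconds since start of the constructed capture
    src: str          # source address
    dport: int        # destination TCP port
    flags: frozenset  # TCP flags that are set, named as in the RouterOS rules

ALL_FLAGS = frozenset({"fin", "syn", "rst", "psh", "ack", "urg"})

# tcp-flags signatures from the rule set above: (comment, flags that must be
# set, flags that must be clear). Unlisted flags are "don't care", as in RouterOS.
FLAG_SIGNATURES = [
    ("NMAP FIN Stealth scan", {"fin"}, {"syn", "rst", "psh", "ack", "urg"}),
    ("SYN/FIN scan", {"fin", "syn"}, set()),
    ("SYN/RST scan", {"syn", "rst"}, set()),
    ("FIN/PSH/URG scan", {"fin", "psh", "urg"}, {"syn", "rst", "ack"}),
    ("ALL/ALL scan", set(ALL_FLAGS), set()),
    ("NMAP NULL scan", set(), set(ALL_FLAGS)),
]

def match_tcp_flags(flags):
    """Return the comment of the first tcp-flags signature the packet matches, else None."""
    for comment, must_set, must_clear in FLAG_SIGNATURES:
        if must_set <= flags and not (must_clear & flags):
            return comment
    return None

class PortScanDetector:
    """Approximation of psd=21,3s,3,1: distinct destination ports seen from one
    source within `delay` seconds are weighted (`low_weight` below port 1024,
    `high_weight` otherwise); reaching `weight_threshold` counts as a scan.
    The '>=' comparison is an assumption, the thread does not state it."""
    def __init__(self, weight_threshold=21, delay=3.0, low_weight=3, high_weight=1):
        self.weight_threshold, self.delay = weight_threshold, delay
        self.low_weight, self.high_weight = low_weight, high_weight
        self.history = defaultdict(deque)   # src -> deque of (time, dport)

    def observe(self, pkt):
        hist = self.history[pkt.src]
        hist.append((pkt.t, pkt.dport))
        while hist and pkt.t - hist[0][0] > self.delay:   # drop entries outside the window
            hist.popleft()
        ports = {dport for _, dport in hist}
        weight = sum(self.low_weight if p < 1024 else self.high_weight for p in ports)
        return weight >= self.weight_threshold

class NewConnectionRateLimiter:
    """Chris's suggestion: flag a source that opens more than `max_per_second`
    new connections (SYN without ACK) within any one-second window."""
    def __init__(self, max_per_second=5):
        self.max_per_second = max_per_second
        self.syns = defaultdict(deque)      # src -> deque of SYN timestamps

    def observe(self, pkt):
        if "syn" not in pkt.flags or "ack" in pkt.flags:
            return False
        q = self.syns[pkt.src]
        q.append(pkt.t)
        while q and pkt.t - q[0] > 1.0:
            q.popleft()
        return len(q) > self.max_per_second

class AddressList:
    """Dynamic address list with a per-entry timeout (address-list-timeout=14d)."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.entries = {}                   # ip -> (expiry time, comment)

    def add(self, ip, now, comment):
        self.entries[ip] = (now + self.timeout, comment)

    def contains(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return False
        if now > entry[0]:                  # expired: remove, as the router would
            del self.entries[ip]
            return False
        return True

def run_input_chain(packets, timeout=14 * 86400):
    """Apply the rules in the thread's order: add-src-to-address-list does not
    terminate, so every packet is evaluated against all add rules, then dropped
    if its source is listed. Returns (verdicts, address_list)."""
    scanners, psd, limiter = AddressList(timeout), PortScanDetector(), NewConnectionRateLimiter()
    verdicts = []
    for pkt in packets:
        if psd.observe(pkt):
            scanners.add(pkt.src, pkt.t, "Port scanners to list")
        reason = match_tcp_flags(pkt.flags)
        if reason:
            scanners.add(pkt.src, pkt.t, reason)
        if limiter.observe(pkt):
            scanners.add(pkt.src, pkt.t, "too many new connections")
        verdicts.append((pkt.src, "drop" if scanners.contains(pkt.src, pkt.t) else "accept"))
    return verdicts, scanners

# Constructed sample traffic (documentation address ranges, not real hosts).
SYN = frozenset({"syn"})
SAMPLE = (
    [Packet(0.0, "192.0.2.10", 80, SYN)]                                     # ordinary client
    + [Packet(1.0 + i * 0.3, "198.51.100.7", p, SYN)                        # slow sweep of 7 low ports
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 143])]
    + [Packet(3.0 + i * 0.01, "203.0.113.44", 80, SYN) for i in range(6)]   # SYN burst to one port
    + [Packet(5.0, "203.0.113.9", 443, frozenset())]                        # NULL probe, no flags set
    + [Packet(6.0, "203.0.113.9", 22, SYN)]                                 # later packet from listed host
)

if __name__ == "__main__":
    verdicts, listed = run_input_chain(SAMPLE)
    for src, verdict in verdicts:
        print(src, verdict)
    print({ip: comment for ip, (_, comment) in listed.entries.items()})
```

Running it shows the ordinary client accepted throughout, the slow sweep listed only once its seventh distinct low port pushes the weight to 21, the burst source listed by the rate check even though it only ever touches port 80, and the NULL probe listed on its first packet so that its later SYN is dropped.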
 
ronniee
Member Candidate
Posts: 123
Joined: Sun Jan 15, 2006 9:32 pm

Sat Jun 03, 2006 10:30 pm

Thanks for these rules.
Can you post some rules to drop viruses on NetBIOS ports?

Is something like this working?
iptables -A FORWARD -m multiport -p udp --dports 135,137,138,139,411,445,49921,4662 -j DROP
 
zaherhamiyah
Frequent Visitor
Posts: 82
Joined: Thu Mar 23, 2006 12:43 am

Sat Jun 03, 2006 11:04 pm

4 ;;; port scanners to list
chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w

5 ;;; drop port scan connections
chain=input src-address-list=port scanners action=drop

I use only the following two rules in the input chain and it works great for me.
If you examine them you will find that anyone trying to scan my server from outside or inside will have their IP listed in the address list found in the Firewall box inside Winbox, and those IPs are then blocked. You can try to use any port scanning program from your test computer and you will see that MT has listed your IP and prevented it from scanning your server. I tested it and the results are excellent.
Note: you can use the following URL to test the security of your server. It is an excellent site for that issue.
http://www.dslreports.com/scan/
When the site opens click on probe and see the result, which must be all green.
You have to install Java for the site to work well.
zaher hamiyah
