Jotne
Forum Guru
Topic Author
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 1:06 pm

I use these filter rules to block, for 24 hours, users that try any non-open port on my router.
So if a user tries to access my router on port 8291, they will end up in an address list for blocked users and will be blocked on all ports, even 443, which is open for all. This way the user of this IP will not find any open port. Users that try a non-open port on my router have nothing to do there, so 100% block.

These need to be the last two filter rules.
/ip firewall filter
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment="Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=FI_AS_port-test
add action=drop chain=input comment="Drop packets that has not been allowed or dropped before." in-interface=ether1 log=yes log-prefix=FI_D_port-test
These two lines are only hit if no rule higher in the filter list has already accepted the port as open or blocked it.
The first line adds the IP to the access list FW_Block_unkown_port.
The second line then drops the packet.

This way packets from that IP are only logged the first time they hit.


Top line, simple version:
/ip firewall raw
add action=drop chain=prerouting comment="Drop user that has tried ports that are not open and has bin added to block list" in-interface=ether1  src-address-list=FW_Block_unkown_port
Here we just block the IP as early as we can, in the raw access list.

Top line, more advanced (what I use):
/ip firewall filter
add action=jump chain=input comment="Drop user that has tried ports that are not open and has bin added to block list- Send to TARPIT to prevent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT  protocol=tcp src-address-list=FW_Block_unkown_port
add action=tarpit chain=TARPIT limit=10,5:packet  protocol=tcp
add action=drop chain=TARPIT protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1  protocol=!tcp src-address-list=FW_Block_unkown_port
These lines must be high up in the filter rules list.
First line: jumps to the TARPIT chain if the IP is in the access list FW_Block_unkown_port.
Second line: sends the packet to tarpit to slow down the user's attack on the router. This may use some resources, so it is only used until the limit hits.
Third line: drops the rest of the TCP attack.
Fourth and fifth lines: drop all attacks other than TCP.

To not block myself out, I use port knocking. The access list that allows port-knock users must be above the block access list.
My block access list contains from 5000 to 10000 IP addresses at all times. (No problem for an hEX router.)
Around 50% are sent to tarpit and blocked; the rest are blocked directly.
Since last reboot (18 days ago):
86000 IPs blocked (each IP only counted once every 24 hours)
30 000 000 packets sent to tarpit chain
15 000 000 packets tarpited
15 000 000 tcp packets dropped
750 000 udp packets dropped

Suggestions and improvements are always welcome :D
Last edited by Jotne on Mon Sep 13, 2021 2:01 pm, edited 4 times in total.
 
Try Splunk> to monitor your MikroTik Router(s). How to set it up. :mrgreen:

MikroTik->Splunk
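The second of the two bottom rules above logs every drop with log-prefix FI_D_port-test, and the "blocked IPs per hour" numbers later in this thread count each IP once per 24 hours. The script below is an added example, not code from Jotne's post or from RouterOS or Splunk: it parses a few constructed log lines in an approximation of the RouterOS firewall log format (syslog timestamp, host, topic, log-prefix, chain, then the packet summary; the regex is an assumption and may need adjusting for a real router's output), counts newly blocked IPs per hour with the same 24-hour dedup, and flags hours whose count jumps above a threshold, which is the kind of alert a defender would want if a blacklist of this sort suddenly starts filling up. The year 2021 is assumed because syslog timestamps carry none; all addresses and hostnames are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation addresses) approximating the RouterOS
# firewall log format with log-prefix=FI_D_port-test. Real lines may differ in
# detail; adjust LINE_RE if your router's output does.
SAMPLE_LOG = """\
Sep 13 10:02:11 hex firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.5:51234->198.51.100.1:8291, len 60
Sep 13 10:02:12 hex firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.5:51235->198.51.100.1:22, len 60
Sep 13 10:15:40 hex firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto UDP, 198.51.100.77:40001->198.51.100.1:161, len 90
Sep 13 11:30:05 hex firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto TCP (SYN), 192.0.2.9:60000->198.51.100.1:23, len 60
Sep 14 10:01:00 hex firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.5:51236->198.51.100.1:8291, len 60
Sep 14 10:05:00 hex firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.5:51237->198.51.100.1:8291, len 60
"""

# Assumed layout: "<Mon DD HH:MM:SS> <host> <topic> <prefix> <chain>: in:<iface> ... proto <P>[ (flags)], <src>[:<sport>]-><dst>[:<dport>]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"(?P<prefix>\S+) (?P<chain>\w+): in:(?P<iface>\S+) .*?"
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_line(line, year=2021):
    """Return the fields of one firewall log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; the caller supplies one (assumption: 2021).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def blocked_per_hour(lines, prefix="FI_D_port-test", dedup=timedelta(hours=24)):
    """Count newly blocked source IPs per hour, counting an IP again only after
    `dedup` has passed since it was last counted (mirrors the 1d list timeout).
    Lines must be in chronological order, as they are in a log file."""
    last_counted = {}
    per_hour = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        src, ts = rec["src"], rec["ts"]
        prev = last_counted.get(src)
        if prev is not None and ts - prev < dedup:
            continue
        last_counted[src] = ts
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    return dict(per_hour)


def spike_hours(per_hour, threshold):
    """Hours in which more than `threshold` new IPs were blocked: a sudden jump
    is worth an alert, since it may mean the list is being flooded."""
    return sorted(h for h, n in per_hour.items() if n > threshold)


if __name__ == "__main__":
    counts = blocked_per_hour(SAMPLE_LOG.splitlines())
    for hour, n in counts.items():
        print(hour, n)
    print("spikes:", spike_hours(counts, threshold=1))
```

Point the script at a syslog file received from the router (the thread's Splunk setup does the same job with a search) and pick a threshold from a week of normal hourly counts rather than a guess.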
 
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 1:23 pm

If I do not remember wrong, tarpit does not consume anything on the local router; it simply leaves each tarpitted connection in a waiting state on the remote router, consuming the remote router's resources...

I suggest to other users that read this post to never reply with "reject" when dropping something, except if the reply is directed to your own local network.
(They could otherwise be involved in amplification of DDoS attacks: when a packet with a spoofed IP is received, the router contributes with a "reply"...)

I suggest changing/moving the last line/rule from this:
/ip firewall filter
[...]
add action=drop chain=input in-interface=ether1  protocol=udp src-address-list=FW_Block_unkown_port

To this:
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1  protocol=!tcp src-address-list=FW_Block_unkown_port
Why block only tcp or udp?
Block everything other than tarpitted tcp.
Last edited by rextended on Mon Sep 13, 2021 1:56 pm, edited 3 times in total.
 
Jotne
Forum Guru
Topic Author
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 1:32 pm

Blocked IPs per hour, last 7 days:
block.jpg
Blocked in the last 30 min, shown on a map. If you zoom in you see each country/city.
live.jpg
Graphs are made using Splunk, see my signature.
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 1:38 pm

Another suggestion: if you have some spare unused public IP, use it as a honeypot.
Every IP that tries to contact the honeypot is a scan or something wrong for sure...
(Also define a whitelist of your own addresses.)
/ip firewall raw
add action=add-src-to-address-list address-list=FW_BLOCK_HONEYPOT address-list-timeout=1d chain=prerouting comment=HONEYPOT \
    dst-address=6.6.6.6 dst-address-list=!whitelist in-interface=ether1 src-address-list=!whitelist
add action=drop chain=prerouting in-interface=ether1  src-address-list=FW_BLOCK_HONEYPOT
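Both Jotne's rule set and the honeypot pair above rely on the same evaluation rules: raw/prerouting runs before filter/input, rules match top to bottom, add-src-to-address-list does not stop evaluation (so the drop rule directly below it catches the very packet that was just listed), and a list entry expires after its address-list-timeout. The following Python model is an added example, not code from either post and not RouterOS; it walks constructed packets through the bottom-two rules, the tarpit/raw top rules, a trusted list standing in for both the port-knock allow rule and the honeypot whitelist, and the honeypot pair. ROUTER_IP and HONEYPOT_IP are documentation addresses chosen here instead of the 6.6.6.6 placeholder in the post; the Packet and Firewall classes, the trusted parameter and the verdict strings are this model's own names, not RouterOS actions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this model (documentation ranges), not the post's 6.6.6.6.
ROUTER_IP = "198.51.100.1"
HONEYPOT_IP = "198.51.100.2"     # a spare public IP with nothing listening on it
DAY = 24 * 3600                   # address-list-timeout=1d, in seconds


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "gre", ...
    dport: Optional[int] = None   # None for protocols without ports


class Firewall:
    """Toy model of the RouterOS evaluation order: raw/prerouting runs before
    filter/input, rules match top to bottom, add-src-to-address-list does not
    stop evaluation, and list entries expire after their timeout."""

    def __init__(self, open_ports, trusted=(), list_timeout=DAY):
        self.open_ports = set(open_ports)   # e.g. {443}: ports open to everyone
        self.trusted = set(trusted)         # port-knock allow list / honeypot whitelist
        self.list_timeout = list_timeout
        self.lists = {}                     # list name -> {ip: expiry time}
        self.now = 0                        # simulated clock, seconds

    def tick(self, seconds):
        self.now += seconds

    def in_list(self, name, ip):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > self.now

    def add_to_list(self, name, ip):
        self.lists.setdefault(name, {})[ip] = self.now + self.list_timeout

    def raw_prerouting(self, p):
        # Honeypot pair: list any non-whitelisted source that touches the honeypot
        # IP, then drop everything from listed sources (same packet included).
        if p.dst == HONEYPOT_IP and p.src not in self.trusted:
            self.add_to_list("FW_BLOCK_HONEYPOT", p.src)
        if self.in_list("FW_BLOCK_HONEYPOT", p.src):
            return "drop:raw-honeypot"
        # Jotne's raw rule: protocol=!tcp from a listed source is dropped here;
        # tcp is left for the tarpit jump in the filter table.
        if p.proto != "tcp" and self.in_list("FW_Block_unkown_port", p.src):
            return "drop:raw-not-tcp"
        return None

    def filter_input(self, p):
        # The allow rule for port-knock users sits ABOVE the block rules.
        if p.src in self.trusted:
            return "accept:trusted"
        # Top rule: listed tcp sources jump to TARPIT (tarpit, then drop).
        if p.proto == "tcp" and self.in_list("FW_Block_unkown_port", p.src):
            return "tarpit"
        # Accept rules for the services that are open to everyone.
        if p.dport in self.open_ports:
            return "accept"
        # Last two rules: record the source, then drop.
        self.add_to_list("FW_Block_unkown_port", p.src)
        return "drop:listed"

    def handle(self, p):
        verdict = self.raw_prerouting(p)
        if verdict:
            return verdict
        if p.dst not in (ROUTER_IP, HONEYPOT_IP):
            return "forward"          # forward chain is not modelled here
        return self.filter_input(p)


def demo():
    """Walk constructed packets through the model; returns the verdicts in order."""
    fw = Firewall(open_ports={443}, trusted={"192.0.2.10"})
    steps = [
        Packet("203.0.113.5", ROUTER_IP, "tcp", 8291),    # closed port: listed and dropped
        Packet("203.0.113.5", ROUTER_IP, "tcp", 443),     # open port, but source is listed
        Packet("203.0.113.5", ROUTER_IP, "udp", 53),      # non-tcp from listed source
        Packet("198.51.100.77", ROUTER_IP, "tcp", 443),   # clean source, open port
        Packet("198.51.100.77", HONEYPOT_IP, "tcp", 80),  # touches the honeypot
        Packet("198.51.100.77", ROUTER_IP, "tcp", 443),   # now blocked everywhere
        Packet("192.0.2.10", ROUTER_IP, "tcp", 8291),     # trusted source, closed port
    ]
    verdicts = [fw.handle(p) for p in steps]
    fw.tick(DAY)                                          # let the 1d entries expire
    verdicts.append(fw.handle(Packet("203.0.113.5", ROUTER_IP, "tcp", 443)))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The model also makes the weakness raised later in the thread visible: a source is listed on a single packet to a closed port, so a sender forging source addresses can grow the list without ever completing a connection, which is why an alert on the list size or on the rate of new entries belongs next to rules like these.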
 
Jotne
Forum Guru
Topic Author
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 1:44 pm

Why block only tcp or udp?
Block everything other than tarpitted tcp
Good suggestion, added :)
Thanks

PS: I cannot use prerouting in the standard firewall, only in raw, and in raw I cannot use tarpit.
Last edited by Jotne on Mon Sep 13, 2021 1:47 pm, edited 1 time in total.
 
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 1:46 pm

PS: I cannot use prerouting in the standard firewall, only in raw, and in raw I cannot use tarpit.
That is why on raw I put "!tcp" :)
Last edited by rextended on Mon Sep 13, 2021 1:56 pm, edited 1 time in total.
 
Jotne
Forum Guru
Topic Author
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 1:56 pm

Ahh, understood, but I do not see the formatting error. Using the original phpBB style.
Where exactly should I add an enter?
 
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 1:57 pm

Ah, the problem is with the "default" style Canvas; it happens when a [ code ] block is near another block of any type, like [ b ] bold.

>fixed, thanks!<
Last edited by rextended on Mon Sep 13, 2021 2:03 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 2:02 pm

I hope you read/notice also this:
viewtopic.php?f=23&t=178496&p=879596#p879587
 
Jotne
Forum Guru
Topic Author
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 2:09 pm

I did see it, but many do not have an extra IP.

I did try to use VRF to fake two or more outside interfaces to get more IPs, but it did not work :(
Here is what I used before:
https://github.security.telekom.com/201 ... ncept.html
 
 
anav
Forum Guru
Posts: 8393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Mon Sep 13, 2021 5:34 pm

But I have none of these rules, except two:
drop invalid in input chain
drop all else as last rule in input chain.

How come I am not having any issues??
Is it better not to be aware of how many hits one is getting? Ignorance is bliss??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Jotne
Forum Guru
Topic Author
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Tue Sep 14, 2021 1:23 am

You miss some of the point here.
If someone hits my router on a wrong port, they are also blocked on all open ports, like 443 and other ports.
This prevents them from seeing any open port, so they cannot try to hack my web server etc.
 
 
R1CH
Forum Veteran
Posts: 984
Joined: Sun Oct 01, 2006 11:44 pm

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Tue Sep 14, 2021 1:50 am

It also makes you extremely vulnerable to a simple CPU DoS if someone spoofs IPs and fills your blacklist with millions of IPs. Someone can also put http://your_ip:8291/lol in an image tag and you firewall yourself off... these rules do more harm than good in the long run.
 
Jotne
Forum Guru
Topic Author
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Tue Sep 14, 2021 2:59 am

I have this DDoS filter above my block rule.
viewtopic.php?f=2&t=54607

Never have had downtime. May not have been a target....
 
 
BrateloSlava
just joined
Posts: 1
Joined: Mon Aug 09, 2021 10:33 am

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Tue Sep 14, 2021 11:15 am

It might be a better idea to use a list of interfaces (WAN) rather than the interface name (ether1).
 
Jotne
Forum Guru
Topic Author
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Tue Sep 14, 2021 1:02 pm

That is why on raw I put "!tcp"
After changing from udp to !tcp, I get a lot of hits on protocol 47 (GRE), which I have not had before.
So thanks again for the tip :)
 
 
rextended
Forum Guru
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Tue Sep 14, 2021 3:21 pm

Another user talks about a GRE attack that started some days ago, also Mēris;
probably it is that?
 
anav
Forum Guru
Posts: 8393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Tue Sep 14, 2021 4:59 pm

I have this DDoS filter above my block rule.
viewtopic.php?f=2&t=54607

Never have had downtime. May not have been a target....
Hold the fort Jotne..........
I read that long-assed thread to find that you are having issues with said DDoS!!
quote "But I have for sure not done anything remotely connected to DDoS, mostly surfing :)" unquote.

So the fact that chupaka's DDoS script addresses incoming and outgoing is causing you issues on the outgoing.
Did you add the =result exception for DNS??? To solve this dilemma.
 
Jotne
Forum Guru
Topic Author
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Configuration to block users that try to access the router on non-open port(s)

Tue Sep 14, 2021 8:17 pm

Did you add the =result exception for DNS??? To solve this dilemma.
Have not had problems with DNS. Using DoH..
 