Jotne

Configuration to block users that tries to access router on non open port(s)

Mon Sep 13, 2021 1:06 pm

WARNING: If you work on filter rules, use SAFE MODE.

This is only needed if you have one or more ports open to the internet.

I use these filter rules to block users that try any non-open port on my router for 24 hours, to somewhat protect the already open ports.
So if a user tries to access my router on port 8291, the IP ends up in an address list for blocked users and is blocked on all ports, even 443 which is open to all. This way the user of this IP will not find any open port. Users that try a non-open port on my router have nothing to do there, so 100% block.

This needs to be the last two filter rules.
/ip firewall filter
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment="Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=FI_AS_port-test
add action=drop chain=input comment="Drop packets that has not been allowed or dropped before." in-interface=ether1 log=yes log-prefix=FI_D_port-test
These two lines are only hit if no line higher up in the filter rules has accepted the port as open or blocked it.
The first line adds the IP to the access list FW_Block_unkown_port.
The second line then drops the packet.

This way packets from that IP are only logged the first time they hit.


Top line, simple:
/ip firewall raw
add action=drop chain=prerouting comment="Drop user that has tried ports that are not open and has been added to block list" in-interface=ether1 src-address-list=FW_Block_unkown_port
Here we just block the IP as early as we can, in the raw table.

Top line, more advanced (what I use):
/ip firewall filter
add action=jump chain=input comment="Drop user that has tried ports that are not open and has bin added to block list. Limit TARPIT to prevent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT protocol=tcp src-address-list=FW_Block_unkown_port
add action=tarpit chain=TARPIT limit=10,5:packet protocol=tcp
add action=drop chain=TARPIT protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1 protocol=!tcp src-address-list=FW_Block_unkown_port
These lines must be high up in the filter rules list.
First line: jumps to the TARPIT chain if the IP is in the access list FW_Block_unkown_port.
Second line: sends the packet to tarpit to slow down the user's attack on the router. This may use some resources, so it is only used until the limit hits.
Third line: drops the rest of the TCP attack.
Fourth and fifth lines: drop everything other than TCP.

To not block myself out, I use port knocking. The access list rule that allows port-knock users must be above the block access list rule.
My block access list contains from 5000 to 10000 IP addresses at all times (no problem for an hEX router).
Around 50% are sent to tarpit and blocked, the rest are blocked directly.
Since the last reboot (18 days ago):
86000 IPs blocked (each IP only counted once every 24 hours)
30 000 000 packets sent to the tarpit chain
15 000 000 packets tarpitted
15 000 000 TCP packets dropped
750 000 UDP packets dropped

Suggestion and improvements are always welcome :D



----------------------------------------------------------------------------------------
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
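To make the rule ordering in the post concrete, here is a small Python model, added for this write-up and not code from the post, that evaluates packets the way RouterOS walks these chains: raw prerouting first, then filter input with a whitelist accept, the TARPIT jump with its limit, the accept for the published port, and the last two rules. The open-port set ({443}), the whitelist entry and the sample traffic are constructed assumptions; the address-list name, the 1d timeout, limit=10,5:packet and the log prefix are taken from the post.

```python
from dataclasses import dataclass, field

# Values from the post's rules; the open-port set and sample hosts are assumptions.
WAN = "ether1"
OPEN_TCP_PORTS = {443}               # assumption: only HTTPS is published
BLOCK_LIST_TIMEOUT = 24 * 3600       # address-list-timeout=1d
TARPIT_RATE, TARPIT_BURST = 10, 5    # limit=10,5:packet -> 10 pkt/s, burst of 5


@dataclass
class Packet:
    src: str
    proto: str            # "tcp", "udp", "gre", ...
    dport: int = 0
    in_if: str = WAN
    t: float = 0.0        # arrival time in seconds


@dataclass
class Router:
    whitelist: set = field(default_factory=set)
    block: dict = field(default_factory=dict)   # FW_Block_unkown_port: ip -> expiry time
    log: list = field(default_factory=list)
    _tokens: float = float(TARPIT_BURST)
    _last: float = 0.0

    def _listed(self, pkt):
        """src-address-list=FW_Block_unkown_port, honouring the 1d timeout."""
        exp = self.block.get(pkt.src)
        if exp is not None and pkt.t < exp:
            return True
        self.block.pop(pkt.src, None)        # expired entries fall out of the list
        return False

    def _tarpit_limit(self, t):
        """Token bucket approximating the 'limit=10,5:packet' matcher on the tarpit rule."""
        self._tokens = min(TARPIT_BURST, self._tokens + (t - self._last) * TARPIT_RATE)
        self._last = t
        if self._tokens >= 1:
            self._tokens -= 1
            return True
        return False

    def raw_prerouting(self, pkt):
        # /ip firewall raw: drop chain=prerouting in-interface=ether1 protocol=!tcp src-address-list=...
        if pkt.in_if == WAN and pkt.proto != "tcp" and self._listed(pkt):
            return "drop(raw)"
        return None

    def filter_input(self, pkt):
        # Whitelist / port-knock accept sits above the block rules, so listed admins still get in.
        if pkt.src in self.whitelist:
            return "accept(whitelist)"
        # jump chain=input ... jump-target=TARPIT protocol=tcp src-address-list=FW_Block_unkown_port
        if pkt.in_if == WAN and pkt.proto == "tcp" and self._listed(pkt):
            return "tarpit" if self._tarpit_limit(pkt.t) else "drop(TARPIT)"
        # Explicit accept for the published service(s).
        if pkt.proto == "tcp" and pkt.dport in OPEN_TCP_PORTS:
            return "accept"
        # The last two rules: add-src-to-address-list (not logged), then drop (logged).
        if pkt.in_if == WAN:
            self.block[pkt.src] = pkt.t + BLOCK_LIST_TIMEOUT
            self.log.append(f"FI_D_port-test input: in:{pkt.in_if} {pkt.src} {pkt.proto}/{pkt.dport}")
            return "drop"
        return "accept(default)"            # nothing matched: the chain default is accept

    def handle(self, pkt):
        return self.raw_prerouting(pkt) or self.filter_input(pkt)


def run_scenario():
    """Constructed traffic mix (documentation addresses); returns verdict per packet and the router."""
    scanner, client, admin = "203.0.113.10", "192.0.2.20", "198.51.100.7"
    r = Router(whitelist={admin})
    pkts = [
        ("scan 8291",    Packet(scanner, "tcp", 8291, t=0.0)),   # first probe of a closed port
        ("scan 443",     Packet(scanner, "tcp", 443, t=0.1)),    # now blocked even on the open port
        ("scan udp 53",  Packet(scanner, "udp", 53, t=0.2)),
        ("scan gre",     Packet(scanner, "gre", t=0.3)),         # the protocol 47 hits seen after !tcp
        ("client 443",   Packet(client, "tcp", 443, t=0.4)),     # never probed anything else
        ("admin 8291",   Packet(admin, "tcp", 8291, t=0.5)),     # whitelisted, e.g. after port knock
        ("lan 8291",     Packet("192.168.22.10", "tcp", 8291, in_if="bridge1", t=0.6)),
    ]
    # A burst from the listed scanner exhausts the tarpit limit; the rest is dropped.
    pkts += [(f"burst {i}", Packet(scanner, "tcp", 443, t=1.0)) for i in range(8)]
    pkts.append(("scan 443 +1d", Packet(scanner, "tcp", 443, t=BLOCK_LIST_TIMEOUT + 1)))
    return {name: r.handle(p) for name, p in pkts}, r


if __name__ == "__main__":
    verdicts, router = run_scenario()
    for name, verdict in verdicts.items():
        print(f"{name:14} -> {verdict}")
    print("logged drops:", len(router.log))   # one line: later hits never reach the last rule
```

Running run_scenario() shows the scanner dropped on its first probe and then tarpitted or dropped on 443 as well, while a client that only ever touches 443 is accepted and the scanner's entry lapses after 24 hours.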

rextended

Re: 📌 Configuration to block users that tries to access router on non open port(s)

Mon Sep 13, 2021 1:23 pm

If I do not remember wrong, tarpit does not consume anything on the local router; it simply leaves each tarpitted connection in a waiting state on the remote router, consuming remote router resources...

I suggest to other users that read this post to never reply with "reject" when dropping something, except if the reply is directed to your own local network.
(They could otherwise be involved in amplification of DDoS attacks: when a spoofed IP is received, the router concurs with a "reply"...)

I suggest changing/moving the last line/rule from this:
/ip firewall filter
[...]
add action=drop chain=input in-interface=ether1 protocol=udp src-address-list=FW_Block_unkown_port

To this:
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1 protocol=!tcp src-address-list=FW_Block_unkown_port
Why block only TCP or UDP?
Block everything other than tarpitted TCP.

Jotne

Mon Sep 13, 2021 1:32 pm

Blocked IPs per hour, last 7 days:
block.jpg
Blocked in the last 30 minutes shown on a map. If you zoom in you see each Country/City.
live.jpg
Graphs are made using Splunk, see my signature.
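The "blocked IPs per hour" figure comes from the log lines the final drop rule writes with its FI_D_port-test prefix. The following Python, added here and not part of the post or of Jotne's Splunk setup, derives that count and the most-probed closed ports from such lines. The log sample is constructed in the shape RouterOS writes firewall log entries (prefix, chain, interfaces, protocol, src:port->dst:port) using documentation addresses; the exact field layout of your export is an assumption to check against your own logs.

```python
import re
from collections import defaultdict

# Constructed sample of firewall log lines (assumption: syslog-style export with the
# "<month>/<day> <time> firewall,info <prefix> <chain>: ..." layout RouterOS uses).
SAMPLE_LOG = """\
sep/13 09:01:12 firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51515->192.0.2.1:8291, len 60
sep/13 09:07:40 firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.11:40001->192.0.2.1:22, len 60
sep/13 09:59:59 firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto UDP, 198.51.100.9:5060->192.0.2.1:5060, len 412
sep/13 10:00:03 firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51516->192.0.2.1:3389, len 60
sep/13 10:30:21 firewall,info FI_A_HTTPS forward: in:ether1 out:bridge1, proto TCP (SYN), 192.0.2.55:44000->192.168.3.4:443, len 60
sep/13 10:45:00 firewall,info FI_D_port-test input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.12:1025->192.0.2.1:8291, len 60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2} \d{2}:\d{2}):\d{2} firewall,info "
    r"(?P<prefix>\S+) (?P<chain>\w+): in:(?P<in_if>\S+) .*?proto (?P<proto>\w+)"
    r".*? (?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse(line):
    """Split one firewall log line into fields; None for lines in another shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def blocked_per_hour(log_text, prefix="FI_D_port-test"):
    """Unique source IPs per hour that hit the final drop rule.

    The drop rule only fires for an IP once per listing (later hits are handled by the
    TARPIT/raw rules, which do not log), so this is the count of newly blocked IPs.
    """
    per_hour = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["prefix"] == prefix:
            per_hour[rec["ts"][:-3]].add(rec["src"])   # "sep/13 09:01" -> "sep/13 09"
    return {hour: len(ips) for hour, ips in sorted(per_hour.items())}


def top_probed_ports(log_text, prefix="FI_D_port-test", n=3):
    """Which closed ports attract the probes that get an IP listed."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["prefix"] == prefix:
            counts[(rec["proto"], int(rec["dport"]))] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print(blocked_per_hour(SAMPLE_LOG))
    print(top_probed_ports(SAMPLE_LOG))
```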
 
rextended

Mon Sep 13, 2021 1:38 pm

Another suggestion: if you have some spare unused public IP, use it as a honeypot.
Every IP that tries to contact the honeypot is a scan or something wrong for sure...
(also define a whitelist of your own addresses)
/ip firewall raw
add action=add-src-to-address-list address-list=FW_BLOCK_HONEYPOT address-list-timeout=1d chain=prerouting comment=HONEYPOT \
    dst-address=6.6.6.6 dst-address-list=!whitelist in-interface=ether1 src-address-list=!whitelist
add action=drop chain=prerouting in-interface=ether1  src-address-list=FW_BLOCK_HONEYPOT
 
Jotne

Mon Sep 13, 2021 1:44 pm

Why block only tcp or udp?
Block everything other than tarpitted tcp
Good suggestion, added :)
Thanks

PS I cannot use prerouting in the standard firewall, only in raw, and in raw I cannot use tarpit.

rextended

Mon Sep 13, 2021 1:46 pm

PS I can not use prerouting in standard firwall, only raw, and in raw, I can not use trapit.
That is why on raw I put "!tcp" :)

Jotne

Mon Sep 13, 2021 1:56 pm

Ahh, understood, but I do not see the formatting error. Using the original phpBB style.
Where exactly should I add an enter?
 
rextended

Mon Sep 13, 2021 1:57 pm

Ah, the problem is with the "default" style Canvas; it happens when a [ code ] block is near another block of any type, like [ b ] bold.

>fixed, thanks!<

rextended

Mon Sep 13, 2021 2:02 pm

I hope you read/notice also this:
viewtopic.php?f=23&t=178496&p=879596#p879587
 
Jotne

Mon Sep 13, 2021 2:09 pm

I did see it, but many do not have an extra IP.

I did try to use VRF to fake two or more outside interfaces to get more IPs, but it did not work :(
Here is what I used before:
https://github.security.telekom.com/201 ... ncept.html
 
anav

Mon Sep 13, 2021 5:34 pm

But I have none of these rules
except two
drop invalid in input chain
drop all else as last rule in input chain.

How come I am not having any issues??
Is it better not to be aware of how many hits one is getting, ignorance is bliss??
 
Jotne

Tue Sep 14, 2021 1:23 am

You miss some of the point here.
If someone hits my router on a wrong port, they are also blocked on all open ports like 443 and other ports.
This prevents them from seeing any open port, therefore they cannot try to hack my web server etc.
 
R1CH

Tue Sep 14, 2021 1:50 am

And also makes you extremely vulnerable to simple CPU DoS if someone spoofs IP and fills your blacklist with millions of IPs. Can also do http://your_ip:8291/lol in an image tag and firewall yourself off... these rules do more harm than good in the long run.
 
Jotne

Tue Sep 14, 2021 2:59 am

I have this DDoS filter above my block rule.
viewtopic.php?f=2&t=54607

Never have had downtime. May not have been a target....
 
BrateloSlava

Tue Sep 14, 2021 11:15 am

It might be a better idea to use a list of interfaces (WAN) rather than the interface name (ether1).
 
Jotne

Tue Sep 14, 2021 1:02 pm

Is why on raw I put "!tcp"
After changing from udp to !tcp, I get a lot of hits on protocol 47 (GRE), which I have not had before.
So thanks again for the tip :)
 
rextended

Tue Sep 14, 2021 3:21 pm

Another user talked about a GRE attack that started some days ago, also Mēris;
probably it is that?
 
anav

Tue Sep 14, 2021 4:59 pm

I have this DDoS filter above my block rule.
viewtopic.php?f=2&t=54607

Never have had down time. May have not been target....
Hold the fort Jotne..........
I read that long-assed thread to find that you are having issues with said DDoS!!
quote "But I have for sure not done anything remotely connected to DDoS, mostly surfing :)" unquote.

So the fact that chupka's DDoS script addresses incoming and outgoing is causing you issues on the outgoing.
Did you add the =result exception for DNS??? To solve this dilemma.
 
Jotne

Tue Sep 14, 2021 8:17 pm

Did you add the =result exception for DNS ??? To solve this dilemma.
Have not had problems with DNS. Using DoH..
 
nichky

Wed Jul 27, 2022 7:51 am

@Jotne

From your first post
I need rules something like that, but may I get the accept list for the ports that you want to allow?
 
Jotne

Wed Jul 27, 2022 8:11 am

If you add a NAT rule for port 443 (https), you do not need an explicit filter rule, but I do have it.
And if you have a filter rule, it must be before the rule that starts to block stuff.

Filter rule:
add action=accept chain=forward dst-port=443 in-interface=ether1 log=yes log-prefix=FI_A_HTTPS protocol=tcp
NAT rule:
add action=dst-nat chain=dstnat comment="Web SSL -> Varg" dst-address-list=WAN-IP dst-port=443 log-prefix=ND_DE_SSL-Server protocol=tcp to-addresses=192.168.3.4
 
nichky

Wed Jul 27, 2022 8:55 am

Yes, even if I do that, it still puts the IP on the blacklist. Something is not happy with the access list.
 
Jotne

Wed Jul 27, 2022 2:45 pm

Is this true?
This needs to be the last two filter rules.
 
nichky

Thu Jul 28, 2022 4:01 am

@Jotne

I made this work; can you explain more about TARPIT.

The question that I can't answer myself is what the difference is between TARPIT and drop.

If you put them sequentially (properly) without tarpit, just drop (everything else) at the bottom, that will do all the job,

I'm assuming that tarpit is above drop (everything else)

If you can give us more info.

Thanks
 
Jotne

Thu Jul 28, 2022 6:13 am

Tarpit will cost more time and resources for the attacker.
You do not need this part.

A quick Google search:
https://en.wikipedia.org/wiki/Tarpit_(networking)
https://www.mtin.net/blog/use-tarpit-vs ... attackers/
 
nichky

Thu Jul 28, 2022 7:57 am

And the last question: I was playing around with your rules above,

I've noted something.

When I'm trying to get access from outside with tarpit enabled, in Winbox I can see "logging in" and it is getting stuck there. (the IP address goes on the blocked list)

If I disable tarpit, because of drop everything else I'm seeing "connecting to 1.2.3.4" (doesn't know how to get there)

Is that normal behavior?
 
nichky

Fri Jul 29, 2022 6:47 am

If I read again what you have posted, what I'm experiencing is absolutely to be expected.
That is tarpit's job

Thanks
 
anav

Wed Aug 03, 2022 2:27 am

Not convinced that there is any value in this approach.
 
nichky

Wed Aug 03, 2022 9:24 am

How do you mean?
According to @Jotne's links and what I'm experiencing, that completely matches.
 
Jotne

Wed Aug 03, 2022 12:30 pm

Let's say that you have a web server (443) and RDP (3389) open to the whole internet.

If someone with bad intentions has a script that tests various ports, and if open ports are found tries to break in, this script for sure helps.
When the hacker's script tests port 10000 for any reason, he will be blocked for 24 hours on all ports, including 443 and 3389. So his script cannot try anything to enter 443 or 3389; it is blocked. It does not block a user trying only 443 or 3389.

You should not have 3389 open in any way (just as an example here).
 
nichky

Thu Aug 04, 2022 4:12 am

@Jotne

That is absolutely clear.
What I was wondering is whether that behavior with Winbox (or any TCP connection, I have explained above) is because of Tarpit's job.

What you have posted and what I'm experiencing match completely; can you confirm that. Thanks
 
Jotne

Thu Aug 04, 2022 8:09 am

I do not use Winbox on the outside. Not secure at all.
But to not lock myself out I have a fixed white-list and a port knock that can add an IP temporarily to the white-list.
 
nichky

Thu Aug 04, 2022 8:40 am

Me too, I have blocked everything from outside, and I'm also using port knocking.

Even though I'm getting "Logging in..." and it's stuck there, only if I play with Tarpit; otherwise, I'm getting "Connecting to 1.2.3.4" if I disable Tarpit
 
Jotne

Thu Aug 04, 2022 12:24 pm

I do not understand where your problem is:
When i'm trying to get access from outsite with tarpit enabled, on the winbox i can see logging in and is gettign stack there. (the ip-add goes on blocked list)
Are you not able to log in? From where?
Do you get a message that should not be there?
Is anything else broken?
 
nichky

Thu Aug 04, 2022 12:32 pm

I'm not able to log in; I can see only "logging in..." and it's getting stuck there, doesn't go further, with tarpit enabled

and according to the link:

When connections come in and are “tarpitted” they don’t go back out. The connection is accepted, but when data transfer begins to happen, the TCP window size is set to zero.

So, what I'm experiencing is completely to be expected, am I right?
 
Jotne

Thu Aug 04, 2022 3:45 pm

The tarpit rule:
add action=jump chain=input comment="Drop user that has tried ports that are not open and has bin added to block list. Limit TARPIT to prevent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT protocol=tcp src-address-list=FW_Block_unkown_port
It will only hit when you are coming in on interface ether1 (outside) and are in the address list FW_Block_unkown_port

So:
1. You try to access the router using Winbox on the outside interface???
2. Your IP is in the block list.
 
nichky

Fri Aug 05, 2022 12:00 am

So:
1. You try to access router using winbox on outside interface???
yes, also on my router ether1 is WAN
2. Your IP are in the block list.
yes, my IP address goes on the block list,

I'll repeat again: I can't get access, Winbox is getting stuck on "logging in..."

That is only if tarpit is on; looks like this:

That reminds me of:
nat
add action=dst-nat chain=dstnat dst-address=public-ip in-interface=wan protocol=tcp to-addresses=local to-ports=80

I don't have that one, that is only e.g.
 
Jotne

Fri Aug 05, 2022 7:57 am

Add a specific rule to allow Winbox to reach port 8291 on the input chain, as a rule above tarpit.

But as a long-time user here, you should know that you should never open Winbox on a public IP. Use VPN.
 
nichky

Fri Aug 05, 2022 8:47 am

Add a specific rule to allow Winbox to reach port 8291 on the input change as a rule above tarpit.
I got that for the local LAN
But as a long user here, you should know that you should never open Winbox on a public IP. Use VPN.
I'm not asking that; I only want to know, is what I'm experiencing Tarpit behavior?
 
Jotne

Fri Aug 05, 2022 2:12 pm

I have not seen this problem, nor has anyone else posted about it before, so it may be a bug or something wrong with your configuration.
 
nichky

Sat Aug 06, 2022 8:27 am

Try to get access to your router from outside without port knocking (using the rules above).
What are you getting in your Winbox?
logging in... (and stuck there) or
connecting to 1.2.3.4
 
Jotne

Sat Aug 06, 2022 11:11 am

I will see if I get time to do a test. It will be on a test router, since I would not open any production routers from outside to WinBox.
 
nichky

Sun Aug 07, 2022 3:14 am

I'm happy to share with you my public IP address.
6f1406302c00.sn.mynetname.net
Try to log in to it, specify any user and pass.
Once you've done that, then I'll disable tarpit and I'll get you to log in to it again, see what you will see on your end.
 
Jotne

Sun Aug 07, 2022 9:30 am

I do see that it just hangs. I also needed to turn on Legacy Mode. First time I've seen that I need to do that.

Post the full config, something may be wrong with it.
 
nichky

Sun Aug 07, 2022 12:10 pm

I'm sending my firewall.
And if you can try again, I disabled tarpit (also in this config that I'm sending, Tarpit has been disabled).
You should be seeing now "Connecting to 1.2.3.4"

Jotne

Mon Aug 08, 2022 12:22 am

I do not see any difference in Winbox, still just hanging at "Logging in".
Will have a look at the firewall.

PS: hope these are not your real ports for port knocking. If so, change them.

As I told you before, you should not have Winbox open on the internet. One of the rules I posted you should follow if you need to do it: change the port away from the default port


nichky

Mon Aug 08, 2022 2:07 am

That is a device just for testing only
 
Jotne

Mon Aug 08, 2022 7:42 am

Then I suggest you remove all other rules that are not needed and only keep the blocking part, to see if some of the other rules give problems.


nichky

Mon Aug 08, 2022 8:27 am

Done, atm I have, see the file:

Jotne

Mon Aug 08, 2022 9:04 am

If you have problems with tarpit, just remove it. It is just used to slow down the hacker. For me it works fine.


nichky

Mon Aug 08, 2022 9:16 am

That is fine, but I'm willing to dive deep.


On your end, if you can play around, can you disable the rules in RAW and try to log in, see what you will get. Play with Tarpit disable/enable
 
Jotne

Mon Aug 08, 2022 11:06 am

I did a test on a CHR router running 7.2rc3.
This has a set of default rules with NAT set up and ether1 as the WAN IP.
The only rules that are added are those from this post +
This one is disabled: add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
And some filter rules to ignore LAN spam filling the logs: UDP/17500 5678 67 138 5634

I have no problem reaching the router with Winbox on the outside interface, with and without the Tarpit filter rules.
The only difference I see when Tarpit is used is that telnet to a port seems to open and just hangs (the point of using tarpit).
I can see the Tarpit counter increase while I do the test.

Tarpit.png

Here is the complete router config:
/export hide-sensitive 
# aug/08/2022 08:05:10 by RouterOS 7.2rc3
# software id = 
#
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.22.10-192.168.22.100
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.22.1/24 interface=bridge1 network=192.168.22.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.22.0/24 gateway=192.168.22.1 netmask=24
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp src-port=""
add action=jump chain=input comment="Drop user that has tried ports that are not open and has bin added to block list. Lim\
    it TARPIT to prevent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT protocol=tcp src-address-list=\
    FW_Block_unkown_port
add action=tarpit chain=TARPIT limit=10,5:packet protocol=tcp
add action=drop chain=TARPIT protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="For test to not clog logs" dst-port=17500 protocol=udp
add action=accept chain=input comment="For test to not clog logs" dst-port=5678 protocol=udp
add action=accept chain=input comment="For test to not clog logs" dst-port=67 protocol=udp
add action=accept chain=input comment="For test to not clog logs" dst-port=138 protocol=udp
add action=accept chain=input comment="For test to not clog logs" dst-port=5684 protocol=udp
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment=\
    "Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=\
    FI_AS_port-test
add action=drop chain=input comment="Drop packets that has not been allowed or dropped before." in-interface=ether1 log=\
    yes log-prefix=FI_D_port-test
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1 protocol=!tcp src-address-list=FW_Block_unkown_port
/system identity
set name=v7.2rc3

Here is a screenshot of Tarpit on a production router. 60 million packets entered Tarpit in 69 days:
Tarpit2.png

----------------------------------------------------------------------------------------
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: 📌 Configuration to block users that tries to access router on non open port(s)

Mon Aug 08, 2022 1:46 pm

I have no problem reaching router with Winbox on outside interface with and without Tarpit filter rules.
Only difference I see when Tarpit is used is that telnet to a port seems to open and just hangs (the point of using tarpit)
I can see Tarpit counter increase while I do the test.
I think that we are not on the same page. I'm not talking about accessing at all. I have repeated that a couple of times and I am doing that for the last time:

When I'm trying to get access from outside with Tarpit enabled, in Winbox I can see "logging in" and it is getting stuck there (the IP address goes on the blocked list).
If I disable tarpit, then because of the drop of everything else I'm seeing "Connecting to 1.2.3.4" (it doesn't know how to get there).


However, thanks for everything!
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Configuration to block users that tries to access router on non open port(s)

Mon Aug 08, 2022 2:40 pm

And I say that in the test above Winbox works fine with Tarpit enabled on my test router on the WAN interface.

One strange thing on your side is that Winbox tells me that I need to switch to Legacy Mode to be able to access your router. Why?
Not seeing this anywhere on my routers.
Legacy.png

 
sorphin
just joined
Posts: 1
Joined: Sat Jan 21, 2023 3:49 am

Re: Configuration to block users that tries to access router on non open port(s)

Sat Jan 21, 2023 4:34 am

Thanks for this. I had been wanting a way to catch all the portscanner bots and waste THEIR resources and time for a change.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Sun Jan 22, 2023 5:11 pm

Jotne, rereading this thread... and will get to my questions.
But couldn't help noticing your multiple comments on servers. MT ARE YOU LISTENING... put a zero trust Cloudflare tunnel in a package... Grow a pair and do it! (of gonads of course).

Okay, let's say there is some validity to your approach and for me to adopt it...

A. So you detect port searching on the router... (not a port already open on the router I presume, not sure how the router knows that)
B. You then block the user by firewall address list.
C. You tarpit the user?
D. You drop the user?

I'm getting confused on the basic concepts here before getting into the config details...
Rextended has a unique way of trapping all other protocols except TCP, okay got that, but the tarpit is confusing me...
He does this in RAW so there is little ramification on CPU...
What about the tarpit, CPU intensive???

Also rextended says to do something different regarding tarpit to ensure it's the external hacker's router that gets loaded, not yours etc...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Once I am happy with a setup will add it to my firewall article...
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Sun Jan 22, 2023 7:24 pm

B. Add to list for 24 hours (can be changed)
C. It should only tarpit to a certain degree, then go to
D. drop, to not kill the router by eating CPU by tarpitting too many IPs.

Tarpit is only an option, as mentioned in the first post.
I have not had any problem with this rule on my routers.


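Since the question is what the 10,5 limit does and why the chain ends in a drop, here is the TARPIT chain shape described above (tarpit to a certain degree, then drop) written out as an added example. It is reconstructed from the thread's description and is not Jotne's verbatim config: the value 10,5 is the one anav quotes, while the :packet mode, the chain name TARPIT and ether1 as the WAN port are assumptions.

```routeros
# Added example reconstructing the TARPIT chain the thread talks about;
# not Jotne's verbatim config. Assumed: ether1 is the WAN port, the chain
# is named TARPIT, and the limit mode is "packet" (10 per second, burst 5,
# the 10,5 value anav quotes). Non-TCP from listed IPs is already dropped by
# the raw/prerouting rule in the export (protocol=!tcp), because only a TCP
# handshake can be tarpitted.

/ip firewall filter
# Top rule: listed scanners on TCP are handed to the TARPIT chain.
add chain=input action=jump jump-target=TARPIT in-interface=ether1 protocol=tcp \
    src-address-list=FW_Block_unkown_port \
    comment="listed scanners: tarpit a few, drop the rest"

# Inside the chain: answer the SYN and keep the connection hanging, for at
# most 10 packets/s (burst 5). tarpit is a terminating action, so only the
# packets beyond the limit fall through to the next rule ...
add chain=TARPIT action=tarpit protocol=tcp limit=10,5:packet \
    comment="hold up to 10 new connections per second"
# ... which drops them, so a flood from many listed IPs costs a lookup and a
# drop instead of a held socket each. This is the "tarpit to a certain
# degree, then drop" described in the thread.
add chain=TARPIT action=drop comment="past the limit: just drop"
```

The limit matcher counts per rule, not per source address, so across all listed IPs at most 10 packets per second are tarpitted and everything above that is a plain drop; raise or lower the rate according to what the router's CPU tolerates. Watching the two TARPIT rule counters tells you how often the limit is actually hit.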
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Sun Jan 22, 2023 8:09 pm

Okay sounds good but don't quite understand...
add action=add-src-to-address-list address-list=FW_Block_unknown_port address-list-timeout=1d chain=input comment=\
"Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=\
FI_AS_port-test

Doesn't this simply add every source address hitting every port on your router???

Why do you have the winbox port coming in from the outside...?
This should be something like... as a first rule so as to bypass all other ports being blocked.
add action=accept chain=input dst-port=<wireguard port> protocol=udp

The next rule does something with those on the firewall address list, but then this is the second time they have attempted something...
You add it to a jump chain okay...

You tarpit these incoming attempts, but what does that mean? And what effect does the 10,5 limit provide...

Then you drop chain tarpit... Very confusing, if you tarpitted above why are you dropping now...??
And WHY only TCP...

So we are tarpitting only TCP connections???

I find your order confusing... I would put the jump chain physically after the input chain to not eff with my mind LOL.

add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment=\
"Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=\
FI_AS_port-test

Again, do you mean any port that is not specifically stated as allowed in the first rules?? Which is accomplished by trapping any source other than those expected...

Okay the raw rule... it also does nothing on the first pass but drops all other second-pass attempts at non-TCP ports.

SO, why not TCP ports as well, or for that matter, tarpit all ports and don't use raw, OR drop all at raw, not just non-TCP.
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Sun Jan 22, 2023 9:54 pm

I am not sure if we are talking about the same thing ;)

Nearly the first thing written: This needs to be the last two filter rules.
So the port tester only adds IPs that do not hit any other open/configured port above.
I have not written anything about Winbox. That is something you need to configure yourself.
The Tarpit config I have just copied from someone else, not my work, and if I do log these settings, it seems to work as intended.

Here is the flow part. RouterOS always applies filter rules from top to bottom (until it hits something that stops the process)

Top rule (use tarpit/drop) or use top rule block in raw.
Rule a
Rule b
Rule c
Rule d
.
.
(and then the final two rules at the bottom of the config)
Second-to-last action. Since the IP does not hit any rule above, add it to the block list.
Last action. Drop the IP and log the action.

Next time the same IP tries to enter the system, it will be blocked by the first rule in raw or by the tarpit/drop section in filters.


 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Mon Jan 23, 2023 4:02 am

Clear as mud, sorry tired, will try tomorrow.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Tue Jan 24, 2023 5:58 pm

Hi Jotne, care to send me an email and perhaps we can chat, or at least type chat via Skype or some other method...
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Tue Jan 24, 2023 6:44 pm

Send me your mail on leroh22700@tingn.com


 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Tue Jan 24, 2023 8:42 pm

Here is the port scan over 6 months on a test router.
You can see scanning of ports goes in waves. Last week 16739 and 50093 were new ports that many IPs tried to scan.
The graph shows port scans x100 with only unique IPs per day. So yesterday 12 000 IPs tried port 16739 on the router.
port.png

 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Wed Jan 25, 2023 8:42 pm

Sent but no answer, confirm received?
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Wed Jan 25, 2023 8:57 pm

Hmm, the temp email does not work. Try once more with this one: fifexoh151@fandua.com


 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Configuration to block users that tries to access router on non open port(s)

Wed Jan 25, 2023 10:08 pm

@Jotne... the mail is on the user forum profile...
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Wed Jan 25, 2023 10:49 pm

I have not seen any possibility to get in contact with others using forum email without posting it publicly. Private messages on the forum are turned off. phpBB does support it.


 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Configuration to block users that tries to access router on non open port(s)

Wed Jan 25, 2023 11:19 pm

What I mean is @anav has written his mail on his user profile, just click on his name... ;)

Now also the signatures are disabled...
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Configuration to block users that tries to access router on non open port(s)

Wed Jan 25, 2023 11:35 pm

Remember that if only 1 BOT finds one open door (or hangs in a tarpit) it can still be the cause of a DDoS attack.

Or a DDoS attack starts for no reason, no matter whether a previous scan attempt is done.

The problem of automatically adding an IP address to a list may just cause the router to crash due to running out of memory
due to too many IPs being added to the list in the event of a DDoS attack.
And now with IPv6...
The tarpit can also be counterproductive, because it causes connection initialization packets to be retransmitted continuously for each connection under tarpit.
If there are thousands of remote DDoSers, the remote packet retransmission caused by the tarpit can duplicate the attack...

Probably the classic drop-all-at-the-end is more suitable in a DDoS attack, if the bandwidth is sufficient or the ISP does its own work...

As an ISP I have a mitigation center.
If for some reason my network is under attack, the traffic, instead of the usual 3ms latency, goes to 35/45ms because all is routed through the Cloudflare center, which has the power to filter any DDoS attack...
I can't reveal other details due to an N.D.A., but ask your ISP to use similar features...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 5:59 pm

So rextended, can you say in conclusion that
using RAW or using TARPIT is actually useless in a REAL SCENARIO for a DDoS attack?

So regardless of any particular router setup, one config is no better than another, is another way of saying it.


If we can agree on that, then let's ignore that scenario as it doesn't matter if we DO or we DO NOT implement Jotne's schema.
So let's focus on kiddie hackers or something less than a botnet attack.

Is there space then for Jotne's setup? In summary, there is a subset of situations where the approach is viable (useful and effective without loading the router).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Let me put it in terms of understanding. :-)
So if drinking Italian wine won't stop colon cancer but it will prevent pimples, should we drink it?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 6:02 pm

RAW can be useful only for blocking fixed address lists (not real-time, but updatable)
or fixed services, if the device on the LAN has public IPs and it is wanted to limit those services only to fixed external IP pools.

Tarpit cannot be compared with RAW; it is like comparing an apple with a bottle.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 6:11 pm

As an ISP I have a mitigation center.
If for some reason my network is under attack, the traffic, instead of the usual 3ms latency, goes to 35/45ms because all is routed through the Cloudflare center, which has the power to filter any DDoS attack...
I can't reveal other details due to an N.D.A., but ask your ISP to use similar features...
We have that embedded in our backbone too (it stays "local" with us). When customers order "lines" with us they can easily purchase volumetric/protocol/application DDoS protection.
Pricing is based on the capacity of their line.
We have seen some pretty big attacks over the last years. Rapidly increasing in power too!
No way you can deal with that as a customer with your "on prem" router ;-)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 6:26 pm

RAW can be useful only for blocking fixed address lists (not real-time, but updatable)
or fixed services, if the device on the LAN has public IPs and it is wanted to limit those services only to fixed external IP pools.

Tarpit cannot be compared with RAW; it is like comparing an apple with a bottle.
Sometimes I think you are Sindy in disguise... or his twin brother. SO OBTUSE and TECHNICAL...
Never giving me the answers I am looking for LOL
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 6:43 pm

PS

It was never the intention to make this a DDoS prevention tool.
Small home routers do not have enough power to handle a big attack.

But if we can make this better, it may help more people.


 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 7:47 pm

So what are we preventing or improving upon, with enough difference in CPU, performance, customer experience, that the
add action=drop chain=input comment="Drop all Else" rule does not already handle adequately???
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 8:54 pm

Simple answer.

If you try a port on my router, why the hell should you see any other stuff on my router.
Try any port that is not open and you will be blocked for a set time.
This will prevent the user/script from trying any other attack for that period.

This may be how a port scanner script works.
1. Scan a range of ports (or all) on a router.
2. Make a list of the open ports.
3. Use different tools for attacking the open ports.
a. RDP
b. HTTP(s)
c. FTP
d. SSH
e. other
4. Enter and misuse the router, or destroy it.

Why else do I see 1000-10000 different IPs a day trying ports that are not open on my router?
Port blocking is not the final solution to prevent attacks, but may help just some.
Other security precautions are also needed...


 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 9:34 pm

Okay so we are saying there are enough fly-by-night hackers, not associated with botnets, that ping off public IPs... that piques your interest.

Again, the question I have is...
So what are we preventing or improving upon, with enough difference in CPU, performance, customer experience, that the
add action=drop chain=input comment="Drop all Else" rule does not already handle adequately???
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 9:53 pm

Both of you mix concepts.

For example:

open port(s).

Where? On the RouterBOARD/RouterOS?
The simplified raw/pre -> conn-track -> mangle/pre -> dst-nat -> routing -> mangle/INPUT -> filter/INPUT chain is involved.

Where? On one device inside the LAN?
The simplified raw/pre -> conn-track -> mangle/pre -> dst-nat -> routing -> mangle/FORWARD -> filter/FORWARD chain is involved.

If on both chains drop-all-at-the-end is present, the rules to leave the ports open must be declared BEFORE.

And a "scanner" can detect those open ports and call all the friends for the party attack.

Instead, if one is not so idiotic as to leave 80 open on RouterOS or on the internal LAN, if some scanner tries to open port 80, it goes directly onto the blacklist,
but that blacklist acts directly on raw/prerouting, before both the input and forward chains,
and this deprives the port scanner of the ability to see any open ports in tcp and udp, the ping, etc.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 10:07 pm

Meow...

Is a language I don't speak, but
if I had to guess and read between the meows, I think Rextended is saying that if you don't have any open ports, the additional rules are not required.

So if one does have ports open, LIKE MOST DO, and has a server going, are the additional rules at least helpful??

You know where I stand... MT produces a package for a zero trust Cloudflare tunnel for all devices and problem solved.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 10:11 pm

is saying if you dont have any open ports, the additional rules are not required.
Voila!
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 10:50 pm

I thought that was obvious, so I now have added to the first post:

"This is only needed if you have one or more port open to internet."

:mrgreen: :mrgreen:


 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 11:46 pm

It was never the intention to make this a DDoS prevention tool.
Small home routers do not have enough power to handle a big attack.
DDoS protection normally cannot be done at home, not because the router does not have enough CPU power, but because the line does not have enough capacity.
Typical home lines of 100-1000 Mbit/s are completely saturated by a typical DDoS attack, and no amount of filtering at the home side of the line will help.

But: be careful with the generic method of "put anyone who tries portscanning me on a blocklist". I have quite some experience with that and I have regularly seen spoofed packets, e.g. a TELNET from 8.8.8.8 to your address; then you block 8.8.8.8 and when that happens to be your DNS service you DoS yourself.
(similar for other well-known services like 1.1.1.1)
This is especially bad when you filter in the "raw" chain, rather than in the forward/input chains after an "accept established/related" rule.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuration to block users that tries to access router on non open port(s)

Thu Jan 26, 2023 11:54 pm

Too funny, that is a good one.........
Well we can all point fingers at who recommended that firewall list thing !!!
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Fri Jan 27, 2023 7:58 am

I have used it on several routers for many years, and never had any problem. Yes you can spoof an IP, and yes you can do DDoS.
The best thing to do is to not have internet at all ;)
PS: the original idea is not mine, I just added more stuff to it like the tarpit, logging etc.


 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Fri Jan 27, 2023 8:13 am

On one test site I do run Cowrie (a honeypot server). There it's easy to see that everything that hits the SSH and Telnet ports is not humans, but scripts that do the same all over.
1. Search for open ports
2. Find a suitable open server with a weak password.
3. Download a script/bin file that works for the current OS (x86/arm/arc/mips etc)
4. Try to run the script and install a botnet on your host

This happens 200+ times a day.
So if you have an open port 443/22/21, you need to protect yourself. If not, someone will enter and abuse your system in one way or another.
Good passwords, patching/updating your server, limiting who can access (if that is possible), and port blocking.
By logging all that one IP tries, you can see that a port scan of some, or in the worst case all, ports is part of the attack.
I also do see many blocked IPs from Russia and China, but they are small in number compared to the US.
Percent of country IPs blocked in the last 7 days.
1. 10.3% Philippines
2. 9.8% South Africa
3. 8.2% USA
4. 6.9% India
.
.
x. 2.0% China
.
.

Here is just the latest SSH/Telnet attack.
Telnet.png

 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Configuration to block users that tries to access router on non open port(s)

Fri Jan 27, 2023 11:09 am

I have used it on several routers for many years, and never had any problem. Yes you can spoof an IP, and yes you can do DDoS.
Well, I only mention it because I have a similar autoblock system, and at some point I suddenly noticed 8.8.8.8 was blocked and I started logging the traffic that caused blocks to see why that happened. Then I saw it happen for 1.1.1.1 as well.
It is not a DDoS. It is just some practical jokers who found that they can make people DoS themselves.
My internet network is a /16 so probably I catch way more junk than you do. But I do not have ports like telnet or ssh open to the internet anyway.
 
Jotne
Forum Guru
Topic Author
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Configuration to block users that tries to access router on non open port(s)

Fri Jan 27, 2023 5:42 pm

You can add an access list above the block filter rule and add IPs that should never be blocked, like 8.8.8.8 etc.
But as an ISP you would never know what IPs clients are using as DNS etc., so it may not work perfectly.


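Putting the thread's pieces together, as an added example that is not the export posted above and not any participant's own config: the closed-port trap from the first post, ordered so that the spoofed-source case pe1chl describes cannot turn into a self-DoS, plus the never-block list mentioned just above. It deliberately keeps the block-list drop in the filter input chain rather than raw/prerouting (the export above uses raw for the non-TCP case). ether1 as the WAN port, the default LAN interface list, the open services (tcp/443 and udp/13231 for WireGuard), the resolver addresses and the list name FW_Never_Block are assumptions for illustration; FW_Block_unkown_port keeps the thread's spelling.

```routeros
# Added example, not the export posted above: closed-port trap in the input
# chain, ordered so a spoofed source cannot turn into a self-DoS.
# Assumed: ether1 is the WAN port, "LAN" is the default interface list,
# tcp/443 and udp/13231 (WireGuard) are the deliberately open services,
# FW_Never_Block is a new list; FW_Block_unkown_port keeps the thread's name.

/ip firewall address-list
# Addresses that must never be listed, whatever a spoofed packet claims.
add list=FW_Never_Block address=8.8.8.8 comment="upstream DNS (assumed)"
add list=FW_Never_Block address=1.1.1.1 comment="upstream DNS (assumed)"

/ip firewall filter
# 1. Replies to connections the router opened itself (DNS, NTP, fetch) are
#    accepted before any block-list rule. Even if 8.8.8.8 does get listed by
#    a spoofed SYN, answers to the router's own queries still pass.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"

# 2. IPs that already probed a closed port: drop everything, open ports and
#    ping included. This sits in filter, not raw, on purpose: raw/prerouting
#    runs before connection tracking and would also drop the replies of step 1.
add chain=input action=drop in-interface=ether1 src-address-list=FW_Block_unkown_port \
    comment="drop IPs that earlier hit a closed port"

# 3. Whatever is meant to be reachable must be accepted here, above the trap.
add chain=input action=accept in-interface=ether1 protocol=tcp dst-port=443 \
    comment="open: https (assumed)"
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=13231 \
    comment="open: wireguard (assumed)"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=LAN comment="accept from LAN"

# 4. The last two rules from the first post. The never-block match keeps a
#    spoofed packet "from" a resolver from listing it; everything else that
#    reaches this point on ether1 asked for a port that is not open.
add chain=input action=add-src-to-address-list in-interface=ether1 \
    src-address-list=!FW_Never_Block address-list=FW_Block_unkown_port \
    address-list-timeout=1d log-prefix=FI_AS_port-test \
    comment="first probe of a closed port: list the source for 1 day"
add chain=input action=drop in-interface=ether1 log=yes log-prefix=FI_D_port-test \
    comment="drop everything not accepted above"
```

The two mitigations are independent: the established/related accept ahead of the block-list drop keeps replies to the router's own queries flowing even if a resolver was listed by a spoofed SYN, and the !FW_Never_Block match keeps a handful of known addresses off the list entirely. Because the drop sits in filter rather than raw, a listed scanner still costs a connection-tracking lookup per packet; that is the price of the caveat raised above. Check what landed on the list with /ip firewall address-list print where list=FW_Block_unkown_port, and test from an outside address with a single probe to a closed port followed by a connection to 443, which should now fail.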
