This is just a quick "one-liner" draft I'm running; YMMV, so do not blindly copy-paste!
You need to select your WAN interface and make sure you're not actually running these services, or alter the ports.
Feel free to add as many ports as you like to broaden the "honeypot".
Basically, it blacklists (on the WAN interface) any source that tries to open a connection to these TCP/UDP ports:
- 1433 - Microsoft SQL Server
- 8080 - alternative HTTP port
- 21 - File Transfer Protocol (FTP)
- 5060 - Session Initiation Protocol (SIP)
- 5061 - Asterisk, Freeswitch, Vonage (IPBX)
- 5900 - Virtual Network Computing (VNC)
- 25 - Simple Mail Transfer Protocol (SMTP)
- 110 - Post Office Protocol - Version 3 (POP3)
- 1723 - Point-to-Point Tunneling Protocol Virtual Private Networking (PPTP VPN)
- 1337 - DNS / Shadyshell
- 10000 - Multiple / Webmin
- 5800 - Virtual Network Computing (VNC)
- 44443 - ColdFusion / Siteminder
- 16993 - Intel(R) AMT SOAP/HTTPS
In addition, in light of recent events, you might want to add 8291 (Winbox) and 23 (Telnet) to the list. Note that the rules below also match TCP 53 and UDP 53, 123, 5060, 5061 and 3478; remove those if the router legitimately answers DNS, NTP, SIP or STUN on the WAN side.
/ip firewall filter
# Rules are evaluated top to bottom: the two drop rules must sit above any rule that accepts WAN input.
# add-src-to-address-list is non-terminating, so the packet that gets a source listed continues down the chain.
# The empty tcp-flags="" matcher from the original is unset anyway (and meaningless on a UDP rule), so it is omitted.
add action=add-src-to-address-list address-list=Artillery-blacklist address-list-timeout=336h13m chain=input comment="Artillery Blacklist TCP" connection-state=new dst-port=1433,8080,21,5060,5061,5900,25,53,110,1723,1337,10000,5800,44443,16993 in-interface=ether1-WAN log=yes log-prefix="Artillery-blacklist TCP" protocol=tcp src-address-list=!whitelist
# connection-state=new added here to match the TCP rule, so replies to the router's own DNS/NTP/STUN requests cannot land the upstream server on the blacklist.
add action=add-src-to-address-list address-list=Artillery-blacklist address-list-timeout=336h13m chain=input comment="Artillery Blacklist UDP" connection-state=new dst-port=123,53,5060,5061,3478 in-interface=ether1-WAN log=yes log-prefix="Artillery-blacklist UDP" protocol=udp src-address-list=!whitelist
add action=drop chain=input in-interface=ether1-WAN src-address-list=Artillery-blacklist comment="Drop Artillery Blacklist Input"
add action=drop chain=forward in-interface=ether1-WAN src-address-list=Artillery-blacklist comment="Drop Artillery Blacklist Forward"
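The four rules above only do what is intended when they sit in the right place in the input chain. The following is an added example (not the original post's code) of a complete minimal input chain that keeps the honeypot rules behind an established/related accept, ahead of every other accept, and ends with a catch-all drop. It assumes ether1-WAN is the WAN interface, bridge-LAN is the LAN bridge, and 203.0.113.10 is a constructed management address in the documentation range; the port list includes the 8291 and 23 additions mentioned in the post, and the timeout uses 2w, which is the same two weeks as the post's 336h.

```routeros
# Added example, not the original post's code. Assumed names: ether1-WAN (WAN),
# bridge-LAN (LAN bridge), 203.0.113.10 (constructed management address).

/ip firewall address-list
add list=whitelist address=203.0.113.10 comment="Management host, never blacklisted (example address)"

/ip firewall filter
# 1. Replies to the router's own traffic are accepted first, so DNS/NTP/STUN
#    answers from upstream servers never reach the honeypot rules.
add chain=input action=accept connection-state=established,related comment="Accept established/related"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
# 2. Anything already on the blacklist is dropped before any accept rule.
add chain=input action=drop in-interface=ether1-WAN src-address-list=Artillery-blacklist comment="Drop Artillery Blacklist Input"
add chain=forward action=drop in-interface=ether1-WAN src-address-list=Artillery-blacklist comment="Drop Artillery Blacklist Forward"
# 3. Honeypot rules: a new connection to a port the router does not serve on the
#    WAN side lists the source for two weeks. The action is non-terminating, so
#    the packet continues down to the final drop. Whitelisted sources are skipped.
add chain=input action=add-src-to-address-list address-list=Artillery-blacklist address-list-timeout=2w connection-state=new in-interface=ether1-WAN protocol=tcp dst-port=1433,8080,21,5060,5061,5900,25,53,110,1723,1337,10000,5800,44443,16993,8291,23 src-address-list=!whitelist log=yes log-prefix="Artillery-blacklist TCP" comment="Artillery Blacklist TCP"
add chain=input action=add-src-to-address-list address-list=Artillery-blacklist address-list-timeout=2w connection-state=new in-interface=ether1-WAN protocol=udp dst-port=123,53,5060,5061,3478 src-address-list=!whitelist log=yes log-prefix="Artillery-blacklist UDP" comment="Artillery Blacklist UDP"
# 4. Management from the LAN or the whitelist only; everything else from WAN is dropped.
add chain=input action=accept in-interface=bridge-LAN comment="Accept LAN"
add chain=input action=accept in-interface=ether1-WAN src-address-list=whitelist protocol=tcp dst-port=8291 comment="Winbox from whitelist only"
add chain=input action=drop in-interface=ether1-WAN comment="Drop all other WAN input"

# Checks: confirm rule order, see which sources have been caught, and what was logged.
/ip firewall filter print
/ip firewall address-list print where list=Artillery-blacklist
/log print where message~"Artillery-blacklist"
```

On a router that already has filter rules, `add` appends to the end of the chain, so either use `place-before=` on each `add` or reorder afterwards with `/ip firewall filter move`; verify with `/ip firewall filter print` that nothing accepts WAN input above the two drop rules. Populate the whitelist with the address you manage from before enabling the honeypot rules, since a single connection to a listed port from an unlisted address blocks that address for the full timeout.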