koolandrew
Topic Author

Firewall using dynamic address lists

Tue Oct 23, 2018 6:44 pm

I have an issue with the Mikrotik capturing new activity on the router and sending it to the proper lists. Can someone please comment on this situation?

I am trying to capture many types of hacking attempts by simply creating a Hacker list, and I have two issues.

1. It puts Whitelist IPs into the Hacker category, so does that mean I should have the Hacker rule above the Whitelist rule? I had to add "don't include Whitelist" in the source address list.
2. If we list several ports either with commas or ranges, it doesn't seem to capture the "Hacker" rule, as I am capturing telnet hackers below using "Black List (Telnet)". I have highlighted the two rules in question.

When I check the address lists, there is nothing under Hacker and a whole bunch under "Black List (Telnet)".

I changed the port knocking ports for security reasons.

/ip firewall filter
add action=passthrough chain=forward comment=\
"special dummy rule to allow fasttrack counters"
add action=accept chain=forward comment=Whitelist connection-state="" \
log-prefix=Whitelist src-address-list=Whitelist
add action=accept chain=input comment=Whitelist connection-state="" \
src-address-list=Whitelist
add action=add-src-to-address-list address-list=Temporary \
address-list-timeout=30s chain=input comment="Port Knocking" dst-port=\
41690 protocol=tcp
add action=add-src-to-address-list address-list=Whitelist \
address-list-timeout=1h chain=input dst-port=16907 protocol=tcp \
src-address-list=Temporary
add action=accept chain=input protocol=tcp src-address-list=Whitelist
add action=drop chain=forward comment=Hacker connection-state="" \
src-address-list=Hacker
add action=drop chain=input comment=Hacker connection-state="" \
src-address-list=Hacker
add action=drop chain=forward comment="Hacked PC or Virus" connection-state=\
"" src-address-list="Hacked PC or Virus"
add action=drop chain=input comment="Hacked PC or Virus" connection-state="" \
src-address-list="Hacked PC or Virus"
add action=drop chain=forward comment="Black List (Telnet)" connection-state=\
"" src-address-list="Black List (Telnet)"
add action=drop chain=input comment="Black List (Telnet)" connection-state="" \
src-address-list="Black List (Telnet)"
add action=jump chain=input comment=Hacker connection-state="" jump-target=\
"Hacker TCP Chain" protocol=tcp src-address-list=Whitelist
add action=add-dst-to-address-list address-list=Hacker address-list-timeout=\
none-dynamic chain="Hacker TCP Chain" connection-state=new dst-port=\
21,22,23,24,25,143,8291,64312 protocol=tcp src-address-list=!Whitelist

add action=add-dst-to-address-list address-list="Hacker Stage 1" \
address-list-timeout=30s chain="Hacker TCP Chain" connection-state=new \
disabled=yes dst-port=21,22,23,24,25,143,8291,64312 protocol=tcp
add action=return chain="Hacker TCP Chain" connection-state=""
add action=jump chain=forward comment="Find out if a PC is using unsecure emai\
l ports - so we can identify it and run antivirus" connection-state="" \
jump-target="Hacker TCP Chain" protocol=tcp src-address-list=Whitelist
add action=add-src-to-address-list address-list="Hacked PC" \
address-list-timeout=none-dynamic chain="Hacker TCP Chain" comment=\
"Block Hacked PC - this will also get a complaint from the user" \
connection-state=new dst-port=21-25,143,8291,64312 protocol=tcp \
src-address-list="Hacked PC Stage 1"
add action=add-src-to-address-list address-list="Hacked PC Stage 1" \
address-list-timeout=30s chain="Hacker TCP Chain" comment="Mail Hack" \
connection-state=new dst-port=21-25,143,8291,64312 protocol=tcp
add action=return chain="Hacker TCP Chain" connection-state=""
add action=drop chain=forward comment="Drop Invalid Connections" \
connection-state=invalid log-prefix=i
add action=drop chain=input comment="Drop Invalid Connections" \
connection-state=invalid
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=output comment="Section Break" log-prefix=outbound \
out-interface="Lan Data Network"
add action=accept chain=output comment="Section Break" log-prefix=\
outbound-wan
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="default configuration" \
connection-state=established
add action=jump chain=input comment="Jump to TSG SSH Chain" jump-target=\
"TSG SSH Chain"
add action=add-src-to-address-list address-list="Black List (SSH)" \
address-list-timeout=none-dynamic chain="TSG SSH Chain" comment=\
"Add initial attempt to SSH Stage 1 to Black List" connection-state=new \
dst-port=22 log=yes protocol=tcp
add action=return chain="TSG SSH Chain" comment="Return From TSG SSH Chain"
add action=jump chain=input comment="Jump to TSG Telnet Chain" jump-target=\
"TSG Telnet Chain"
add action=add-src-to-address-list address-list="Black List (Telnet)" \
address-list-timeout=none-dynamic chain="TSG Telnet Chain" comment=\
"Add Initial attempt to Telnet Stage 1 to Black List" connection-state=new \
dst-port=23 protocol=tcp

add action=return chain="TSG Telnet Chain" comment=\
"Return From TSG Telnet Chain"
add action=jump chain=input comment="Jump to TSG Winbox Chain" jump-target=\
"TSG Winbox Chain"
add action=add-src-to-address-list address-list="Black List (Winbox)" \
address-list-timeout=none-dynamic chain="TSG Winbox Chain" comment=\
"Transfer repeated attempts from Winbox Stage 3 to Black-List" \
connection-state=new dst-port=8291 protocol=tcp src-address-list=\
"Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
address-list-timeout=1m chain="TSG Winbox Chain" comment=\
"Add successive attempts to Winbox Stage 3" connection-state=new dst-port=\
8291 protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
address-list-timeout=1m chain="TSG Winbox Chain" comment=\
"Add successive attempts to Winbox Stage 2" connection-state=new dst-port=\
8291 protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
address-list-timeout=1m chain="TSG Winbox Chain" comment=\
"Add Initial attempt to Winbox Stage 1" connection-state=new dst-port=8291 \
protocol=tcp
add action=return chain="TSG Winbox Chain" comment=\
"Return From TSG Winbox Chain"
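A minimal RouterOS filter layout showing the ordering the post is reaching for (whitelist accepted before any list rule, listed sources dropped next, then one add-src rule with a mixed comma/range port list for everyone else), written as an added example rather than the poster's export; the WAN interface name, the chain name "hacker-tcp" and the rule comments are assumptions, the knock ports and list names are taken from the post:

```routeros
# Added example, not the poster's configuration. Assumes the WAN side is ether1.
/ip firewall filter
# 1. Established/related first, so the list rules below only see new connections.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# 2. Two-step port knock: Temporary -> Whitelist (same scheme as the post).
add chain=input action=add-src-to-address-list address-list=Temporary \
    address-list-timeout=30s protocol=tcp dst-port=41690 comment="knock step 1"
add chain=input action=add-src-to-address-list address-list=Whitelist \
    address-list-timeout=1h protocol=tcp dst-port=16907 \
    src-address-list=Temporary comment="knock step 2"
# 3. Whitelisted sources are accepted HERE, so they never reach the list rules
#    and can never be written into Hacker.
add chain=input action=accept src-address-list=Whitelist comment="Whitelist"
# 4. Sources already in Hacker are dropped before anything else is evaluated.
add chain=input action=drop src-address-list=Hacker comment="drop Hacker"
# 5. Any other NEW TCP connection from the WAN goes to the recording chain.
#    Note the jump is NOT restricted to src-address-list=Whitelist; a jump that
#    only admits whitelisted sources into a chain whose rule then requires
#    !Whitelist can never match, and the list stays empty.
add chain=input action=jump jump-target=hacker-tcp protocol=tcp \
    connection-state=new in-interface=ether1 comment="to hacker-tcp"
# 6. add-SRC records the remote address; add-DST on the input chain would
#    record the router's own address. Ranges and commas may be mixed.
add chain=hacker-tcp action=add-src-to-address-list address-list=Hacker \
    address-list-timeout=none-dynamic protocol=tcp \
    dst-port=21-25,143,8291,64312 src-address-list=!Whitelist \
    comment="record probe source"
add chain=hacker-tcp action=return comment="back to input"
# 7. Default deny for unsolicited WAN input; the packet that was just recorded
#    ends here, and every later packet from that source ends at rule 4.
add chain=input action=drop in-interface=ether1 comment="drop other WAN input"
```

Check the result with `/ip firewall address-list print where list=Hacker` after a test connection from a non-whitelisted host; a whitelisted host hitting the same ports should produce no entry because it was accepted at step 3.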