swa69er
just joined
Topic Author
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

defcon firewall + custom firewall where to put?

Sat May 07, 2022 10:43 am

Last week my MT bricked. I checked and there were some attacks in the network:
first netcut, DHCP failed, and some open port 4444 used by malware.

I'm not a networking professional; I found some firewall articles that can protect my MT.

First, the advanced defcon firewall from MT:
https://help.mikrotik.com/docs/display/ ... d+Firewall

Second, my custom firewall:
/ip firewall filter
add action=accept chain=input comment="allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment="BRUTEFORCE WINBOX" connection-state=\
    new dst-limit=1/1m,2,src-and-dst-addresses/1m40s dst-port=8291 protocol=\
    tcp
add action=add-src-to-address-list address-list=BRUTEFORCE-WINBOX \
    address-list-timeout=1w chain=input connection-state=new dst-port=8291 \
    log=yes log-prefix=BRUTEFORCE-WINBOX protocol=tcp
add action=add-src-to-address-list address-list=PORT-SCANNER \
    address-list-timeout=2w chain=input comment="PORT SCANNER" log=yes \
    log-prefix="PORT SCANNER" protocol=tcp psd=21,3s,3,1 src-address-list=\
    !ADMIN-PC
add action=add-src-to-address-list address-list=PORT-SCANNER \
    address-list-timeout=2w chain=forward log=yes log-prefix="PORT SCANNER" \
    protocol=tcp psd=21,3s,3,1 src-address-list=!ADMIN-PC
add action=add-src-to-address-list address-list=PORT-SCANNER \
    address-list-timeout=2w chain=input comment="NMAP FIN STEALTH SCAN" log=\
    yes log-prefix="PORT SCANNER" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=PORT-SCANNER \
    address-list-timeout=2w chain=input comment="SYN/FIN SCAN" log=yes \
    log-prefix="PORT SCANNER" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=PORT-SCANNER \
    address-list-timeout=2w chain=input comment="SYN/RST SCAN" log=yes \
    log-prefix="PORT SCANNER" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=PORT-SCANNER \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG SCAN" log=yes \
    log-prefix="PORT SCANNER" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=PORT-SCANNER \
    address-list-timeout=2w chain=input comment="ALL/ALL SCAN" log=yes \
    log-prefix="PORT SCANNER" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=PROXY-SOCKS-EXPLOIT \
    address-list-timeout=5m chain=forward comment="PROXY SOCKS EXPLOIT" \
    dst-port=8000,3128,1080,4145 in-interface=bridge-WAN log=yes log-prefix=\
    "PROXY SOCKS EXPLOIT" protocol=tcp
add action=add-src-to-address-list address-list=SSH-BLACKLIST \
    address-list-timeout=2w chain=input comment="SSH BLACKLIST" \
    connection-state=new dst-port=22 log=yes log-prefix="SSH BLACKLIST" \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=accept chain=output comment="FTP BLACKLIST" content=\
    "530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=FTP-BLACKLIST \
    address-list-timeout=3h chain=output content="530 Login incorrect" log=\
    yes log-prefix="FTP BLACKLIST" protocol=tcp
add action=add-src-to-address-list address-list=TORRENTERS \
    address-list-timeout=1d chain=forward comment=TORRENT-1 layer7-protocol=\
    torrent log=yes log-prefix=TORRENTERS src-address-list=!ADMIN-PC
add action=add-src-to-address-list address-list=TORRENTERS \
    address-list-timeout=2m chain=forward comment=TORRENT-2 layer7-protocol=\
    layer7-bittorrent-exp log=yes log-prefix=TORRENTERS src-address-list=\
    !ADMIN-PC

/ip firewall raw
add action=add-src-to-address-list address-list=NETCUT address-list-timeout=\
    1w chain=prerouting comment=NETCUT content=.arcai.com log=yes log-prefix=\
    NETCUT
add action=drop chain=prerouting src-address-list=NETCUT
add action=drop chain=prerouting comment="NETCUT PING" in-interface=\
    bridge-KOST protocol=icmp
add action=drop chain=prerouting in-interface=bridge-PUB protocol=icmp
add action=drop chain=prerouting comment=BRUTEFORCE-WINBOX dst-port=8291 \
    log-prefix=BRUTEFORCE-WINBOX protocol=tcp src-address-list=\
    BRUTEFORCE-WINBOX
add action=drop chain=prerouting comment="PORT SCANNER" src-address-list=\
    PORT-SCANNER
add action=drop chain=prerouting comment="PROXY SOCKS EXPLOIT" log-prefix=\
    "DROP PROXY SOCKS : " src-address-list=PROXY-SOCKS-EXPLOIT
add action=drop chain=prerouting comment="SSH BLACKLIST" src-address-list=\
    SSH-BLACKLIST
add action=drop chain=prerouting comment="FTP BLACKLIST" src-address-list=\
    FTP-BLACKLIST
add action=drop chain=prerouting comment=TORRENT dst-port=\
    !0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
    src-address-list=TORRENTERS
add action=drop chain=prerouting dst-port=\
    !0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
    src-address-list=TORRENTERS
add action=drop chain=prerouting comment="DROP ACTIVE DIRECTORY" dst-port=445 \
    log-prefix="drop 445 : " protocol=tcp
add action=drop chain=prerouting comment="DROP TCPMUX" dst-port=1 log-prefix=\
    "drop 445 : " protocol=tcp
add action=drop chain=prerouting comment="DROP NETBIOS" dst-port=137-139 \
    log-prefix="drop 445 : " protocol=tcp
add action=drop chain=prerouting dst-port=137-139 log-prefix="drop 445 : " \
    protocol=udp
add action=drop chain=prerouting comment="DROP DNS & WEBPROXY" dst-port=\
    8080,53 in-interface=bridge-WAN protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=bridge-WAN \
    protocol=udp
and some blocked lists of ports used by malware.

The question is simple: should I put it after defcon or before defcon?
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: defcon firewall + custom firewall where to put?

Sat May 07, 2022 12:13 pm

Preferably after the default configuration, as the current default config is pretty safe. The last rule in the default config drops anything not coming in from LAN.
So when adapting the default config, beware that most guides found on the net (MikroTik's own included) predate the current config, hence it's not wise to simply copy-paste rules; one has to think about what a particular rule aims to achieve and see if the default rules don't do it already. And if they don't, how to implement the rule most efficiently.
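One way to check the ordering point made above before pasting rules in, as an added example that is not code from this thread or from MikroTik: it parses a RouterOS-style export in the same shape as the one posted (backslash continuations, key=value tokens) using a constructed sample, and reports any rule that sits behind the default config's final catch-all drop in its chain, since such a rule never sees WAN traffic. The sample export and the field names it contains are assumptions made for the example.

```python
import re

# Constructed sample in the shape of the export posted above. The "drop all not
# coming from LAN" rule is how the current default config ends its input chain;
# the ssh_stage1 rule is pasted after it, which is the mistake this script flags.
SAMPLE_EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="ssh stage1" connection-state=new \
    dst-port=22 protocol=tcp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
'''

# Keys that do not narrow what a rule matches.
NON_MATCHER_KEYS = {'action', 'chain', 'comment', 'log', 'log-prefix', 'disabled'}

def parse_rules(text):
    """Join backslash-continued lines, then return one dict of fields per 'add' rule."""
    joined = re.sub(r'\\\n\s*', '', text)
    rules = []
    for line in joined.splitlines():
        if line.startswith('add '):
            fields = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
            rules.append({k: v.strip('"') for k, v in fields})
    return rules

def is_catch_all_drop(rule):
    """A drop whose only matcher is the interface list: the default config's last input rule."""
    matchers = set(rule) - NON_MATCHER_KEYS
    return rule.get('action') == 'drop' and matchers <= {'in-interface-list'}

def shadowed_rules(rules):
    """(position, chain, comment) of rules placed after a catch-all drop in the same chain."""
    closed, found = set(), []
    for pos, rule in enumerate(rules, start=1):
        if rule.get('chain') in closed:
            # Evaluation is first-match; the earlier drop already ended it for WAN traffic.
            found.append((pos, rule['chain'], rule.get('comment', rule['action'])))
        elif is_catch_all_drop(rule):
            closed.add(rule['chain'])
    return found

for pos, chain, comment in shadowed_rules(parse_rules(SAMPLE_EXPORT)):
    print(f'rule {pos} in chain {chain} ({comment}) sits behind the catch-all drop')
```

Run it against your own `/ip firewall filter export` output instead of the sample to see which pasted rules the default drop makes unreachable for WAN traffic.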
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: defcon firewall + custom firewall where to put?

Sat May 07, 2022 4:13 pm

Concur: start with the default firewall rules, then slowly improve as you start to understand what each rule does.
Suggested link - viewtopic.php?t=180838

1 - First and foremost, NETINSTALL the firmware you want to use; I recommend ver6 LONG TERM 6.48.6, I think, if using ver6. If your router was at all suspected of hacking attempts, netinstall puts on fresh firmware that will not contain any bad code. Ensure you copy (download an export file) your current config as a guide.
2 - Avoid all the bloatware rules on the internet and YouTube; the link above will get you safely to drop-all rules at the end of the input and forward chains.
3 - Don't allow access to the router from the internet (input chain) unless it's a VPN port!
4 - Change the default password right away.
 
swa69er
just joined
Topic Author
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Re: defcon firewall + custom firewall where to put?

Sun May 08, 2022 9:35 am

Preferably after the default configuration, as the current default config is pretty safe. The last rule in the default config drops anything not coming in from LAN.
So when adapting the default config, beware that most guides found on the net (MikroTik's own included) predate the current config, hence it's not wise to simply copy-paste rules; one has to think about what a particular rule aims to achieve and see if the default rules don't do it already. And if they don't, how to implement the rule most efficiently.
https://help.mikrotik.com/docs/display/ ... d+Firewall
Is this outdated?

Suggested link - viewtopic.php?t=180838
Very helpful article, thank you.
Do you have any idea about bogon IPs?
I found out my network sends bogon IPs.
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: defcon firewall + custom firewall where to put?

Sun May 08, 2022 10:54 am

Not syntactically, so you can follow this article. The problem is that it doesn't build on the default firewall rule set, and that can cause the confusion which prompted you to come here and ask the question you asked. Many of the other cookbooks are based on older firewall config defaults, which were less secure as shipped. And some added methods are either convoluted or needless with modern defaults (or both).

One thing that many users (even experienced ones) don't realize is that there are two types of default configurations, with one sub-type, available on ROS:
  1. No firewall on the "pro line" of devices. This includes CCR devices, CRS devices and a few high-end RB devices (e.g. RB1100 et al.). Many articles aim at these devices and should be taken as hints as to what to configure. It still needs a knowledgeable firewall admin to do things right.
  2. Pretty secure firewall on the rest of the devices ... if these are reset to factory defaults or initially configured with one of the predefined configuration profiles. Mind that the focus of this firewall rule set is protecting the device itself and the local network from attacks from WAN, which is mostly fine for a SOHO installation. It doesn't focus on protecting the device or internet hosts from attacks originating from LAN, though. Quite a few firewall cookbooks add rules which add this kind of protection.
  2a. Sub-type: IPv6 firewall under ROS v6 is a problematic thing. IPv6 is an optional package in ROS v6, and optional packages don't enforce their own default config when installed. If a user simply installs the IPv6 package, the firewall for IPv6 remains non-existent (router and LAN are wide open). Then there are two options: reset the (whole) router config to defaults (this gets the default IPv6 firewall rules instated) but the device needs to be re-customized again (don't even think of using a binary backup to restore the config, that would wipe the IPv6 firewall again), or manually add IPv6 firewall rules by looking at the /system default-config print output (this option does not exist for devices mentioned in bullet #1).
