This is only needed if you have one or more ports open to the internet.
I use these filter rules to block, for 24 hours, users that try any non-open port on my router, to give some protection to the already open ports.
So if a user tries to access my router on port 8291, their IP will end up in an address list for blocked users and will be blocked on all ports, even 443, which is open for all. This way the user of this IP will not find any open port. Users that try a non-open port on my router have no business there, so 100% block.
These need to be the last two filter rules.
/ip firewall filter
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment="Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=FI_AS_port-test
add action=drop chain=input comment="Drop packets that has not been allowed or dropped before." in-interface=ether1 log=yes log-prefix=FI_D_port-test
The first line adds the IP to the access list FW_Block_unkown_port.
The second line then drops the packet.
This way packets from that IP are only logged the first time it hits.
Top line simple:
/ip firewall raw
add action=drop chain=prerouting comment="Drop user that has tried ports that are not open and has been added to block list" in-interface=ether1 src-address-list=FW_Block_unkown_port
Top line more advanced (What I do use):
/ip firewall filter
add action=jump chain=input comment="Drop user that has tried ports that are not open and has been added to block list. Limit TARPIT to prevent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT protocol=tcp src-address-list=FW_Block_unkown_port
add action=tarpit chain=TARPIT limit=10,5:packet protocol=tcp
add action=drop chain=TARPIT protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1 protocol=!tcp src-address-list=FW_Block_unkown_port
First line: jumps to the TARPIT chain if the IP is in access list FW_Block_unkown_port.
Second line: sends the packet to tarpit to slow down the user's attack on the router. This may use some resources, so it is only used until the limit hits.
Third line: drops the rest of the TCP attack.
Fourth and fifth line: drop everything other than the TCP attack.
To not block myself out, I use port knock. The access list for allowed port-knock users must be above the block access list.
My block access list contains from 5000 to 10000 IP addresses at all times (no problem for an hEX router).
Around 50% are sent to tarpit and blocked, the rest are blocked directly.
Since last reboot (18 days ago)
86000 IPs blocked (each IP only counted once every 24 hours)
30 000 000 packets sent to tarpit chain
15 000 000 packets tarpitted
15 000 000 tcp packets dropped
750 000 udp packets dropped
Suggestions and improvements are always welcome.
----------------------------------------------------------------------------------------
Use Splunk> to log/monitor your MikroTik Router(s). See link below.
MikroTik->Splunk
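An added example, not part of the original post: a Python check that reads a RouterOS export and confirms the two ordering requirements stated above for the filter input chain (add-to-list then drop as the last two rules, and the port-knock allow list above the block list). The allow-list name FW_Allow_knock and both sample exports are constructed for illustration.

```python
import re
import shlex

BLOCK, ALLOW = "FW_Block_unkown_port", "FW_Allow_knock"  # ALLOW: hypothetical knock list

def input_rules(export):
    """Return the filter-table input-chain rules of a RouterOS export, in order."""
    export = re.sub(r"\\\n\s*", "", export)   # join lines the export wrapped with "\"
    rules, table = [], None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            table = line                      # menu line, e.g. "/ip firewall raw"
        elif line.startswith("add ") and table == "/ip firewall filter":
            props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if props.get("chain") == "input":
                rules.append(props)
    return rules

def check_order(export, block=BLOCK, allow=ALLOW):
    """List ordering problems; an empty list means the order matches the post."""
    rules, problems = input_rules(export), []
    tail = [r.get("action") for r in rules[-2:]]
    if tail != ["add-src-to-address-list", "drop"] or rules[-2].get("address-list") != block:
        problems.append("last two input rules are not add-to-list then drop")
    def first(name, actions):                 # index of first rule matching that list
        return next((i for i, r in enumerate(rules)
                     if r.get("src-address-list") == name and r.get("action") in actions), None)
    allow_i, block_i = first(allow, {"accept"}), first(block, {"drop", "jump"})
    if block_i is not None and (allow_i is None or allow_i > block_i):
        problems.append("allow-list accept is missing or below the block-list rule")
    return problems

# Constructed sample exports (not from the post).
GOOD = """/ip firewall filter
add action=accept chain=input in-interface=ether1 src-address-list=FW_Allow_knock
add action=jump chain=input in-interface=ether1 jump-target=TARPIT protocol=tcp src-address-list=FW_Block_unkown_port
add action=accept chain=input dst-port=443 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment="Add IP of user" in-interface=ether1
add action=drop chain=input in-interface=ether1 log=yes
add action=tarpit chain=TARPIT limit=10,5:packet protocol=tcp
"""
BAD = """/ip firewall filter
add action=jump chain=input jump-target=TARPIT protocol=tcp src-address-list=FW_Block_unkown_port
add action=accept chain=input src-address-list=FW_Allow_knock
add action=drop chain=input
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input
"""

if __name__ == "__main__":
    print(check_order(GOOD), check_order(BAD))
```

The check covers only the filter table. A drop in /ip firewall raw is evaluated before any filter rule, so an allow rule in the filter table does not exempt an address from the raw rules.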