最简单的彻底禁止公网访问SSH/FTP端口
# Drop inbound FTP (21) and SSH (22) to the router itself from any source that is
# NOT in the "allow-addresses" address list. Populate that list with the trusted
# management addresses before adding the rule; if the list is empty, every SSH/FTP
# session to the router is dropped, including the administrator's.
# The rule is not bound to an interface, so LAN-side sources missing from the
# list are dropped as well.
/ip firewall filter add action=drop chain=input protocol=tcp dst-port=21-22 src-address-list=!allow-addresses disabled=no comment="禁止公网SSH & FTP"
使用IP列表来实现更灵活的策略，三分钟之内只能允许建立三次新会话，超过了就阻塞
# Staged brute-force throttle for the router's own login services
# (FTP 21, SSH 22, Telnet 23, Winbox 8291).
#
# Rule order is significant. The chain is evaluated top-down and
# add-src-to-address-list does not terminate rule processing (per the RouterOS
# firewall docs — confirm on the version in use), so one new connection is tested
# against every stage rule: a source already at stage N is promoted to stage N+1
# and, by the last rule, (re)recorded at stage1. Stage entries live 1m, the
# blacklist entry 1d.
#
# As configured there are five stages, so a source gets five new connections
# (each within 1m of the previous) before the sixth lands it in login_blacklist
# and rule 1 starts dropping it. The heading above describes three attempts in
# three minutes; that does not match these timeouts and stage count.
#
# Nothing here exempts trusted sources: an administrator who opens several
# Winbox/SSH sessions in quick succession is blacklisted for 1d as well.
#
# 1. Drop everything to the login ports from a blacklisted source.
/ip firewall filter add action=drop chain=input protocol=tcp dst-port=21,22,23,8291 src-address-list=login_blacklist comment="drop login brute forcers 1" disabled=no
# 2. stage5 -> login_blacklist (1d).
/ip firewall filter add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1d chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage5 comment="drop login brute forcers 2" disabled=no
# 3. stage4 -> stage5 (1m).
/ip firewall filter add action=add-src-to-address-list address-list=login_stage5 address-list-timeout=1m chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage4 comment="drop login brute forcers 3" disabled=no
# 4. stage3 -> stage4 (1m).
/ip firewall filter add action=add-src-to-address-list address-list=login_stage4 address-list-timeout=1m chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage3 comment="drop login brute forcers 4" disabled=no
# 5. stage2 -> stage3 (1m).
/ip firewall filter add action=add-src-to-address-list address-list=login_stage3 address-list-timeout=1m chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage2 comment="drop login brute forcers 5" disabled=no
# 6. stage1 -> stage2 (1m).
/ip firewall filter add action=add-src-to-address-list address-list=login_stage2 address-list-timeout=1m chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage1 comment="drop login brute forcers 6" disabled=no
# 7. Any other new connection to the login ports records the source at stage1 (1m).
/ip firewall filter add action=add-src-to-address-list address-list=login_stage1 address-list-timeout=1m chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new comment="drop login brute forcers 7" disabled=no
防端口扫描
# Port-scan detection for traffic addressed to the router itself (input chain).
# Rules 1-7 only tag the source in the "port scanners" address list (14d);
# rule 8 must stay last so that tagged sources are then dropped. Because
# add-src-to-address-list is non-terminating, the tagging packet itself also
# reaches the drop rule.
#
# tcp-flags semantics (RouterOS): listed flags must be set, "!flag" must be
# clear, flags not listed are ignored. E.g. "fin,syn" matches any packet with
# both FIN and SYN set regardless of the other bits.
#
# Caveats: none of these rules is limited to connection-state=new or to a WAN
# interface, so a single malformed packet from any side — including one with a
# spoofed source address — puts that source on the list for 14 days and blocks
# all of its input traffic. Keep the list's contents under review.
#
# 1. Port-scan detection: psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d chain=input protocol=tcp psd=21,3s,3,1 comment="Port scanners to list" disabled=no
# 2. FIN only.
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg comment="NMAP FIN Stealth scan"
# 3. SYN and FIN both set (never valid).
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d chain=input protocol=tcp tcp-flags=fin,syn comment="SYN/FIN scan"
# 4. SYN and RST both set (never valid).
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d chain=input protocol=tcp tcp-flags=syn,rst comment="SYN/RST scan"
# 5. FIN+PSH+URG without SYN/RST/ACK.
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack comment="FIN/PSH/URG scan"
# 6. Every flag set.
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg comment="ALL/ALL scan"
# 7. No flag set.
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg comment="NMAP NULL scan"
# 8. Drop all input (any protocol) from listed sources.
/ip firewall filter add action=drop chain=input src-address-list="port scanners" comment="dropping port scanners" disabled=no