lotnybartek
Frequent Visitor
Topic Author
Posts: 97
Joined: Wed Apr 16, 2014 3:22 pm

Telnet bruteforcers - firewall doesn't work - read my firewall config

Wed Dec 14, 2016 8:20 pm

Hi, RB2011 here.

I have 4 RB2011s; in all of them I'm using protection rules, read below:
# nov/30/2016 15:17:24 by RouterOS 6.37.1
# software id = 5N19-V7VV
#
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
disabled=yes list=bogons
/ip firewall filter
add action=accept chain=forward comment="Allow DrayTek 2710 and Restaurant PC \
to communicate with 10.10.10.0 subnet" dst-address=192.168.1.0/24 \
src-address=10.10.10.1 src-mac-address=00:50:7F:56:AE:08
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
10.10.10.3 src-mac-address=00:60:EF:06:74:EC
add action=drop chain=forward comment=LTE-1 disabled=yes src-address=\
10.10.10.2
add action=drop chain=forward comment=LTE-2 disabled=yes src-address=\
10.10.10.4-10.10.10.254
add action=drop chain=forward comment="Blocking traffic between subnets" \
dst-address=192.168.1.0/24 src-address=10.10.10.0/24
add action=drop chain=forward dst-address=10.0.0.0/24 src-address=\
10.10.10.0/24
add action=accept chain=forward comment=\
"Exclude ether 6 (DrayTek 2710) from FastTrack for simple queues" \
connection-state=established,related out-interface=ether6
add action=accept chain=forward in-interface=ether6
add action=fasttrack-connection chain=forward comment="LAN FastTrack" \
connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="Drop Internet user USER" disabled=yes \
src-mac-address=50:E5:49:5D:E0:1C
add action=accept chain=input comment=PPTP disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input disabled=yes protocol=gre
add action=accept chain=input comment=SSTP disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=input comment=L2TP/IPsec dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
# NOTE: the rate value of limit= is missing from the posted export ("limit=/1m,0");
# it has to be set before this rule can be imported
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
# connection-state was empty ("") in the posted export; restored per the rule comments
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# the rate value of limit= was missing in the posted export ("limit=,5");
# 5 packets/s with a burst of 5 is an assumed value, check it before importing
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
# connection-state was empty ("") in the posted export for the staged rules; restored
# to new (first packet of a connection), as in MikroTik's documented bruteforce
# prevention rules. Four new connections inside the 1m stage timeouts reach the
# blacklist; the fifth is dropped.
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp
add action=drop chain=forward comment="drop telnet brute downstream" \
dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=drop chain=input comment="drop rdp brute forcers" dst-port=3389 \
protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=3389 \
protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
protocol=tcp
add action=drop chain=forward comment="drop rdp brute downstream" dst-port=\
3389 protocol=tcp src-address-list=rdp_blacklist
add action=drop chain=input comment="drop winbox brute forcers" dst-port=8291 \
protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp
add action=drop chain=forward comment="drop winbox brute downstream" \
dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=accept chain=input comment="Port dla Pulpit Managera" disabled=yes \
dst-port=9119 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="MIKROTIK LTE1 MASQUERADE" \
out-interface=lte1
add action=masquerade chain=srcnat comment="MIKROTIK ETHER1 IP" dst-address=\
10.0.0.1 out-interface=ether1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="MIKROTIK ETHER6 IP" dst-address=\
10.10.10.1 out-interface=ether6
add action=dst-nat chain=dstnat comment="Pulpit Menadzera Port 9091" \
dst-address-type=local dst-port=9091 protocol=tcp to-addresses=\
192.168.1.113 to-ports=9091
add action=dst-nat chain=dstnat comment=ScreenConnect dst-port=8040 protocol=\
tcp to-addresses=192.168.1.113 to-ports=8040
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8041 \
protocol=tcp to-addresses=192.168.1.113 to-ports=8041
add action=dst-nat chain=dstnat comment="ePracownik Patron Port 1010" \
dst-address-type=local dst-port=1010 protocol=tcp to-addresses=\
192.168.1.113 to-ports=1010
add action=masquerade chain=srcnat comment=\
"ePracownik Patron Hairpin NAT dla wejsc z LAN" dst-address=192.168.1.113 \
dst-port=1010 out-interface=bridge1 protocol=tcp src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat comment=\
"Pulpit Menadzera Hairpin NAT dla wejsc z LAN" dst-address=192.168.1.113 \
dst-port=9091 out-interface=bridge1 protocol=tcp src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat comment=\
"ScreenConnect Hairpin NAT dla wejsc z LAN" dst-address=192.168.1.113 \
dst-port=8040 out-interface=bridge1 protocol=tcp src-address=\
192.168.1.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
Normally, abusers' IPs are being added to the list and they are blocked. But on my 5th RB2011 nothing happens. The log is full of info about failed logins on telnet.

Anyone got a hint why it works on 4 RB2011 but not on 5th one?
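As an added example (not part of the original post and not MikroTik's own code), the Python model below replays new telnet connections through the five staged telnet rules from the export above, so the escalation stage1 -> stage2 -> stage3 -> blacklist and its 1m timeouts can be checked offline. Two things are assumed rather than taken from the config: that add-src-to-address-list passes the packet on to the next rule, and that re-adding an address refreshes its timeout. The two attacker traces are constructed sample input, not real log data.

```python
from datetime import datetime, timedelta

# Timeouts taken from the posted rules.
STAGE_TIMEOUT = timedelta(minutes=1)                # address-list-timeout=1m
BLACKLIST_TIMEOUT = timedelta(weeks=1, days=3)      # address-list-timeout=1w3d


class AddressLists:
    """Dynamic address lists: name -> {ip: expiry time}."""

    def __init__(self):
        self.lists = {}

    def has(self, name, ip, now):
        """True if ip is on list `name` and its entry has not expired yet."""
        expiry = self.lists.get(name, {}).get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self.lists[name][ip]            # dynamic entry timed out
            return False
        return True

    def add(self, name, ip, now, timeout):
        # Assumption: re-adding an address refreshes its timeout.
        self.lists.setdefault(name, {})[ip] = now + timeout


# The telnet rules in the order they appear in the export:
# (list the source must already be on, or None; list to add it to, or "DROP")
TELNET_RULES = [
    ("telnet_blacklist", "DROP"),
    ("telnet_stage3", "telnet_blacklist"),
    ("telnet_stage2", "telnet_stage3"),
    ("telnet_stage1", "telnet_stage2"),
    (None, "telnet_stage1"),
]


def new_telnet_connection(lists, ip, now):
    """Run the first packet of a new TCP/23 connection through the rules."""
    for needs, target in TELNET_RULES:
        if needs is not None and not lists.has(needs, ip, now):
            continue
        if target == "DROP":
            return "drop"                       # drop is terminal
        timeout = BLACKLIST_TIMEOUT if target == "telnet_blacklist" else STAGE_TIMEOUT
        # Assumption: add-src-to-address-list passes the packet on to the next rule.
        lists.add(target, ip, now, timeout)
    return "pass"


def replay(lines):
    """Feed 'ISO-timestamp source-ip' lines through the rules; return verdicts and lists."""
    lists = AddressLists()
    verdicts = []
    for line in lines:
        ts, ip = line.split()
        verdicts.append(new_telnet_connection(lists, ip, datetime.fromisoformat(ts)))
    return verdicts, lists


# Constructed sample input (not real log data): one attacker retries every 5 s,
# the other waits 61 s between attempts, just outside the 1m stage timeout.
FAST_ATTACKER = ["2016-12-14T20:00:%02d 203.0.113.10" % (5 * i) for i in range(6)]
SLOW_ATTACKER = ["2016-12-14T20:%02d:%02d 198.51.100.7" % divmod(61 * i, 60) for i in range(6)]

if __name__ == "__main__":
    for name, sample in (("fast", FAST_ATTACKER), ("slow", SLOW_ATTACKER)):
        verdicts, lists = replay(sample)
        print(name, verdicts, sorted(lists.lists.get("telnet_blacklist", {})))
```

The fast attacker is blacklisted on its fourth connection and dropped from the fifth on; the slow one never gets past telnet_stage1 because each stage entry expires before the next attempt, which is the limit of a 1m staging window. On the router itself the equivalent check is the rule hit counters (`/ip firewall filter print stats`) and the dynamic entries (`/ip firewall address-list print where list=telnet_stage1`): if the stage1 counter does not move while the log shows failed telnet logins, the rule is not matching those packets at all. Staged blocking only slows a bruteforcer down; not exposing telnet in the first place (`/ip service disable telnet`, and an `address=` restriction on the management services that stay enabled) removes the target.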
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Telnet bruteforcers - firewall doesn't work - read my firewall config

Wed Dec 14, 2016 8:33 pm

You don't seem to have a default drop rule at the end of your filter rules?
 
lotnybartek
Frequent Visitor
Topic Author
Posts: 97
Joined: Wed Apr 16, 2014 3:22 pm

Re: Telnet bruteforcers - firewall doesn't work - read my firewall config

Wed Dec 14, 2016 9:14 pm

Hmm, I don't think it's this. I've checked rule by rule between routers and they are the same. I'm lost here.
 
lotnybartek
Frequent Visitor
Topic Author
Posts: 97
Joined: Wed Apr 16, 2014 3:22 pm

Re: Telnet bruteforcers - firewall doesn't work - read my firewall config

Wed Dec 14, 2016 10:30 pm

Problem sorted.

I imported firewall again and now it works as expected.
