Help on Port Scanners

Posted: Mon Jan 21, 2019 3:51 pm
by rfritz80
Hello everyone, I saw this on the Mikrotik Wiki on how to help prevent people from using port scanners to find out what ports we use on our routers.
My question is: if I use this rule (below) and use the forward chain, will this automatically drop those IPs that are trying to scan our network?

Drop port scanners

To protect the router from port scanners, we can record the IPs of hackers who try to scan your box. Using this address list we can drop connections from those IPs.

in /ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

Various combinations of TCP flags can also indicate port scanner activity.

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

Then you can drop those IPs:

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Similarly, you can drop these port scanners in the forward chain by using the above rules with "chain=forward".

Re: Help on Port Scanners

Posted: Mon Jan 21, 2019 6:57 pm
by anav
Trying to keep it simple is a good rule of thumb.
For example, this is the only rule I sometimes use:
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner


What this is basically saying is that at a certain rate of repeated attempts (number of attempts within a finite period of time) on any TCP traffic, all ports,
add that address to the list for one week and then drop the list. Simple and effective for basic port scan defense.
Whether it's worth it or not is sometimes debated.
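
As an added illustration (not RouterOS code and not from the wiki or from anav), here is a small Python model of the two matchers used in the rules above: "psd=21,3s,3,1" as anav explains it (weight threshold 21, delay threshold 3 s, weight 3 for privileged ports, weight 1 for the rest) and the "tcp-flags=" rules quoted from the wiki. The psd model follows the documented meaning of the four parameters; how RouterOS tracks the sequence internally is assumed, and all packets and addresses are constructed.

```python
# Added illustration (not RouterOS code): a model of the 'psd=' and 'tcp-flags='
# matchers used in the rules quoted above, run over constructed packets.
# The psd model follows the documented parameter meanings (WeightThreshold,
# DelayThreshold, LowPortWeight, HighPortWeight); RouterOS internals are assumed.

PRIVILEGED_PORT_MAX = 1024  # ports <= 1024 get LowPortWeight, the rest HighPortWeight


class PortScanDetector:
    """Approximates 'psd=21,3s,3,1' (the defaults below are that rule's values)."""

    def __init__(self, weight_threshold=21, delay_threshold=3.0,
                 low_port_weight=3, high_port_weight=1):
        self.threshold = weight_threshold
        self.delay = delay_threshold
        self.low = low_port_weight
        self.high = high_port_weight
        self.state = {}  # src -> (last_seen, distinct_ports, accumulated_weight)

    def observe(self, src, dst_port, now):
        """Return True if this packet completes a port-scan sequence from src."""
        last, ports, weight = self.state.get(src, (None, set(), 0))
        if last is not None and now - last > self.delay:
            ports, weight = set(), 0           # gap > DelayThreshold: new sequence
        if dst_port not in ports:              # only *different* ports add weight
            ports.add(dst_port)
            weight += self.low if dst_port <= PRIVILEGED_PORT_MAX else self.high
        self.state[src] = (now, ports, weight)
        return weight >= self.threshold


def first_match(ports, interval, src="198.51.100.7"):
    """Index of the first packet that trips the detector, or None (constructed traffic)."""
    det = PortScanDetector()
    for i, port in enumerate(ports):
        if det.observe(src, port, i * interval):
            return i
    return None


def tcp_flags_match(spec, packet_flags):
    """RouterOS 'tcp-flags=' semantics: listed flags must be set, '!flag' must be
    clear, and flags not mentioned at all are ignored."""
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("!"):
            if item[1:] in packet_flags:
                return False
        elif item not in packet_flags:
            return False
    return True


# The flag rules quoted from the wiki, in the same order; the first match wins.
FLAG_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]


def classify_flags(packet_flags):
    """Comment of the first quoted rule that matches, or None for ordinary traffic."""
    for spec, comment in FLAG_RULES:
        if tcp_flags_match(spec, packet_flags):
            return comment
    return None


if __name__ == "__main__":
    print("7 low ports, 0.5s apart ->", first_match(range(21, 28), 0.5))
    print("80 then 443             ->", first_match([80, 443], 1.0))
    print("slow scan, 5s apart     ->", first_match(range(21, 40), 5.0))
    for flags in ({"syn"}, {"fin"}, set(), {"fin", "psh", "urg"}, {"fin", "ack"}):
        print(sorted(flags), "->", classify_flags(flags))
```

Two things the model makes visible: a browser hitting 80 and 443 only reaches weight 6, well under 21, while seven privileged ports probed within 3 s of each other cross the threshold; and a scan that spaces its probes more than the delay threshold apart never accumulates weight, which is why the psd rule is a basic defense rather than a complete one. The flag matcher also shows that a normal FIN/ACK or SYN/ACK matches none of the listed rules.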

Re: Help on Port Scanners

Posted: Mon Jan 21, 2019 7:50 pm
by Jotne
I have the following rules on my router:
#near the top
#5
add action=drop chain=input comment="Drop user that has tried blocked ports" in-interface=ether1-Wan log-prefix=\
    FW_Drop_all_from_WAN src-address-list=FW_Block_user_try_unkown_port
.
.
.
.
# at the bottom of the filter list
#15
add action=add-src-to-address-list address-list=FW_Block_user_try_unkown_port address-list-timeout=1d chain=input in-interface=ether1-Wan
#16
add action=drop chain=input comment="Drop all from WAN " in-interface=ether1-Wan log=yes log-prefix=FW_Drop_all_from_WAN
In short, if a person tries one port that is not open on my router, block him for 24 hours on all ports. He has nothing to do on my router.
Strict rule, and you can block yourself out. To prevent blocking myself out, I have a whitelist rule for my work to unlock myself.

In some more detail:
The first time a user enters, rule #5 does nothing, since he is not in the block list FW_Block_user_try_unkown_port.
Then he travels down, and if no rules allow him to enter he hits rule #15, where he is added to FW_Block_user_try_unkown_port.
Rule #16 is just to drop the user and log him (only logs him once, on the first hit).

The second time a user enters, since he is in the block list, he will be blocked at rule #5, with no logging.

I have around 1500 IPs in the access list at all times.
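
As an added illustration (not Jotne's config and not RouterOS code), here is a Python model of the input chain he describes, walking one constructed source through a first and a second visit. Rule numbers #5, #15 and #16, the list name FW_Block_user_try_unkown_port, the interface ether1-Wan, the log prefix and the 1d timeout are taken from his post; the rules in between (his whitelist and whatever services he allows) are not shown in the post, so they are assumed here as one whitelisted address and one open port.

```python
# Added illustration (not Jotne's RouterOS config): a minimal model of the input
# chain he describes. Rule numbers, list name, interface, log prefix and 1d timeout
# come from the post; the whitelist and the open port are assumed placeholders.

ONE_DAY = 24 * 3600
BLOCK_LIST = "FW_Block_user_try_unkown_port"   # list name exactly as in the post


class InputChain:
    def __init__(self, wan="ether1-Wan", open_ports=(443,), whitelist=("192.0.2.10",)):
        self.wan = wan
        self.open_ports = set(open_ports)      # assumed accept rule for a public service
        self.whitelist = set(whitelist)        # assumed "work" whitelist rule
        self.address_lists = {BLOCK_LIST: {}}  # list name -> {ip: expiry time}
        self.log = []                          # what rule #16 would send to the log

    def in_list(self, name, ip, now):
        """Dynamic address-list entries disappear when their timeout elapses."""
        expiry = self.address_lists[name].get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self.address_lists[name][ip]
            return False
        return True

    def process(self, src, dst_port, iface, now):
        """Return (rule, action) for the rule that decided the packet's fate."""
        # rule #5: drop anyone already on the block list, without logging
        if iface == self.wan and self.in_list(BLOCK_LIST, src, now):
            return (5, "drop")
        # rules between #5 and #15 (assumed): whitelist, then the intended services
        if src in self.whitelist:
            return ("whitelist", "accept")
        if dst_port in self.open_ports:
            return ("open-port", "accept")
        if iface == self.wan:
            # rule #15: add-src-to-address-list does not terminate the chain,
            # so the packet continues to rule #16
            self.address_lists[BLOCK_LIST][src] = now + ONE_DAY
            # rule #16: drop and log everything else arriving from the WAN
            self.log.append(f"FW_Drop_all_from_WAN src={src} dst-port={dst_port}")
            return (16, "drop")
        return ("end-of-chain", "accept")      # assumed: non-WAN traffic falls through


def scenario():
    """Constructed walk-through: one scanner, one whitelisted admin address."""
    chain = InputChain()
    t0 = 1_000_000
    scanner, admin = "203.0.113.5", "192.0.2.10"
    first = chain.process(scanner, 8080, "ether1-Wan", t0)               # probes a closed port
    second = chain.process(scanner, 443, "ether1-Wan", t0 + 60)          # blocked even on the open port
    later = chain.process(scanner, 443, "ether1-Wan", t0 + ONE_DAY + 1)  # list entry has expired
    admin_hit = chain.process(admin, 8080, "ether1-Wan", t0)             # whitelisted, never listed
    still_listed = scanner in chain.address_lists[BLOCK_LIST]
    return first, second, later, admin_hit, len(chain.log), still_listed


if __name__ == "__main__":
    for label, value in zip(("first", "second", "later", "admin", "log lines", "listed"),
                            scenario()):
        print(f"{label:>9}: {value}")
```

The model reproduces the two behaviours described above: the first probe of a closed port is dropped and logged once by rule #16 after rule #15 has listed the source, and every later packet from that source, including one aimed at an otherwise open port, is dropped silently by rule #5 until the 1d timeout expires. It also shows why the whitelist matters: the admin address is accepted before rule #15 is ever reached, so a typo in a port number from work does not lock the owner out.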

Re: Help on Port Scanners

Posted: Mon Jan 21, 2019 9:44 pm
by rfritz80
Thank you all so much, this really helps me out a lot. :) Going to try these, thanks :)