Virus Problem

Posted: Wed Dec 22, 2004 2:11 pm
by yomiciouz
Please can anyone help me with how to block Blaster and any other known worm/virus from sending traffic to and from my network.

Thank you

Posted: Wed Dec 22, 2004 2:13 pm
by [ASM]
drop tcp port 137 and 445, and udp port 137-139.

Posted: Thu Dec 23, 2004 3:41 pm
by yomiciouz
Good, I tried it but all of a sudden I am getting a Missing Plug-in error for Winbox.

This is what I have:

1. The MT has two interfaces bridged
2. The MT is only used to monitor and shape bandwidth

Now I want to create a firewall chain that would cause all traffic suspected of carrying a virus/worm to be dropped and logged.

I saw something like that on demo.mt.lv - Virus. I don't know if the ports specified there are real and whether the firewall chain would work.

Please, I am confused; Blaster has eaten up my 512kbps VSAT uplink and it's costing me a hell of a lot of money.

Thank you

here is code from demo.mt.lv

Posted: Tue Jan 04, 2005 7:25 pm
by bax
Here is code from demo.mt.lv; the only thing to keep in mind is to change the web proxy port if you use 3128 (otherwise it will block web traffic).
ip firewall add name=virus
ip firewall rule input add in-interface=all action=jump jump-target=virus comment="!!! Check for well-known viruses !!!"
ip firewall rule forward add in-interface=all action=jump jump-target=virus comment="!!! Check for well-known viruses !!!"

ip firewall rule virus add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm."
ip firewall rule virus add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:593 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1024-1030 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:1214 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1363 protocol=tcp action=drop comment="ndm requester"
ip firewall rule virus add dst-address=:1364 protocol=tcp action=drop comment="ndm server"
ip firewall rule virus add dst-address=:1368 protocol=tcp action=drop comment="screen cast"
ip firewall rule virus add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx"
ip firewall rule virus add dst-address=:1377 protocol=tcp action=drop comment="cichlid"
ip firewall rule virus add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm"
ip firewall rule virus add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus"
ip firewall rule virus add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y"
ip firewall rule virus add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle"
ip firewall rule virus add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor OptixPro"
ip firewall rule virus add dst-address=:4444 protocol=tcp action=drop comment="Worm"
ip firewall rule virus add dst-address=:4444 protocol=udp action=drop comment="Worm"
ip firewall rule virus add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser"
ip firewall rule virus add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B"
ip firewall rule virus add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y"
ip firewall rule virus add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B"
ip firewall rule virus add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus"
ip firewall rule virus add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2"
ip firewall rule virus add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven"
ip firewall rule virus add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, Agobot, Gaobot"

Posted: Tue Jan 04, 2005 9:00 pm
by GJS
Not the quick answer you need, but for the long term I suggest encouraging your users to install AVG Free Anti-Virus software. It is completely free of charge and has solved many virus problems with my users.

Hope that helps.

work

Posted: Tue Jan 04, 2005 9:48 pm
by nikhil
Will this setting work on a public interface and not drop any legitimate traffic? Please advise.

Posted: Wed Jan 05, 2005 2:28 am
by stephenpatrick
I can vouch for AVG, it's kept several organisations I know virus-free for 3+ years since we used it.
A very small "gotcha": AVG6 ran on Windows-anything; the new AVG7 (6 is about to be canned) won't run on a server. Not a huge cost though, and it works.

General point (possibly should be in BETA section):
It seems ISPs are relying on routers such as MT to block excessive traffic from viruses and P2P applications. End users rely on apps such as AVG, etc which update regularly - but a "smart router" could do the same for the ISP, protecting all users + service provision.
Thought: some sort of script that would "apply" sensible traffic rules (bandwidth use, ports) which could automatically be pasted to routers in an ISP/WISP network?
Some sort of semi-automatic download, with some "switches" that differentiate the role of the router in the network, scale, etc.?
Or a "panic kit" of scripts that could be downloaded for certain virus cases?

Is that feasible? ...

Regards

Re: work

Posted: Wed Jan 05, 2005 10:08 am
by mag
Will this setting work on a public interface and not drop any legitimate traffic? Please advise.
I tried it and it is looking good (had to allow 3128/tcp for Squid in rule 18).
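
As an added check, not code from the thread or from demo.mt.lv, the Python script below parses rule lines in the RouterOS 2.x syntax bax posted, reports which drop rules cover a port from a list of legitimate services (the way mag found rule 18 covering Squid's 3128/tcp), and rewrites a conflicting range so that port is left out. The sample rules and the service inventory are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the RouterOS 2.x syntax used in the thread; the third
# rule is the one mag hit, since 3127-3128 also covers Squid's default port.
SAMPLE_RULES = """\
ip firewall rule virus add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:4444 protocol=udp action=drop comment="Worm"
"""

# Constructed inventory of services that must stay reachable: (port, proto) -> name.
# The tcp-only entry on 4444 must not match the udp/4444 drop rule above.
LEGIT_SERVICES: Dict[Tuple[int, str], str] = {(3128, "tcp"): "squid proxy", (4444, "tcp"): "internal app"}

RULE_RE = re.compile(
    r'dst-address=:(?P<lo>\d+)(?:-(?P<hi>\d+))?\s+protocol=(?P<proto>tcp|udp)'
    r'\s+action=(?P<action>\w+)(?:\s+comment="(?P<comment>[^"]*)")?'
)

Rule = NamedTuple("Rule", [("lo", int), ("hi", int), ("proto", str), ("action", str), ("comment", str)])


def parse_rules(text: str) -> List[Rule]:
    """Extract port range, protocol, action and comment from each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            lo = int(m["lo"])
            hi = int(m["hi"]) if m["hi"] else lo
            rules.append(Rule(lo, hi, m["proto"], m["action"], m["comment"] or ""))
    return rules


def find_conflicts(rules: List[Rule], services: Dict[Tuple[int, str], str]) -> List[Tuple[int, str]]:
    """(1-based rule number, service) for every drop rule that covers a legitimate port."""
    return [(n, name) for n, r in enumerate(rules, 1) if r.action == "drop"
            for (port, proto), name in services.items()
            if proto == r.proto and r.lo <= port <= r.hi]


def carve_out(rule: Rule, port: int) -> List[str]:
    """Rewrite a drop rule so it no longer covers `port`; returns RouterOS 2.x rule lines."""
    pieces = []
    if rule.lo < port:
        pieces.append(rule._replace(hi=port - 1))
    if port < rule.hi:
        pieces.append(rule._replace(lo=port + 1))
    return [f'ip firewall rule virus add dst-address=:{p.lo if p.lo == p.hi else f"{p.lo}-{p.hi}"} '
            f'protocol={p.proto} action={p.action} comment="{p.comment}"' for p in pieces]
```

Run `find_conflicts(parse_rules(SAMPLE_RULES), LEGIT_SERVICES)` against your own rule list and service inventory before enabling the chain on a public interface; the rule numbers it reports correspond to the order of the lines, which is how mag referred to "rule 18".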

Posted: Thu Jan 13, 2005 7:18 pm
by Tmontana
Hi all,

Where can I get AVG free anti-virus software? I will appreciate it if you can point me to the download site.

Thanks.

Tony

Posted: Thu Jan 13, 2005 7:35 pm
by yancho