First there was netcut, then DHCP failed, and now there is some open port 4444 used by malware.
I'm not a networking professional; I found a firewall article that can protect my MT.
First, the advanced firewall from MT (defcon):
https://help.mikrotik.com/docs/display/ ... d+Firewall
Second, my custom firewall:
# ---------------------------------------------------------------------------
# /ip firewall filter
#
# Rules are evaluated top to bottom and the first match wins, so the order
# below is part of the configuration. This section only accepts, rate-limits
# and classifies traffic into address lists; the matching drop rules live in
# /ip firewall raw, which runs before these chains.
# ---------------------------------------------------------------------------
/ip firewall filter

# Management VPN: OpenVPN on TCP/1194 is always accepted on input.
add chain=input action=accept protocol=tcp dst-port=1194 \
    comment="allow OpenVPN"

# Winbox brute-force guard. New connections to 8291 are accepted at 1/min
# (burst 2) per src/dst address pair; whatever exceeds that falls through to
# the next rule and is listed in BRUTEFORCE-WINBOX for a week.
# NOTE(review): unlike the PSD rules below there is no ADMIN-PC exclusion,
# so an admin reconnecting more than twice a minute is listed as well.
add chain=input action=accept protocol=tcp dst-port=8291 \
    connection-state=new \
    dst-limit=1/1m,2,src-and-dst-addresses/1m40s \
    comment="BRUTEFORCE WINBOX"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=8291 \
    connection-state=new address-list=BRUTEFORCE-WINBOX \
    address-list-timeout=1w log=yes log-prefix=BRUTEFORCE-WINBOX

# Port-scan detection (psd=weight,delay,low-weight,high-weight) on traffic
# to the router (input) and through it (forward); hosts in ADMIN-PC are
# exempt. Offenders stay on PORT-SCANNER for two weeks.
add chain=input action=add-src-to-address-list protocol=tcp \
    psd=21,3s,3,1 src-address-list=!ADMIN-PC \
    address-list=PORT-SCANNER address-list-timeout=2w \
    log=yes log-prefix="PORT SCANNER" comment="PORT SCANNER"
add chain=forward action=add-src-to-address-list protocol=tcp \
    psd=21,3s,3,1 src-address-list=!ADMIN-PC \
    address-list=PORT-SCANNER address-list-timeout=2w \
    log=yes log-prefix="PORT SCANNER"

# Invalid TCP flag combinations that only appear in scanners. These have no
# ADMIN-PC exclusion, which is fine: legitimate stacks never send them.
add chain=input action=add-src-to-address-list protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
    address-list=PORT-SCANNER address-list-timeout=2w \
    log=yes log-prefix="PORT SCANNER" comment="NMAP FIN STEALTH SCAN"
add chain=input action=add-src-to-address-list protocol=tcp \
    tcp-flags=fin,syn \
    address-list=PORT-SCANNER address-list-timeout=2w \
    log=yes log-prefix="PORT SCANNER" comment="SYN/FIN SCAN"
add chain=input action=add-src-to-address-list protocol=tcp \
    tcp-flags=syn,rst \
    address-list=PORT-SCANNER address-list-timeout=2w \
    log=yes log-prefix="PORT SCANNER" comment="SYN/RST SCAN"
add chain=input action=add-src-to-address-list protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack \
    address-list=PORT-SCANNER address-list-timeout=2w \
    log=yes log-prefix="PORT SCANNER" comment="FIN/PSH/URG SCAN"
add chain=input action=add-src-to-address-list protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg \
    address-list=PORT-SCANNER address-list-timeout=2w \
    log=yes log-prefix="PORT SCANNER" comment="ALL/ALL SCAN"

# Inbound probes from the WAN bridge for common proxy/SOCKS ports on hosts
# behind the router are listed for five minutes.
add chain=forward action=add-src-to-address-list protocol=tcp \
    in-interface=bridge-WAN dst-port=8000,3128,1080,4145 \
    address-list=PROXY-SOCKS-EXPLOIT address-list-timeout=5m \
    log=yes log-prefix="PROXY SOCKS EXPLOIT" comment="PROXY SOCKS EXPLOIT"

# SSH staging: each new TCP/22 connection promotes the source one stage
# (stage1 -> stage2 -> stage3, 1 minute each). A fourth new connection
# within that window, i.e. a source already on ssh_stage3, is blacklisted
# for two weeks. The check for stage3 must stay above the promotion rules.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
    connection-state=new src-address-list=ssh_stage3 \
    address-list=SSH-BLACKLIST address-list-timeout=2w \
    log=yes log-prefix="SSH BLACKLIST" comment="SSH BLACKLIST"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
    connection-state=new src-address-list=ssh_stage2 \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
    connection-state=new src-address-list=ssh_stage1 \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
    connection-state=new \
    address-list=ssh_stage1 address-list-timeout=1m

# FTP brute-force detection on the router's own replies: up to 9 failed
# logins per minute per destination are tolerated, the tenth lists the
# peer in FTP-BLACKLIST for three hours.
add chain=output action=accept protocol=tcp \
    content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m \
    comment="FTP BLACKLIST"
add chain=output action=add-dst-to-address-list protocol=tcp \
    content="530 Login incorrect" \
    address-list=FTP-BLACKLIST address-list-timeout=3h \
    log=yes log-prefix="FTP BLACKLIST"

# BitTorrent classification via layer7 matchers (defined elsewhere, not
# shown here); ADMIN-PC is exempt.
add chain=forward action=add-src-to-address-list \
    layer7-protocol=torrent src-address-list=!ADMIN-PC \
    address-list=TORRENTERS address-list-timeout=1d \
    log=yes log-prefix=TORRENTERS comment=TORRENT-1
add chain=forward action=add-src-to-address-list \
    layer7-protocol=layer7-bittorrent-exp src-address-list=!ADMIN-PC \
    address-list=TORRENTERS address-list-timeout=2m \
    log=yes log-prefix=TORRENTERS comment=TORRENT-2
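# ---------------------------------------------------------------------------
# /ip firewall raw
#
# The raw prerouting chain is evaluated before connection tracking and
# before the filter chains, so every drop below applies regardless of what
# the filter rules (including a default/defconf set) would later accept.
# It carries the enforcement half of the address lists populated in
# /ip firewall filter.
#
# Fix: the TCPMUX and NETBIOS drop rules had the log-prefix "drop 445 : "
# copied from the SMB rule; each prefix now names the port it matches.
# NOTE(review): log-prefix is only emitted when log=yes is set on the rule;
# none of the port-drop rules here set it, so they are currently silent.
# ---------------------------------------------------------------------------
/ip firewall raw

# netcut-style tools phone home to *.arcai.com; list the sender for a week
# and drop everything from listed sources.
add chain=prerouting action=add-src-to-address-list \
    content=.arcai.com \
    address-list=NETCUT address-list-timeout=1w \
    log=yes log-prefix=NETCUT comment=NETCUT
add chain=prerouting action=drop src-address-list=NETCUT

# Drops ALL ICMP entering from these two bridges, not just echo-request.
# NOTE(review): that also discards ICMP errors (e.g. fragmentation-needed)
# from those segments; restricting to echo-request with icmp-options=8:0
# would keep the netcut-ping intent while leaving path MTU discovery intact.
add chain=prerouting action=drop protocol=icmp in-interface=bridge-KOST \
    comment="NETCUT PING"
add chain=prerouting action=drop protocol=icmp in-interface=bridge-PUB

# Enforcement for the lists built in /ip firewall filter.
add chain=prerouting action=drop protocol=tcp dst-port=8291 \
    src-address-list=BRUTEFORCE-WINBOX \
    log-prefix=BRUTEFORCE-WINBOX comment=BRUTEFORCE-WINBOX
add chain=prerouting action=drop src-address-list=PORT-SCANNER \
    comment="PORT SCANNER"
add chain=prerouting action=drop src-address-list=PROXY-SOCKS-EXPLOIT \
    log-prefix="DROP PROXY SOCKS : " comment="PROXY SOCKS EXPLOIT"
add chain=prerouting action=drop src-address-list=SSH-BLACKLIST \
    comment="SSH BLACKLIST"
add chain=prerouting action=drop src-address-list=FTP-BLACKLIST \
    comment="FTP BLACKLIST"

# Listed torrent clients keep only the explicitly allowed destination
# ports (well-known range plus management/remote-desktop ports); every
# other TCP/UDP destination port is dropped.
add chain=prerouting action=drop protocol=tcp \
    dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 \
    src-address-list=TORRENTERS comment=TORRENT
add chain=prerouting action=drop protocol=udp \
    dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 \
    src-address-list=TORRENTERS

# Windows file-sharing / legacy services. No in-interface is given, so
# these apply to traffic arriving on every interface, LAN bridges included.
add chain=prerouting action=drop protocol=tcp dst-port=445 \
    log-prefix="drop 445 : " comment="DROP ACTIVE DIRECTORY"
add chain=prerouting action=drop protocol=tcp dst-port=1 \
    log-prefix="drop 1 : " comment="DROP TCPMUX"
add chain=prerouting action=drop protocol=tcp dst-port=137-139 \
    log-prefix="drop 137-139 : " comment="DROP NETBIOS"
add chain=prerouting action=drop protocol=udp dst-port=137-139 \
    log-prefix="drop 137-139 : "

# Keep the router's DNS cache and web proxy from being reachable from the
# WAN bridge (open-resolver / open-proxy abuse).
add chain=prerouting action=drop protocol=tcp dst-port=8080,53 \
    in-interface=bridge-WAN comment="DROP DNS & WEBPROXY"
add chain=prerouting action=drop protocol=udp dst-port=53 \
    in-interface=bridge-WAN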
The question is simple: should I put my rules after defcon or before defcon?