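# MikroTik RouterOS firewall filter rules (export-style listing).
# Chains defined below: recent (staged connection counting that feeds
# alst-BAN-MNGMT), mngmt (policy for the management ports), icmp, input,
# output, forward.
# Address lists that are matched but not populated by any rule on this page:
# alst-ADMIN, alst-LOCAL -- presumably maintained by hand; confirm before
# relying on them.
# The disabled action=log rules whose comment is =NAME= carry no traffic;
# they only act as visual section markers in the rule list.
/ip firewall filter
# --- chain: recent -------------------------------------------------------
add action=log chain=recent comment==RECENT= disabled=yes
# Stages are listed highest-first so that a single packet moves a source up
# one stage only (ST3 -> ban for 30m, ST2 -> ST3, ST1 -> ST2, none -> ST1).
# add-src-to-address-list does not terminate the chain: the packet that
# triggers the ban still reaches the accept "Default rule" below, and the
# source is only blocked by the alst-BAN-MNGMT drop in /ip firewall raw.
add action=add-src-to-address-list address-list=alst-BAN-MNGMT address-list-timeout=30m chain=recent comment="Stage #4 - ban action" log=yes log-prefix=banned-mngmt src-address-list=alst-RECENT-ST3
add action=add-src-to-address-list address-list=alst-RECENT-ST3 address-list-timeout=1m chain=recent comment="Stage #3 - third connection match" src-address-list=alst-RECENT-ST2
add action=add-src-to-address-list address-list=alst-RECENT-ST2 address-list-timeout=1m chain=recent comment="Stage #2 - second connection match" src-address-list=alst-RECENT-ST1
# ST1 has no src-address-list match, so every packet entering the chain lands
# here and refreshes the 1m20s entry; the longer timeout keeps ST1 alive
# across the 1m ST2/ST3 windows.
add action=add-src-to-address-list address-list=alst-RECENT-ST1 address-list-timeout=1m20s chain=recent comment="Stage #1 - initial connection attempt"
add action=accept chain=recent comment="Default rule"
# --- chain: mngmt --------------------------------------------------------
# Entered from the input chain for new TCP connections to the management
# ports (see "Management :: FTP,SSH,TELNET,WINBOX" below).
add action=log chain=mngmt comment==MNGMT= disabled=yes
# Administrators: up to 9 new connections per source, then 1 per 5 minutes.
# Anything beyond the dst-limit budget from alst-ADMIN is reset and logged.
add action=accept chain=mngmt comment="Access :: Administrators" dst-limit=1/5m,9,src-address/5m src-address-list=alst-ADMIN
add action=reject chain=mngmt log=yes protocol=tcp reject-with=tcp-reset src-address-list=alst-ADMIN
# Other local sources get the same budget but are routed through the recent
# chain, which bans a source after four matches in quick succession.
# Sources outside alst-LOCAL never match the jump and fall through to drop.
add action=jump chain=mngmt comment="Default rule" dst-limit=1/5m,9,src-address/5m jump-target=recent protocol=tcp src-address-list=alst-LOCAL
add action=drop chain=mngmt log-prefix=drop protocol=tcp
# --- chain: icmp ---------------------------------------------------------
add action=log chain=icmp comment==ICMP= disabled=yes
# Accepted types: 0 echo reply, 3 destination unreachable (codes 0-4),
# 11 time exceeded.
add action=accept chain=icmp comment="Allow certain types of ICMP types" icmp-options=0 protocol=icmp
add action=accept chain=icmp icmp-options=3:0-4 protocol=icmp
add action=accept chain=icmp icmp-options=11 protocol=icmp
# icmp-options=8 is echo *request* (type 8); the rule comment says "replies".
# Budget: 300 per second with a burst of 50, tracked per source address.
add action=accept chain=icmp comment="Limit ICMP echo replies" dst-limit=300,50,src-address/1s icmp-options=8 protocol=icmp
add action=drop chain=icmp comment="Default rule"
# --- chain: input --------------------------------------------------------
add action=log chain=input comment==INPUT= disabled=yes
# Loopback traffic generated by the router itself is allowed; TCP that merely
# claims a 127.0.0.0/8 source is dropped.
add action=accept chain=input comment="Management :: Watchdog" dst-address=127.0.0.0/8 src-address-type=local
add action=drop chain=input protocol=tcp src-address=127.0.0.0/8
add action=jump chain=input comment="Management :: ICMP" jump-target=icmp protocol=icmp
# New TCP to the router's own addresses on the management ports is decided
# in the mngmt chain (accept / reset / staged ban / drop).
add action=jump chain=input comment="Management :: FTP,SSH,TELNET,WINBOX" connection-state=new dst-address-type=local dst-port=21,22,23,8291 jump-target=mngmt protocol=tcp
# action=accept is the RouterOS default for a filter rule; stated explicitly
# here so the rule reads like its neighbours and the intent is not hidden.
add action=accept chain=input comment="Management :: SNMP,MDP,CAPSMAN" connection-state=new dst-address-type=local dst-port=161,5246,5247,5678 protocol=udp src-address-list=alst-LOCAL
add action=accept chain=input comment="Established & related" connection-state=established,related
add action=drop chain=input comment=Invalid connection-state=invalid
# Port-scan detection: sources matching psd=21,5m,3,1 are listed for 1 day;
# the rule is non-terminating, so the packet itself still hits the drop below.
add action=add-src-to-address-list address-list=alst-BAN-PSD address-list-timeout=1d chain=input comment="Other :: Portscanning detect" psd=21,5m,3,1
add action=drop chain=input comment="Default rule"
# --- chain: output -------------------------------------------------------
add action=log chain=output comment==OUTPUT= disabled=yes
# FTP / TELNET failed-login responses sent by the router: up to 4 per
# destination per minute are accepted outright; beyond that the destination
# is listed in alst-BAN-CLRTXT for 30m (admin addresses excluded) and logged.
# The list rules do not terminate, so the reply still leaves via the accept
# "Default rule" below.
add action=accept chain=output comment="FTP :: Block password bruteforce" content="530 Login incorrect" dst-limit=1/1m,4,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="530 Login incorrect" dst-address-list=!alst-ADMIN log=yes log-prefix=banned-ftp protocol=tcp
add action=accept chain=output comment="TELNET :: Block password bruteforce" content="Login failed, incorrect username or password" dst-limit=1/1m,4,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="Login failed, incorrect username or password" dst-address-list=!alst-ADMIN log=yes log-prefix=banned-telnet protocol=tcp
add action=accept chain=output comment="Default rule" src-address-type=local
add action=drop chain=output
# --- chain: forward ------------------------------------------------------
# Nothing is forwarded through this router.
add action=log chain=forward comment==FORWARD= disabled=yes
add action=drop chain=forward comment="Default rule"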
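# Raw prerouting rules. These run before connection tracking and carry no
# connection-state match, so a listed source is cut off entirely, including
# any flows it already had established when it was listed.
/ip firewall raw
# SMB / NetBIOS noise: UDP 135, 137-139, 445; UDP replies from source port 137
# to ephemeral ports; TCP 135, 139, 445.
add action=drop chain=prerouting comment==DROP-SMB= dst-port=135,137-139,445 protocol=udp
add action=drop chain=prerouting dst-port=1024-65535 protocol=udp src-port=137
add action=drop chain=prerouting dst-port=135,139,445 protocol=tcp
# alst-BAN-ANYWAY is not populated by any rule on this page -- presumably a
# hand-maintained block list; confirm.
add action=drop chain=prerouting comment==DROP-BANNED-ANYWAY= src-address-list=alst-BAN-ANYWAY
# Populated by the recent chain in /ip firewall filter (30m entries).
add action=drop chain=prerouting comment==DROP-BANNED-MNGMT= src-address-list=alst-BAN-MNGMT
# Populated by the output-chain FTP/TELNET failed-login rules; the ban is
# scoped to the clear-text services only (FTP data/control and TELNET) on the
# router's own addresses, other ports stay reachable for the listed source.
add action=drop chain=prerouting comment==DROP-BANNED-FTP-TELNET= dst-address-type=local dst-port=20,21,23 protocol=tcp src-address-list=alst-BAN-CLRTXT
# Populated by the input-chain port-scan detection rule (1d entries).
add action=drop chain=prerouting comment==DROP-BANNED-PSD= src-address-list=alst-BAN-PSD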