Estão tentando invadir meu servidor???
Pessoal, abri a tela de log do meu servidor e me deparei com meu firewall dropando feito louco na minha placa de rede do link dedicado, e vários IPs mas com o mesmo MAC. Será que estão aprontando comigo? Se sim, alguém pode me dar uma dica para resolver o problema. Segue a minha tela do log do meu MK.
Desde já agradeço
Re: Estão tentando invadir meu servidor???
Cara, esse log é um report de uma regra do seu firewall que está filtrando a comunicação nas portas marcadas.
Se está aparecendo isso, significa que está funcionando :D
Re: Estão tentando invadir meu servidor???
Pelo que deu para entender, você está sofrendo algo como syn flood; pode ser que alguém esteja tentando escanear as portas que estão abertas em seu Mikrotik.
Agora seria interessante vc postar um export das regras de seu firewall > filters para que a gente possa ver do que se trata e o que realmente está sendo "dropado".
Re: Estão tentando invadir meu servidor???
Olá amigos segue regras do meu firewall:
# /ip firewall filter export as posted. RouterOS evaluates each chain top to
# bottom: accept, drop and tarpit end evaluation for the packet; jump enters the
# target chain and returns here if nothing there terminates; log and
# add-*-to-address-list are pass-through (the packet keeps going to the next
# rule). The NOTE(review) comments below only describe what the exported rule
# order does; no rule text has been changed.
/ip firewall filter
add action=accept chain=input comment="Accept established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" \
connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid disabled=no
# NOTE(review): accepts every UDP datagram addressed to the router itself, on
# every interface including the link, with no port matching. The udp chain
# further down is entered from chain=forward only, so it does not narrow this.
add action=accept chain=input comment=UDP disabled=no protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=\
50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=\
icmp
# NOTE(review): unconditional drop of SSH to the router. Every chain=input rule
# further down that matches dst-port=22 (black_list, ssh_blacklist,
# ssh_stage1..3) comes after this one and can never match, so the SSH
# brute-force lists are never populated.
add action=drop chain=input comment="SSH for secure shell" disabled=no \
dst-port=22 protocol=tcp
add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
protocol=tcp
# NOTE(review): this rule produces the log lines shown in the thread. log is
# pass-through: every input packet not accepted above is logged with prefix
# "DROP INPUT" and then continues; the drop itself happens at "Drop everything
# else" below. The volume therefore reflects all traffic to the router that is
# not established/related, UDP, limited ICMP or winbox — not only attack
# traffic. Many source IPs behind a single MAC on the link interface is
# consistent with packets arriving via the upstream gateway's MAC, which is
# expected for any Internet-sourced traffic; confirm before treating the MAC
# itself as suspect.
add action=log chain=input comment="Log everything else" disabled=no \
log-prefix="DROP INPUT"
# NOTE(review): unreachable — port 22 is already dropped by "SSH for secure
# shell" above.
add action=drop chain=input comment="drop ssh bruteforcers" disabled=no \
dst-port=22 protocol=tcp src-address-list=black_list
# NOTE(review): duplicates "Drop invalid connections" at the top of the chain.
add action=drop chain=input comment=\
"Drop Invalid connections ##### PROTE\C7\C3O DO ROUTER " \
connection-state=invalid disabled=no
# NOTE(review): duplicates "Accept established connections" above.
add action=accept chain=input comment="Allow Established connections" \
connection-state=established disabled=no
# NOTE(review): never matches — ICMP is already either accepted (limited) or
# dropped by "Drop excess pings" above.
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
# NOTE(review): terminating catch-all for chain=input. Every chain=input rule
# that appears after it in this export (the ether1-CLIENTES accept, the
# ftp_blacklist / ssh_* rules, the psd and port-scanner rules, connection-limit
# and tarpit) is dead. For those rules to take effect this drop must be the
# last chain=input rule; moving it also changes what the rules above let
# through, so re-check the whole input chain order afterwards.
add action=drop chain=input comment="Drop everything else" disabled=no
# NOTE(review): unreachable (catch-all drop above). As exported, new TCP
# connections from 195.167.0.0/24 on ether1-CLIENTES to the router are dropped
# except winbox; presumably this accept was meant to sit above the catch-all.
add action=accept chain=input disabled=no in-interface=ether1-CLIENTES \
src-address=195.167.0.0/24
add action=drop chain=forward comment=\
"drop invalid connections ##### Prote\E7\E3o Customizada" \
connection-state=invalid disabled=no protocol=tcp
add action=accept chain=forward comment="allow already established connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=no
# Bogon filtering on forwarded traffic: only 0.0.0.0/8, 127.0.0.0/8 and
# 224.0.0.0/3 (multicast plus class E), in both directions. Whether private or
# link-local ranges belong here depends on what ether1-CLIENTES carries.
add action=drop chain=forward comment=\
"##### Bloqueio de \"Bogon IP Addresses\"" disabled=no src-address=\
0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
# The tcp/udp/icmp chains are entered from chain=forward only. A packet that is
# not dropped inside them returns here and continues with the rules below.
add action=jump chain=forward comment=\
"##### Marque \"jumps\" para novos \"chains\"" disabled=no jump-target=tcp \
protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
# tcp chain: per-port drops for forwarded TCP.
add action=drop chain=tcp comment=\
"deny TFTP ##### Cria tcp chain e nega tcp portas entrada" disabled=no \
dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=3133 \
protocol=tcp
# NOTE(review): DHCP runs over UDP; this TCP rule is harmless but filters no
# DHCP traffic, and the udp chain below has no 67-68 rule.
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
protocol=tcp
# udp chain: per-port drops for forwarded UDP. The \r\n sequences are part of
# the exported comment string, not breaks in the rule.
add action=drop chain=udp comment=\
"deny TFTP \r\
\n \r\
\n##### Nega udp portas entrada udp chain:" disabled=no dst-port=69 \
protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 \
protocol=udp
# icmp chain: allow-list of ICMP type:code for forwarded traffic; anything else
# is dropped by the last rule. ICMP to the router itself never gets here — it is
# handled by the "Allow limited pings"/"Drop excess pings" pair in chain=input.
add action=accept chain=icmp comment=\
"echo reply ##### Permite todos needed icmp codes in icmp chain:" \
disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" \
disabled=no icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no \
icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no \
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no \
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" disabled=no \
icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
# FTP brute-force handling. The drop below is chain=input after the catch-all
# drop, so it is unreachable; FTP to the router is in any case not accepted
# anywhere in chain=input. The two chain=output rules that follow are
# reachable: they watch the router's own "530 Login incorrect" replies and,
# once the dst-limit burst is exceeded, list the destination (the client) for
# 3h — but they only fire if FTP to the router is ever accepted.
add action=drop chain=input comment=\
"drop ftp brute forcers ##### Somente 10 FTP login incorrect" disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=no protocol=tcp
# SSH brute-force staging (stage1 -> stage2 -> stage3 -> ssh_blacklist, 1m per
# stage, 1w3d on the blacklist). NOTE(review): all five are chain=input and sit
# after both the unconditional port-22 drop and the catch-all drop, so no
# packet reaches them and the lists stay empty.
add action=drop chain=input comment=\
"drop ssh brute forcers ##### Somente 10 SSH login incorrect" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp
# NOTE(review): reachable (chain=forward), but ssh_blacklist is only filled by
# the dead input rules above, so as exported it has no effect.
add action=drop chain=forward comment=\
"drop ssh brute downstream \r\
\n##### Bloqueio downstream access as well" disabled=no dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
# Port-scan detection. NOTE(review): (1) all of these are chain=input after the
# catch-all drop, so they never run. (2) The six rules named after scan
# patterns (NMAP FIN, SYN/FIN, SYN/RST, FIN/PSH/URG, ALL/ALL, NMAP NULL) carry
# no tcp-flags matcher in this export, so each would match every TCP packet to
# the router; moved above the catch-all as they stand, they would list and drop
# every TCP source for 2w. Verify on the running config that the tcp-flags
# matcher each comment implies is actually present.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment=\
"Port scanners to list ##### Protege o Router para portas scanners" \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp
add action=drop chain=input comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
# These two live in the tcp/udp chains, i.e. forwarded traffic only. DNS
# (53/udp) and SIP (5060/udp) addressed to the router itself are still accepted
# by the "UDP" accept at the top of chain=input. "SYNFLOOD" on a UDP rule is a
# misnomer — UDP has no SYN.
add action=drop chain=tcp comment="##### Protect DDoS" disabled=no dst-port=53 \
in-interface=ether13-LINK protocol=tcp
add action=drop chain=udp comment="DROPAGEM ATAQUE SIP SYNFLOOD" disabled=no \
dst-port=5060 in-interface=ether13-LINK protocol=udp
# NOTE(review): unreachable (chain=input after the catch-all drop). If moved
# up, connection-limit=3,32 lists for 1d and then tarpits any source holding
# more than three concurrent TCP connections to the router — a threshold an
# admin with a few winbox sessions can exceed; review the value before
# enabling it.
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=input connection-limit=3,32 disabled=no \
protocol=tcp
add action=tarpit chain=input connection-limit=3,32 disabled=no protocol=tcp \
src-address-list=blocked-addr
# SYN-flood budget for forwarded new TCP connections. limit=400,5 is a global
# rate, not per source, so one flooding host can exhaust it; the drop rule
# (connection-limit=0,32 is satisfied by practically any source) then hits new
# connections from every client behind the router. Consider whether a
# per-source limit is the intent.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new \
disabled=no jump-target=SYN-Protect protocol=tcp
add action=accept chain=SYN-Protect connection-state=new disabled=no limit=\
400,5 protocol=tcp
add action=drop chain=SYN-Protect connection-limit=0,32 connection-state=new \
disabled=no protocol=tcp
Re: Estão tentando invadir meu servidor???
Citação:
Postado originalmente por
Diangellys
Olá amigos segue regras do meu firewall:
# Verbatim requote of the export posted earlier in the thread. Chains are
# evaluated top to bottom; accept/drop/tarpit terminate, log and
# add-*-to-address-list are pass-through. The NOTE(review) comments below mark
# the ordering problems a reader of this quote should be aware of; no rule text
# has been changed.
/ip firewall filter
add action=accept chain=input comment="Accept established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" \
connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid disabled=no
# NOTE(review): accepts all UDP to the router on every interface, before any
# port matching; the udp chain below is forward-only and does not narrow this.
add action=accept chain=input comment=UDP disabled=no protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=\
50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=\
icmp
# NOTE(review): unconditional SSH drop; every later chain=input port-22 rule
# (black_list, ssh_stage1..3, ssh_blacklist) is therefore unreachable.
add action=drop chain=input comment="SSH for secure shell" disabled=no \
dst-port=22 protocol=tcp
add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
protocol=tcp
# NOTE(review): source of the "DROP INPUT" log lines. log is pass-through, so
# this records every input packet not accepted above; the drop happens at
# "Drop everything else" further down.
add action=log chain=input comment="Log everything else" disabled=no \
log-prefix="DROP INPUT"
add action=drop chain=input comment="drop ssh bruteforcers" disabled=no \
dst-port=22 protocol=tcp src-address-list=black_list
add action=drop chain=input comment=\
"Drop Invalid connections ##### PROTE\C7\C3O DO ROUTER " \
connection-state=invalid disabled=no
add action=accept chain=input comment="Allow Established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
# NOTE(review): terminating catch-all for chain=input. Every chain=input rule
# after it in this export (ether1-CLIENTES accept, ftp/ssh lists, psd and
# port-scanner rules, connection-limit, tarpit) never runs. It would have to be
# the last chain=input rule for them to take effect.
add action=drop chain=input comment="Drop everything else" disabled=no
add action=accept chain=input disabled=no in-interface=ether1-CLIENTES \
src-address=195.167.0.0/24
add action=drop chain=forward comment=\
"drop invalid connections ##### Prote\E7\E3o Customizada" \
connection-state=invalid disabled=no protocol=tcp
add action=accept chain=forward comment="allow already established connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=no
add action=drop chain=forward comment=\
"##### Bloqueio de \"Bogon IP Addresses\"" disabled=no src-address=\
0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
# The tcp/udp/icmp chains below are entered from chain=forward only.
add action=jump chain=forward comment=\
"##### Marque \"jumps\" para novos \"chains\"" disabled=no jump-target=tcp \
protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment=\
"deny TFTP ##### Cria tcp chain e nega tcp portas entrada" disabled=no \
dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=3133 \
protocol=tcp
# NOTE(review): DHCP is UDP; this TCP rule filters no DHCP traffic.
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
protocol=tcp
add action=drop chain=udp comment=\
"deny TFTP \r\
\n \r\
\n##### Nega udp portas entrada udp chain:" disabled=no dst-port=69 \
protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 \
protocol=udp
add action=accept chain=icmp comment=\
"echo reply ##### Permite todos needed icmp codes in icmp chain:" \
disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" \
disabled=no icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no \
icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no \
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no \
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" disabled=no \
icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
# NOTE(review): every chain=input rule from here on is below the catch-all drop
# and never runs; only the chain=output and chain=forward rules in this tail
# are reachable.
add action=drop chain=input comment=\
"drop ftp brute forcers ##### Somente 10 FTP login incorrect" disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=no protocol=tcp
add action=drop chain=input comment=\
"drop ssh brute forcers ##### Somente 10 SSH login incorrect" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22 protocol=tcp
add action=drop chain=forward comment=\
"drop ssh brute downstream \r\
\n##### Bloqueio downstream access as well" disabled=no dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
# NOTE(review): the six scan-pattern rules below carry no tcp-flags matcher in
# this export and would match every TCP packet to the router if they were ever
# reached; verify the running config before moving them above the catch-all.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment=\
"Port scanners to list ##### Protege o Router para portas scanners" \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp
add action=drop chain=input comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
# Forward-only (tcp/udp chains); 53/udp and 5060/udp to the router itself are
# still accepted by the "UDP" rule at the top of chain=input.
add action=drop chain=tcp comment="##### Protect DDoS" disabled=no dst-port=53 \
in-interface=ether13-LINK protocol=tcp
add action=drop chain=udp comment="DROPAGEM ATAQUE SIP SYNFLOOD" disabled=no \
dst-port=5060 in-interface=ether13-LINK protocol=udp
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=input connection-limit=3,32 disabled=no \
protocol=tcp
add action=tarpit chain=input connection-limit=3,32 disabled=no protocol=tcp \
src-address-list=blocked-addr
# Forwarded new TCP connections: limit=400,5 is a global rate, not per source,
# so a single flooding host can consume the budget for all clients.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new \
disabled=no jump-target=SYN-Protect protocol=tcp
add action=accept chain=SYN-Protect connection-state=new disabled=no limit=\
400,5 protocol=tcp
add action=drop chain=SYN-Protect connection-limit=0,32 connection-state=new \
disabled=no protocol=tcp
Então, bem como eu suspeitei...
é um syn flood...
basta analisar o host de origem para identificar de onde possa estar vindo...
mas fique tranquilo que está sendo filtrado pelo seu firewall!