Boa noite
sou iniciante em mk e tenho um pequeno provedor com mk, eu uso pppoe e hotspot para fazer autenticaçao dos clientes.
Gostaria de saber de voçes que tem muita experiencia o que devo fazer e quais regras usar para manter a segurança no provedor.
-Tenho que colocar alguma regra de bloqueio de port scan ou virus ?
-
02-01-2013, 20:48 #1
- Ingresso
- Oct 2011
- Posts
- 47
Regras de segurança no mk
-
02-01-2013, 21:27 #2
- Ingresso
- Jun 2008
- Localização
- Rio de Janeiro
- Posts
- 147
Re: Regras de segurança no mk
Paulo é sempre bom você ter essas regras para que venha se proteger de eventuais problemas.
Postado originalmente por paulosjbv
Da uma pesquisada aqui no forum que você acha o pessoal postando varias regras de firewall ai é só você ir testando e adaptando para sua rede.
-
02-01-2013, 21:32 #3
- Ingresso
- Oct 2011
- Posts
- 47
Re: Regras de segurança no mk
entao
achei varias mas gostaria de saber quais devo usar.
ex: eu na minha opiniao nao devemos colocar regras de bloqueio de virus no router pois pode deixa-lo lento ou mesmo barrrar algum serviço basico, mas tem gente usando será que estou errado?
uma regra que achei interessante foi a de bloquear port scan até coloquei aqui mas fui testar um por scan na minha maquina e vi que nao bloqueou entao gostaria de saber quais sao e se as regras funcionan mesmo.
-
02-01-2013, 21:43 #4
- Ingresso
- Oct 2011
- Posts
- 47
Re: Regras de segurança no mk
o que acham de fazermos uma lista com regras basicas de segurança onde protegesse o router e todos pudeseem usar ? isso é possivel ?
-
02-01-2013, 23:13 #5 Re: Regras de segurança no mk
Ai vai algumas para voce ver
http://wiki.mikrotik.com/wiki/DoS_attack_protection
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter Neste link veja sobre Router Protection
as regras de virus que voce achar na net tem que ter cuidado pois pode estar barrando portas de serviços que voce ou seu cliente precise.
-
02-01-2013, 23:35 #6
- Ingresso
- Jul 2009
- Localização
- Dourados - MS
- Posts
- 618
Re: Regras de segurança no mk
Bom, vamos tentar melhorar bem essas regras que vou postar.
/ip firewall address-list
add address=177.XX.YY.12 comment="" disabled=no list=SERVIDOR
add address=177.XX.YY.19 comment="" disabled=no list=SERVIDOR
add address=0.0.0.0/8 comment="illegal addresses" disabled=no list=illegal-addr
add address=127.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=224.0.0.0/3 comment="" disabled=no list=illegal-addr
add address=10.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=172.16.0.0/12 comment="" disabled=no list=illegal-addr
add address=192.168.0.0/16 comment="" disabled=no list=illegal-addr
add address=177.XX.YY.0/20 comment="my local network" disabled=no list=local-addr
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="Barrando SPAM" disabled=yes dst-port=587 protocol=tcp src-address=!177.XX.YY.0/20
add action=accept chain=forward comment="Allow traffic between wired and wireless networks" disabled=no in-interface=Local out-interface=Local
add action=jump chain=forward comment="Sanity Check Forward" disabled=no jump-target=sanity-check
add action=jump chain=sanity-check comment="Deny illegal NAT traversal" disabled=no jump-target=drop packet-mark=nat-traversal
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block port scans" disabled=no protocol=tcp psd=20,3s,3,1
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block TCP Null scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block TCP Xmas scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=sanity-check comment="" disabled=no jump-target=drop protocol=tcp src-address-list=blocked-addr
add action=jump chain=sanity-check comment="Drop TCP RST" disabled=no jump-target=drop protocol=tcp tcp-flags=rst
add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" disabled=no jump-target=drop protocol=tcp tcp-flags=fin,syn
add action=jump chain=sanity-check comment="Dropping invalid connections at once" connection-state=invalid disabled=no jump-target=drop
add action=accept chain=sanity-check comment="Accepting already established connections" connection-state=established disabled=no
add action=accept chain=sanity-check comment="Also accepting related connections" connection-state=related disabled=no
add action=jump chain=sanity-check comment="Drop all traffic that goes to multicast or broadcast addresses" disabled=no dst-address-type=broadcast,multicast jump-target=drop
add action=jump chain=sanity-check comment="Drop illegal destination addresses" disabled=no dst-address-list=illegal-addr dst-address-type=!local in-interface=Local jump-target=drop
add action=jump chain=sanity-check comment="Drop everything that goes from local interface but not from local address" disabled=no in-interface=Local jump-target=drop src-address-list=!local-addr
add action=jump chain=sanity-check comment="Drop illegal source addresses" disabled=no in-interface=Public jump-target=drop src-address-list=illegal-addr
add action=jump chain=sanity-check comment="Drop everything that goes from public interface but not to local address" disabled=no dst-address-list=!local-addr in-interface=Public jump-target=drop
add action=jump chain=sanity-check comment="Drop all traffic that comes from multicast or broadcast addresses" disabled=no jump-target=drop src-address-type=broadcast,multicast
add action=jump chain=forward comment="" disabled=no jump-target=restrict-tcp protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=restrict-udp protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=restrict-ip
add action=reject chain=restrict-tcp comment="" connection-mark=auth disabled=no reject-with=icmp-network-unreachable
add action=jump chain=restrict-tcp comment="anti-spam policy" connection-mark=smtp disabled=no jump-target=smtp-first-drop
add action=add-src-to-address-list address-list=approved-smtp address-list-timeout=0s chain=smtp-first-drop comment="" disabled=no src-address-list=first-smtp
add action=return chain=smtp-first-drop comment="" disabled=no src-address-list=approved-smtp
add action=add-src-to-address-list address-list=first-smtp address-list-timeout=0s chain=smtp-first-drop comment="" disabled=no
add action=reject chain=smtp-first-drop comment="" disabled=no reject-with=icmp-network-unreachable src-address-list=!SERVIDOR
add action=jump chain=restrict-tcp comment="" connection-mark=other-tcp disabled=no jump-target=drop
add action=jump chain=restrict-udp comment="" connection-mark=other-udp disabled=no jump-target=drop
add action=jump chain=restrict-ip comment="" connection-mark=other disabled=no jump-target=drop
add action=accept chain=input comment="Allow local traffic (between router applications)" disabled=no dst-address-type=local src-address-type=local
add action=jump chain=input comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks" disabled=no dst-port=67 in-interface=Local jump-target=dhcp protocol=udp src-port=68
add action=jump chain=input comment="Sanity Check" disabled=no jump-target=sanity-check
add action=jump chain=input comment="Dropping packets not destined to the router itself, including all broadcast traffic" disabled=no dst-address-type=!local jump-target=drop
add action=accept chain=input comment="Allow pings, but at a very limited rate (5 packets per sec)" connection-mark=ping disabled=no limit=5,5
add action=jump chain=input comment="Allowing some services to be accessible from the local network" disabled=no in-interface=Local jump-target=local-services
add action=jump chain=input comment="Allowing some services to be accessible from the Internet" disabled=no in-interface=Public jump-target=public-services
add action=jump chain=input comment="" disabled=no jump-target=drop
add action=accept chain=dhcp comment="" disabled=no dst-address=255.255.255.255 src-address=0.0.0.0
add action=accept chain=dhcp comment="" disabled=no dst-address-type=local src-address=0.0.0.0
add action=accept chain=dhcp comment="" disabled=no dst-address-type=local src-address-list=local-addr
add action=accept chain=local-services comment="SSH (22/TCP)" connection-mark=ssh disabled=no
add action=accept chain=local-services comment=DNS connection-mark=dns disabled=no
add action=accept chain=local-services comment=Radius connection-mark=radius disabled=no
add action=accept chain=local-services comment="Winbox (8291/TCP)" connection-mark=winbox disabled=no
add action=log chain=local-services comment="Log & Drop Other Local Services" disabled=no log-prefix=""
add action=drop chain=local-services comment="" disabled=no
add action=accept chain=public-services comment="SSH (22/TCP)" connection-mark=ssh disabled=no
add action=accept chain=public-services comment="PPTP (1723/TCP)" connection-mark=pptp disabled=no
add action=accept chain=public-services comment="Winbox (8291/TCP)" connection-mark=winbox disabled=no
add action=accept chain=public-services comment="GRE for PPTP" connection-mark=gre disabled=no
add action=accept chain=public-services comment=Radius connection-mark=radius disabled=no
add action=log chain=public-services comment="Log & Drop Other Public Services" disabled=no log-prefix=""
add action=drop chain=public-services comment="" disabled=no
add action=log chain=drop comment="Log Everything that we drop" disabled=yes log-prefix=""
add action=drop chain=drop comment="" disabled=no
Continua...
-
03-01-2013, 00:13 #7
- Ingresso
- Jul 2009
- Localização
- Dourados - MS
- Posts
- 618
Re: Regras de segurança no mk
/ip firewall mangle
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=udp-services protocol=udp
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=other-services
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=20-21 new-connection-mark=ftp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=22 new-connection-mark=ssh passthrough=no protocol=tcp src-port=513-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=23 new-connection-mark=telnet passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=25 new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=587 new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp src-port=53
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=80 new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=110 new-connection-mark=pop3 passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=113 new-connection-mark=auth passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=119 new-connection-mark=nntp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=143 new-connection-mark=imap passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=161-162 new-connection-mark=snmp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=443 new-connection-mark=https passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=465 new-connection-mark=smtps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=993 new-connection-mark=imaps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=995 new-connection-mark=pop3s passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1723 new-connection-mark=pptp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=2379 new-connection-mark=kgs passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=yes dst-port=3128 new-connection-mark=proxy passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=3389 new-connection-mark=win-ts passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=4242-4243 new-connection-mark=emule passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=no protocol=tcp src-port=4661-4662
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=5900-5901 new-connection-mark=vnc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6667-6669 new-connection-mark=irc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6881-6889 new-connection-mark=bittorrent passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8080 new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8728 new-connection-mark=api-mk passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no new-connection-mark=other-tcp passthrough=no protocol=tcp
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=123 new-connection-mark=ntp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1701 new-connection-mark=l2tp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4665 new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4672 new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=udp src-port=4672
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=12053 new-connection-mark=overnet passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=no protocol=udp src-port=12053
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=skype passthrough=no protocol=udp src-port=36725
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1812-1813 new-connection-mark=radius passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" connection-state=new disabled=no new-connection-mark=other-udp passthrough=no protocol=udp
add action=mark-connection chain=other-services comment="" disabled=no icmp-options=8:0-255 new-connection-mark=ping passthrough=no protocol=icmp
add action=mark-connection chain=other-services comment="" disabled=no new-connection-mark=gre passthrough=no protocol=gre
add action=mark-connection chain=other-services comment="" disabled=no new-connection-mark=other passthrough=no
add action=mark-packet chain=prerouting comment="Detect NAT Traversal" disabled=no dst-address-list=nat-addr in-interface=Public new-packet-mark=nat-traversal passthrough=no
-
03-01-2013, 09:05 #8 Re: Regras de segurança no mk
o que não falta agora é regra, agora é colocar em um RB de teste e ir adequando a sua necessidade.
-
08-01-2013, 13:23 #9
- Ingresso
- Sep 2010
- Posts
- 361
Re: Regras de segurança no mk
Postado originalmente por farias
pra qual e a vesao essas regras ae amigo
Citação
