  1. Folks, I opened my server's log screen and found my firewall dropping like crazy on the network card of my dedicated link, with several IPs but all with the same MAC. Could someone be messing with me? If so, can anyone give me a tip on how to solve the problem? Here is the log screen of my MK.
    Thanks in advance.
    Attachment: Firewall-LOG.jpg (197.8 KB)
    Last edited by Diangellys; 30-06-2013 at 18:18.

  2. Man, that log is a report from a rule in your firewall that is filtering communication on the ports it marks.

    If that is showing up, it means the firewall is working.



  3. From what I could understand, you are suffering something like a SYN flood; it may be that someone is trying to scan the ports that are open on your Mikrotik.

    Now it would be interesting for you to post an export of your firewall > filter rules so that we can see what it is about and what is really being "dropped".

  4. Hello friends, here are my firewall rules:

    /ip firewall filter
    add action=accept chain=input comment="Accept established connections" \
    connection-state=established disabled=no
    add action=accept chain=input comment="Accept related connections" \
    connection-state=related disabled=no
    add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid disabled=no
    add action=accept chain=input comment=UDP disabled=no protocol=udp
    add action=accept chain=input comment="Allow limited pings" disabled=no limit=\
    50/5s,2 protocol=icmp
    add action=drop chain=input comment="Drop excess pings" disabled=no protocol=\
    icmp
    add action=drop chain=input comment="SSH for secure shell" disabled=no \
    dst-port=22 protocol=tcp
    add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
    protocol=tcp
    add action=log chain=input comment="Log everything else" disabled=no \
    log-prefix="DROP INPUT"
    add action=drop chain=input comment="drop ssh bruteforcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=black_list
    add action=drop chain=input comment=\
    "Drop Invalid connections ##### PROTE\C7\C3O DO ROUTER " \
    connection-state=invalid disabled=no
    add action=accept chain=input comment="Allow Established connections" \
    connection-state=established disabled=no
    add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
    add action=drop chain=input comment="Drop everything else" disabled=no
    add action=accept chain=input disabled=no in-interface=ether1-CLIENTES \
    src-address=195.167.0.0/24
    add action=drop chain=forward comment=\
    "drop invalid connections ##### Prote\E7\E3o Customizada" \
    connection-state=invalid disabled=no protocol=tcp
    add action=accept chain=forward comment="allow already established connections" \
    connection-state=established disabled=no
    add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no
    add action=drop chain=forward comment=\
    "##### Bloqueio de \"Bogon IP Addresses\"" disabled=no src-address=\
    0.0.0.0/8
    add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
    add action=drop chain=forward disabled=no src-address=127.0.0.0/8
    add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
    add action=drop chain=forward disabled=no src-address=224.0.0.0/3
    add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
    add action=jump chain=forward comment=\
    "##### Marque \"jumps\" para novos \"chains\"" disabled=no jump-target=tcp \
    protocol=tcp
    add action=jump chain=forward disabled=no jump-target=udp protocol=udp
    add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
    add action=drop chain=tcp comment=\
    "deny TFTP ##### Cria tcp chain e nega tcp portas entrada" disabled=no \
    dst-port=69 protocol=tcp
    add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
    111 protocol=tcp
    add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
    135 protocol=tcp
    add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
    protocol=tcp
    add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
    protocol=tcp
    add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
    protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
    12345-12346 protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
    protocol=tcp
    add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=3133 \
    protocol=tcp
    add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
    protocol=tcp
    add action=drop chain=udp comment=\
    "deny TFTP \r\
    \n \r\
    \n##### Nega udp portas entrada udp chain:" disabled=no dst-port=69 \
    protocol=udp
    add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
    111 protocol=udp
    add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
    135 protocol=udp
    add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
    protocol=udp
    add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
    protocol=udp
    add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 \
    protocol=udp
    add action=accept chain=icmp comment=\
    "echo reply ##### Permite todos needed icmp codes in icmp chain:" \
    disabled=no icmp-options=0:0 protocol=icmp
    add action=accept chain=icmp comment="net unreachable" disabled=no \
    icmp-options=3:0 protocol=icmp
    add action=accept chain=icmp comment="host unreachable" disabled=no \
    icmp-options=3:1 protocol=icmp
    add action=accept chain=icmp comment="host unreachable fragmentation required" \
    disabled=no icmp-options=3:4 protocol=icmp
    add action=accept chain=icmp comment="allow source quench" disabled=no \
    icmp-options=4:0 protocol=icmp
    add action=accept chain=icmp comment="allow echo request" disabled=no \
    icmp-options=8:0 protocol=icmp
    add action=accept chain=icmp comment="allow time exceed" disabled=no \
    icmp-options=11:0 protocol=icmp
    add action=accept chain=icmp comment="allow parameter bad" disabled=no \
    icmp-options=12:0 protocol=icmp
    add action=drop chain=icmp comment="deny all other types" disabled=no
    add action=drop chain=input comment=\
    "drop ftp brute forcers ##### Somente 10 FTP login incorrect" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
    add action=accept chain=output content="530 Login incorrect" disabled=no \
    dst-limit=1/1m,9,dst-address/1m protocol=tcp
    add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=no protocol=tcp
    add action=drop chain=input comment=\
    "drop ssh brute forcers ##### Somente 10 SSH login incorrect" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 protocol=tcp
    add action=drop chain=forward comment=\
    "drop ssh brute downstream \r\
    \n##### Bloqueio downstream access as well" disabled=no dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "Port scanners to list ##### Protege o Router para portas scanners" \
    disabled=no protocol=tcp psd=21,3s,3,1
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no \
    protocol=tcp
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
    protocol=tcp
    add action=drop chain=input comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"
    add action=drop chain=tcp comment="##### Protect DDoS" disabled=no dst-port=53 \
    in-interface=ether13-LINK protocol=tcp
    add action=drop chain=udp comment="DROPAGEM ATAQUE SIP SYNFLOOD" disabled=no \
    dst-port=5060 in-interface=ether13-LINK protocol=udp
    add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input connection-limit=3,32 disabled=no \
    protocol=tcp
    add action=tarpit chain=input connection-limit=3,32 disabled=no protocol=tcp \
    src-address-list=blocked-addr
    add action=jump chain=forward comment="SYN Flood protect" connection-state=new \
    disabled=no jump-target=SYN-Protect protocol=tcp
    add action=accept chain=SYN-Protect connection-state=new disabled=no limit=\
    400,5 protocol=tcp
    add action=drop chain=SYN-Protect connection-limit=0,32 connection-state=new \
    disabled=no protocol=tcp

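Added example (Python, not code from the thread or from MikroTik): a small checker that parses a RouterOS `/ip firewall filter` export like the one above and reports rules that can never match because an earlier terminating rule in the same chain already consumes all of their traffic. The sample embedded in the script is an excerpt of the input chain from the export in this post; the function and variable names are my own.

```python
"""Report MikroTik filter rules that can never match (shadowed rules).
Added example. Matchers are compared by exact value, so the check is
conservative: no false positives, but a /24 inside a /16 is not detected."""
import re

TERMINAL = {"accept", "drop", "reject", "tarpit", "return"}
# Keys that do not narrow which packets a rule matches.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log-prefix",
                "jump-target", "address-list", "address-list-timeout"}
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")

# Excerpt of the input chain from the export posted above (subset, same order).
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=drop chain=input comment="SSH for secure shell" disabled=no \
dst-port=22 protocol=tcp
add action=log chain=input comment="Log everything else" disabled=no \
log-prefix="DROP INPUT"
add action=drop chain=input comment="drop ssh bruteforcers" disabled=no \
dst-port=22 protocol=tcp src-address-list=black_list
add action=drop chain=input comment=\
"Drop Invalid connections ##### PROTE\C7\C3O DO ROUTER " \
connection-state=invalid disabled=no
add action=drop chain=input comment="Drop everything else" disabled=no
add action=accept chain=input disabled=no in-interface=ether1-CLIENTES \
src-address=195.167.0.0/24
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp
"""


def join_continuations(text):
    """Join lines ending in a backslash, the way RouterOS export wraps them."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            buf += line
            if buf:
                out.append(buf)
            buf = ""
    return out


def tokenize(line):
    """Split on spaces, honouring "..." quoting and the \\", \\n, \\r, \\XX escapes."""
    tokens, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and i + 1 < len(line):
            hexpair = HEX2.match(line, i + 1)
            if hexpair:                      # \C7 -> byte 0xC7, Latin-1 'Ç'
                cur += chr(int(hexpair.group(), 16)); i += 3; continue
            cur += {"n": "\n", "r": "\r"}.get(line[i + 1], line[i + 1]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        tokens.append(cur)
    return tokens


def parse_rules(text):
    """One dict per `add ...` line; the `/ip firewall filter` header is skipped."""
    rules = []
    for line in join_continuations(text):
        toks = tokenize(line)
        if toks and toks[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in toks[1:]))
    return rules


def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}


def shadowed_rules(text):
    """(index of unreachable rule, index of the earlier rule that shadows it)."""
    rules, seen, found = parse_rules(text), {}, []
    for idx, rule in enumerate(rules):
        if rule.get("disabled") == "yes":
            continue                         # disabled rules neither fire nor shadow
        mine, chain = matchers(rule), rule.get("chain")
        for earlier in seen.get(chain, []):
            prior = rules[earlier]
            if prior.get("action") in TERMINAL and all(
                    mine.get(k) == v for k, v in matchers(prior).items()):
                found.append((idx, earlier))
                break
        seen.setdefault(chain, []).append(idx)
    return found


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_EXPORT)
    for idx, by in shadowed_rules(SAMPLE_EXPORT):
        print(f"rule {idx} ({rules[idx].get('comment', '-')!r}) is shadowed by "
              f"rule {by} ({rules[by].get('comment', '-')!r})")
```

Run on the excerpt, it reports that "drop ssh bruteforcers" sits behind the unconditional drop of TCP/22, and that everything in chain=input after "Drop everything else" is unreachable: in the excerpt the ether1-CLIENTES accept and the port-scanner list rule, and on the full export above also the FTP/SSH brute-force stages, the psd rules and the connection-limit rules, since all of them are in chain=input and come after that catch-all drop. Non-terminating actions (log, jump, add-src-to-address-list) are correctly not treated as shadowing anything, which is why the "Log everything else" rule keeps firing and producing the DROP INPUT lines seen in the first post.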


  5. Quote: Originally posted by Diangellys
    Hello friends, here are my firewall rules:

    (quoted rule export, identical to post 4, omitted)

    So, just as I suspected...
    it is a SYN flood...
    just analyze the source host to identify where it may be coming from...
    but rest assured that it is being filtered by your firewall!

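Added example (Python, not code from the thread or from MikroTik) for the advice above to look at the source hosts: it parses firewall log lines in the style RouterOS writes for a rule with action=log (here with the thread's "DROP INPUT" prefix), counts drops per source address, per destination port and per source MAC, and flags sources that sweep many ports. The log lines are constructed, using documentation address ranges; the function names and the sweep threshold are my own.

```python
"""Triage MikroTik firewall log lines: who is being dropped, on which ports,
and why many source IPs can share one MAC. Added example; the log lines are
constructed in the style of RouterOS action=log output."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
jun/30 18:10:01 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.7:51234->198.51.100.10:22, len 60
jun/30 18:10:01 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.7:51235->198.51.100.10:22, len 60
jun/30 18:10:02 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.7:51236->198.51.100.10:22, len 60
jun/30 18:10:03 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.7:51240->198.51.100.10:23, len 60
jun/30 18:10:03 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.7:51241->198.51.100.10:80, len 60
jun/30 18:10:03 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.7:51242->198.51.100.10:443, len 60
jun/30 18:10:03 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.7:51243->198.51.100.10:3389, len 60
jun/30 18:10:05 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto UDP, 203.0.113.9:5060->198.51.100.10:5060, len 412
jun/30 18:10:05 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto UDP, 203.0.113.9:5060->198.51.100.10:5060, len 412
jun/30 18:10:06 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.11:40000->198.51.100.10:22, len 60
jun/30 18:10:07 firewall,info DROP INPUT input: in:ether13-LINK out:(none), src-mac 00:0c:42:aa:bb:cc, proto ICMP (type 8, code 0), 203.0.113.20->198.51.100.10, len 84
"""

# TCP/UDP entries only; ICMP lines carry no ports and are counted as unparsed.
LINE_RE = re.compile(
    r"in:(?P<iface>\S+) out:\S+, src-mac (?P<mac>[0-9a-f:]{17}), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a TCP/UDP drop."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def triage(lines, sweep_ports=5):
    """Aggregate drops per source, per destination port and per source MAC.
    A source that hit at least `sweep_ports` distinct ports is listed as a port sweep."""
    by_src, by_dport = Counter(), Counter()
    ports_per_src, srcs_per_mac = defaultdict(set), defaultdict(set)
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        by_src[ev["src"]] += 1
        by_dport[f'{ev["proto"]}/{ev["dport"]}'] += 1
        ports_per_src[ev["src"]].add(ev["dport"])
        srcs_per_mac[ev["mac"]].add(ev["src"])
    return {
        "by_src": by_src,
        "by_dport": by_dport,
        "port_sweeps": sorted(s for s, p in ports_per_src.items() if len(p) >= sweep_ports),
        "srcs_per_mac": {mac: sorted(s) for mac, s in srcs_per_mac.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print("top sources:", report["by_src"].most_common(3))
    print("top ports:", report["by_dport"].most_common(3))
    print("port sweeps:", report["port_sweeps"])
    for mac, srcs in report["srcs_per_mac"].items():
        print(f"{mac}: {len(srcs)} distinct source IPs behind this MAC")
    print("unparsed lines:", report["unparsed"])
```

The per-MAC view answers the first post's observation: on a routed uplink such as ether13-LINK every inbound frame carries the MAC of the provider's next-hop router, so many different source IPs behind a single MAC is the normal shape of Internet traffic arriving on that interface, not by itself evidence of tampering. What is worth acting on are the per-source and per-port counts, which is where a SYN flood or a port sweep shows up.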




