Mikrotik: drop ports scanners + honeypot


To protect the router from port scanners, we can record the IPs of attackers who try to scan your box. Using this address list we can drop all connections from those IPs.


Updated version + honeypot

/ip firewall filter
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="Port Scanners" \
    in-interface=bridgeWAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="NMAP FIN Stealth scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="SYN/FIN scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="SYN/RST scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="FIN/PSH/URG scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="ALL/ALL scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="NMAP NULL scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
/ip firewall raw
add action=drop chain=prerouting in-interface=bridgeWAN src-address-list="Hacker Scanners"

bridgeWAN is the name of the interface facing the provider's WAN (it may be ether1 in default configurations).

These rules form a honeypot for a few services. In my case they protect the router from scans of RDP, FTP, SSH and SIP.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" \
    connection-state=new dst-port=22,3389,8291,80,443 in-interface=\
    bridgeWAN protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment=\
    "block honeypot asterisk" connection-state=new dst-port=5060,53 \
    in-interface=bridgeWAN protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=bridgeWAN src-address-list=\
    "Honeypot Hacker"

These rules work together with the port-scanner rules above.
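The honeypot rules list every source that opens a new connection to the listed ports, so an administrator reaching the router over the WAN (for example WinBox on 8291) is listed and dropped like a scanner. The following is an added example, not part of the original post, showing the weak form next to a hardened form with a trusted address list; bridgeWAN follows the post, and the addresses in the Trusted list are placeholders you must replace.

```routeros
# Added example (not from the original post): exempt trusted admin addresses
# from the honeypot so the honeypot rules cannot lock you out.
# Assumptions: bridgeWAN is the WAN interface as in the post; 203.0.113.10 and
# 198.51.100.0/24 are placeholder admin addresses (TEST-NET ranges), replace them.

/ip firewall address-list
add list=Trusted address=203.0.113.10 comment="admin workstation (placeholder)"
add list=Trusted address=198.51.100.0/24 comment="office range (placeholder)"

# Weak form (as in the post): any new TCP connection to these ports from any
# source is listed, including the admin connecting to WinBox on 8291.
# /ip firewall filter
# add action=add-src-to-address-list address-list="Honeypot Hacker" \
#     address-list-timeout=30d0h0m chain=input connection-state=new \
#     dst-port=22,3389,8291,80,443 in-interface=bridgeWAN protocol=tcp

# Hardened form: accept trusted sources first (rule order matters, so the
# accept is placed at the top; place-before=0 needs at least one existing
# rule), and match the honeypot rules only for sources NOT in the Trusted
# list ("!" negates the address-list match).
/ip firewall filter
add action=accept chain=input src-address-list=Trusted place-before=0 \
    comment="trusted admins, evaluated before honeypot rules"
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="honeypot tcp, untrusted only" \
    connection-state=new dst-port=22,3389,8291,80,443 in-interface=bridgeWAN \
    protocol=tcp src-address-list=!Trusted
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="honeypot udp, untrusted only" \
    connection-state=new dst-port=5060,53 in-interface=bridgeWAN \
    protocol=udp src-address-list=!Trusted

# The raw drop stays as in the post. A trusted address never reaches the list,
# but an explicit raw accept in front of it makes recovery easier if an admin
# address is added to the list by mistake (for example before the exemption
# existed).
/ip firewall raw
add action=accept chain=prerouting src-address-list=Trusted place-before=0 \
    comment="trusted admins bypass the scanner/honeypot drops"
add action=drop chain=prerouting in-interface=bridgeWAN src-address-list="Honeypot Hacker"
```

Check the result with `/ip firewall address-list print where list="Honeypot Hacker"` after connecting from a trusted address; it should not appear there.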


1 thought on “Mikrotik: drop ports scanners + honeypot”

  1. Hello
    Very useful, the honeypot rule, but I have a problem.
    I add only the following rule:
    /ip firewall filter
    add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" \
    connection-state=new dst-port=21,22,3389,80,443,1194,6667,69,554 in-interface-list=\
    WAN protocol=tcp
    and it always blocks my IP (from my Fritz) with port 5060. Why does this happen?
    I don't use any honeypot rule with UDP and port 5060.
