Mikrotik: drop ports scanners + honeypot


To protect the router from port scanners, we can record the IP addresses of hosts that try to scan it. Using this address list we can then drop connections from those IPs.


Updated version + honeypot

/ip firewall filter
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="Port Scanners" \
    in-interface=bridgeWAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="NMAP FIN Stealth scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="SYN/FIN scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="SYN/RST scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="FIN/PSH/URG scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="ALL/ALL scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Hacker Scanners" \
    address-list-timeout=30d0h0m chain=input comment="NMAP NULL scan" \
    in-interface=bridgeWAN protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
/ip firewall raw
add action=drop chain=prerouting in-interface=bridgeWAN src-address-list="Hacker Scanners"

bridgeWAN is the name of the interface facing the provider's WAN (in a default configuration this is usually ether1); substitute your own interface name.

These rules set up a honeypot for some services. In my case they protect the router from scanning of rdp, ftp, ssh and sip.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" \
    connection-state=new dst-port=22,3389,8291,80,443 in-interface=\
    bridgeWAN protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment=\
    "block honeypot asterisk" connection-state=new dst-port=5060,53 \
    in-interface=bridgeWAN protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=bridgeWAN src-address-list=\
    "Honeypot Hacker"

These rules work together with the port-scanner rules above.
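The following Python is an added example (not from the original post and not a MikroTik tool) that models the decisions the rules above make, so they can be sanity-checked against sample traffic: the tcp-flags signatures and honeypot TCP ports are copied from the rules, while psd=21,3s,3,1 is modelled only approximately as "weight 21 reached over distinct destination ports within 3 s, ports up to 1024 weighing 3 and others 1" (an assumption about the RouterOS matcher, not its exact algorithm). The traffic in SAMPLE is constructed.

```python
# Parameters from the page's rule psd=21,3s,3,1: weight threshold, delay, low-port weight, high-port weight
WEIGHT_THRESHOLD, DELAY_SECONDS, LOW_PORT_WEIGHT, HIGH_PORT_WEIGHT = 21, 3.0, 3, 1
HONEYPOT_TCP_PORTS = {22, 3389, 8291, 80, 443}  # dst-port of "block honeypot ssh rdp winbox"
# tcp-flags expressions from the page's rules: (flags that must be set, flags that must be clear)
SCAN_SIGNATURES = {
    "NMAP FIN Stealth scan": ({"fin"}, {"syn", "rst", "psh", "ack", "urg"}),
    "SYN/FIN scan": ({"fin", "syn"}, set()),
    "SYN/RST scan": ({"syn", "rst"}, set()),
    "FIN/PSH/URG scan": ({"fin", "psh", "urg"}, {"syn", "rst", "ack"}),
    "ALL/ALL scan": ({"fin", "syn", "rst", "psh", "ack", "urg"}, set()),
    "NMAP NULL scan": (set(), {"fin", "syn", "rst", "psh", "ack", "urg"}),
}

def match_flags(flags):
    """Return the comment of the first tcp-flags rule (in the page's order) that matches, else None."""
    for name, (must_set, must_clear) in SCAN_SIGNATURES.items():
        if must_set <= flags and not (must_clear & flags):
            return name
    return None

def classify(packets):
    """Map each offending source to the (address-list, rule comment) the page's rules would apply.
    psd is modelled simply (assumption): distinct dst ports per source are weighted; a gap > delay restarts."""
    verdict, state = {}, {}
    for ts, src, dport, flags in sorted(packets, key=lambda p: p[0]):
        if src in verdict:            # already listed: the raw prerouting rule drops it
            continue
        last_ts, ports, weight = state.get(src, (None, set(), 0))
        if last_ts is not None and ts - last_ts > DELAY_SECONDS:
            ports, weight = set(), 0  # more than 3 s since the last attempt: new sequence
        if dport not in ports:
            ports = ports | {dport}
            weight += LOW_PORT_WEIGHT if dport <= 1024 else HIGH_PORT_WEIGHT
        state[src] = (ts, ports, weight)
        sig = match_flags(flags)
        if weight >= WEIGHT_THRESHOLD:
            verdict[src] = ("Hacker Scanners", "Port Scanners")
        elif sig:
            verdict[src] = ("Hacker Scanners", sig)
        elif "syn" in flags and dport in HONEYPOT_TCP_PORTS:  # connection-state=new, protocol=tcp
            verdict[src] = ("Honeypot Hacker", "block honeypot ssh rdp winbox")
    return verdict

SAMPLE = [  # constructed traffic: (time in s, source, dst port, set of TCP flags)
    *[(0.2 * i, "198.51.100.7", p, {"syn"}) for i, p in enumerate([21, 23, 25, 110, 143, 445, 993])],
    (0.0, "198.51.100.8", 1194, {"syn"}), (10.0, "198.51.100.8", 1194, {"syn"}),  # legitimate VPN client
    (0.0, "198.51.100.9", 22, set()),                                              # NULL scan
    (0.0, "198.51.100.10", 3389, {"syn"}), (0.5, "198.51.100.10", 80, {"syn"}),  # touches honeypot ports
]
print(classify(SAMPLE))
```

Because the honeypot rules match any new WAN connection to 22, 8291, 80 or 443, an administrator who manages the router from the WAN side would list and drop their own address; put an accept or address-list exception for management sources ahead of these rules.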
