Board logo

標題: ROS firewall 求教 [打印本頁]
作者: hkd    時間: 2012-8-31 15:06     標題: ROS firewall 求教

本帖最後由 hkd 於 2012-8-31 15:11 編輯

師兄們 求救,
請指教一下點set 個ROS firewall, 萬個唔該,d人好無聊不停咁試
anyway 最後在我慢慢remote 修改期間俾人走左入黎password  都過埋我.

1) 只allow lan side access  e.g. 192.168.10.0/24
2) Allow pptp/ipsec VPN
3) 做 Port forward 443 去 192.168.10.100
DROP all other connection.
我無set DROP all other connection, 就work , 但個login page 重係度俾人撞
一set 左DROP,   vpn 就唔得,我知一定set 錯野

有無師兄能paste 段command 用用,  十萬個唔該
作者: 炎冬    時間: 2012-8-31 15:25

師兄們 求救,
請指教一下點set 個ROS firewall, 萬個唔該,d人好無聊不停咁試
anyway 最後在我慢慢 ...
hkd 發表於 2012-8-31 15:06


要做port forward
pptp 要做tcp, port 1723
l2tp 要做udp, port 500, 1701, 4500
作者: 炎冬    時間: 2012-8-31 15:32

另外呢個是用來block ftp brute forcers, 你可以改改D rule用來block其他野
  1. add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
  2.     dst-port=21 in-interface=ether1-gateway protocol=tcp src-address-list=\
  3.     ftp_blacklist
  4. add action=accept chain=output comment="drop ftp brute forcers" content=\
  5.     "530 Login incorrect" disabled=no dst-limit=1/1m,5,dst-address/2m protocol=\
  6.     tcp
  7. add action=add-dst-to-address-list address-list=ftp_blacklist \
  8.     address-list-timeout=0s chain=output comment="drop ftp brute forcers" \
  9.     content="530 Login incorrect" disabled=no protocol=tcp
  10. add action=accept chain=input disabled=no dst-port=21 in-interface=\
  11.     ether1-gateway protocol=tcp
複製代碼
作者: hkd    時間: 2012-8-31 15:51

thx 炎冬兄
作者: VR2VDT    時間: 2012-8-31 16:00

回復 1# hkd
1, you should setup very secure password, e.g. at least 8 characters, upper+lower case letters+numeric characters.
2, firewall filter rules are running one by one. Don't place "DROP all other connection" before other rules. Otherwise, the other rules will not run.
3, accept necessary service ports you run on ROS router, e.g. Winbox, SSH, PPTP, L2TP/IPSec, etc...
Below is my filter rules ..
  1. /ip firewall filter
  2. add chain=input comment="default configuration" protocol=icmp
  3. add chain=input comment="default configuration" connection-state=established
  4. add chain=input comment="default configuration" connection-state=related
  5. add action=add-src-to-address-list address-list=blocked-addr \
  6.     address-list-timeout=1d chain=input comment="SYN Flood protect" \
  7.     connection-limit=100,32 protocol=tcp
  8. add action=tarpit chain=input comment="SYN Flood protect" connection-limit=\
  9.     3,32 protocol=tcp src-address-list=blocked-addr
  10. add action=jump chain=forward comment="SYN Flood protect (default disable)" \
  11.     connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
  12. add chain=SYN-Protect comment="SYN Flood protect" connection-state=new limit=\
  13.     400,5 protocol=tcp tcp-flags=syn
  14. add action=log chain=SYN-Protect comment="SYN Flood protect" \
  15.     connection-state=new protocol=tcp tcp-flags=syn
  16. add action=drop chain=SYN-Protect comment="SYN Flood protect" \
  17.     connection-state=new protocol=tcp tcp-flags=syn
  18. add action=log chain=input comment=L2TP/IPSec dst-port=500 protocol=udp
  19. add chain=input comment=L2TP/IPSec dst-port=500 protocol=udp
  20. add action=log chain=input comment=L2TP/IPSec dst-port=1701 protocol=udp
  21. add chain=input comment=L2TP/IPSec dst-port=1701 protocol=udp
  22. add action=log chain=input comment=L2TP/IPSec dst-port=4500 protocol=udp
  23. add chain=input comment=L2TP/IPSec dst-port=4500 protocol=udp
  24. add action=log chain=input comment=L2TP/IPSec protocol=ipsec-esp
  25. add chain=input comment=L2TP/IPSec protocol=ipsec-esp
  26. add action=log chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
  27. add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
  28. add action=log chain=input dst-port=8291 protocol=tcp
  29. add chain=input dst-port=8291 protocol=tcp
  30. add action=log chain=input comment="drop ssh brute forcers" dst-port=22 \
  31.     protocol=tcp src-address-list=ssh_blacklist
  32. add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
  33.     protocol=tcp src-address-list=ssh_blacklist
  34. add action=add-src-to-address-list address-list=ssh_blacklist \
  35.     address-list-timeout=1w3d chain=input comment="drop ssh brute forcers" \
  36.     connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
  37. add action=add-src-to-address-list address-list=ssh_stage3 \
  38.     address-list-timeout=10m chain=input comment="drop ssh brute forcers" \
  39.     connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
  40. add action=add-src-to-address-list address-list=ssh_stage2 \
  41.     address-list-timeout=10m chain=input comment="drop ssh brute forcers" \
  42.     connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
  43. add action=add-src-to-address-list address-list=ssh_stage1 \
  44.     address-list-timeout=10m chain=input comment="drop ssh brute forcers" \
  45.     connection-state=new dst-port=22 protocol=tcp
  46. add action=log chain=forward comment="drop ssh brute downstream" dst-port=22 \
  47.     protocol=tcp src-address-list=ssh_blacklist
  48. add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
  49.     protocol=tcp src-address-list=ssh_blacklist
  50. add action=log chain=input dst-port=22 protocol=tcp
  51. add chain=input dst-port=22 protocol=tcp
  52. add action=log chain=input comment="drop ftp brute forcers" dst-port=21 \
  53.     protocol=tcp src-address-list=ftp_blacklist
  54. add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
  55.     protocol=tcp src-address-list=ftp_blacklist
  56. add chain=output comment="drop ftp brute forcers" content=\
  57.     "530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
  58. add action=add-dst-to-address-list address-list=ftp_blacklist \
  59.     address-list-timeout=3h chain=output comment="drop ftp brute forcers" \
  60.     content="530 Login incorrect" protocol=tcp
  61. add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
  62. add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
  63. add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
  64. add chain=icmp comment="host unreachable fragmentation required" \
  65.     icmp-options=3:4 protocol=icmp
  66. add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
  67. add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
  68. add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
  69. add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
  70. add action=drop chain=icmp comment="deny all other types"
  71. add action=log chain=input comment="Reject PING from external" protocol=icmp
  72. add action=drop chain=input comment="Reject PING from external" protocol=icmp
  73. add action=log chain=input comment="Port scanners to list " protocol=tcp psd=\
  74.     21,3s,3,1
  75. add action=add-src-to-address-list address-list="port scanners" \
  76.     address-list-timeout=2w chain=input comment="Port scanners to list" \
  77.     in-interface=!ether2-master-local protocol=tcp psd=21,3s,3,1
  78. add action=log chain=input comment="NMAP FIN Stealth scan" protocol=tcp \
  79.     tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
  80. add action=add-src-to-address-list address-list="port scanners" \
  81.     address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
  82.     in-interface=!ether2-master-local protocol=tcp tcp-flags=\
  83.     fin,!syn,!rst,!psh,!ack,!urg
  84. add action=log chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=\
  85.     fin,syn
  86. add action=add-src-to-address-list address-list="port scanners" \
  87.     address-list-timeout=2w chain=input comment="SYN/FIN scan" in-interface=\
  88.     !ether2-master-local protocol=tcp tcp-flags=fin,syn
  89. add action=log chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=\
  90.     syn,rst
  91. add action=add-src-to-address-list address-list="port scanners" \
  92.     address-list-timeout=2w chain=input comment="SYN/RST scan" in-interface=\
  93.     !ether2-master-local protocol=tcp tcp-flags=syn,rst
  94. add action=log chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
  95.     fin,psh,urg,!syn,!rst,!ack
  96. add action=add-src-to-address-list address-list="port scanners" \
  97.     address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" \
  98.     in-interface=!ether2-master-local protocol=tcp tcp-flags=\
  99.     fin,psh,urg,!syn,!rst,!ack
  100. add action=log chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\
  101.     fin,syn,rst,psh,ack,urg
  102. add action=add-src-to-address-list address-list="port scanners" \
  103.     address-list-timeout=2w chain=input comment="ALL/ALL scan" in-interface=\
  104.     !ether2-master-local protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
  105. add action=log chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
  106.     !fin,!syn,!rst,!psh,!ack,!urg
  107. add action=add-src-to-address-list address-list="port scanners" \
  108.     address-list-timeout=2w chain=input comment="NMAP NULL scan" \
  109.     in-interface=!ether2-master-local protocol=tcp tcp-flags=\
  110.     !fin,!syn,!rst,!psh,!ack,!urg
  111. add action=log chain=input comment="dropping port scanners" src-address-list=\
  112.     "port scanners"
  113. add action=drop chain=input comment="dropping port scanners" \
  114.     src-address-list="port scanners"
  115. add action=drop chain=input comment="default configuration" in-interface=\
  116.     ether1-gateway
複製代碼
作者: hkd    時間: 2012-8-31 16:16

本帖最後由 hkd 於 2012-8-31 16:18 編輯

回復 5# VR2VDT


    thx 晒,
我開頭重以為部機壞左,無啦啦話我password 錯,因為我初學開頭淨插左wan 上到網得閒至用另一條線remote 去set下玩下,連password 都無set,轉個頭就俾人set 埋password.

                0        Aug/31/2012 00:59:03        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                1        Aug/31/2012 00:59:04        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                2        Aug/31/2012 00:59:05        memory        system, error, critical        login failure for user info from 210.51.20.51 via ssh       
                3        Aug/31/2012 00:59:05        memory        system, error, critical        login failure for user demuji from 210.51.20.51 via ssh       
                4        Aug/31/2012 00:59:06        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                5        Aug/31/2012 00:59:06        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                6        Aug/31/2012 00:59:07        memory        system, error, critical        login failure for user diskbook from 210.51.20.51 via ssh       
                7        Aug/31/2012 00:59:07        memory        system, error, critical        login failure for user diskbook from 210.51.20.51 via ssh       
                8        Aug/31/2012 00:59:08        memory        system, error, critical        login failure for user diskbook from 210.51.20.51 via ssh       
                9        Aug/31/2012 00:59:09        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                10        Aug/31/2012 00:59:09        memory        system, error, critical        login failure for user firefox from 210.51.20.51 via ssh       
                11        Aug/31/2012 00:59:10        memory        system, error, critical        login failure for user user0 from 210.51.20.51 via ssh       
                12        Aug/31/2012 00:59:10        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                13        Aug/31/2012 00:59:11        memory        system, error, critical        login failure for user mysql0 from 210.51.20.51 via ssh       
                14        Aug/31/2012 00:59:11        memory        system, error, critical        login failure for user user0 from 210.51.20.51 via ssh       
                15        Aug/31/2012 00:59:12        memory        system, error, critical        login failure for user backup from 210.51.20.51 via ssh       
                16        Aug/31/2012 00:59:12        memory        system, error, critical        login failure for user backup from 210.51.20.51 via ssh       
                17        Aug/31/2012 00:59:13        memory        system, error, critical        login failure for user firefox from 210.51.20.51 via ssh       
                18        Aug/31/2012 00:59:14        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                19        Aug/31/2012 00:59:14        memory        system, error, critical        login failure for user user0 from 210.51.20.51 via ssh       
                20        Aug/31/2012 00:59:15        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                21        Aug/31/2012 00:59:16        memory        system, error, critical        login failure for user swsgest from 210.51.20.51 via ssh       
                22        Aug/31/2012 00:59:16        memory        system, error, critical        login failure for user megafile from 210.51.20.51 via ssh       
                23        Aug/31/2012 00:59:17        memory        system, error, critical        login failure for user i-heart from 210.51.20.51 via ssh       
                24        Aug/31/2012 00:59:17        memory        system, error, critical        login failure for user i-heart from 210.51.20.51 via ssh       
                25        Aug/31/2012 00:59:18        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                26        Aug/31/2012 00:59:18        memory        system, error, critical        login failure for user bash from 210.51.20.51 via ssh       
                27        Aug/31/2012 00:59:19        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                28        Aug/31/2012 00:59:19        memory        system, error, critical        login failure for user taz from 210.51.20.51 via ssh       
                29        Aug/31/2012 00:59:20        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                30        Aug/31/2012 00:59:21        memory        system, error, critical        login failure for user PruncuTz from 210.51.20.51 via ssh       
                31        Aug/31/2012 00:59:21        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                32        Aug/31/2012 00:59:22        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                33        Aug/31/2012 00:59:22        memory        system, error, critical        login failure for user paulb from 210.51.20.51 via ssh       
                34        Aug/31/2012 00:59:23        memory        system, error, critical        login failure for user michael from 210.51.20.51 via ssh       
                35        Aug/31/2012 00:59:23        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                36        Aug/31/2012 00:59:24        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                37        Aug/31/2012 00:59:24        memory        system, error, critical        login failure for user lday from 210.51.20.51 via ssh       
                38        Aug/31/2012 00:59:28        memory        system, error, critical        login failure for user nagios from 210.51.20.51 via ssh       
                39        Aug/31/2012 00:59:28        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                40        Aug/31/2012 00:59:29        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                41        Aug/31/2012 00:59:30        memory        system, error, critical        login failure for user svn from 210.51.20.51 via ssh       
                42        Aug/31/2012 00:59:30        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                43        Aug/31/2012 00:59:31        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                44        Aug/31/2012 00:59:31        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                45        Aug/31/2012 00:59:32        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                46        Aug/31/2012 00:59:32        memory        system, error, critical        login failure for user joyko from 210.51.20.51 via ssh       
                47        Aug/31/2012 00:59:33        memory        system, error, critical        login failure for user user0 from 210.51.20.51 via ssh       
                48        Aug/31/2012 00:59:33        memory        system, error, critical        login failure for user bin from 210.51.20.51 via ssh       
                49        Aug/31/2012 00:59:34        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                50        Aug/31/2012 00:59:35        memory        system, error, critical        login failure for user sshserver from 210.51.20.51 via ssh       
                51        Aug/31/2012 00:59:35        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh
作者: pnp1010    時間: 2012-8-31 18:44

回復 1# hkd


    我就
1) BLK咗無用既PORT
2) 改 LOGIN "ADMIN" 轉做"ADMIN_0001",當然冇咗"ADMIN"
再加簡單既FIREWALL RULE
世界變得清淨晒!!




歡迎光臨 電腦領域 HKEPC Hardware (https://www.hkepc.com/forum/) Powered by Discuz! 7.2