Asking for help with the ROS firewall

This post was last edited by hkd on 2012-8-31 15:11

Brothers, help please,
Could you teach me how to set up the ROS firewall? Ten thousand thanks. Some idle people keep trying to get in.
Anyway, in the end, while I was slowly changing things remotely, someone got in and even changed my password.

1) Only allow LAN-side access, e.g. 192.168.10.0/24
2) Allow PPTP/IPsec VPN
3) Port forward 443 to 192.168.10.100
DROP all other connections.
If I don't set "DROP all other connections" it works, but the login page still keeps getting hammered.
As soon as I set the DROP, the VPN stops working; I know I must have set something wrong.

Could some brother paste a sequence of commands I can use? A hundred thousand thanks.

Brothers, help please,
Could you teach me how to set up the ROS firewall? Ten thousand thanks. Some idle people keep trying to get in.
Anyway, in the end, while I was slowly ...
hkd posted on 2012-8-31 15:06


For the port forwarding:
PPTP needs TCP, port 1723
L2TP needs UDP, ports 500, 1701, 4500


Also, this one is used to block FTP brute forcers; you can adapt the rules to block other things.
/ip firewall filter
# anyone already on the blacklist is dropped before reaching the FTP service
add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
    dst-port=21 in-interface=ether1-gateway protocol=tcp src-address-list=\
    ftp_blacklist
# the router's own "530 Login incorrect" replies are let through at 1/min with a
# burst of 5 per client address; a client that exhausts the burst falls through
# to the next rule and is blacklisted (timeout 0s = permanent)
add action=accept chain=output comment="drop ftp brute forcers" content=\
    "530 Login incorrect" disabled=no dst-limit=1/1m,5,dst-address/2m protocol=\
    tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=0s chain=output comment="drop ftp brute forcers" \
    content="530 Login incorrect" disabled=no protocol=tcp
add action=accept chain=input disabled=no dst-port=21 in-interface=\
    ether1-gateway protocol=tcp


thx, brother 炎冬


Reply to 1# hkd
1. You should set a very secure password, e.g. at least 8 characters, with upper- and lower-case letters and numeric characters.
2. Firewall filter rules run one by one. Don't place "DROP all other connections" before the other rules; otherwise the other rules will never run.
3. Accept the necessary service ports you run on the ROS router, e.g. Winbox, SSH, PPTP, L2TP/IPsec, etc.
Below are my filter rules:
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input comment="SYN Flood protect" \
    connection-limit=100,32 protocol=tcp
add action=tarpit chain=input comment="SYN Flood protect" connection-limit=\
    3,32 protocol=tcp src-address-list=blocked-addr
# NOTE: the jump below is enabled as exported, despite the "(default disable)"
# comment; add disabled=yes to the rule to switch the SYN-Protect chain off
add action=jump chain=forward comment="SYN Flood protect (default disable)" \
    connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add chain=SYN-Protect comment="SYN Flood protect" connection-state=new limit=\
    400,5 protocol=tcp tcp-flags=syn
add action=log chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new protocol=tcp tcp-flags=syn
add action=log chain=input comment=L2TP/IPSec dst-port=500 protocol=udp
add chain=input comment=L2TP/IPSec dst-port=500 protocol=udp
add action=log chain=input comment=L2TP/IPSec dst-port=1701 protocol=udp
add chain=input comment=L2TP/IPSec dst-port=1701 protocol=udp
add action=log chain=input comment=L2TP/IPSec dst-port=4500 protocol=udp
add chain=input comment=L2TP/IPSec dst-port=4500 protocol=udp
add action=log chain=input comment=L2TP/IPSec protocol=ipsec-esp
add chain=input comment=L2TP/IPSec protocol=ipsec-esp
add action=log chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
# Winbox (8291) is accepted from any source here
add action=log chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=8291 protocol=tcp
# staged SSH brute-force protection: 4 new connections within 10 minutes move a
# source through ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist (1w3d)
add action=log chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input comment="drop ssh brute forcers" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=10m chain=input comment="drop ssh brute forcers" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=10m chain=input comment="drop ssh brute forcers" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=10m chain=input comment="drop ssh brute forcers" \
    connection-state=new dst-port=22 protocol=tcp
add action=log chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=log chain=input dst-port=22 protocol=tcp
add chain=input dst-port=22 protocol=tcp
add action=log chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=output comment="drop ftp brute forcers" content=\
    "530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output comment="drop ftp brute forcers" \
    content="530 Login incorrect" protocol=tcp
# NOTE: nothing jumps to the icmp chain below, and the first rule in this list
# already accepts all ICMP to the router, so neither the icmp chain nor the
# "Reject PING from external" rules further down ever see a packet
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="host unreachable fragmentation required" \
    icmp-options=3:4 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=log chain=input comment="Reject PING from external" protocol=icmp
add action=drop chain=input comment="Reject PING from external" protocol=icmp
add action=log chain=input comment="Port scanners to list " protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list" \
    in-interface=!ether2-master-local protocol=tcp psd=21,3s,3,1
add action=log chain=input comment="NMAP FIN Stealth scan" protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    in-interface=!ether2-master-local protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" in-interface=\
    !ether2-master-local protocol=tcp tcp-flags=fin,syn
add action=log chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" in-interface=\
    !ether2-master-local protocol=tcp tcp-flags=syn,rst
add action=log chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" \
    in-interface=!ether2-master-local protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=log chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" in-interface=\
    !ether2-master-local protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=log chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" \
    in-interface=!ether2-master-local protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=input comment="dropping port scanners" src-address-list=\
    "port scanners"
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
# catch-all: anything else arriving on the WAN for the router is dropped
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway


This post was last edited by hkd on 2012-8-31 16:18

Reply to 5# VR2VDT


Thanks a lot,
At first I thought the box was broken, because out of nowhere it told me my password was wrong. As a beginner, at the start I had only plugged in the WAN to get online, and when I had time I used another line to remote in and play with the settings; I hadn't even set a password, and the next thing I knew someone had set a password for me.

                0        Aug/31/2012 00:59:03        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                1        Aug/31/2012 00:59:04        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                2        Aug/31/2012 00:59:05        memory        system, error, critical        login failure for user info from 210.51.20.51 via ssh       
                3        Aug/31/2012 00:59:05        memory        system, error, critical        login failure for user demuji from 210.51.20.51 via ssh       
                4        Aug/31/2012 00:59:06        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                5        Aug/31/2012 00:59:06        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                6        Aug/31/2012 00:59:07        memory        system, error, critical        login failure for user diskbook from 210.51.20.51 via ssh       
                7        Aug/31/2012 00:59:07        memory        system, error, critical        login failure for user diskbook from 210.51.20.51 via ssh       
                8        Aug/31/2012 00:59:08        memory        system, error, critical        login failure for user diskbook from 210.51.20.51 via ssh       
                9        Aug/31/2012 00:59:09        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                10        Aug/31/2012 00:59:09        memory        system, error, critical        login failure for user firefox from 210.51.20.51 via ssh       
                11        Aug/31/2012 00:59:10        memory        system, error, critical        login failure for user user0 from 210.51.20.51 via ssh       
                12        Aug/31/2012 00:59:10        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                13        Aug/31/2012 00:59:11        memory        system, error, critical        login failure for user mysql0 from 210.51.20.51 via ssh       
                14        Aug/31/2012 00:59:11        memory        system, error, critical        login failure for user user0 from 210.51.20.51 via ssh       
                15        Aug/31/2012 00:59:12        memory        system, error, critical        login failure for user backup from 210.51.20.51 via ssh       
                16        Aug/31/2012 00:59:12        memory        system, error, critical        login failure for user backup from 210.51.20.51 via ssh       
                17        Aug/31/2012 00:59:13        memory        system, error, critical        login failure for user firefox from 210.51.20.51 via ssh       
                18        Aug/31/2012 00:59:14        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                19        Aug/31/2012 00:59:14        memory        system, error, critical        login failure for user user0 from 210.51.20.51 via ssh       
                20        Aug/31/2012 00:59:15        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                21        Aug/31/2012 00:59:16        memory        system, error, critical        login failure for user swsgest from 210.51.20.51 via ssh       
                22        Aug/31/2012 00:59:16        memory        system, error, critical        login failure for user megafile from 210.51.20.51 via ssh       
                23        Aug/31/2012 00:59:17        memory        system, error, critical        login failure for user i-heart from 210.51.20.51 via ssh       
                24        Aug/31/2012 00:59:17        memory        system, error, critical        login failure for user i-heart from 210.51.20.51 via ssh       
                25        Aug/31/2012 00:59:18        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                26        Aug/31/2012 00:59:18        memory        system, error, critical        login failure for user bash from 210.51.20.51 via ssh       
                27        Aug/31/2012 00:59:19        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                28        Aug/31/2012 00:59:19        memory        system, error, critical        login failure for user taz from 210.51.20.51 via ssh       
                29        Aug/31/2012 00:59:20        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                30        Aug/31/2012 00:59:21        memory        system, error, critical        login failure for user PruncuTz from 210.51.20.51 via ssh       
                31        Aug/31/2012 00:59:21        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                32        Aug/31/2012 00:59:22        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                33        Aug/31/2012 00:59:22        memory        system, error, critical        login failure for user paulb from 210.51.20.51 via ssh       
                34        Aug/31/2012 00:59:23        memory        system, error, critical        login failure for user michael from 210.51.20.51 via ssh       
                35        Aug/31/2012 00:59:23        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                36        Aug/31/2012 00:59:24        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                37        Aug/31/2012 00:59:24        memory        system, error, critical        login failure for user lday from 210.51.20.51 via ssh       
                38        Aug/31/2012 00:59:28        memory        system, error, critical        login failure for user nagios from 210.51.20.51 via ssh       
                39        Aug/31/2012 00:59:28        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                40        Aug/31/2012 00:59:29        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                41        Aug/31/2012 00:59:30        memory        system, error, critical        login failure for user svn from 210.51.20.51 via ssh       
                42        Aug/31/2012 00:59:30        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                43        Aug/31/2012 00:59:31        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                44        Aug/31/2012 00:59:31        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                45        Aug/31/2012 00:59:32        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                46        Aug/31/2012 00:59:32        memory        system, error, critical        login failure for user joyko from 210.51.20.51 via ssh       
                47        Aug/31/2012 00:59:33        memory        system, error, critical        login failure for user user0 from 210.51.20.51 via ssh       
                48        Aug/31/2012 00:59:33        memory        system, error, critical        login failure for user bin from 210.51.20.51 via ssh       
                49        Aug/31/2012 00:59:34        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh       
                50        Aug/31/2012 00:59:35        memory        system, error, critical        login failure for user sshserver from 210.51.20.51 via ssh       
                51        Aug/31/2012 00:59:35        memory        system, error, critical        login failure for user root from 210.51.20.51 via ssh


Reply to 1# hkd


What I did:
1) Blocked the unused ports
2) Changed the login "ADMIN" to "ADMIN_0001", and of course removed "ADMIN"
plus a few simple firewall rules,
and the world has gone completely quiet!!
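Pulling the thread together: the following is an added example, not a ruleset posted by anyone in this thread, showing a RouterOS configuration that does what hkd asked for in post #1 (management only from 192.168.10.0/24, PPTP and L2TP/IPsec allowed in from the WAN, TCP 443 forwarded to 192.168.10.100, everything else from the WAN dropped), together with the "rename admin" step from the last reply. It assumes the WAN interface is called ether1-gateway (the name used in the rulesets above), that the PPTP and L2TP servers are already enabled, and that VPN clients get addresses from a pool inside 192.168.10.0/24; if your pool lives elsewhere, add it to the "lan" address list and to the /ip service address fields. The new user name follows the last reply and the password is a placeholder. Two things the earlier replies leave out: PPTP needs GRE (IP protocol 47) as well as TCP 1723, and L2TP/IPsec needs ESP (IP protocol 50) as well as UDP 500/1701/4500; without them the tunnel negotiates but no data flows, which is one common reason a VPN "stops working" once a catch-all drop is added. The other common reason is ordering, the point VR2VDT makes in reply #5: the drop must be the last rule in each chain.

```routeros
# Added example for this thread, not anyone's posted config.
# Assumptions: WAN = ether1-gateway, LAN = 192.168.10.0/24,
# web server = 192.168.10.100, VPN client pool inside 192.168.10.0/24.

# 1) Management account: create the new one, log in as it, then remove "admin".
#    The password is a placeholder; choose your own.
/user add name=ADMIN_0001 group=full password="Replace-Me-With-A-Long-Passphrase"
/user remove admin

# Restrict the management services themselves to the LAN (defence in depth,
# independent of the firewall) and switch off the ones that are not needed.
/ip service set winbox address=192.168.10.0/24
/ip service set ssh address=192.168.10.0/24
/ip service set www address=192.168.10.0/24
/ip service disable telnet
/ip service disable ftp

/ip firewall address-list
add list=lan address=192.168.10.0/24 comment="management network"

# 2) Port forward: TCP 443 from the Internet to the internal web server.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.10.100 to-ports=443 comment="443 -> web server"

# 3) Filter. Rules are evaluated top to bottom and the first match wins, so every
#    accept must sit above the catch-all drop that ends each chain.
/ip firewall filter
# --- input: packets addressed to the router itself ---
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=lan action=accept comment="LAN may manage the router"
# PPTP = control channel on TCP 1723 AND the GRE tunnel (IP protocol 47)
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=input in-interface=ether1-gateway protocol=gre action=accept comment="PPTP GRE"
# L2TP/IPsec = IKE (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50),
# then the L2TP packets (UDP 1701) that appear after ESP is decrypted
add chain=input in-interface=ether1-gateway protocol=udp dst-port=500,4500 action=accept comment="IPsec IKE/NAT-T"
add chain=input in-interface=ether1-gateway protocol=ipsec-esp action=accept comment="IPsec ESP"
add chain=input in-interface=ether1-gateway protocol=udp dst-port=1701 action=accept comment="L2TP"
# Everything else arriving on the WAN for the router (winbox, ssh, the www
# login page, ...) is dropped. Traffic from connected VPN clients arrives on
# ppp interfaces, not ether1-gateway, so it is not affected by this rule.
add chain=input in-interface=ether1-gateway action=drop comment="drop all other WAN input"

# --- forward: packets passing through the router ---
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# dst-nat runs in prerouting, so forward already sees the translated address
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.10.100 \
    dst-port=443 action=accept comment="forwarded 443"
# LAN hosts and VPN clients (anything not on the WAN interface) may go anywhere
add chain=forward in-interface=!ether1-gateway action=accept
add chain=forward in-interface=ether1-gateway action=drop comment="drop all other WAN forward"
```

When applying this over a remote connection, enter safe mode first (Ctrl-X in the RouterOS terminal) so that a mistake in the ordering, or a forgotten GRE/ESP rule, is rolled back automatically if the session is lost rather than locking you out; once the VPN and the LAN login both still work, leave safe mode to commit. Remote management afterwards goes through the VPN, not directly over the WAN, which is exactly what stops the login-page hammering hkd saw.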
