Cara Pengamanan Mikrotik dari Scan Winbox dan Neighbour
Kadang
kala para ISP atau penyedia jasa layanan tidak terlalu jeli untuk
melindungi customernya. Terutama ketika melindungi router pelanggan yang
menggunakan Mikrotik RouterOS(tm). Dengan menjalankan IP >>
Neighbor kita bisa melihat router mikrotik lainnya yang secara fisik
terhubung dengan router kita melalui jaringan di provider kita.
Untuk itu kita bisa melindunginya dengan berbagai cara misalnya memblok scan dari winbox dan neighbor kita. Berikut adalah cara yang paling mudah :
Untuk itu kita bisa melindunginya dengan berbagai cara misalnya memblok scan dari winbox dan neighbor kita. Berikut adalah cara yang paling mudah :
Code:
admin@mikrotik] interface bridge> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; block discovery mikrotik
chain=forward in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop
1 ;;; block discovery mikrotik
chain=input in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop
2 ;;; block discovery mikrotik
chain=output mac-protocol=ip dst-port=5678 ip-protocol=udp action=drop
3 ;;; block discovery mikrotik
chain=input in-interface=ether1 mac-protocol=ip dst-port=8291
ip-protocol=tcp action=drop
4 ;;; block winbox mikrotik
chain=forward in-interface=ether1 mac-protocol=ip dst-port=8291
ip-protocol=tcp action=drop
5 ;;; block request DHCP
chain=input mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
6 ;;; block request DHCP
chain=forward mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
7 ;;; block request DHCP
chain=output mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; block discovery mikrotik
chain=forward in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop
1 ;;; block discovery mikrotik
chain=input in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop
2 ;;; block discovery mikrotik
chain=output mac-protocol=ip dst-port=5678 ip-protocol=udp action=drop
3 ;;; block discovery mikrotik
chain=input in-interface=ether1 mac-protocol=ip dst-port=8291
ip-protocol=tcp action=drop
4 ;;; block winbox mikrotik
chain=forward in-interface=ether1 mac-protocol=ip dst-port=8291
ip-protocol=tcp action=drop
5 ;;; block request DHCP
chain=input mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
6 ;;; block request DHCP
chain=forward mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
7 ;;; block request DHCP
chain=output mac-protocol=ip dst-port=68 ip-protocol=udp action=drop
Dengan
perintah tersebut kita bisa menutup beberapa scan terutama yang
menggunakan winbox dan ip neighbor. Port diatas adalah bagian dari share
Mikrotik RouterOS yang memang di perlukan untuk monitoring.
Untuk bisa router mencatat semua IP para scanner dan kemudian dimasukkan kedalam daftar IP Address dan dinamakan dalam group "port scanner", berikut rule pada firewall-nya :
Untuk bisa router mencatat semua IP para scanner dan kemudian dimasukkan kedalam daftar IP Address dan dinamakan dalam group "port scanner", berikut rule pada firewall-nya :
Code:
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment=”Port scanners to list ” disabled=no
address-list-timeout=2w comment=”Port scanners to list ” disabled=no
Untuk menindaklajuti rule diatas, berikut rule utk mendropkannya :
Code:
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
Otomatis Mikrotik akan memainkan rule tsb.
Tambahan rule sebelum menggunakan aturan 2 :
Tambahan rule sebelum menggunakan aturan 2 :
Code:
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”NMAP FIN Stealth scan”
add chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”SYN/FIN scan”
add chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”SYN/RST scan”
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”FIN/PSH/URG scan”
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”ALL/ALL scan”
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”NMAP NULL scan”
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”NMAP FIN Stealth scan”
add chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”SYN/FIN scan”
add chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”SYN/RST scan”
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”FIN/PSH/URG scan”
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”ALL/ALL scan”
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=”port scanners”
address-list-timeout=2w comment=”NMAP NULL scan”
Tidak ada komentar:
Posting Komentar