Monday, 14 April 2014

Mikrotik firewall Tools and Rules

It passed some time since I initially configured the firewall of my Mikrotik. So I invested some of my time to make it better. 

First get the list of connections:
/ip firewall connection

Study them little closer with the whois information that you will be able to get. For those connections that I didn't quite agree, because I didn't see any reason of existence, I did this:

/ip firewall filter add chain=forward src-address=0.0.0.0/0 dst-address=<ip>/<mask> action=drop

Note the direction here - it is from the source to the destination (meaning generally it is most likely in the internet). You can also change this to your preference - block it the other way. Take care because some services may stop functioning - so add comments and also don't forget the order of the rules - meaning which are on top, some might overrule others.

The other interesting tool we can use here is called torch, with it you can basically find which flow of traffic consumes most and possibly that could be an attack or just a permanent connection (example could be an smtp service outside of the company).

/tool torch

One other thing is that it is more convenient to use the connection state and torch from WinBox if you are going to monitor those things in real time, however the command line does the same, BUT here you can use it to copy paste the text - which contains valuable information for further analysis.

Under attack or not?

Well another logical thing here would be to check the resources taken from the device. You can check this from here

/system resource monitor

Final thoughts - close whatever you don't need as services from the router or limit them to the local network where possible and scan it from outside. You can do a scan for instance with 

Below you will find some material on SYN filtering, DoS attack rules etc. I gathered them from the references below in one place, hopefully it is useful for you. 

SYN filtering
Some advanced filtering can by applied to tcp packet state.

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no

For v6.x:

/ip settings set tcp-syncookies=yes

For older RouterOS versions:

/ip firewall connection tracking set tcp-syncookie=yes

_________________________________________________________________________________

add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no 
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit \
comment="suppress DoS attack" disabled=no 
add chain=input protocol=tcp connection-limit=10,32 action= add-src-to-address-list \
address-list=black_list  address-list-timeout=1d comment="detect DoS attack" disabled=no 

These rule’s are a little reactive to DoS and port scanning attempts, port scanning is dropped but a DoS attack is ‘tarpitted’ in that all connection’s are slowed down to increase the resource usage on the attackers device

_________________________________________________________________________________


add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no 

note this rule seems to be invalid - still haven't found why:
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no 

add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no 

add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no 

These rules form the ‘ICMP’ chain which we jumped to from input, it limited various ICMP packet to stop people ping flooding you

_________________________________________________________________________________


Bruteforce login prevention

To stop SSH/FTP attacks on your router, follow this advice.
This configuration allows only 10 FTP login incorrect answers per minute
in /ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

_________________________________________________________________________________


This will prevent a SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

in /ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

If you want to block downstream access as well, you need to block the with the forward chain:

add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute downstream" disabled=no

To view the contents of your Blacklist, go to "/ip firewall address-list" and type "print" to see the contents.

References: