
Blok virus di MikroTik — blocking worm/virus and abuse traffic with the RouterOS firewall filter



Sections of the filter configuration
o Block bogus IP addresses
o Drop SSH brute forcers
o Port scanners to list
o Filter FTP to box
o Separate protocols into chains
  UDP :: blocking UDP packets
  TCP :: blocking TCP packets
  ICMP :: rate-limited ICMP (ping-flood protection)
o Allow broadcast traffic
o Connection state

## Basic Configuration -
Begin
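/ip firewall filter
# --- Block bogus source/destination addresses in transit (forward chain) ---
# "This host" network (0.0.0.0/8) must never appear on the wire as src or dst.
add chain=forward src-address=0.0.0.0/8 action=drop comment="Block bogus IP: 0.0.0.0/8 src"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="Block bogus IP: 0.0.0.0/8 dst"
# Loopback must never be routed.
add chain=forward src-address=127.0.0.0/8 action=drop comment="Block bogus IP: loopback src"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="Block bogus IP: loopback dst"
# 224.0.0.0/3 = 224.0.0.0-255.255.255.255 (multicast, class E and the limited broadcast
# 255.255.255.255), so this one pair already covers everything above 223.255.255.255.
# NOTE(review): the dst rule also stops the router forwarding multicast; remove it if
# IPTV/mDNS across the router is required.
add chain=forward src-address=224.0.0.0/3 action=drop comment="Block bogus IP: multicast/class E src"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="Block bogus IP: multicast/class E dst"
# Two rules from the original listing were removed here because they were wrong:
#   src-address=255.255.255.255/3  -> a /3 starting at 255.x covers the same range as
#                                     224.0.0.0/3, i.e. a duplicate of the rule above;
#   dst-address=0.0.0.0/3          -> 0.0.0.0-31.255.255.255, which black-holes traffic
#                                     to large PUBLIC ranges (1.0.0.0/8, 8.0.0.0/8, ...).
# RFC1918 / CGNAT bogon filtering is deliberately not added: on a LAN-facing router
# those ranges are legitimate; add them only on the WAN-facing interface.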
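# --- SSH brute-force mitigation for the router's own SSH service (input chain, tcp/22) ---
# Escalating address lists: every NEW tcp/22 connection moves the source one stage up.
# Four new connections inside the 1-minute stage windows reach ssh_blacklist, which is
# dropped for 1w3d (10 days). Rule order matters: the drop comes first, then
# stage3 -> stage2 -> stage1 -> catch-all, so one packet climbs at most one stage
# (add-src-to-address-list is non-terminating, but the higher-stage rules have
# already been passed by the time the lower ones fire).
# NOTE(review): the trigger is "new connection", not "failed login" - an admin who opens
# four sessions within a minute locks themselves out for 10 days. Put an accept rule for
# the management addresses ABOVE this block before enabling it, and change dst-port if
# /ip service ssh is not on 22.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="Drop SSH brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 \
    action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d \
    comment="SSH stage3 -> blacklist (10 days)"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 \
    action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m \
    comment="SSH stage2 -> stage3"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
    action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
    comment="SSH stage1 -> stage2"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m \
    comment="SSH first new connection -> stage1"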
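# --- Port-scan detection against the router itself (input chain) ---
# Sources that behave like a scanner are collected in ONE address list and dropped
# for 2 weeks by the last rule. Fixes vs. the original listing: the list name was
# written both as "port scanners" (unquoted, contains a space -> import error) and
# as "port_scanners", so hits landed in different lists and the drop rule missed
# some of them; it is "port_scanners" everywhere now, and all comments are quoted.
# add-src-to-address-list is non-terminating, so the detection rules can sit above
# the drop rule without short-circuiting each other.
# psd=21,3s,3,1: weight threshold 21 reached within 3s; a low port (<1024) weighs 3,
# a high port weighs 1.
# NOTE(review): psd can misfire on busy legitimate clients and 2w is a long penalty;
# these rules only see scans OF the router, not scans THROUGH it (forward chain).
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=2w comment="Port scanners to list (psd)"
# Illegal / fingerprinting TCP flag combinations.
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=2w comment="NMAP FIN stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=2w comment="FIN/PSH/URG (xmas) scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list=port_scanners action=drop comment="Drop port scanners"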
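# --- FTP brute-force mitigation for the router's own FTP service (tcp/21) ---
# The router inspects ITS OWN outgoing "530 Login incorrect" replies (output chain):
# dst-limit lets 10 failures per client per minute through (rate 1/1m plus burst 9);
# the next failure falls through to the second rule, which blacklists the client for 3h,
# and the first rule then drops that client's new FTP packets on input.
# Fixes vs. the original listing: the content string contains spaces and MUST be quoted,
# and the blacklisting rule matched "530_Login_incorrect" (underscores) - a string an FTP
# server never sends - so nothing was ever blacklisted. src-port=21 is added so only
# FTP replies, not any other TCP output containing that text, are inspected.
# NOTE(review): only plaintext FTP can be inspected this way. If the FTP service is not
# needed, disabling it in /ip service is the stronger fix.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="Drop FTP brute forcers"
add chain=output protocol=tcp src-port=21 content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m action=accept \
    comment="FTP: allow up to 10 failed logins per client per minute"
add chain=output protocol=tcp src-port=21 content="530 Login incorrect" \
    action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h \
    comment="FTP: blacklist the client after repeated failures (3h)"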
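# --- Dispatch forwarded traffic into per-protocol chains ---
# Fix vs. the original listing: "comment= Separate_Protocol_into_Chains" had a space
# after "=", leaving an unquoted stray token that makes the import fail; comments are
# quoted here.
# A packet that matches nothing in the target chain returns and continues down "forward".
add chain=forward protocol=tcp action=jump jump-target=tcp \
    comment="Separate protocol into chains: tcp"
add chain=forward protocol=udp action=jump jump-target=udp \
    comment="Separate protocol into chains: udp"
add chain=forward protocol=icmp action=jump jump-target=icmp \
    comment="Separate protocol into chains: icmp"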
# --- udp chain: LAN-service ports that should never transit the router ---
# 69 tftp, 111 sunrpc/portmapper, 135 msrpc, 137-139 netbios, 2049 nfs.
# NOTE(review): 3133 is not a well-known port; if 31337 (Back Orifice) was intended the
# value is truncated - confirm with the author of the original.
# One port-list rule replaces the six single-port unconditional drops of the original;
# the same packets are dropped, only the per-port counters are lost.
# NOTE(review): this also blocks legitimate NFS/SMB/RPC between subnets on either side
# of the router.
add chain=udp protocol=udp dst-port=69,111,135,137-139,2049,3133 action=drop \
    comment="Blocking UDP packets: tftp, sunrpc, msrpc, netbios, nfs, 3133"
# --- tcp chain: LAN-service and backdoor ports that should never transit the router ---
# 69 tftp, 111 sunrpc, 119 nntp, 135 msrpc, 137-139 netbios, 445 smb, 2049 nfs,
# 12345-12346 and 20034 (NetBus backdoor), 3133 (not a well-known port - possibly a
# truncated 31337, confirm with the author), 67-68 (DHCP; DHCP runs over UDP, so this
# tcp entry is inert but kept so the rule set matches the original exactly).
# One port-list rule replaces the twelve single-port unconditional drops of the
# original; the same packets are dropped, only the per-port counters are lost.
add chain=tcp protocol=tcp dst-port=69,111,119,135,137-139,445,2049,12345-12346,20034,3133,67-68 \
    action=drop comment="Blocking TCP packets: tftp, sunrpc, nntp, msrpc, netbios, smb, nfs, netbus, 3133, dhcp"
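# --- icmp chain: rate-limited ICMP for forwarded traffic ---
# Fix vs. the original listing: "comment=Limited Ping Flood" was unquoted (import error).
# Each accepted type is limited to 5 packets/s with a burst of 5. The limit is GLOBAL,
# not per source: a handful of hosts pinging can starve PMTUD for everyone else; use
# dst-limit if per-host limiting is wanted.
#   0   echo reply              3:3 port unreachable (UDP errors, traceroute)
#   3:4 fragmentation needed    (path-MTU discovery - never drop this)
#   8   echo request            11  time exceeded (traceroute)
# Everything else (redirects, other unreachable codes, timestamps, ...) is dropped.
# NOTE(review): RouterOS v6+ writes this matcher as limit=5,5:packet; check that the
# imported rules show the intended mode.
add chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
    comment="Limited ping flood: echo reply"
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
    comment="Limited ping flood: port unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
    comment="Limited ping flood: fragmentation needed (PMTUD)"
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
    comment="Limited ping flood: echo request"
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
    comment="Limited ping flood: time exceeded"
add chain=icmp protocol=icmp action=drop comment="Drop all other ICMP"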
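# --- Broadcast and connection tracking on the router's own input chain ---
# Same four rules and order as the original, with quoted comments.
add chain=input dst-address-type=broadcast action=accept \
    comment="Allow broadcast traffic (DHCP discover etc.)"
add chain=input connection-state=established action=accept comment="Connection state: established"
add chain=input connection-state=related action=accept comment="Connection state: related"
add chain=input connection-state=invalid action=drop comment="Connection state: invalid"
# NOTE(review): nothing in this listing ends the input chain with a drop, so every
# service on the router (winbox 8291, www 80, api 8728, telnet 23, ftp 21, ssh 22, ...)
# stays reachable from every interface; the SSH/FTP/port-scan rules above only slow an
# attacker down. A default drop is added DISABLED on purpose: first add accept rules for
# the LAN / management addresses (and DNS/DHCP if the router serves them) above it,
# then enable it - enabling it as-is would lock you out.
add chain=input action=drop disabled=yes \
    comment="Default drop for input - enable only after adding LAN/management accept rules above"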
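/ip firewall filter
# --- Wireless client interface (wlan-omni) hygiene ---
# Fix vs. the original listing: interface names are case-sensitive in RouterOS and the
# original mixed "Wlan-omni" and "wlan-omni"; a rule that references a non-existent
# interface is rejected on import. All four rules use "wlan-omni" here - confirm the
# spelling against /interface print.
# Windows RPC / NetBIOS / SMB from the wireless clients towards the router itself:
add chain=input action=drop protocol=tcp in-interface=wlan-omni dst-port=135-139,445 \
    comment="wlan-omni: block msrpc/netbios/smb to the router (tcp)"
add chain=input action=drop protocol=udp in-interface=wlan-omni dst-port=135-139,445 \
    comment="wlan-omni: block msrpc/netbios/smb to the router (udp)"
# ...and through the router. 25 stops infected clients from spamming directly to remote
# MX hosts (mail clients should use submission 587/465); 135,137-139,445,593,1025 are
# Windows RPC/NetBIOS/SMB; 4691 and 5933 come from the original "virus ports" list and
# are kept as-is.
add chain=forward action=drop protocol=tcp in-interface=wlan-omni \
    dst-port=25,135,137-139,445,593,1025,4691,5933 \
    comment="wlan-omni: block worm/spam ports (tcp)"
add chain=forward action=drop protocol=udp in-interface=wlan-omni \
    dst-port=25,135,137-139,445,593,1025,4691,5933 \
    comment="wlan-omni: block worm/spam ports (udp)"
# NOTE(review): the p2p matcher only recognises unencrypted BitTorrent and no longer
# exists in RouterOS v7; modern clients encrypt and use random ports, so treat this rule
# as best-effort, not as enforcement.
add chain=forward action=drop p2p=bit-torrent comment="Drop (unencrypted) BitTorrent"
# Conntrack rules kept after the port drops, as in the original: that way the drops also
# apply to packets of already-established flows on those ports. Moving them above the
# drops would save CPU but let an established flow on a blocked port continue.
add chain=forward action=accept connection-state=established \
    comment="Forward: accept established"
add chain=forward action=accept connection-state=related comment="Forward: accept related"
add chain=forward action=drop connection-state=invalid comment="Forward: drop invalid"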
Note: ether3 is the interface facing the clients.
BitTorrent's official port range is 6881-6889, but current clients pick random ports and encrypt the
protocol, so port-based (or p2p-matcher-based) blocking alone is unreliable.
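/ip firewall filter
# --- Two-step port knock: tcp/1337, then tcp/7331 within 15s ---
# Fix vs. the original listing: step 1 added the knocker to the "DDOS" list, but step 2
# tested src-address-list=knock - a list nothing populated - so the sequence could never
# complete. Step 1 now feeds "knock".
# NOTE(review): no rule in this listing consumes the "DDOS" list either, so completing the
# knock currently has no effect; add the accept (or drop) rule that is meant to use it.
# 1337/7331 are easily guessed "leet" numbers - pick an unrelated port pair.
add action=add-src-to-address-list address-list=knock address-list-timeout=15s \
    chain=input dst-port=1337 protocol=tcp comment="Port knock: step 1"
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15m \
    chain=input dst-port=7331 protocol=tcp src-address-list=knock comment="Port knock: step 2"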
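# --- Port-scan detection, second copy (input chain) ---
# This duplicates the detection rules of the first listing; import one set, not both.
# Fixes vs. the original listing:
#  - the list name "port scanners" contains a space and was unquoted (import error);
#    it is "port_scanners" here so the drop rule of the first listing matches it;
#  - the "NMAP FIN Stealth scan" rule had NO tcp-flags matcher at all and therefore
#    listed EVERY TCP source that talked to the router as a scanner for 2 weeks
#    (combined with a drop rule on that list, that is a total lockout); it now matches a
#    bare FIN, the same signature the first listing uses;
#  - comments containing spaces are quoted.
# NOTE(review): this fragment itself has no rule that drops src-address-list=port_scanners;
# without one the list is only informative.
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w \
    chain=input comment="Port scanners to list (psd)" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w \
    chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w \
    chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w \
    chain=input comment="FIN/PSH/URG (xmas) scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w \
    chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w \
    chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w \
    chain=input comment="NMAP FIN stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg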
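# --- "ANTI NETCUT" accept rules: kept for reference, DISABLED ---
# NOTE(review): NetCut is an ARP-spoofing tool that works on the local L2 segment; an
# input-chain accept for remote public address ranges does nothing against it. The
# effective countermeasure is a static ARP binding on the client-facing interface:
#   /ip arp add address=CLIENT_IP mac-address=CLIENT_MAC interface=CLIENT_IF
#   /interface ethernet set CLIENT_IF arp=reply-only   (or /interface wireless set ...)
# As written, these nine rules accepted ALL TCP ports on the router's own input chain
# from nine public /24-sized ranges whose current owners cannot be verified from this
# listing, bypassing the SSH, FTP and port-scan protections for anyone inside them.
# They are kept with disabled=yes so nothing is lost; delete them once ARP binding is
# in place. (dst-port=0-65535 was equivalent to no port match and has been dropped;
# the original unquoted "ANTI NETCUT" comments are quoted.)
add action=accept chain=input comment="ANTI NETCUT (disabled - see note)" protocol=tcp \
    src-address=61.213.183.1-61.213.183.254 disabled=yes
add action=accept chain=input comment="ANTI NETCUT (disabled - see note)" protocol=tcp \
    src-address=67.195.134.1-67.195.134.254 disabled=yes
add action=accept chain=input comment="ANTI NETCUT (disabled - see note)" protocol=tcp \
    src-address=68.142.233.1-68.142.233.254 disabled=yes
add action=accept chain=input comment="ANTI NETCUT (disabled - see note)" protocol=tcp \
    src-address=68.180.217.1-68.180.217.254 disabled=yes
add action=accept chain=input comment="ANTI NETCUT (disabled - see note)" protocol=tcp \
    src-address=203.84.204.1-203.84.204.254 disabled=yes
add action=accept chain=input comment="ANTI NETCUT (disabled - see note)" protocol=tcp \
    src-address=69.63.176.1-69.63.176.254 disabled=yes
add action=accept chain=input comment="ANTI NETCUT (disabled - see note)" protocol=tcp \
    src-address=69.63.181.1-69.63.181.254 disabled=yes
add action=accept chain=input comment="ANTI NETCUT (disabled - see note)" protocol=tcp \
    src-address=63.245.209.1-63.245.209.254 disabled=yes
add action=accept chain=input comment="ANTI NETCUT (disabled - see note)" protocol=tcp \
    src-address=63.245.213.1-63.245.213.254 disabled=yes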
Bind a client's IP address to a MAC address so the client cannot change it (in the examples below the MAC is the AP's MAC address).
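/ip firewall filter
# --- IP <-> MAC binding templates (x.x.x.x = bound IP, yy:yy:yy:yy:yy:yy = expected MAC) ---
# Template 1: packets claiming the bound IP but arriving from any OTHER MAC are dropped
#             (someone else using that IP).
add chain=forward action=drop src-address=x.x.x.x src-mac-address=!yy:yy:yy:yy:yy:yy \
    comment="IP/MAC binding: x.x.x.x only from yy:yy:yy:yy:yy:yy"
# Template 2: packets from the bound MAC carrying any OTHER IP are dropped
#             (the client changing its own address).
add chain=forward action=drop src-address=!x.x.x.x src-mac-address=yy:yy:yy:yy:yy:yy \
    comment="IP/MAC binding: yy:yy:yy:yy:yy:yy only as x.x.x.x"
# NOTE(review): src-mac-address is only meaningful when the router receives the client's
# frames directly (same L2 segment, no intermediate router). Template 2 cannot be used
# when several IPs legitimately share one MAC (clients behind a wireless station/AP);
# use template 1 per IP in that case. These rules cover transit traffic only (forward);
# add the same in chain=input, or use /ip arp static entries with arp=reply-only on the
# client interface, to protect the router itself.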
Example (instantiating template 1 for several client IPs behind one MAC):
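/ip firewall filter
# --- IP <-> MAC binding, worked example ---
# Fix vs. the original listing: the example rules had NO negation on src-mac-address, so
# each one dropped exactly the legitimate IP/MAC pair it was meant to protect (matching
# IP AND matching MAC -> drop). Following template 1, the MAC is negated: the bound IP is
# dropped when it arrives from any OTHER MAC. Four IPs share one MAC here, which is
# consistent with clients behind a single AP/station.
# NOTE(review): if the intent really was to block these particular clients outright,
# remove the "!" again and drop the src-mac-address matcher instead of relying on it.
add chain=forward action=drop src-address=10.44.44.2 src-mac-address=!00:27:19:fe:2f:00 \
    comment="client_genjik1 bound to 00:27:19:fe:2f:00"
add chain=forward action=drop src-address=10.44.44.3 src-mac-address=!00:27:19:fe:2f:00 \
    comment="client_genjik2 bound to 00:27:19:fe:2f:00"
add chain=forward action=drop src-address=10.44.44.4 src-mac-address=!00:27:19:fe:2f:00 \
    comment="client_genjik3 bound to 00:27:19:fe:2f:00"
add chain=forward action=drop src-address=10.44.44.5 src-mac-address=!00:27:19:fe:2f:00 \
    comment="client_genjik4 bound to 00:27:19:fe:2f:00"
add chain=forward action=drop src-address=10.44.45.2 src-mac-address=!00:25:86:f2:74:aa \
    comment="client_sarpo bound to 00:25:86:f2:74:aa"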
