dns flood помощ


wowefect

Въпрос

6 отговори на този въпрос


# RouterOS "/ip firewall filter" export pasted from the thread (RouterOS script
# syntax, not sh). Rules are evaluated top-down within each chain; a rule with no
# action= accepts. XX.XX.XX.0/24 and YY.YY.YY.0/24 are prefixes the poster redacted.
/ip firewall filter
# --- input chain: port-scan detection. Matching sources are put on the
# "port scanners" list for 2 weeks and dropped by the rule that follows the detectors.
# psd=21,3s,3,1 = weight threshold 21, delay 3s, low-port weight 3, high-port weight 1.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
# The remaining detectors match TCP flag combinations that never occur in normal
# traffic (FIN only, SYN+FIN, SYN+RST, FIN/PSH/URG, all flags set, no flags set).
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
# --- forward chain: FTP brute-force protection. The drop rule comes first so listed
# clients never reach port 21. The "530 Login incorrect" rule with no action accepts
# server replies while they stay within dst-limit (1 per minute, burst 3, tracked per
# destination address); replies beyond that fall through to the next rule, which
# puts the client (the reply's destination) on ftp_blacklist for 4w2d.
add action=drop chain=forward comment="Drop FTP brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=forward content="530 Login incorrect" dst-limit=\
    1/1m,3,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=4w2d chain=forward content="530 Login incorrect" \
    protocol=tcp
# --- forward chain: staged SSH/telnet (22,23) brute-force list. Each new connection
# from a source within 5 minutes advances it one stage: stage1 -> stage2 -> stage3 ->
# ssh_blacklist (4w2d). The rules are ordered blacklist first and stage1 last so a
# single connection advances only one stage. Every rule is duplicated for ether1 and
# ether2 (the two WAN interfaces, as the poster notes below the listing).
add action=drop chain=forward comment="Drop SSH brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    22,23 in-interface=ether1 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    22,23 in-interface=ether2 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether1 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether2 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether1 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether2 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    in-interface=ether2 protocol=tcp
# --- input chain: the same staged scheme, applied to connections to the router
# itself on Winbox (8291) and PPTP (1723), again per WAN interface.
add action=drop chain=input comment="Drop Winbox brute forcers" \
    src-address-list="Winbox Black List"
add action=add-src-to-address-list address-list="Winbox Black List" \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp src-address-list=\
    "Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Black List" \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp src-address-list=\
    "Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp src-address-list=\
    "Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp src-address-list=\
    "Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp src-address-list=\
    "Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp src-address-list=\
    "Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list="Winbox Stage 1" \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    8291,1723 in-interface=ether2 protocol=tcp
# --- input chain: connection-state handling.
# NOTE(review): these rules sit below all the detectors, so every packet to the
# router is evaluated against the scanner/brute-force rules first. Putting the
# invalid drop and the established/related accept at the top of the chain is the
# usual ordering and reduces the work done per packet.
add action=log chain=input comment="Log invalid connections" \
    connection-state=invalid log-prefix=INVALID
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
# --- input chain: VPN services accepted on ether1 (SSTP 443/tcp; L2TP/IPsec
# 1701, 500, 4500 udp). The PPTP rules (1723/tcp and GRE) are present but disabled=yes.
add chain=input comment=AllowVPN_SSTP dst-port=443 in-interface=ether1 \
    protocol=tcp
add chain=input comment=AllowVPN_L2 dst-port=1701 in-interface=ether1 \
    protocol=udp
add chain=input comment=AllowVPN_L2 dst-port=500 in-interface=ether1 \
    protocol=udp
add chain=input comment=AllowVPN_L2 dst-port=4500 in-interface=ether1 \
    protocol=udp
add chain=input comment=AllowVPN_PPtP disabled=yes dst-port=1723 \
    in-interface=ether1 protocol=tcp
add chain=input comment=AllowVPN_PPtP disabled=yes in-interface=ether1 \
    protocol=gre
# NOTE(review): "Allow WinBox" has no in-interface or src-address restriction, so
# 8291/tcp is reachable from every interface including the WANs; only the staged
# list above limits attempts. Restricting it to the LAN interfaces or to a
# management address list would be tighter.
add chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp
# NOTE(review): only "established" is accepted here, not "related"; related traffic
# to the router falls through to "Drop everything else" unless the ICMP rule below
# catches it. connection-state=established,related is the usual form.
add chain=input comment="Allow Established connections" connection-state=\
    established
# NOTE(review): accepts every ICMP type without a rate limit, unlike the forward-side
# "icmp" chain further down, which filters by type:code.
add chain=input comment="Allow ICMP" protocol=icmp
# Accept the redacted prefixes when they arrive on any interface other than ether1 /
# ether2 respectively (presumably the LAN side; the prefixes were redacted by the poster).
add chain=input in-interface=!ether1 src-address=XX.XX.XX.0/24
add chain=input in-interface=!ether2 src-address=YY.YY.YY.0/24
# Catch-all for the input chain. Per the poster, this is where the DNS flood from
# the question ends up once the rules above are in place.
add action=drop chain=input comment="Drop everything else"
# --- forward chain: connection-state handling. Note the invalid drop here is
# limited to protocol=tcp; invalid UDP/ICMP is not dropped by this rule.
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add chain=forward comment="allow already established connections" \
    connection-state=established
add chain=forward comment="allow related connections" connection-state=\
    related
# Bogon filtering in transit: "this" network (0.0.0.0/8), loopback (127.0.0.0/8) and
# 224.0.0.0/3 (multicast plus the former class E range), as source and as destination.
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
# Dispatch to per-protocol sub-chains. A packet not dropped inside tcp/udp/icmp
# returns here; forward has no final drop rule, so it is then accepted by default.
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
# --- tcp chain: block legacy / LAN-only service ports in transit (TFTP, portmapper
# and DCE-RPC, NetBIOS, SMB, NFS, NetBus, "BackOriffice" on 3133 as posted, DHCP).
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
# --- udp chain: the same port set over UDP ("PRC" in the comments is a typo for
# RPC, kept as posted).
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
    udp
# --- icmp chain: accept the listed type:code pairs (echo reply/request,
# destination-unreachable variants, source quench, time exceeded, parameter
# problem) and drop every other ICMP type in transit.
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="host unreachable fragmentation required" \
    icmp-options=3:4 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"

Тези правила ползвам основно и нямам проблеми, които и аз имах в началото! На теб ти трябват от правилото за AllowWinBox надолу, а тези нагоре са за мои нужди или малко така оптимизиране, наблюдение и анализ! А да не забравя, че има дублиране на правила заради двата WAN интерфейса! Трябва ти и по-горното правило "Drop invalid connection", като този DNS флуд ще пада на Drop everything else.

Редактирано от JohnTRIVOLTA

Преди 3 часа, andman написа:

Просто махни отметката Allow Remote Requests

По-скоро да ползва други DNS-и, като публичните на google, opendns, level3dns и т.н.!



Ако махне отметката allow remote requests, а клиентите са със статични IP-та, ще стане много интересно, като спрат да им зареждат страничките :)


Преди 2 часа, wispnet написа:

ако махне отметката allow remote requests ако клиентите са с статични ип-та ще стане много интересно като спрат да им зареждат страничките :)

ще спрат ако ползват локалния ДНС

ако са с отдалечен ще ползват forward chain-a


Форумът е за взаимопомощ а не за свършване на чужда работа


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ
