13 May 2008
Drop Port Scanner
To protect the router from port scanners, we can record the IP addresses of attackers who try to scan your MikroTik. Using an address list we can then drop connections from the IPs flagged as port scanners. The list is built automatically by the rules below and its entries expire after the address-list-timeout (two weeks here). Before enabling the drop rule, make sure your own management addresses are accepted by an earlier rule; otherwise a test scan from your admin host will get that host listed and locked out.
In /ip firewall filter:
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
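To make the four psd parameters concrete, here is a small Python model of what psd=21,3s,3,1 counts. It is an added example written for this article, not RouterOS code: for each source address, every packet to a destination port not yet seen in the current sequence adds 3 (port <= 1024) or 1 (higher port) to a running weight, a gap of more than 3 seconds since the previous new-port packet starts the sequence over, and the source is reported once the weight reaches 21. The packet trace and the addresses (documentation ranges) are constructed.

```python
def psd_offenders(trace, weight_threshold=21, delay_threshold=3.0,
                  low_port_weight=3, high_port_weight=1):
    """Approximate the RouterOS psd matcher as documented (psd=W,D,L,H).

    For every source address, a packet to a destination port not yet seen in
    the current sequence adds L (port <= 1024) or H (port > 1024) to that
    source's weight.  If more than D seconds pass since the previous new-port
    packet, the sequence starts over.  A source is reported, with the time it
    crossed the threshold, once its weight reaches W.  This is a model written
    for this article, not the router's implementation.
    """
    state = {}      # src -> (time of last new-port packet, weight, ports seen)
    offenders = {}  # src -> time the weight first reached the threshold
    for t, src, port in sorted(trace):
        last, weight, ports = state.get(src, (None, 0, set()))
        if last is not None and t - last > delay_threshold:
            weight, ports = 0, set()          # too slow: start a new sequence
        if port not in ports:                 # repeats of a port add nothing
            ports.add(port)
            weight += low_port_weight if port <= 1024 else high_port_weight
            last = t
        state[src] = (last, weight, ports)
        if weight >= weight_threshold and src not in offenders:
            offenders[src] = t
    return offenders


# Constructed trace of TCP connection attempts on the router's input chain:
# (seconds, source address, destination port).  Not real log data.
TRACE = (
    # fast scan of seven privileged ports: 7 x 3 = 21 -> matched
    [(0.4 * i, "203.0.113.5", p) for i, p in enumerate((21, 22, 23, 25, 53, 80, 443))]
    # 21 distinct high ports within two seconds: 21 x 1 = 21 -> matched
    + [(i / 10, "203.0.113.200", 10000 + i) for i in range(21)]
    # three privileged ports ten seconds apart: sequence resets -> not matched
    + [(0.0, "192.0.2.77", 22), (10.0, "192.0.2.77", 23), (20.0, "192.0.2.77", 80)]
    # admin retrying Winbox (8291) and then HTTPS: 1 + 3 = 4 -> not matched
    + [(0.0, "198.51.100.9", 8291), (0.5, "198.51.100.9", 8291), (1.0, "198.51.100.9", 443)]
)


if __name__ == "__main__":
    for src, t in psd_offenders(TRACE).items():
        print(f"{src} reached the psd threshold at t={t:.1f}s -> add to 'port scanners'")
```

The slow scanner in the trace never crosses the threshold with the 3s delay: that is the trade-off of psd, which is why the TCP-flag rules that follow are useful as a second signal.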
Certain combinations of TCP flags never occur in a legitimate connection and indicate port-scanner activity. A plain SYN scan sets only SYN, exactly like a normal connection attempt, so it is not caught by these flag rules; that is what the psd rule above is for.
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
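The tcp-flags matcher lists flags that must be set and, with a leading "!", flags that must be clear; any flag not mentioned is ignored. The following Python evaluator, added for this article and not part of the original post or of RouterOS, applies the six rules above to constructed probe packets named after the nmap scan types that send them, and shows which rules fire for each (and that a SYN scan, an ACK scan, and a normal FIN/ACK close match none of them).

```python
FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# The six detection rules from the ruleset above: (comment, tcp-flags expression).
RULES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan",          "fin,syn"),
    ("SYN/RST scan",          "syn,rst"),
    ("FIN/PSH/URG scan",      "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan",          "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan",        "!fin,!syn,!rst,!psh,!ack,!urg"),
]

# Constructed probes (sets of flags in the TCP header), not captured traffic.
PACKETS = {
    "nmap -sS (SYN scan)":    {"syn"},
    "nmap -sF (FIN scan)":    {"fin"},
    "nmap -sN (NULL scan)":   set(),
    "nmap -sX (Xmas scan)":   {"fin", "psh", "urg"},
    "nmap -sA (ACK scan)":    {"ack"},
    "normal handshake reply": {"syn", "ack"},
    "normal close":           {"fin", "ack"},
    "all flags set":          set(FLAGS),
}


def parse_tcp_flags(expr):
    """Split a RouterOS tcp-flags expression into (must_be_set, must_be_clear).
    Flags that are not mentioned are don't-care."""
    must_set, must_clear = set(), set()
    for tok in expr.split(","):
        tok = tok.strip().lower()
        neg = tok.startswith("!")
        name = tok[1:] if neg else tok
        if name not in FLAGS:
            raise ValueError(f"unknown TCP flag: {name}")
        (must_clear if neg else must_set).add(name)
    return must_set, must_clear


def matches(expr, packet_flags):
    """True if a packet carrying exactly packet_flags satisfies the expression."""
    must_set, must_clear = parse_tcp_flags(expr)
    pf = set(packet_flags)
    return must_set <= pf and not (must_clear & pf)


def classify(packet_flags, rules=RULES):
    """Names of the rules (in ruleset order) that would list this packet's source."""
    return [name for name, expr in rules if matches(expr, packet_flags)]


def report(packets=PACKETS):
    return {name: classify(flags) for name, flags in packets.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:24s} -> {', '.join(hits) if hits else '(no flag rule matches)'}")
```

Note that "fin,syn" also matches a packet with additional flags set, which is why the all-flags probe triggers three rules at once; the order of the rules does not matter here because add-src-to-address-list only needs to fire once.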
Then drop traffic from those IPs (rules are processed in order, so place this after an accept rule for your own management addresses):
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
In the same way, you can drop port scanners that target hosts behind the router: repeat the rules above with chain=forward instead of chain=input.
May 12th, 2010 - 11:11
Mas, so with the rules above, any IP detected as a port scanner on the MikroTik will automatically be added to an address list named "port scanners" and then dropped, right?
At first I thought we had to build the address list ourselves. CMIIW.