Dealing with "system,error,critical login failure" on MikroTik
For the last few days the MikroTik on our network has frequently shown red log entries that read like the following.

echo: system,error,critical login failure for user master from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user apache from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
[admin@Sumo] > echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh

When the IP address is checked, it turns out to be from abroad. After googling here and there, it turns out that this is the log of an intruder, or in other words someone trying to hack our MikroTik. The MikroTik forum has an effective solution for this. Below are the rules you can install on your MikroTik to secure it against intruders; these are the rules I got from the MikroTik forum.

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
After the rules above, also add the rules below:

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
Finally, add the following rule:

/ip firewall filter
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
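To see how the four stage rules interact, the following Python model walks one new SSH connection at a time through the five input-chain rules in the order they appear above (an added example, not code from the original post or the MikroTik wiki). It assumes that an address already on a list is left alone when a rule tries to add it again; the IPs and second-based timestamps are constructed samples, and the 1m/10d timeouts are those of the rules.

```python
"""Model of the staged SSH brute-force rules: ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist.

Added example, not part of the original post. Times are plain seconds; IPs are constructed samples.
"""
from dataclasses import dataclass, field

STAGE_TIMEOUT = 60               # address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 86400   # address-list-timeout=10d


@dataclass
class AddressLists:
    """Dynamic address-list entries with an expiry time, like /ip firewall address-list."""
    entries: dict = field(default_factory=dict)   # (list name, ip) -> expiry time

    def contains(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        # Assumption: an address already on the list is left alone (its timeout is not refreshed).
        if not self.contains(name, ip, now):
            self.entries[(name, ip)] = now + timeout


def ssh_input_chain(lists, ip, now):
    """Run one new TCP/22 connection from `ip` through the five rules, in the order they were added.

    Returns "drop" or "accept"; "accept" means the packet falls through to sshd (no later rule is modelled).
    """
    # Rule 1: action=drop is terminating, so a blacklisted source never reaches the stage rules.
    if lists.contains("ssh_blacklist", ip, now):
        return "drop"
    # Rules 2-5: add-src-to-address-list does not terminate, so all four rules are evaluated for
    # every packet. Because the stage3 check sits above the stage2 check (and so on), one
    # connection can advance a source by only a single stage per pass.
    if lists.contains("ssh_stage3", ip, now):
        lists.add("ssh_blacklist", ip, now, BLACKLIST_TIMEOUT)   # 4th connection: listed, but still let through
    if lists.contains("ssh_stage2", ip, now):
        lists.add("ssh_stage3", ip, now, STAGE_TIMEOUT)
    if lists.contains("ssh_stage1", ip, now):
        lists.add("ssh_stage2", ip, now, STAGE_TIMEOUT)
    lists.add("ssh_stage1", ip, now, STAGE_TIMEOUT)
    return "accept"


def simulate(attempts):
    """attempts: iterable of (ip, time_in_seconds) for new SSH connections, in time order."""
    lists = AddressLists()
    return [ssh_input_chain(lists, ip, t) for ip, t in attempts]


if __name__ == "__main__":
    # Constructed samples: a rapid attacker and a source that only connects every 90 seconds.
    fast = [("198.51.100.23", t) for t in (0, 10, 20, 30, 40, 50)]
    slow = [("198.51.100.24", t) for t in (0, 90, 180, 270)]
    print("fast:", simulate(fast))   # four accepted, then dropped for 10 days
    print("slow:", simulate(slow))   # each entry expires before the next connection: never escalates
```

The slow case shows the limit of the scheme: a source that waits longer than the 1m stage timeout between connections never leaves ssh_stage1.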
Source: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH%29

Hope this helps.
Specifically for friends who run a network server on MikroTik: how do you stop people who try to log in to your MikroTik? The method they use is commonly known as brute force, that is, repeatedly trying to guess the username and password. A brute-force login combines characters taken from a database and tries to log in to your MikroTik server; the method works not only against MikroTik but against almost any kind of authentication, whether a website or similar, that is not protected by a dedicated anti-brute-force firewall. Straight to the point: to prevent brute-force logins on a MikroTik server, copy the following configuration.

Block brute-force FTP login

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
Block SSH brute-force login

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
And finally, to block everything from the IPs collected by the script above:

/ip firewall filter
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
How to prevent NetCut on a MikroTik hotspot network

1. Use Winbox, it's easier.
2. Go to IP > DHCP Server.
3. Select the DHCP configuration used for your hotspot; in my case I just use the default DHCP settings.
4. Here I only changed the IP lease time to 1 day.
5. Most importantly, enable the Add ARP for Leases option; this option prevents ARP spoofing by NetCut.

To be even safer, drop all ICMP packets in the firewall, so just add the following (I once read that NetCut uses ICMP for something or other; and one more thing, if this rule is applied don't be confused, because ping definitely won't work!!!!)

/ip firewall filter
add action=accept chain=input protocol=icmp disabled=no comment="default configuration anti netcut, defaultnya accept"

Anti-Conficker

/ip firewall filter
add chain=forward protocol=udp src-port=135-139 action=drop comment=";;Block W32.Kido - Conficker" disabled=no
add chain=forward protocol=udp dst-port=135-139 action=drop comment="" disabled=no
add chain=forward protocol=udp src-port=445 action=drop comment="" disabled=no
add chain=forward protocol=udp dst-port=445 action=drop comment="" disabled=no
add chain=forward protocol=tcp src-port=135-139 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=135-139 action=drop comment="" disabled=no
add chain=forward protocol=tcp src-port=445 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=4691 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=5933 action=drop comment="" disabled=no
add chain=forward protocol=udp dst-port=5355 action=drop comment="Block LLMNR" disabled=no
add chain=forward protocol=udp dst-port=4647 action=drop comment="" disabled=no
add action=drop chain=forward comment="SMTP Deny" disabled=no protocol=tcp src-port=25
add action=drop chain=forward comment="" disabled=no dst-port=25 protocol=tcp

Protecting your MikroTik FTP server

/ip firewall filter
add chain=input in-interface=hotspot protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="FTP Blacklist"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m comment="accept 10 incorrect logins per minute"
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h comment="add to blacklist"

Remember, the order above must be exact; the rules must not be swapped around. Let's go through the rules above one by one.

/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

This first rule filters traffic coming in on ether1 (change this to suit your needs), protocol TCP, port 21, and matches the traffic's source IP against the address list ftp_blacklist (which will be populated by the rule after next). If it matches, the drop action is applied. When someone runs a brute-force attack for the first time, this first rule does nothing; but once their IP has been recorded, it is dropped immediately.

# accept 10 incorrect logins per minute
/ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

This rule acts as a watchdog: has a given IP produced incorrect logins 9 times within 1 minute? As long as it stays within 9 per minute the reply is still accepted. Once it exceeds 9 times, this rule no longer matches and processing continues to the next rule, namely:

# add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

This rule adds the attacker's IP to the address list named ftp_blacklist; that is all this rule does. So on the 11th attempt the attack is dropped by the first rule. Got this from the forum too; hope this helps.
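The nine-per-minute budget and the drop on the 11th attempt described above can be traced with this Python model of the three FTP rules (an added example, not code from the original post). It models dst-limit=1/1m,9,dst-address/1m as a per-destination token bucket holding 9 tokens refilled at one per minute, which is an assumption about RouterOS's burst accounting; the IPs and second-based timestamps are constructed samples.

```python
"""Model of the three FTP brute-force rules: dst-limit watchdog, add-dst-to-address-list, input drop.

Added example, not part of the original post. Times are seconds; IPs are constructed samples.
"""

BLACKLIST_TIMEOUT = 3 * 3600     # address-list-timeout=3h


class DstLimit:
    """dst-limit=1/1m,9,dst-address/1m modelled as a per-destination token bucket.

    Assumption: the bucket starts full (`burst` tokens), refills at `rate` tokens per second and
    is forgotten again after `expire` seconds without a matching packet.
    """

    def __init__(self, rate=1 / 60, burst=9, expire=60):
        self.rate, self.burst, self.expire = rate, burst, expire
        self.buckets = {}            # destination ip -> (tokens, time of last packet)

    def matches(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.burst, now))
        if now - last > self.expire:
            tokens, last = self.burst, now        # stale entry: start from a full bucket
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        matched = tokens >= 1
        self.buckets[ip] = (tokens - 1 if matched else tokens, now)
        return matched


class FtpGuard:
    def __init__(self):
        self.limiter = DstLimit()
        self.blacklist = {}          # ip -> expiry time of its ftp_blacklist entry

    def failed_login(self, ip, now):
        """One FTP login attempt from `ip` at `now` that the server would answer with 530.

        Returns "drop" (connection dropped on input), "accept" (530 reply passed, still within
        budget) or "blacklisted" (530 reply passed, but the source is now on ftp_blacklist).
        """
        # Rule 1, chain=input: source already on ftp_blacklist -> drop; the server never sees it.
        if self.blacklist.get(ip, 0) > now:
            return "drop"
        # Rule 2, chain=output: "530 Login incorrect" reply within the dst-limit budget -> accept.
        if self.limiter.matches(ip, now):
            return "accept"
        # Rule 3, chain=output: over budget -> the reply's destination goes on ftp_blacklist.
        self.blacklist[ip] = now + BLACKLIST_TIMEOUT
        return "blacklisted"


def simulate(events):
    """events: iterable of (ip, time_in_seconds) failed logins, in time order."""
    guard = FtpGuard()
    return [guard.failed_login(ip, t) for ip, t in events]


if __name__ == "__main__":
    burst = [("198.51.100.23", t) for t in range(12)]           # 12 failures, one per second
    patient = [("192.168.2.5", t) for t in (0, 120, 240, 360)]  # a user mistyping now and then
    print("burst:  ", simulate(burst))    # 9 accepted, 10th blacklisted, the rest dropped
    print("patient:", simulate(patient))  # never over budget
```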
Configuring the MikroTik firewall to block viruses and NetCut

This article discusses the firewall system in MikroTik, specifically for blocking viruses and NetCut on the local network. Attacks, whether from the local network or from the internet, disrupt systems and private information, so network administrators are expected to understand how to manage the security of their network devices. For this device in particular, MikroTik's system provides a firewall facility to block various attacks. Here is the script for configuring the firewall to block viruses and NetCut:

1. First, log in to the MikroTik system using Winbox Loader.
2. In the MikroTik menu choose New Terminal, then type or copy-paste the code below:

/ip firewall filter
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=drop chain=forward connection-state=invalid disabled=no
add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus disabled=no dst-port=445 protocol=udp
add action=drop chain=virus disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3127 protocol=tcp
add action=drop chain=virus disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus disabled=no dst-port=65506 protocol=tcp
add action=jump chain=forward disabled=no jump-target=virus
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input disabled=no protocol=udp
add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input disabled=no protocol=icmp
add action=accept chain=input disabled=no dst-port=21 protocol=tcp
add action=accept chain=input disabled=no dst-port=22 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s chain=input disabled=no dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15m chain=input disabled=no dst-port=7331 protocol=tcp src-address-list=knock
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="port-scanner" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="SYN/FIN" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="SYN/RST" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="NMAP" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.213.1-63.245.213.254
Protect clients from viruses with the firewall in MikroTik
Posted by mazumam on Jun 13, 2012 in Mikrotik, Networking, Tutorial
To protect the customer network we have to inspect all traffic passing through the router and block what is unwanted. For UDP, ICMP and TCP traffic we will create a chain in which all unwanted packets are dropped. To begin, copy and paste the following commands into the RouterOS terminal console:

/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
Next, we have to filter out and drop all unwanted packets that look as if they come from virus-infected hosts:

/ip firewall filter
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
That's all, hope this helps :)
Firewall to block worms and viruses on MikroTik

Since the sporadic appearance of the Conficker, Downandup and Kido worm attacks across the entire internet, network administrators and security engineers have been kept busy fending off this vicious worm. As we know, Windows does not have a good level of security and has many easily breached holes because of flaws built into the OS: the default NetBIOS (135-139) and SMB (445) services stay open even after Windows has been patched or upgraded. This worm is able to modify/extend Windows's internal (TCP) functions to block access to security/antivirus sites by filtering addresses that contain certain characters/text, and removing that effect is not easy, since it is arguably at the low-level programming stage. The worm is designed to protect itself from antivirus detection with rarely used techniques, to protect itself against removal attempts, to disable Windows Update and the restore points from before the infection, to shut down certain network traffic, to exploit Windows Vista features to ease its spread, and to inject itself into explorer.exe, svchost.exe, services.exe and others. The blocked sites are numerous and include any web address containing text like the following (either blocked outright or always showing a Time Out message when opened):

• virus
• spyware
• malware
• rootkit
• defender
• microsoft
• symantec
• norton
• mcafee
• trendmicro
• sophos
• panda
• etrust
• f-secure
• kaspersky
• f-prot
• nod32
• eset
• grisoft
• avast
• avira
• comodo
• clamav
• norman
• pctools
• rising
• sunbelt
• threatexpert
• wilderssecurity
• windowsupdate
• avp
• avg

To counter this vicious worm we recommend using the filter feature of the firewall already available on the MikroTik router. Copy and paste the following worm/virus blocking script into the terminal/console of the MikroTik router:

/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Conficker Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="Drop Kido Worm"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"

For this filter script to work optimally and block worms and viruses accurately, add one more rule in chain=forward that jumps to the virus chain with action=jump:

add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

As can be seen in the image, when a packet or connection does not match any rule in chain=virus, it is immediately processed again in chain=forward. Good luck.
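To check what the forward -> virus jump and the rule order actually do to a packet, here is a small evaluator for the filter syntax used in the script above and in the earlier virus-chain and anti-NetCut posts (an added example in Python, not RouterOS code). It parses a constructed excerpt of this page's rules and implements only the matchers those rules use (protocol, dst-port, src-port, connection-state, tcp-flags, src-address-list); the packets it evaluates are constructed samples.

```python
"""Tiny evaluator for the `/ip firewall filter` syntax used in the scripts on this page.
Added example, not RouterOS code: rules are walked in the order they were added, so the
effect of ordering and of the forward -> virus jump can be checked on constructed packets.
"""
import shlex
from collections import defaultdict

# Constructed excerpt of the page's scripts (same syntax, fewer rules).
RULES = """
/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w comment="SYN/FIN"
add chain=input protocol=tcp dst-port=22 src-address-list=port-scanners action=drop comment="drop scanners"
"""

def parse_rules(text):
    """Return {chain: [rule, ...]} with rules kept in the order they were added."""
    chains = defaultdict(list)
    for line in text.splitlines():
        parts = shlex.split(line)                 # handles the quoted comment="..." values
        if not parts or parts[0] != "add":
            continue                              # skips blank lines and the menu path line
        rule = dict(part.split("=", 1) for part in parts[1:])
        rule.setdefault("action", "accept")       # a rule without action= accepts
        chains[rule["chain"]].append(rule)
    return chains

def port_matches(spec, port):
    """dst-port=445, dst-port=135-139 or dst-port=21,22 style specs."""
    for item in spec.split(","):
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def flags_match(spec, flags):
    """tcp-flags=fin,syn,!ack: listed flags must be set, '!'-prefixed ones must be clear."""
    for item in spec.split(","):
        if (item.lstrip("!") in flags) == item.startswith("!"):
            return False
    return True

def matches(rule, pkt, lists):
    return (("protocol" not in rule or rule["protocol"] == pkt["protocol"])
            and ("dst-port" not in rule or port_matches(rule["dst-port"], pkt["dst_port"]))
            and ("src-port" not in rule or port_matches(rule["src-port"], pkt["src_port"]))
            and ("connection-state" not in rule or rule["connection-state"] == pkt["state"])
            and ("tcp-flags" not in rule or flags_match(rule["tcp-flags"], pkt["flags"]))
            and ("src-address-list" not in rule or pkt["src"] in lists[rule["src-address-list"]]))

def run_chain(chains, chain, pkt, lists):
    """Walk one chain; return "accept"/"drop", or None if the chain ends without a verdict."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt, lists):
            continue
        action = rule["action"]
        if action in ("accept", "drop"):
            return action                         # terminating actions
        if action == "jump":
            result = run_chain(chains, rule["jump-target"], pkt, lists)
            if result is not None:
                return result
            # the target chain ended without a verdict: carry on with the next rule here
        elif action == "add-src-to-address-list":
            lists[rule["address-list"]].add(pkt["src"])   # side effect only; packet continues
    return None

def verdict(chains, chain, pkt, lists=None):
    """Built-in chains accept whatever reaches their end, as RouterOS does."""
    if lists is None:
        lists = defaultdict(set)
    return run_chain(chains, chain, pkt, lists) or "accept"

def packet(protocol, dst_port, state="new", src="192.0.2.10", src_port=40000, flags=()):
    """Constructed packet summary with just the fields the matchers above look at."""
    return {"protocol": protocol, "dst_port": dst_port, "src_port": src_port,
            "state": state, "src": src, "flags": set(flags)}

def scanner_then_ssh():
    """A SYN/FIN probe lands the source on port-scanners, so its later SSH connection is dropped."""
    chains, lists = parse_rules(RULES), defaultdict(set)
    probe = verdict(chains, "input", packet("tcp", 80, flags=("fin", "syn")), lists)
    ssh = verdict(chains, "input", packet("tcp", 22, flags=("syn",)), lists)
    return probe, ssh, sorted(lists["port-scanners"])

if __name__ == "__main__":
    chains = parse_rules(RULES)
    for proto, port, state in (("tcp", 445, "new"), ("tcp", 445, "established"), ("tcp", 443, "new")):
        print(proto, port, state, "->", verdict(chains, "forward", packet(proto, port, state)))
    print("scanner:", scanner_then_ssh())
```

Note that an established TCP/445 flow is accepted by the first forward rule before the jump is ever reached, which is why the established/related rules are placed first in every script on this page.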
How to block SSH/FTP brute force on MikroTik
Posted by: Adam Rachmad, October 9, 2013, in Mikrotik

Block SSH FTP Brute Force MikroTik: a MikroTik configuration technique for blocking SSH/FTP brute force. What's that, bro? It's when someone tries to get in / guess your MikroTik's username and password. They try at random to find your MikroTik's username and password, usually targeting the sloppy defaults people use, like username: admin, password: 123456. How do you see it or know about it, bro? Look at the MikroTik log image below:
That is a sign that someone is trying to log in with random usernames via SSH on your MikroTik. This usually happens when your MikroTik router has a public IP / sits out on the internet.
How to block brute force on MikroTik

Just go for it, bro, with these MikroTik firewall settings:

/ip firewall filter
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
A quick explanation in my own words ^_^ For anyone trying to hack via FTP brute force, this MikroTik setup catches IPs that get 10 wrong logins / "FTP login incorrect" per minute. The IPs caught are put in address-list=ftp_blacklist and everything from them is dropped. For anyone trying to hack via SSH brute force, this MikroTik setup catches IPs that try to log in and keep failing. The IPs caught are put in address-list=ssh_blacklist and everything from them is dropped.
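To spot the pattern in the log before the firewall rules catch it, the following Python script summarises login-failure lines per source and service (an added example, not part of the original post). The log lines are constructed samples in the format shown at the top of this page; their leading mmm/dd hh:mm:ss timestamp is assumed to be what /log print shows on the console.

```python
"""Summarise RouterOS "login failure" log lines per source, to spot the brute-force pattern shown above.

Added example, not part of the original post. The sample lines are constructed; their
"mmm/dd hh:mm:ss" prefix is assumed to be what /log print shows on the console.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
jan/09 10:15:01 system,error,critical login failure for user master from 198.51.100.23 via ssh
jan/09 10:15:03 system,error,critical login failure for user apache from 198.51.100.23 via ssh
jan/09 10:15:04 system,error,critical login failure for user root from 198.51.100.23 via ssh
jan/09 10:15:06 system,error,critical login failure for user root from 198.51.100.23 via ssh
jan/09 10:15:09 system,error,critical login failure for user admin from 198.51.100.23 via ssh
jan/09 10:20:44 system,error,critical login failure for user admin from 192.168.2.5 via winbox
jan/09 10:21:02 system,info,account user admin logged in from 192.168.2.5 via winbox
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d) system,error,critical login failure "
    r"for user (?P<user>\S+) from (?P<ip>\S+) via (?P<service>\S+)$"
)


def parse_failures(text):
    """Return [(timestamp, user, ip, service), ...] for every login-failure line, in file order."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line.strip())
        if m:    # other topics (system,info,account ...) are not failures and are skipped
            ts = datetime.strptime(m["ts"], "%b/%d %H:%M:%S")   # no year in the log; defaults to 1900
            events.append((ts, m["user"], m["ip"], m["service"]))
    return events


def summarize(events, window=60, threshold=4):
    """Group failures by (ip, service).

    `burst` is True when `threshold` failures fall inside `window` seconds, the same
    four-connections-in-a-minute pattern the ssh_stage rules escalate on.
    """
    grouped = defaultdict(list)
    for ts, user, ip, service in events:
        grouped[(ip, service)].append((ts, user))
    summary = {}
    for key, items in grouped.items():
        times = sorted(ts for ts, _ in items)
        burst = any((times[i + threshold - 1] - times[i]).total_seconds() <= window
                    for i in range(len(times) - threshold + 1))
        summary[key] = {
            "failures": len(items),
            "users": sorted({user for _, user in items}),
            "first": times[0], "last": times[-1],
            "burst": burst,
        }
    return summary


def suspicious_sources(summary):
    """Sources that either burst or cycled through several usernames: the signature described above."""
    return sorted(ip for (ip, _), s in summary.items() if s["burst"] or len(s["users"]) >= 3)


if __name__ == "__main__":
    report = summarize(parse_failures(SAMPLE_LOG))
    for (ip, service), s in sorted(report.items()):
        print(f"{ip:15} {service:7} failures={s['failures']} users={s['users']} burst={s['burst']}")
    print("suspicious:", suspicious_sources(report))
```

A single mistyped Winbox password from the LAN address is reported but not flagged, while the source that cycled through master, apache, root and admin within seconds is.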
Example of naughty IPs that got busted! 39 IPs (o_o)
Reference: Bruteforce login prevention (FTP & SSH)
Firewall for MikroTik routers
Written by [email protected], http://www.datautama.net.id, Thursday, 09 November 2006
To secure a MikroTik router against virus traffic and excess ping, the following firewall script can be used. First create an address list "ournetwork" containing the radio IP, the LAN IP and the WAN IP, or any other IP that can be trusted. In the following example the radio IP is 10.0.0.0/16, the LAN IP is 192.168.2.0/24, the WAN IP is 203.89.24.0/21 and the other trusted IP is 202.67.33.7. To create the address list you can use a script like the one below; just adapt it to your own network configuration. Write the script in Notepad, then copy-paste it into the MikroTik console:

/ip firewall address-list
add list=ournetwork address=203.89.24.0/21 comment="Datautama Network" disabled=no
add list=ournetwork address=10.0.0.0/16 comment="IP Radio" disabled=no
add list=ournetwork address=192.168.2.0/24 comment="LAN Network" disabled=no
Next, copy-paste the following script into the MikroTik console:

/ip firewall filter
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y, sebaiknya di didisable karena juga sering digunakan utk vpn atau webmin" disabled=yes
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no
add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ournetwork action=accept comment="FTP" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork action=accept comment="SSH for secure shell" disabled=no
add chain=input protocol=tcp dst-port=23 src-address-list=ournetwork action=accept comment="Telnet" disabled=no
add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork action=accept comment="Web" disabled=no
add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox" disabled=no
add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" disabled=no
add chain=input src-address-list=ournetwork action=accept comment="From Datautama network" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
The effects of the script above are:

1. The MikroTik router can only be accessed via FTP, SSH, Web and Winbox from the IPs defined in the "ournetwork" address list, so it cannot be reached from just anywhere.
2. Ports commonly used by viruses are blocked so that virus traffic cannot pass; but note that if a user has trouble reaching a particular service, check chain="virus" to see whether the port that user needs is blocked by the firewall.
3. Ping packets are rate-limited to avoid excess ping.
One more thing to keep in mind: it is best to create a new user and password in the full group and then disable the admin user, to minimise the risk of your MikroTik being hacked.
Good luck.