Appendix No. 2: Basic configuration
Basic configuration of MikroTik devices
CONTENTS

Basic configuration ........ 1
MikroTik devices ........ 1
1 Configuration ........ 3
1.1 Removal of all default factory settings ........ 3
1.2 Basic protection of the SSH and FTP protocols ........ 3
1.3 Time and time zone settings ........ 5
1.4 Network interface settings ........ 5
1.5 Default gateway settings ........ 6
1.6 E-mail settings ........ 6
1.7 Enabling SNMP ........ 6
1.8 DNS ........ 6
1.9 Enabling IPv6 ........ 6
1.10 E-mail test ........ 7
1.11 Automatic backups by e-mail ........ 7
1 Configuration

1.1 Removal of all default factory settings

# Remove filter rules, NAT, mangle and address lists
/ip firewall filter remove [/ip firewall filter find];
/ip firewall nat remove [/ip firewall nat find];
/ip firewall mangle remove [/ip firewall mangle find];
/ip firewall address-list remove [/ip firewall address-list find];
# The following are left commented out; enable them only if DHCP and pools should be wiped as well
#/ip pool remove [/ip pool find];
#/ip dhcp-client remove [/ip dhcp-client find];
#/ip dhcp-server remove [/ip dhcp-server find];
#/ip dhcp-server network remove [/ip dhcp-server network find];
#/ip dhcp-server option remove [/ip dhcp-server option find];
1.2 Basic protection of the SSH and FTP protocols

Source of the following: MikroTik Documentation. Mikrotik.com. [online]. [cited 2015-04-02]. Available from http://wiki.mikrotik.com/.

# Add SSH and FTP brute-force prevention.
# Each service has its own chain: a new connection lands in "Stage 1"; a further
# new connection from an address already in Stage 1 moves it to Stage 2, then to
# Stage 3, and a fourth attempt within the 3-minute windows puts the source on the
# black list for one day. The drop rules for the black lists must stay first in
# the input chain.
/ip firewall filter
add action=drop chain=input comment="Drop anyone in the Black List (SSH)" src-address-list="Black List (SSH)"
add action=drop chain=input comment="Drop anyone in the Black List (Telnet)" src-address-list="Black List (Telnet)"
add action=drop chain=input comment="Drop anyone in the Black List (Winbox)" src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to TSG SSH Chain" jump-target="TSG SSH Chain"
add action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=1d chain="TSG SSH Chain" comment="Transfer repeated attempts from SSH Stage 3 to Black List" connection-state=new dst-port=22 protocol=tcp src-address-list="SSH Stage 3"
add action=add-src-to-address-list address-list="SSH Stage 3" address-list-timeout=3m chain="TSG SSH Chain" comment="Add successive attempts to SSH Stage 3" connection-state=new dst-port=22 protocol=tcp src-address-list="SSH Stage 2"
add action=add-src-to-address-list address-list="SSH Stage 2" address-list-timeout=3m chain="TSG SSH Chain" comment="Add successive attempts to SSH Stage 2" connection-state=new dst-port=22 protocol=tcp src-address-list="SSH Stage 1"
add action=add-src-to-address-list address-list="SSH Stage 1" address-list-timeout=3m chain="TSG SSH Chain" comment="Add initial attempt to SSH Stage 1 List" connection-state=new dst-port=22 protocol=tcp
add action=return chain="TSG SSH Chain" comment="Return From TSG SSH Chain"
add action=jump chain=input comment="Jump to TSG Telnet Chain" jump-target="TSG Telnet Chain"
add action=add-src-to-address-list address-list="Black List (Telnet)" address-list-timeout=1d chain="TSG Telnet Chain" comment="Transfer repeated attempts from Telnet Stage 3 to Black List" connection-state=new dst-port=23 protocol=tcp src-address-list="Telnet Stage 3"
add action=add-src-to-address-list address-list="Telnet Stage 3" address-list-timeout=3m chain="TSG Telnet Chain" comment="Add successive attempts to Telnet Stage 3" connection-state=new dst-port=23 protocol=tcp src-address-list="Telnet Stage 2"
add action=add-src-to-address-list address-list="Telnet Stage 2" address-list-timeout=3m chain="TSG Telnet Chain" comment="Add successive attempts to Telnet Stage 2" connection-state=new dst-port=23 protocol=tcp src-address-list="Telnet Stage 1"
add action=add-src-to-address-list address-list="Telnet Stage 1" address-list-timeout=3m chain="TSG Telnet Chain" comment="Add initial attempt to Telnet Stage 1" connection-state=new dst-port=23 protocol=tcp
add action=return chain="TSG Telnet Chain" comment="Return From TSG Telnet Chain"
add action=jump chain=input comment="Jump to TSG Winbox Chain" jump-target="TSG Winbox Chain"
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=1d chain="TSG Winbox Chain" comment="Transfer repeated attempts from Winbox Stage 3 to Black List" connection-state=new dst-port=8291 protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=3m chain="TSG Winbox Chain" comment="Add successive attempts to Winbox Stage 3" connection-state=new dst-port=8291 protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=3m chain="TSG Winbox Chain" comment="Add successive attempts to Winbox Stage 2" connection-state=new dst-port=8291 protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=3m chain="TSG Winbox Chain" comment="Add initial attempt to Winbox Stage 1" connection-state=new dst-port=8291 protocol=tcp
add action=return chain="TSG Winbox Chain" comment="Return From TSG Winbox Chain"
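The staged address lists above only slow password guessing down; every address on the Internet can still open connections to SSH, Telnet and Winbox. The following is an added example, not part of the original appendix and not taken from the cited MikroTik wiki page, showing the companion step: accept management traffic only from an administrative network, switch off the clear-text services instead of merely rate-limiting them, and bind the remaining services to that network. The 192.0.2.0/24 network is a constructed placeholder.

```routeros
# Added example (not from the original appendix). 192.0.2.0/24 is a constructed
# placeholder for the administrative network; replace it with the real one.
/ip firewall address-list add list="Management" address=192.0.2.0/24 comment="Admin network (constructed example)"

# Accept management traffic from the admin network before the black-list and
# TSG rules, so administrators never trip the Stage 1..3 counters while all
# other sources still walk the chains above. place-before=0 puts it first.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22,8291 src-address-list="Management" comment="Admin access to SSH and Winbox" place-before=0

# Telnet and FTP carry credentials in clear text; disable them rather than
# only rate-limiting them. The HTTP interface is disabled for the same reason.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes

# Limit the services that stay on to the admin network (RouterOS service
# "address" accepts a list of subnets)
/ip service set ssh address=192.0.2.0/24
/ip service set winbox address=192.0.2.0/24

# Drop the legacy SSH ciphers and key-exchange methods (RouterOS 6.x option)
/ip ssh set strong-crypto=yes
```

The accept rule is deliberately narrow (one address list, two TCP ports); it does not replace a final drop rule for the input chain, which the appendix does not define either.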
1.3 Time and time zone settings

# Date and time, taken from tik.cesnet.cz (195.113.144.201)
/system clock set time-zone-name=Europe/Prague;
/system ntp client set enabled=yes mode=unicast primary-ntp=195.113.144.201;
1.4 Network interface settings

# IPv4 on interface ether1, address X.X.X.X/ZZ
/ip address add interface=ether1 address=X.X.X.X/ZZ
# IPv6 on interface ether1, e.g. 2001:db8:1234::/64, with router advertisement
/ipv6 address add interface=ether1 address=2001:db8:1234::/64 advertise=yes
1.5 Default gateway settings

# IPv4 default gateway X.X.X.X (a default route, not an interface address)
/ip route add dst-address=0.0.0.0/0 gateway=X.X.X.X
# IPv6 default gateway, e.g. 2001:db8:1234::1
/ipv6 route add dst-address=::/0 gateway=2001:db8:1234::1
1.6 E-mail settings

# Mail service settings; X.X.X.X = SMTP server
/tool e-mail set address=X.X.X.X port=25 from=([/system identity get name] . "@bivs.cz")
1.7 Enabling SNMP

# SNMP and traffic accounting
/ip accounting web-access set accessible-via-web=yes;
/ip accounting set enabled=yes account-local-traffic=yes;
/snmp set contact=public enabled=yes trap-community=public;
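The block above enables SNMP with the router's default community and publishes the traffic-accounting table over the web interface to any address that can reach the router. The added example below (not from the original appendix) shows the restricted form of the same setup: the community is renamed, made read-only and bound to the monitoring host, an SNMPv3 user with authentication and encryption is added, traps go to that host, and the accounting page is limited to it. 192.0.2.10, the community names and the CHANGE-ME passwords are constructed placeholders.

```routeros
# Added example (not from the original appendix). 192.0.2.10 is a constructed
# placeholder for the monitoring host; CHANGE-ME strings are placeholders.

# Rename the default community, keep it read-only and accept it only from
# the monitoring host
/snmp community set [find name=public] name=monitoring addresses=192.0.2.10/32 read-access=yes write-access=no

# SNMPv3 user: security=private means authentication and encryption are required
/snmp community add name=monitor-v3 addresses=192.0.2.10/32 security=private authentication-protocol=SHA1 authentication-password="CHANGE-ME-auth" encryption-protocol=AES encryption-password="CHANGE-ME-priv" read-access=yes write-access=no

# Real contact/location strings and v3 traps to the monitoring host
/snmp set enabled=yes contact="noc@example.org" location="rack 1" trap-community=monitor-v3 trap-target=192.0.2.10 trap-version=3

# Traffic accounting over HTTP: serve the table to the monitoring host only
/ip accounting web-access set accessible-via-web=yes address=192.0.2.10/32
```

With `allow-remote-requests=no` already set in the DNS section and the services bound as above, the router exposes no unauthenticated read interface beyond what the monitoring host itself queries.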
1.8 DNS

# DNS servers X.X.X.X and Y.Y.Y.Y (IPv6 addresses may be listed as well)
/ip dns set allow-remote-requests=no;
/ip dns set servers=X.X.X.X,Y.Y.Y.Y;
/ip dns static remove [/ip dns static find];
1.9 Enabling IPv6

# Enable the IPv6 package (takes effect after the next reboot)
/system package enable [/system package find where name=ipv6];
1.10 E-mail test

# Send a test e-mail to [email protected]
/tool e-mail send to=[email protected] subject=("TEST " . [/system identity get name] . " -" . [/system clock get date] . " -- RB" . [/system routerboard get model] . " -- " . [/system resource get version]);
1.11 Automatic backups by e-mail

# Script for sending backups to [email protected] every 20 days.
# Save the body below under /system script with name=AutoBackup; the scheduler
# entry at the end runs it.
:local sysname
:local time
:local date
:set sysname [/system identity get name]
:set time [/system clock get time]
:set date [/system clock get date]
# File name <identity>-<yyyy><mmm><dd>, built from the RouterOS date "mmm/dd/yyyy"
:local fname ($sysname . "-" . [:pick $date 7 11] . [:pick $date 0 3] . [:pick $date 4 6])
/system backup save name=$fname;
:delay 30
# /system backup save appends ".backup" to the name; attach and remove that file
/tool e-mail send to=[email protected] subject=("Backup " . $sysname . " -- " . $date . " -- RB" . [/system routerboard get model] . " -- " . [/system resource get version]) file=($fname . ".backup");
:delay 20
/file remove ($fname . ".backup");
:log warning "Zaloha byla odeslana na email!"

/system scheduler add interval=20d name="AutoBackup" on-event=AutoBackup
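The job above mails a .backup file, which holds the complete configuration including stored credentials, as a plain attachment through the port-25 SMTP setup from section 1.6. The added example below is not the appendix's own script; it keeps the same 20-day schedule and file naming but encrypts the backup with its own passphrase and sends it over authenticated STARTTLS SMTP. mail.example.org, backup@example.org and the CHANGE-ME strings are constructed placeholders, and the date handling assumes the RouterOS 6 date format "mmm/dd/yyyy" used by the original script.

```routeros
# Added example (not the appendix's own script). mail.example.org,
# backup@example.org and the CHANGE-ME strings are constructed placeholders.

# 1) One-time mail settings: submission port with STARTTLS and SMTP authentication
#    instead of unauthenticated, clear-text port 25
/tool e-mail set address=mail.example.org port=587 tls=starttls user=router-backup password="CHANGE-ME-smtp" from=([/system identity get name] . "@example.org")

# 2) Script body: save under /system script with name=AutoBackupEnc
:local sysname [/system identity get name]
:local date [/system clock get date]
# yyyymmmdd stamp from the RouterOS 6 date format "mmm/dd/yyyy" (assumption)
:local stamp ([:pick $date 7 11] . [:pick $date 0 3] . [:pick $date 4 6])
:local fname ($sysname . "-" . $stamp)
# password= encrypts the .backup file with a passphrase independent of the admin
# password, so an intercepted attachment cannot be restored or read without it
/system backup save name=$fname password="CHANGE-ME-backup"
:delay 10
/tool e-mail send to=backup@example.org subject=("Backup " . $sysname . " " . $stamp) file=($fname . ".backup")
:delay 20
# Do not leave the backup on the router's flash after it has been sent
/file remove ($fname . ".backup")
:log info ("Encrypted backup " . $fname . " mailed")

# 3) Scheduler entry: same 20-day interval as the original job
/system scheduler add name=AutoBackupEnc interval=20d on-event=AutoBackupEnc
```

The backup passphrase is stored in the script source, so the script itself is now sensitive configuration; it is visible to any account that can read `/system script`, which is one more reason to keep management access limited to the administrative network as in the section 1.2 example.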