Fixing "system,error,critical login failure" on Mikrotik

Academic year: 2021

For the past few days the Mikrotik on our network has frequently shown red log entries that read as follows.

echo: system,error,critical login failure for user master from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user apache from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh

When the IP address is checked it turns out to be from abroad. After googling around, it turns out that this log is the trace of an intruder; in other words, someone is trying to hack our Mikrotik. The Mikrotik forum has an effective solution for this. Below are the rules you can install on your Mikrotik to secure it against intruders. These are the rules I got from the Mikrotik forum.
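To show how log lines like the ones above can be turned into a per-source tally before deciding whether a rule is needed, here is an added example (not part of the original post) that parses lines in the format shown with a small Python script and reports sources with repeated failures. The sample log text, the second source address 198.51.100.7, the "via winbox" line and the threshold of 3 failures are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format shown on the page. The "[admin@Sumo] >" prompt
# lines are interleaved the way a pasted terminal session is, so the parser must skip them.
SAMPLE_LOG = """\
echo: system,error,critical login failure for user master from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user apache from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
echo: system,error,critical login failure for user admin from 198.51.100.7 via winbox
"""

# Matches the RouterOS login-failure message; anything else (prompts, other topics) is ignored.
LOGIN_FAILURE = re.compile(
    r"system,error,critical login failure for user (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<service>\S+)"
)


def parse_login_failures(text):
    """Yield (user, source_ip, service) for every login-failure line in the text."""
    for line in text.splitlines():
        m = LOGIN_FAILURE.search(line)
        if m:
            yield m.group("user"), m.group("src"), m.group("service")


def summarize(text, threshold=3):
    """
    Count failures per source IP and collect the usernames and services tried from each.
    A source with at least `threshold` failures is reported as a brute-force candidate
    (the threshold is a constructed value for this example, not a RouterOS setting).
    Returns (counts_per_source, flagged_sources).
    """
    per_src = Counter()
    users_by_src = defaultdict(set)
    services_by_src = defaultdict(set)
    for user, src, service in parse_login_failures(text):
        per_src[src] += 1
        users_by_src[src].add(user)
        services_by_src[src].add(service)
    flagged = {
        src: {
            "failures": n,
            "users": sorted(users_by_src[src]),
            "services": sorted(services_by_src[src]),
        }
        for src, n in per_src.items()
        if n >= threshold
    }
    return dict(per_src), flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for src, info in flagged.items():
        print(f"{src}: {info['failures']} failures, users tried {info['users']} via {info['services']}")
```

The usernames tried (root, admin, master, apache) from one address within a short span are the tell-tale pattern: a legitimate administrator mistyping a password does not cycle through service accounts.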

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

After the rules above, also add the rules below.

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

Finally, add the following rule.

/ip firewall filter
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
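To make the staging in the SSH rules above concrete, here is an added Python model of the five input-chain rules (example code written for this edit, not from the Mikrotik forum or wiki). The model treats add-src-to-address-list as a non-terminating action, so the packet continues to the following rules, and assumes that re-adding an address refreshes its timeout; both are assumptions of this example, and with the timings used here the verdicts come out the same under either reading. The source address 203.0.113.9 and the attempt timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MINUTE = 60
DAY = 86400


@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {ip: expiry timestamp in seconds}."""
    lists: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def contains(self, name: str, ip: str, now: float) -> bool:
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def add(self, name: str, ip: str, now: float, timeout: float) -> None:
        # Re-adding an existing entry refreshes its timeout (assumption of this model).
        self.lists.setdefault(name, {})[ip] = now + timeout


@dataclass
class Rule:
    src_list: Optional[str]    # src-address-list to match; None matches any source
    action: str                # "drop" or "add-src-to-address-list"
    address_list: str = ""     # target list for add-src-to-address-list
    timeout: float = 0         # address-list-timeout in seconds


# The page's five SSH rules in the page's order: most escalated stage first,
# the unconditional "add to ssh_stage1" last.
SSH_RULES: List[Rule] = [
    Rule("ssh_blacklist", "drop"),
    Rule("ssh_stage3", "add-src-to-address-list", "ssh_blacklist", 10 * DAY),
    Rule("ssh_stage2", "add-src-to-address-list", "ssh_stage3", MINUTE),
    Rule("ssh_stage1", "add-src-to-address-list", "ssh_stage2", MINUTE),
    Rule(None, "add-src-to-address-list", "ssh_stage1", MINUTE),
]


def new_ssh_connection(lists: AddressLists, ip: str, now: float, rules=SSH_RULES) -> str:
    """Walk one new TCP/22 connection from `ip` through the rules; return 'drop' or 'accept'."""
    for rule in rules:
        if rule.src_list is not None and not lists.contains(rule.src_list, ip, now):
            continue
        if rule.action == "drop":
            return "drop"
        # add-src-to-address-list: record the source, then keep evaluating later rules.
        lists.add(rule.address_list, ip, now, rule.timeout)
    return "accept"   # no terminating rule matched; the chain's default is accept


def simulate(attempt_times: List[float], ip: str = "203.0.113.9") -> Tuple[List[str], bool]:
    """Connections at the given timestamps (seconds); returns the verdicts and whether ip ends up blacklisted."""
    lists = AddressLists()
    verdicts = [new_ssh_connection(lists, ip, t) for t in attempt_times]
    return verdicts, lists.contains("ssh_blacklist", ip, attempt_times[-1])


if __name__ == "__main__":
    # Four connections inside one minute: the fourth puts the source in ssh_blacklist, the fifth is dropped.
    print(simulate([0, 10, 20, 30, 40]))
    # One connection every 90 s: ssh_stage1 expires in between, so the source never escalates.
    print(simulate([0, 90, 180, 270, 360]))
```

The second run is the caveat worth knowing: each stage list lives for only one minute, so a source that spaces its connection attempts more than a minute apart is never promoted to ssh_blacklist, while a burst of four new connections within a minute earns a ten-day entry.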

Source

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH%29

Hope this is useful.

(3)

Especially for friends who run a network server on MikroTik: how do you stop users who keep trying to log in to the Mikrotik? This method is commonly known as brute force, that is, repeatedly trying to guess the username and password. A brute-force login combines characters taken from a database and tries to log in to your Mikrotik server; the method works not only against Mikrotik but against almost every kind of authentication, whether a website or something similar, that is not protected by a firewall made specifically against brute force.

Straight to the point: to prevent brute-force logins on your Mikrotik server, copy the following configuration:

Block Bruteforce FTP login

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

Block SSH brute forcer login

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

And finally, to block everything from the IPs collected by the rules above:

add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no

How to prevent NetCut on a Mikrotik hotspot network

1. Just use winbox, it's easier.

2. Go to IP > DHCP Server.

3. Choose the DHCP configuration used for your hotspot; in my case I just use the default DHCP settings.

4. Here I only changed the IP lease time to 1 day.

5. Most important of all, enable the Add ARP for Leases option; this option prevents ARP spoofing by NetCut.

To be even safer, drop all ICMP packets on the firewall, so just add this (I once read that NetCut uses ICMP for something or other; oh, and one more thing, if this rule is applied don't be confused, because ping will definitely not work!!!!)

/ip firewall filter

add action=accept chain=input protocol=icmp disabled=no comment="default configuration anti netcut, defaultnya accept"

Anti-Conficker

/ip firewall filter
add chain=forward protocol=udp src-port=135-139 action=drop comment=";;Block W32.Kido - Conficker" disabled=no
add chain=forward protocol=udp dst-port=135-139 action=drop comment="" disabled=no
add chain=forward protocol=udp src-port=445 action=drop comment="" disabled=no
add chain=forward protocol=udp dst-port=445 action=drop comment="" disabled=no
add chain=forward protocol=tcp src-port=135-139 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=135-139 action=drop comment="" disabled=no
add chain=forward protocol=tcp src-port=445 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=4691 action=drop comment="" disabled=no
add chain=forward protocol=tcp dst-port=5933 action=drop comment="" disabled=no
add chain=forward protocol=udp dst-port=5355 action=drop comment="Block LLMNR" disabled=no
add chain=forward protocol=udp dst-port=4647 action=drop comment="" disabled=no
add action=drop chain=forward comment="SMTP Deny" disabled=no protocol=tcp src-port=25
add action=drop chain=forward comment="" disabled=no dst-port=25 protocol=tcp

Protecting your Mikrotik FTP server

/ip firewall filter
add chain=input in-interface=hotspot protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="FTP Blacklist"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m comment="accept 10 incorrect logins per minute"
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h comment="add to blacklist"

Remember, the order above must be exact; the rules must not be swapped around.

Let's go through the rules above one by one.

/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

This first rule filters traffic arriving on ether1 (change this as needed), protocol TCP, port 21, and compares the source IP of the traffic with the address list ftp_blacklist (which is filled by the rules that follow). If there is a match, the drop action is taken.

When someone performs a brute-force attack for the first time, this first rule does nothing. But once the IP has been recorded, it is dropped immediately.

# accept 10 incorrect logins per minute
/ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

This rule acts as the monitor: has a given IP produced an incorrect login 9 times within 1 minute? As long as it stays within 9 attempts per minute the response is still accepted. Once it exceeds 9, this rule no longer matches and processing continues to the next rule, namely:

# add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

This rule adds the attacker's IP to the address list named ftp_blacklist; that is all this rule does.

So on the 11th attempt, the attack is dropped by the first rule.
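To check the arithmetic in the explanation above, here is an added Python model (not code from the page or from MikroTik) of the three FTP rules. dst-limit is modelled as a token bucket holding `burst` tokens that refills at `rate`, which is an assumption about how RouterOS implements it; the source address 203.0.113.5 and the attempt timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

MINUTE = 60
HOUR = 3600


@dataclass
class TokenBucket:
    """Model of dst-limit=1/1m,9,dst-address/1m: a bucket of `burst` tokens refilled at `rate` tokens per second."""
    rate: float
    burst: int
    tokens: float
    last: float

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class FtpGuard:
    """The page's three FTP rules, kept in the page's order."""
    rate: float = 1 / MINUTE           # dst-limit rate: 1 per minute
    burst: int = 9                     # dst-limit burst
    blacklist_timeout: int = 3 * HOUR  # address-list-timeout=3h
    blacklist: Dict[str, float] = field(default_factory=dict)      # ftp_blacklist: ip -> expiry
    buckets: Dict[str, TokenBucket] = field(default_factory=dict)  # one bucket per dst-address

    def inbound(self, ip: str, now: float) -> str:
        """Rule 1 (chain=input, dst-port=21): drop if the source is in ftp_blacklist."""
        expiry = self.blacklist.get(ip)
        return "drop" if expiry is not None and expiry > now else "accept"

    def login_incorrect(self, ip: str, now: float) -> str:
        """Rules 2 and 3 (chain=output): the server is sending '530 Login incorrect' to ip."""
        bucket = self.buckets.get(ip)
        if bucket is None:
            bucket = self.buckets[ip] = TokenBucket(self.rate, self.burst, self.burst, now)
        if bucket.allow(now):
            return "accept"            # rule 2 matched: still within the burst
        # rule 2 did not match, so rule 3 adds the destination to ftp_blacklist for 3h
        self.blacklist[ip] = now + self.blacklist_timeout
        return "blacklisted"


def simulate_bad_logins(n: int, interval: float = 2, ip: str = "203.0.113.5") -> List[str]:
    """n wrong passwords from ip, `interval` seconds apart; returns one outcome per attempt."""
    guard = FtpGuard()
    outcomes = []
    for i in range(n):
        now = i * interval
        if guard.inbound(ip, now) == "drop":
            outcomes.append("drop")    # the attempt never reaches the FTP server
        else:
            outcomes.append(guard.login_incorrect(ip, now))
    return outcomes


if __name__ == "__main__":
    print(simulate_bad_logins(12))               # 9 accept, then blacklisted, then drop, drop
    print(simulate_bad_logins(20, interval=60))  # one failure per minute never exhausts the bucket
```

The first run reproduces the page's sequence: nine failures pass rule 2, the tenth falls through to rule 3 and is blacklisted, and from the eleventh attempt the input rule drops the connection. The second run shows the limit's other side: a source that fails once per minute stays within the refill rate and is never blacklisted, so the 3-hour list only catches bursts.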

Setting up the Mikrotik firewall to block viruses and NetCut

This article discusses the firewall system in Mikrotik, specifically for blocking viruses and NetCut on the local network. Attacks, whether from the local network or from the internet, disrupt systems and private information, so network administrators are expected to understand how to manage security on their network devices.

For this particular device, Mikrotik provides a firewall facility in its system for blocking various attacks. Here is the configuration listing for setting up the firewall to block viruses and NetCut:

1. First, log in to the Mikrotik system using the winbox loader.

2. In the Mikrotik menu choose New Terminal, then type or paste the code below:

/ip firewall filter

add action=accept chain=input disabled=no dst-port=8291 protocol=tcp

add action=drop chain=forward connection-state=invalid disabled=no

add action=drop chain=virus disabled=no dst-port=135-139 protocol=tcp

add action=drop chain=virus disabled=no dst-port=1433-1434 protocol=tcp

add action=drop chain=virus disabled=no dst-port=445 protocol=tcp

add action=drop chain=virus disabled=no dst-port=445 protocol=udp

add action=drop chain=virus disabled=no dst-port=593 protocol=tcp

add action=drop chain=virus disabled=no dst-port=1024-1030 protocol=tcp

add action=drop chain=virus disabled=no dst-port=1080 protocol=tcp

add action=drop chain=virus disabled=no dst-port=1214 protocol=tcp

add action=drop chain=virus disabled=no dst-port=1363 protocol=tcp

add action=drop chain=virus disabled=no dst-port=1364 protocol=tcp

add action=drop chain=virus disabled=no dst-port=1368 protocol=tcp

add action=drop chain=virus disabled=no dst-port=1373 protocol=tcp

add action=drop chain=virus disabled=no dst-port=1377 protocol=tcp

add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp

add action=drop chain=virus disabled=no dst-port=2283 protocol=tcp

add action=drop chain=virus disabled=no dst-port=2535 protocol=tcp

add action=drop chain=virus disabled=no dst-port=2745 protocol=tcp

add action=drop chain=virus disabled=no dst-port=3127 protocol=tcp

add action=drop chain=virus disabled=no dst-port=3410 protocol=tcp

add action=drop chain=virus disabled=no dst-port=4444 protocol=tcp

add action=drop chain=virus disabled=no dst-port=4444 protocol=udp

add action=drop chain=virus disabled=no dst-port=5554 protocol=tcp

add action=drop chain=virus disabled=no dst-port=8866 protocol=tcp

add action=drop chain=virus disabled=no dst-port=9898 protocol=tcp

add action=drop chain=virus disabled=no dst-port=10080 protocol=tcp

add action=drop chain=virus disabled=no dst-port=12345 protocol=tcp

add action=drop chain=virus disabled=no dst-port=17300 protocol=tcp

add action=drop chain=virus disabled=no dst-port=27374 protocol=tcp

add action=drop chain=virus disabled=no dst-port=65506 protocol=tcp
add action=jump chain=forward disabled=no jump-target=virus
add action=drop chain=input connection-state=invalid disabled=no
add action=accept chain=input disabled=no protocol=udp
add action=accept chain=input disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input disabled=no protocol=icmp
add action=accept chain=input disabled=no dst-port=21 protocol=tcp
add action=accept chain=input disabled=no dst-port=22 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no dst-port=23 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15s chain=input disabled=no dst-port=1337 protocol=tcp
add action=add-src-to-address-list address-list=DDOS address-list-timeout=15m chain=input disabled=no dst-port=7331 protocol=tcp src-address-list=knock
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="port-scanner" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="SYN/FIN" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="SYN/RST" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w chain=input comment="NMAP" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=61.213.183.1-61.213.183.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=67.195.134.1-67.195.134.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=68.142.233.1-68.142.233.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=68.180.217.1-68.180.217.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=203.84.204.1-203.84.204.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.176.1-69.63.176.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=69.63.181.1-69.63.181.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.209.1-63.245.209.254
add action=accept chain=input comment="ANTI-NETCUT" disabled=no dst-port=0-65535 protocol=tcp src-address=63.245.213.1-63.245.213.254

Protecting clients from viruses with the firewall on Mikrotik

Posted by mazumam on Jun 13, 2012 in Mikrotik, Networking, Tutorial | 0 comments

To protect the customer network, we must inspect all traffic that passes through the router and block what is unwanted. For udp, icmp and tcp traffic we will create a chain in which all unwanted packets are dropped. To start, copy and paste the following commands into the RouterOS terminal console:

/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

Next, we must filter and drop all unwanted packets that look as if they come from virus-infected hosts.

/ip firewall filter
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

Firewall to block worms and viruses on Mikrotik

Since the sporadic appearance of the Conficker / Downadup / Kido worm across the whole internet, network administrators and security engineers have been kept busy fending off this aggressive worm. As we know, the Windows OS does not have a good level of security and has many easily exploited holes because of built-in flaws: the default NetBIOS services on 135-139 and SMB on 445 remain open even after Windows has been patched or upgraded.

This worm is able to modify or extend internal Windows (TCP) functions to block access to security sites (security/antivirus) by filtering addresses that contain certain characters/text. Undoing that effect is not easy, because it is arguably at the level of low-level programming.

The worm is designed to protect itself from antivirus detection using rarely used techniques, to protect itself from removal attempts, to disable Windows Update and the restore points from before the infection, to shut down certain network traffic, to exploit Windows Vista features to make spreading easier, and to inject explorer.exe, svchost.exe, services.exe and others.

Quite a few sites are blocked, covering websites whose addresses contain text such as the following (they may be blocked outright, or always show a Time Out message when opened): virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda, etrust, f-secure, kaspersky, f-prot, nod32, eset, grisoft, avast, avira, comodo, clamav, norman, pctools, rising, sunbelt, threatexpert, wilderssecurity, windowsupdate, avp, avg.

To deal with this aggressive worm, we recommend using the filter feature of the firewall already built into the Mikrotik router; copy and paste the following worm/virus blocking script into the terminal/console of the Mikrotik router.

/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Conficker Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="Drop Kido Worm"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"

So that this firewall filter script works optimally and accurately blocks worms and viruses, add a new rule in chain=forward that jumps to the virus chain with action=jump:

add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

As can be seen in the figure, if a packet or connection in flight does not match any rule in chain=virus, it is immediately processed again in chain=forward. Good luck.

How to block SSH/FTP brute force on MikroTik

Posted by: Adam Rachmad, October 9, 2013, in Mikrotik | 0 Comments

Block SSH FTP Brute Force MikroTik: a Mikrotik setup technique for blocking SSH/FTP brute force.

What's that, bro? It's when someone tries to get in / guess your Mikrotik's username and password. They try at random to find your Mikrotik's username and password; the usual targets are careless usernames like username: admin, password: 123456.

How do you see or know about it? Look at the Mikrotik log image below:

That's an indication that someone is trying to log in with random usernames via SSH on your Mikrotik. This usually happens if your Mikrotik router has a public IP / sits in the internet cloud.

How to block brute force on MikroTik

Go straight in with these Mikrotik firewall settings:

/ip firewall filter
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp

A little explanation in my own words ^_^

For anyone trying to hack via FTP brute force, this Mikrotik setting catches IPs that get 10 wrong logins / FTP login incorrect per minute. Caught IPs are put into address-list=ftp_blacklist and everything from them is dropped.

For anyone trying to hack via SSH brute force, this Mikrotik setting catches IPs that keep trying to log in and failing. Caught IPs are put into address-list=ssh_blacklist and everything from them is dropped.

Example of naughty IPs that got busted! 39 IPs (o_o)

Firewall for a Mikrotik router

Written by harijanto@datautama.net.id

http://www.datautama.net.id Thursday, 09 November 2006

To secure a Mikrotik router from virus traffic and excess ping, the following firewall script can be used.

First, create an address list "ournetwork" containing the radio IP, the LAN IP and the WAN IP, or any other IPs that can be trusted.

In the following example the radio IP is 10.0.0.0/16, the LAN IP is 192.168.2.0/24, the WAN IP is 203.89.24.0/21 and another trusted IP is 202.67.33.7.

To create the address list you can use a script like the following; just adjust it to your network configuration.

Create the following script in notepad, then copy-paste it into the Mikrotik console.

/ip firewall address-list
add list=ournetwork address=203.89.24.0/21 comment="Datautama Network" disabled=no
add list=ournetwork address=10.0.0.0/16 comment="IP Radio" disabled=no
add list=ournetwork address=192.168.2.0/24 comment="LAN Network" disabled=no

Next, copy-paste the following script into the Mikrotik console.

/ip firewall filter
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y, better left disabled because this port is also often used for vpn or webmin" disabled=yes
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no
add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ournetwork action=accept comment="FTP" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork action=accept comment="SSH for secure shell" disabled=no
add chain=input protocol=tcp dst-port=23 src-address-list=ournetwork action=accept comment="Telnet" disabled=no
add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork action=accept comment="Web" disabled=no
add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox" disabled=no
add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" disabled=no
add chain=input src-address-list=ournetwork action=accept comment="From Datautama network" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no

The effects of the script above are:

1. The Mikrotik router can only be accessed via FTP, SSH, Web and Winbox from the IPs defined in the "ournetwork" address list, so it cannot be accessed from just anywhere.

2. Ports commonly used by viruses are blocked so that virus traffic cannot pass; note, however, that if a user has trouble reaching a particular service, check chain="virus" to see whether the port that user needs is blocked by the firewall.

3. Ping packets are rate-limited to avoid excess ping.

Also worth noting: it is best to create a new user and password in the full group and then disable the admin user, to minimise the risk of your Mikrotik being hacked.
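As an added illustration (example code for this edit, not the author's script), the following Python model walks a packet through the input chain above in order, matching src-address-list against the "ournetwork" list, so that effect 1 in the list above can be checked packet by packet. The ICMP limit=50/5s,2 is not modelled, so the "Drop excess pings" rule that follows it is left out; the sample packets, including the outside address 67.225.209.238 taken from the first post on this page, are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the page's "ournetwork" address list.
ADDRESS_LISTS = {
    "ournetwork": [
        ipaddress.ip_network(n) for n in ("203.89.24.0/21", "10.0.0.0/16", "192.168.2.0/24")
    ],
}


@dataclass
class Packet:
    src: str
    protocol: str                   # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    connection_state: str = "new"   # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    action: str                     # "accept", "drop" or "log"
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[str] = None
    src_address_list: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must agree; unset matchers match anything, as in RouterOS."""
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.connection_state and pkt.connection_state != self.connection_state:
            return False
        if self.src_address_list:
            src = ipaddress.ip_address(pkt.src)
            if not any(src in net for net in ADDRESS_LISTS[self.src_address_list]):
                return False
        return True


# The page's input chain in the page's order (ICMP limit and "Drop excess pings" omitted).
INPUT_CHAIN: List[Rule] = [
    Rule("accept", connection_state="established", comment="Accept established connections"),
    Rule("accept", connection_state="related", comment="Accept related connections"),
    Rule("drop", connection_state="invalid", comment="Drop invalid connections"),
    Rule("accept", protocol="udp", comment="UDP"),
    Rule("accept", protocol="icmp", comment="Allow limited pings"),
    Rule("accept", protocol="tcp", dst_port=21, src_address_list="ournetwork", comment="FTP"),
    Rule("accept", protocol="tcp", dst_port=22, src_address_list="ournetwork", comment="SSH for secure shell"),
    Rule("accept", protocol="tcp", dst_port=23, src_address_list="ournetwork", comment="Telnet"),
    Rule("accept", protocol="tcp", dst_port=80, src_address_list="ournetwork", comment="Web"),
    Rule("accept", protocol="tcp", dst_port=8291, src_address_list="ournetwork", comment="winbox"),
    Rule("accept", protocol="tcp", dst_port=1723, comment="pptp-server"),
    Rule("accept", src_address_list="ournetwork", comment="From Datautama network"),
    Rule("log", comment="Log everything else"),
    Rule("drop", comment="Drop everything else"),
]


def evaluate(pkt: Packet, chain: List[Rule] = INPUT_CHAIN) -> Tuple[str, str, bool]:
    """First terminating match decides; action=log is non-terminating. Returns (verdict, rule comment, logged)."""
    logged = False
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.action == "log":
            logged = True
            continue
        return rule.action, rule.comment, logged
    return "accept", "end of chain", logged


if __name__ == "__main__":
    for pkt in (
        Packet("192.168.2.10", "tcp", 22),          # LAN host to SSH: accepted by the SSH rule
        Packet("67.225.209.238", "tcp", 22),        # outside host to SSH: logged, then dropped
        Packet("67.225.209.238", "tcp", 1723),      # PPTP is open to everyone in this script
        Packet("67.225.209.238", "udp", 53),        # all UDP to the router is accepted
        Packet("203.89.25.4", "tcp", 443),          # WAN range, other port: "From Datautama network"
    ):
        print(pkt.src, pkt.protocol, pkt.dst_port, "->", evaluate(pkt))
```

Two things the walk-through makes visible that the prose does not: the pptp-server rule and the unconditional UDP accept are the only input-chain openings left for sources outside "ournetwork", and the SSH brute-force attempts from the first post on this page would be logged with prefix "DROP INPUT" and dropped before ever reaching the login prompt.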
