最简单的彻底禁止公网访问SSH FTP端口
| 1 2 | /ip firewall filter add chain=input protocol=tcp dst-port=21-22 src-address-list=!allow-addresses action=drop comment= "禁止公网SSH & FTP" disabled=no |
使用IP列表来实现更灵活的策略,三分钟之内只能允许建立三次新会话,超过了就阻塞
| 1 2 3 4 5 6 7 8 | /ip firewall filter add chain=input protocol=tcp dst-port=21,22,23,8291 src-address-list=login_blacklist action=drop comment= "drop login brute forcers 1" disabled=no add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage5 action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1d comment= "drop login brute forcers 2" disabled=no add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage4 action=add-src-to-address-list address-list=login_stage5 address-list-timeout=1m comment= "drop login brute forcers 3" disabled=no add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage3 action=add-src-to-address-list address-list=login_stage4 address-list-timeout=1m comment= "drop login brute forcers 4" disabled=no add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage2 action=add-src-to-address-list address-list=login_stage3 address-list-timeout=1m comment= "drop login brute forcers 5" disabled=no add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage1 action=add-src-to-address-list address-list=login_stage2 address-list-timeout=1m comment= "drop login brute forcers 6" disabled=no add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new action=add-src-to-address-list address-list=login_stage1 address-list-timeout=1m comment= "drop login brute forcers 7" disabled=no |
防端口扫描
| 1 2 3 4 5 6 7 8 9 | /ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list= "port scanners" address-list-timeout=14d comment= "Port scanners to list" disabled=no add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list= "port scanners" address-list-timeout=14d comment= "NMAP FIN Stealth scan" add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list= "port scanners" address-list-timeout=14d comment= "SYN/FIN scan" add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list= "port scanners" address-list-timeout=14d comment= "SYN/RST scan" add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list= "port scanners" address-list-timeout=14d comment= "FIN/PSH/URG scan" add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list= "port scanners" address-list-timeout=14d comment= "ALL/ALL scan" add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list= "port scanners" address-list-timeout=14d comment= "NMAP NULL scan" add chain=input src-address-list= "port scanners" action=drop comment= "dropping port scanners" disabled=no |