pctine wrote:
PPTP Serve...(恕刪)
Remote address 這位置要看profiles 這位置裡面的屬性有沒有設pool,如果有的話就不用設remote address,
Remote address 的屬性優先於profiles,
如果這位置有設指定Ip的話,RouterOS 會以這位置的IP配發給用戶。
個人積分:618分
文章編號:41871460
個人積分:5084分
文章編號:41871617
個人積分:390分
文章編號:41871627
個人積分:5084分
文章編號:41871724
個人積分:618分
文章編號:41871752
個人積分:390分
文章編號:41871866
個人積分:446分
文章編號:41880446
==================================Router protection :Drop Invalid connections規則前的話,內部在使用網頁,這規則會不小心把內部IP列入攻擊名單
但是加入src-address=!192.168.100.0/24,這規則好像就沒有作用?
但是我之前使用http://lxyue19881184.blog.hexun.com.tw/18732601_d.html的第二段規則,則DDOS防禦會有作用
add action=tarpit chain=input comment=\
"==================================\C0\A3\A8\EEDoS\A7\F0\C0\BB" \
connection-limit=3,32 disabled=no protocol=tcp src-address-list=\
black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="\\B1\\B4\\B4\\FADoS\\A7\\F0\\C0\\BB" \
connection-limit=10,32 disabled=no
下面是我目前防禦DDOS規則
add action=tarpit chain=input comment=\
"==================================\C0\A3\A8\EEDoS\A7\F0\C0\BB" \
connection-limit=3,32 disabled=no protocol=tcp src-address-list=\
black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="\\B1\\B4\\B4\\FADoS\\A7\\F0\\C0\\BB" \
connection-limit=10,32 disabled=no in-interface=Adsl src-address=\
!192.168.100.0/24
下面是我用官方規則
# feb/18/2013 22:25:11 by RouterOS 5.16
# software id = TF97-NX3L
#
/ip firewall filter
add action=accept chain=icmp comment="Allow only needed icmp codes in icmp cha\\
in:echo reply Ping\\C0\\B3\\B5\\AA\\AD\\AD\\A8\\EE\\AC\\B0\\A8C\\AC\\ED5\\AD\\D3\\A5]" \
disabled=no icmp-options=0:0 limit=5,5 protocol=icmp
add action=accept chain=icmp comment=\
"Allow only needed icmp codes in icmp chain:net unreachable" disabled=no \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment=\
"Allow only needed icmp codes in icmp chain:host unreachable" disabled=no \
icmp-options=3:1 protocol=icmp
add action=accept chain=ICMP comment=\
"Traceroute\AD\AD\A8\EE\AC\B0\A8C\AC\ED5\AD\D3\A5]" disabled=no \
icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment=\
"MTU\BDu\B8\F4\B1\B4\B4\FA\AD\AD\A8\EE\AC\B0\A8C\AC\ED5\AD\D3\A5]" \
disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp comment=\
"Allow only needed icmp codes in icmp chain:allow source quench" \
disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="Allow only needed icmp codes in icmp cha\\
in:allow echo request Ping\\BD\\D0\\A8D\\AD\\AD\\A8\\EE\\AC\\B0\\A8C\\AC\\ED5\\AD\\D3\\A5\\
]" disabled=no icmp-options=8:0 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="Allow only needed icmp codes in icmp cha\\
in:allow time exceed Trace TTL\\AD\\AD\\A8\\EE\\AC\\B0\\A8C\\AC\\ED5\\AD\\D3\\A5]" \
disabled=no icmp-options=11:0 limit=5,5 protocol=icmp
add action=accept chain=icmp comment=\
"Allow only needed icmp codes in icmp chain:allow parameter bad" \
disabled=no icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="Allow only needed icmp codes in icmp chain\\
:deny all other types\\A5\\E1\\B1\\F3\\B1\\BC\\A5\\F4\\A6\\F3ICMP\\BC\\C6\\BE\\DA" \
disabled=no
add action=tarpit chain=input comment=\
"==================================\C0\A3\A8\EEDoS\A7\F0\C0\BB" \
connection-limit=3,32 disabled=no protocol=tcp src-address-list=\
black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="\\B1\\B4\\B4\\FADoS\\A7\\F0\\C0\\BB" \
connection-limit=10,32 disabled=no in-interface=Adsl src-address=\
!192.168.100.0/24
add action=drop chain=input comment="==================================Allows \\
only 10 FTP login incorrect answers per minute:drop ftp brute forcers" \
disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment=\
"Allows only 10 FTP login incorrect answers per minute:" content=\
"530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m \
protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output comment=\
"Allows only 10 FTP login incorrect answers per minute:" content=\
"530 Login incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="==================================Prevent\\
\\_a SSH brute forcer to be banned for 10 days after repetitive attempts:\\r\\
\\ndrop ssh brute forcers" disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment="Prevent a SSH brute forcer \\
to be banned for 10 days after repetitive attempts:\\r\\
\\n" connection-state=new disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment="Prevent a SSH brute forcer to\\
\\_be banned for 10 days after repetitive attempts:\\r\\
\\n" connection-state=new disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment="Prevent a SSH brute forcer to\\
\\_be banned for 10 days after repetitive attempts:\\r\\
\\n" connection-state=new disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment="Prevent a SSH brute forcer to\\
\\_be banned for 10 days after repetitive attempts:\\r\\
\\n" connection-state=new disabled=no dst-port=22 protocol=tcp
add action=drop chain=forward comment="Prevent a SSH brute forcer to be banned\\
\\_for 10 days after repetitive attempts:\\r\\
\\ndrop ssh brute downstream" disabled=no dst-port=22 protocol=tcp \
src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment=\
"==================================Port scanners to list " disabled=no \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="==================================Drop th\\
ose IPs in both Input & Forward chains:dropping port scanners\\B1\\B4\\B4\\FA\\
\\A8\\C3\\A5\\E1\\B1\\F3\\BA\\DD\\A4f\\B1\\BD\\BA\\CB\\B3s\\B1\\B5" disabled=no \
src-address-list="port scanners"
add action=drop chain=forward comment=\
"Drop those IPs in both Input & Forward chains:dropping port scanners" \
disabled=no src-address-list="port scanners"
add action=drop chain=input comment="==================================Router \\
protection :Drop Invalid connections\\A5\\E1\\B1\\F3\\ABD\\AAk\\B3s\\B1\\B5packets" \
connection-state=invalid disabled=no
add action=accept chain=input comment="Router protection :Allow Established co\\
nnections\\B1\\B5\\A8\\FC\\A5H\\B3s\\B1\\B5\\AA\\BA\\BC\\C6\\BE\\DA\\A5]" \
connection-state=established disabled=no
add action=accept chain=input comment=\
"Router protection :Allow Established connections" disabled=no \
in-interface=!Adsl src-address=192.168.100.0/24
add action=drop chain=input comment="Router protection :Drop everything else" \
disabled=no
add action=drop chain=forward comment="==================================Custo\\
mer protection (forward chain - traffic passing through the router):drop i\\
nvalid connections\\A5\\E1\\B1\\F3\\ABD\\AAk\\BC\\C6\\BE\\DA\\A5]" connection-state=\
invalid disabled=no
add action=accept chain=forward comment="Customer protection (forward chain - \\
traffic passing through the router):allow already established connections\\
\\B1\\B5\\A8\\FC\\A5H\\B3s\\B1\\B5\\AA\\BA\\BC\\C6\\BE\\DA\\A5]" connection-state=\
established disabled=no
add action=accept chain=forward comment="Customer protection (forward chain - \\
traffic passing through the router):allow related connections\\B1\\B5\\A8\\FC\\
\\AC\\DB\\C3\\F6\\BC\\C6\\BE\\DA\\A5]" connection-state=related disabled=no
add action=drop chain=input comment=\
"\AD\AD\A8\EE\C1`http\B3s\B1\B5\BC\C6\AC\B090" connection-limit=90,0 \
disabled=no dst-port=80 protocol=tcp
add action=drop chain=forward comment=\
"\AD\AD\A8\EE\A8C\AD\D3\A5D\BE\F7TCP\B3s\B1\B5\BC\C6\AC\B050\B1\F8" \
connection-limit=50,32 disabled=no protocol=tcp
add action=drop chain=forward comment=\
"\A5\E1\B1\F3\B1\BC\A9\D2\A6\B3\ABD\B3\E6\BC\BD\BC\C6\BE\DA" disabled=no \
src-address-type=!unicast
add action=drop chain=forward comment=\
"==================================Block Bogon IP addresses" disabled=no \
src-address=0.0.0.0/8
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
dst-address=0.0.0.0/8
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
src-address=127.0.0.0/8
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
dst-address=127.0.0.0/8
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
src-address=224.0.0.0/3
add action=drop chain=forward comment="Block Bogon IP addresses" disabled=no \
dst-address=224.0.0.0/3
add action=jump chain=forward comment=\
"==================================Make jumps to new chains:" disabled=no \
jump-target=tcp protocol=tcp
add action=jump chain=forward comment="Make jumps to new chains:" disabled=no \
jump-target=udp protocol=udp
add action=jump chain=forward comment="Make jumps to new chains:" disabled=no \
jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="==================================Create TC\\
P chain and deny some TCP ports in it (revise port numbers as needed):deny\\
\\_TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Create TCP chain and deny some TCP ports in\\
\\_it (revise port numbers as needed):deny RPC portmapper" disabled=no \
dst-port=111 protocol=tcp
add action=drop chain=tcp comment="Create TCP chain and deny some TCP ports in\\
\\_it (revise port numbers as needed):deny RPC portmapper" disabled=no \
dst-port=135 protocol=tcp
add action=drop chain=tcp comment="Create TCP chain and deny some TCP ports in\\
\\_it (revise port numbers as needed):deny NBT" disabled=no dst-port=\
137-139 protocol=tcp
add action=drop chain=tcp comment="Create TCP chain and deny some TCP ports in\\
\\_it (revise port numbers as needed):deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="Create TCP chain and deny some TCP ports in\\
\\_it (revise port numbers as needed):deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="Create TCP chain and deny some TCP ports in\\
\\_it (revise port numbers as needed):deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="Create TCP chain and deny some TCP ports in\\
\\_it (revise port numbers as needed):deny NetBus" disabled=no dst-port=\
20034 protocol=tcp
add action=drop chain=tcp comment="Create TCP chain and deny some TCP ports in\\
\\_it (revise port numbers as needed):deny BackOriffice" disabled=no \
dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="Create TCP chain and deny some TCP ports in\\
\\_it (revise port numbers as needed):deny DHCP" disabled=no dst-port=\
67-68 protocol=tcp
add action=drop chain=udp comment="==================================Create UD\\
P chain and deny some UDP ports in it (revise port numbers as needed):den\\
y TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="Create UDP chain and deny some UDP ports in\\
\\_it (revise port numbers as needed):deny PRC portmapper" disabled=no \
dst-port=111 protocol=udp
add action=drop chain=udp comment="Create UDP chain and deny some UDP ports in\\
\\_it (revise port numbers as needed):deny PRC portmapper" disabled=no \
dst-port=135 protocol=udp
add action=drop chain=udp comment="Create UDP chain and deny some UDP ports in\\
\\_it (revise port numbers as needed):deny NBT" disabled=no dst-port=\
137-139 protocol=udp
add action=drop chain=udp comment="Create UDP chain and deny some UDP ports in\\
\\_it (revise port numbers as needed):deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="Create UDP chain and deny some UDP ports in\\
\\_it (revise port numbers as needed):deny BackOriffice" disabled=no \
dst-port=3133 protocol=udp
add action=jump chain=forward comment="==================================\\B8\\
\\F5\\C2\\E0\\A8\\EC\\AFf\\ACr\\C3\\EC\\AA\\ED" disabled=no jump-target=virus
add action=drop chain=virus comment=DeepThroat.Trojan-1 disabled=no dst-port=\
41 protocol=tcp
add action=drop chain=virus comment=Worm.NetSky.Y@mm disabled=no dst-port=82 \
protocol=tcp
add action=drop chain=virus comment=W32.Korgo.A/B/C/D/E/F-1 disabled=no \
dst-port=113 protocol=tcp
add action=drop chain=virus comment=W33.Korgo.A/B/C/D/E/F-2 disabled=no \
dst-port=2041 protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-2 disabled=no dst-port=\
3150 protocol=tcp
add action=drop chain=virus comment=W32.Korgo.A/B/C/D/E/F-3 disabled=no \
dst-port=3067 protocol=tcp
add action=drop chain=virus comment=Backdoor.IRC.Aladdinz.R-1 disabled=no \
dst-port=3422 protocol=tcp
add action=drop chain=virus comment=W32.Korgo.A/B/C/D/E/F-4 disabled=no \
dst-port=6667 protocol=tcp
add action=drop chain=virus comment=Worm.NetSky.S/T/U@mm disabled=no \
dst-port=6789 protocol=tcp
add action=drop chain=virus comment=Back.Orifice.2000.Trojan-1 disabled=no \
dst-port=8787 protocol=tcp
add action=drop chain=virus comment=Back.Orifice.2000.Trojan-2 disabled=no \
dst-port=8879 protocol=tcp
add action=drop chain=virus comment=W32.Dabber.A/B-2 disabled=no dst-port=\
8967 protocol=tcp
add action=drop chain=virus comment=W32.Dabber.A/B-3 disabled=no dst-port=\
9999 protocol=tcp
add action=drop chain=virus comment=Block.NetBus.Trojan-2 disabled=no \
dst-port=20034 protocol=tcp
add action=drop chain=virus comment=GirlFriend.Trojan-1 disabled=no dst-port=\
21554 protocol=tcp
add action=drop chain=virus comment=Back.Orifice.2000.Trojan-3 disabled=no \
dst-port=31666 protocol=tcp
add action=drop chain=virus comment=Backdoor.IRC.Aladdinz.R-2 disabled=no \
dst-port=43958 protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-3 disabled=no dst-port=\
999 protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-4 disabled=no dst-port=\
6670 protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-5 disabled=no dst-port=\
6771 protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-6 disabled=no dst-port=\
60000 protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-7 disabled=no dst-port=\
2140 protocol=tcp
add action=drop chain=virus comment=Portal.of.Doom.Trojan-1 disabled=no \
dst-port=10067 protocol=tcp
add action=drop chain=virus comment=Portal.of.Doom.Trojan-2 disabled=no \
dst-port=10167 protocol=tcp
add action=drop chain=virus comment=Portal.of.Doom.Trojan-3 disabled=no \
dst-port=3700 protocol=tcp
add action=drop chain=virus comment=Portal.of.Doom.Trojan-4 disabled=no \
dst-port=9872-9875 protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-1 disabled=no \
dst-port=6883 protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-2 disabled=no \
dst-port=26274 protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-3 disabled=no \
dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-4 disabled=no \
dst-port=47262 protocol=tcp
add action=drop chain=virus comment=Eclypse.Trojan-1 disabled=no dst-port=\
3791 protocol=tcp
add action=drop chain=virus comment=Eclypse.Trojan-2 disabled=no dst-port=\
3801 protocol=tcp
add action=drop chain=virus comment=Eclypse.Trojan-3 disabled=no dst-port=\
65390 protocol=tcp
add action=drop chain=virus comment=Y3K.RAT.Trojan-1 disabled=no dst-port=\
5880-5882 protocol=tcp
add action=drop chain=virus comment=Y3K.RAT.Trojan-2 disabled=no dst-port=\
5888-5889 protocol=tcp
add action=drop chain=virus comment=NetSphere.Trojan-1 disabled=no dst-port=\
30100-30103 protocol=tcp
add action=drop chain=virus comment=NetSphere.Trojan-2 disabled=no dst-port=\
30133 protocol=tcp
add action=drop chain=virus comment=NetMonitor.Trojan-1 disabled=no dst-port=\
7300-7301 protocol=tcp
add action=drop chain=virus comment=NetMonitor.Trojan-2 disabled=no dst-port=\
7306-7308 protocol=tcp
add action=drop chain=virus comment=FireHotcker.Trojan-1 disabled=no \
dst-port=79 protocol=tcp
add action=drop chain=virus comment=FireHotcker.Trojan-2 disabled=no \
dst-port=5031 protocol=tcp
add action=drop chain=virus comment=FireHotcker.Trojan-3 disabled=no \
dst-port=5321 protocol=tcp
add action=drop chain=virus comment=TheThing.Trojan-1 disabled=no dst-port=\
6400 protocol=tcp
add action=drop chain=virus comment=TheThing.Trojan-2 disabled=no dst-port=\
7777 protocol=tcp
add action=drop chain=virus comment=GateCrasher.Trojan-1 disabled=no \
dst-port=1047 protocol=tcp
add action=drop chain=virus comment=GateCrasher.Trojan-2 disabled=no \
dst-port=6969-6970 protocol=tcp
add action=drop chain=virus comment=SubSeven-1 disabled=no dst-port=2774 \
protocol=tcp
add action=drop chain=virus comment=SubSeven-2 disabled=no dst-port=27374 \
protocol=tcp
add action=drop chain=virus comment=SubSeven-3 disabled=no dst-port=1243 \
protocol=tcp
add action=drop chain=virus comment=SubSeven-4 disabled=no dst-port=1234 \
protocol=tcp
add action=drop chain=virus comment=SubSeven-5 disabled=no dst-port=6711-6713 \
protocol=tcp
add action=drop chain=virus comment=SubSeven-7 disabled=no dst-port=16959 \
protocol=tcp
add action=drop chain=virus comment=Moonpie.Trojan-1 disabled=no dst-port=\
25685-25686 protocol=tcp
add action=drop chain=virus comment=Moonpie.Trojan-2 disabled=no dst-port=\
25982 protocol=tcp
add action=drop chain=virus comment=NetSpy.Trojan-3 disabled=no dst-port=\
31337-31339 protocol=tcp
add action=drop chain=virus comment=Trojan disabled=no dst-port=8102 \
protocol=tcp
add action=drop chain=virus comment=WAY.Trojan disabled=no dst-port=8011 \
protocol=tcp
add action=drop chain=virus comment=Trojan.BingHe disabled=no dst-port=7626 \
protocol=tcp
add action=drop chain=virus comment=Trojan.NianSeHoYian disabled=no dst-port=\
19191 protocol=tcp
add action=drop chain=virus comment=NetBull.Trojan disabled=no dst-port=\
23444-23445 protocol=tcp
add action=drop chain=virus comment=WinCrash.Trojan-1 disabled=no dst-port=\
2583 protocol=tcp
add action=drop chain=virus comment=WinCrash.Trojan-2 disabled=no dst-port=\
3024 protocol=tcp
add action=drop chain=virus comment=WinCrash.Trojan-3 disabled=no dst-port=\
4092 protocol=tcp
add action=drop chain=virus comment=WinCrash.Trojan-4 disabled=no dst-port=\
5714 protocol=tcp
add action=drop chain=virus comment=Doly1.0/1.35/1.5trojan-1 disabled=no \
dst-port=1010-1012 protocol=tcp
add action=drop chain=virus comment=Doly1.0/1.35/1.5trojan-2 disabled=no \
dst-port=1015 protocol=tcp
add action=drop chain=virus comment=TransScout.Trojan-1 disabled=no dst-port=\
2004-2005 protocol=tcp
add action=drop chain=virus comment=TransScout.Trojan-2 disabled=no dst-port=\
9878 protocol=tcp
add action=drop chain=virus comment=Backdoor.YAI..Trojan-1 disabled=no \
dst-port=2773 protocol=tcp
add action=drop chain=virus comment=Backdoor.YAI.Trojan-2 disabled=no \
dst-port=7215 protocol=tcp
add action=drop chain=virus comment=Backdoor.YAI.Trojan-3 disabled=no \
dst-port=54283 protocol=tcp
add action=drop chain=virus comment=BackDoorTrojan-1 disabled=no dst-port=\
1003 protocol=tcp
add action=drop chain=virus comment=BackDoorTrojan-2 disabled=no dst-port=\
5598 protocol=tcp
add action=drop chain=virus comment=BackDoorTrojan-3 disabled=no dst-port=\
5698 protocol=tcp
add action=drop chain=virus comment=SchainwindlerTrojan-2 disabled=no \
dst-port=31554 protocol=tcp
add action=drop chain=virus comment=Shaft.DDoS.Trojan-1 disabled=no dst-port=\
18753 protocol=tcp
add action=drop chain=virus comment=Shaft.DDoS.Trojan-2 disabled=no dst-port=\
20432 protocol=tcp
add action=drop chain=virus comment=Devil.DDoS.Trojan disabled=no dst-port=\
65000 protocol=tcp
add action=drop chain=virus comment=LatinusTrojan-1 disabled=no dst-port=\
11831 protocol=tcp
add action=drop chain=virus comment=LatinusTrojan-2 disabled=no dst-port=\
29559 protocol=tcp
add action=drop chain=virus comment=Snid.X2Trojan-1 disabled=no dst-port=1784 \
protocol=tcp
add action=drop chain=virus comment=Snid.X2Trojan-2 disabled=no dst-port=3586 \
protocol=tcp
add action=drop chain=virus comment=Snid.X2Trojan-3 disabled=no dst-port=7609 \
protocol=tcp
add action=drop chain=virus comment=BionetTrojan-1 disabled=no dst-port=\
12348-12349 protocol=tcp
add action=drop chain=virus comment=BionetTrojan-2 disabled=no dst-port=12478 \
protocol=tcp
add action=drop chain=virus comment=BionetTrojan-3 disabled=no dst-port=57922 \
protocol=tcp
add action=drop chain=virus comment=Worm.Novarg.a.Mydoom.a1. disabled=no \
dst-port=3127 protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.a.Bagle.a. disabled=no \
dst-port=6777 protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.b disabled=no dst-port=8866 \
protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.c-g/j-l disabled=no \
dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.p/q/r/n disabled=no \
dst-port=2556 protocol=tcp
add action=drop chain=virus comment=Worm.BBEagle.m-2 disabled=no dst-port=\
20742 protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.s/t/u/v disabled=no \
dst-port=4751 protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.aa/ab/w/x-z-2 disabled=no \
dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Worm.LovGate.r.RpcExploit disabled=no \
dst-port=5238 protocol=tcp
add action=drop chain=virus comment=Worm.Sasser.a disabled=no dst-port=1068 \
protocol=tcp
add action=drop chain=virus comment=Worm.Sasser.b/c/f disabled=no dst-port=\
5554 protocol=tcp
add action=drop chain=virus comment=Worm.Sasser.b/c/f disabled=no dst-port=\
9996 protocol=tcp
add action=drop chain=virus comment=Worm.Sasser.d disabled=no dst-port=9995 \
protocol=tcp
add action=drop chain=virus comment=Worm.Lovgate.a/b/c/d disabled=no \
dst-port=10168 protocol=tcp
add action=drop chain=virus comment=Worm.Lovgate.v.QQ disabled=no dst-port=\
20808 protocol=tcp
add action=drop chain=virus comment=Worm.Lovgate.f/g disabled=no dst-port=\
1092 protocol=tcp
add action=drop chain=virus comment=Worm.Lovgate.f/g disabled=no dst-port=\
20168 protocol=tcp
add action=drop chain=virus comment=ndm.requester disabled=no dst-port=\
1363-1364 protocol=tcp
add action=drop chain=virus comment=screen.cast disabled=no dst-port=1368 \
protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=virus comment=cichainlid disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=virus comment=Backdoor.Optixprotocol disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.b disabled=no dst-port=8888 \
protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-7 disabled=no \
dst-port=44444 protocol=udp
add action=drop chain=virus comment=Worm.Sobig.f-3 disabled=no dst-port=8998 \
protocol=udp
add action=drop chain=virus comment=Worm.Sobig.f-1 disabled=no dst-port=123 \
protocol=udp
add action=drop chain=virus comment=Worm.Novarg.a.Mydoom.a2. disabled=no \
dst-port=3198 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
139 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
445 protocol=tcp
個人積分:1148分
文章編號:41884413
個人積分:5084分
文章編號:41886829
derliang wrote:
這安全機制很實用,請問可以在實作上再多做介紹嗎?..(恕刪)
在那篇官方文件就有實作的範例.
Port Knocking
/ ip firewall filter
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock \
address-list-timeout=15s comment="Port Knocking1" disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action= add-src-to-address-list \
address-list=safe address-list-timeout=15m comment="Port Knocking2" disabled=no
當第一次收到 TCP/1337, 就把 source address 加到 knock address-list, 且有效期只有 15s, 表示在 15s 以內必須再送出第二個正確的封包, 如果送出正確的封包就把它加到 safe list. 既加到 safe list, 有效期為 1day, 這些變化都是自己可以再去改變的,
之後的 firewall rule 只要允許 safe list 的來源 IP 能允許對 router 存取就可以了.
至於要怎麼 '敲門', 用 telnet command 就可以了.
FB: Pctine
個人積分:5084分
文章編號:41888646
hcmhcm wrote:
add action=jump chain=forward comment="==================================\\B8\\
\\F5\\C2\\E0\\A8\\EC\\AFf\\ACr\\C3\\EC\\AA\\ED" disabled=no jump-target=virus
add action=drop chain=virus comment=DeepThroat.Trojan-1 disabled=no dst-port=\
41 protocol=tcp
add action=drop chain=virus comment=Worm.NetSky.Y@mm disabled=no dst-port=82 \
protocol=tcp...(恕刪)
hcmhcm 兄的 firewall rule 果真複雜, 小弟還沒有學到那麼多.
不過以你上面的做法,chain=forward, 然後 jump to virus chain. 裡面針對那麼多 port 做 drop, 這樣不會有很多誤判嗎? 尤其從 internet 過來的封包, 會不會很多都被無故drop 掉了?
FB: Pctine
