Mikrotik Security Script

Mikrotik Security Script – Protecting a Mikrotik Internet Facing Router

There are a lot of Mikrotik security scripts out there, showing off bells and whistles of how to block extremely specific attacks. Many of these are additional layers of security, the more layers, the safer you can be, at the expense of CPU power.

I needed a security script to protect a small business. The only publicly facing internet services are TCP443 for an internally hosted web-site, and TCP25 with a restricted access rule (whitelist only). The design philosophy is to minimize the number of IP filters. For example, instead of having separate block rules for TCP22, UDP53, TCP3389, TCP5900, etc, load them into a single rule blocking via address list. Invalid traffic used by port-scanners and DDoS’ers will be tarpitted.

Goals

  1. Provide a high level of protection without going over-kill on firewall rules (CPU load).
  2. Redirect client requested DNS queries (UDP 53 to 8.8.8.8 for example) to be forced to use a DNS server of my choosing, in this case, OpenDNS.
  3. Block as much torrent-related activity as we can, using a combination of OpenDNS and interrupting DNS lookups with Layer7 protocol packet marking.
  4. Block WAN DNS lookups, and block and log LAN based SMTP mailbots and port scanning (NETBIOS).

I hope this script is of use to you.

#Disable Unnecessary Services (Winbox only)
# Leaves winbox (TCP/8291) as the only management path; winbox itself is gated by
# the port-knock rules in the WAN section. Consider also pinning it to trusted
# networks with "/ip service set winbox address=<mgmt-subnet>" so the service is
# unreachable from the WAN even if a filter rule is ever mis-ordered.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

#Disable unused packages
# Fewer active packages = smaller attack surface and fewer updates to track;
# package disable/enable takes effect on the next reboot.
/system package disable hotspot
/system package disable mpls

####WAN Rules####
#Don’t let Winbox access (TCP8291) be broadcast to neighbors via WAN
# Stops neighbor announcements (MNDP/CDP/LLDP) on ether1, the WAN port; they would
# otherwise advertise the router's identity and version to anyone on the upstream
# segment. NOTE(review): newer RouterOS releases (6.41+) configure this through
# "/ip neighbor discovery-settings set discover-interface-list=<LAN list>" instead
# of a per-interface setting — confirm which form the target version accepts.
/ip neighbor discovery
set ether1 discover=no

#Blacklist Common Port Lookups for 3 days
# NOTE(review): both detectors below fire on any single packet arriving on ether1,
# with no connection-state or tcp-flags match, so a forged source address is
# enough to put an arbitrary host on BlackList for 3 days. Treat entries as
# low-confidence and keep management/partner addresses out of reach of these rules
# (e.g. an earlier accept for a trusted address list).
/ip firewall filter
# TCP to service ports the router does not expose: ftp/ssh/telnet, DNS, kerberos,
# MS-RPC/NetBIOS, LDAP, SMB, MSSQL, MySQL, RDP, VNC, IRC.
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Detect Port Scanners" dst-port=21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=ether1 protocol=tcp
# Any UDP/53 query from the WAN: the router is not a public resolver, so such
# traffic is treated as abuse (reflection/amplification attempts).
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" dst-port=53 in-interface=ether1 protocol=udp
# Consumers of BlackList. Both are bound to ether1, so a LAN host that lands on
# the list via the interface-agnostic detectors further down is not dropped here.
add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=ether1 src-address-list=BlackList
add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=ether1 src-address-list=BlackList

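#Blacklist NMAP Stealth Port Scanners for 3 days (can be abused for DDoS as well)
# Every detector below feeds BlackList, so the consumer rule reads BlackList too
# (it previously referenced a "PortScanners" list that nothing populates, and so
# never matched). Unlike the ether1-bound drops above, this rule has no
# in-interface match: a LAN host that trips a detector is also cut off from the
# router for 3 days, which is the behaviour the detectors' placement implies.
/ip firewall filter
add action=drop chain=input comment="Drop port scanners" src-address-list=BlackList
# psd=<weight threshold>,<delay>,<low-port weight>,<high-port weight>: 21 points of
# distinct destination ports within 3s, ports below 1024 scoring 3 and others 1.
# Like the flag-based detectors, this is spoofable — one forged packet lists a source.
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add Port scanners to blacklist" protocol=tcp psd=21,3s,3,1
# Illegal / fingerprinting flag combinations: FIN-only, SYN+FIN, SYN+RST, Xmas
# (FIN+PSH+URG), all flags set, and no flags (NULL). Apply to every interface.
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add NMAP FIN Stealth scan to list" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add SYN/FIN scan to list" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add SYN/RST scan to list" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add FIN/PSH/URG scan to list" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add ALL/ALL scan to list" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=3d chain=input comment="Add NMAP NULL scan to list" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg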

#Port Knocking Entry
# Four-step knock: TCP/10000 -> UDP/20000 -> UDP/30000 -> TCP/40000. Each step only
# counts if the source is still on the previous step's list; steps 1-2 expire in
# 10s, steps 3-4 in 1h, so a completed sequence grants Winbox for an hour.
# NOTE(review): the knock rules carry no in-interface match, so LAN sources can
# run the sequence too; only the final accept is bound to ether1. Knocking is
# obscurity, not authentication — the Winbox credentials still carry the access
# decision. These rules must stay ahead of the "Drop Unsolicited WAN Traffic"
# rule, or the knock packets (all connection-state=new) never reach them.
add action=add-src-to-address-list address-list=AccessRouter1 address-list-timeout=10s chain=input comment="Port Knock for Router Access" dst-port=10000 protocol=tcp
add action=add-src-to-address-list address-list=AccessRouter2 address-list-timeout=10s chain=input dst-port=20000 protocol=udp src-address-list=AccessRouter1
add action=add-src-to-address-list address-list=AccessRouter3 address-list-timeout=1h chain=input dst-port=30000 protocol=udp src-address-list=AccessRouter2
add action=add-src-to-address-list address-list=AccessRouter4 address-list-timeout=1h chain=input dst-port=40000 protocol=tcp src-address-list=AccessRouter3
add chain=input comment="Allow in Winbox" dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=AccessRouter4

#Allow through good traffic (started from LAN)
# Accepts established/related flows from any interface. NOTE(review): nothing on
# this page adds a forward-chain drop for new connections arriving on ether1, so
# WAN-originated forwarding is only prevented by masquerade/unroutable LAN
# addresses rather than by policy. A catch-all such as
#   add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1
# placed after the dst-nat rules for the published TCP443/TCP25 services would
# make the default-deny explicit. Those dst-nat rules are not on this page —
# confirm they exist before adding the drop.
add chain=forward comment="allow established/related connections through the router" connection-state=established,related

#Block DDoS Attacks
/ip firewall filter
# Order matters: the consumer sits before the detector. A source already on
# DOSattacker is tarpitted once it holds more than 3 concurrent TCP connections
# (connection-limit=<count>,<netmask>). Tarpitting ties up the attacker's sockets
# but also keeps an entry in the router's connection table for each one — watch
# tracking capacity under a sustained flood.
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=DOSattacker
# More than 20 concurrent TCP connections from one /32 on ether1 => 1 day on the
# list, logged. NOTE(review): this counts connections to the router itself; if the
# public TCP443 site terminates on the router rather than being forwarded, many
# users behind one NAT address share a /32 and could trip it — confirm.
add action=add-src-to-address-list address-list=DOSattacker address-list-timeout=1d chain=input comment="Detect DoS attack" in-interface=ether1 connection-limit=20,32 log=yes protocol=tcp
# ICMP rate limiting: each rule accepts up to 5 packets/s with a burst of 5;
# packets above the limit are not dropped here but fall through to the later
# rules (new/invalid ones end in the "Drop Unsolicited WAN Traffic" rule).
# Types accepted: echo reply (0), destination unreachable port/fragmentation
# (3:3, 3:4), echo request (8), time exceeded (11). Other ICMP types reach the
# WAN drop rule unless some other rule accepts them.
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-0:0 and limit for 5pac/s" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=input in-interface=ether1 comment="suppress ping flood-11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5:packet protocol=icmp

#Drop Unsolicited Traffic from WAN
/ip firewall filter
# Last input rule for ether1: new, invalid and related are dropped; established
# traffic is accepted only implicitly, because no catch-all rule follows.
# NOTE(review): dropping "related" here also discards ICMP errors tied to the
# router's own outbound connections (beyond the ICMP types accepted above) and any
# helper-tracked related flows addressed to the router — confirm that is intended.
# The conventional pattern is accept established,related then drop invalid,new.
add action=drop chain=input comment="Drop Unsolicited WAN Traffic" connection-state=invalid,related,new in-interface=ether1

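####LAN Rules####
#Redirect clients in a specific interface-list (guest bridges) to our DNS Servers (OpenDNS), and prevent from using their own DNS Servers (Google, Comcast, etc) to bypass filtering
# Both UDP/53 and TCP/53 are redirected. The original rule covered UDP only, so a
# client resolving over TCP (or retrying a truncated answer over TCP) could still
# reach its own server and bypass the filter. Encrypted DNS (DoH on 443, DoT on
# 853) is not caught by either rule. Return traffic relies on the masquerade rule
# in the NAT section below.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Force guest DNS (UDP) to OpenDNS" dst-port=53 in-interface-list=list-guests protocol=udp to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="Force guest DNS (TCP) to OpenDNS" dst-port=53 in-interface-list=list-guests protocol=tcp to-addresses=208.67.222.222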

#Block Torrenting DNS Lookups
/ip firewall layer7-protocol
# The regexp is applied to the connection payload (here, DNS). The alternatives are
# plain substrings, so short tokens such as "kat" also match unrelated names (any
# domain containing "kat"); keep the token list tight and expect false positives.
# Layer7 inspects only the first packets/bytes of each connection and is
# CPU-costly. The trailing "\$" is "$" escaped for the RouterOS string parser.
add comment="P2P DNS Blocking" name=p2p_dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits|rarbg|torlock|kat|1337x).*\$"
/ip firewall mangle
# Marks matching packets "p2p download"; passthrough=no stops further mangle
# processing for them. NOTE(review): no rule on this page reads that packet mark —
# the drop below matches the layer7 protocol directly — so this rule only costs
# CPU unless something off-page consumes the mark.
add action=mark-packet chain=postrouting disabled=no layer7-protocol=p2p_dns new-packet-mark="p2p download" passthrough=no
/ip firewall filter
# Drops matched DNS traffic in forward; only lookups that traverse the router are
# affected (including those dst-nat'ed to OpenDNS above). Encrypted DNS (DoH/DoT)
# is invisible to this rule.
add action=drop chain=forward comment="Block P2P_dns Packets" disabled=no layer7-protocol=p2p_dns

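#Block basic Torrenting Traffic
/ip firewall filter
# One p2p rule is enough: the former "TORRENT No 1: Drop classic torrents" line
# repeated the same matcher (chain=forward, p2p=all-p2p, action=drop) and could
# never be reached. NOTE(review): the p2p matcher exists in RouterOS v6 only; it
# was removed in v7, where this line fails to import and the two heuristic rules
# below carry the load on their own.
add action=drop chain=forward comment="Block General P2P Connections" disabled=no p2p=all-p2p
# Mainline DHT "ping" (bencoded prefix d1:ad2:id20:) to ephemeral UDP ports, in the
# 95-190 byte size range typical of those messages.
add action=drop chain=forward comment="TORRENT No 2: Drop outgoing DHT" content=d1:ad2:id20: disabled=no dst-port=1025-65535 packet-size=95-190 protocol=udp
# Tracker announce by query-string token. On 443 the payload is TLS-encrypted, so
# only the 80/2710 part of this rule can ever match; the content scan on 443 is
# pure CPU cost.
add action=drop chain=forward comment="TORRENT No 3: Drop outgoing TCP announce" content="info_hash=" disabled=no dst-port=2710,80,443 protocol=tcp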

#Enable NAT for Web Translation (Should not have ETH1 and ETH2 bridged, use NAT to get your LAN to the WAN connection)
/ip firewall nat
# Source NAT for everything leaving ether1; the LAN and the guest DNS redirect both
# depend on it to reach the WAN. Masquerade picks the outgoing address dynamically;
# with a static WAN address, action=src-nat with an explicit to-addresses is the
# usual alternative (presumably cheaper on link flaps — verify for this release).
add action=masquerade chain=srcnat out-interface=ether1

#Detect Compromised Hosts (SMTP Outbound and NetBIOS Outbound)
# Still in /ip firewall filter. These sit after the established/related accept,
# so only new outbound connections are evaluated; log-prefix makes the events easy
# to pick out in the log or on a syslog target.
# NOTE(review): port=25 matches source OR destination port; dst-port=25 states the
# intent (outbound SMTP) precisely. Any internal mail server that relays directly
# on TCP/25 is blocked by this rule — confirm it uses a relay/submission port.
add action=drop chain=forward comment="Log and Drop potential compromised internal hosts" log=yes log-prefix=SMTP-25-VIOLATION out-interface=ether1 port=25 protocol=tcp
# NetBIOS session (139) and SMB (445) over TCP. UDP 137/138 (NetBIOS name and
# datagram services) are not covered by these rules.
add action=drop chain=forward comment="Log and Drop Netbios/SMB outbound" dst-port=139 log=yes log-prefix=NETBIOS-139-VIOLATION out-interface=ether1 protocol=tcp
add action=drop chain=forward dst-port=445 log=yes log-prefix=NETBIOS-445-VIOLATION out-interface=ether1 protocol=tcp
