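/ip firewall filter
# --- Port-scan detection (chain=input) ---
# These rules only record the source address in the "port-scanners" list for
# two weeks; add-src-to-address-list does not drop the packet.  Enforcement is
# the /ip firewall raw prerouting rule that drops src-address-list=port-scanners.
# Scoped to in-interface-list=WAN so an internal vulnerability scanner or
# monitoring host is not blacklisted; the raw drop is WAN-only as well, so the
# detection and the enforcement now cover the same interfaces.
# NOTE(review): a single flagged TCP packet needs no handshake, so every rule
# below can be triggered with a forged source address.  An attacker can get a
# third party (upstream resolver, VPN peer, ISP gateway) listed for 2w.  If that
# matters, exclude a trusted address list from the raw drop or shorten the
# timeout.
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w chain=input comment="Port-scanners to list " in-interface-list=WAN protocol=tcp psd=21,3s,3,1
# FIN without ACK never occurs on a legitimate connection (nmap -sF).
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" in-interface-list=WAN protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
# SYN+FIN and SYN+RST are contradictory flag combinations.
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" in-interface-list=WAN protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w chain=input comment="SYN/RST scan" in-interface-list=WAN protocol=tcp tcp-flags=syn,rst
# FIN+PSH+URG without SYN/RST/ACK is the XMAS scan (nmap -sX).
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" in-interface-list=WAN protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
# All six flags set, and no flags set (nmap -sN), are both invalid segments.
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w chain=input comment="ALL/ALL scan" in-interface-list=WAN protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" in-interface-list=WAN protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# --- Router's own DNS resolver is not reachable from WAN ---
# Prevents the router from acting as an open resolver (amplification abuse).
add action=drop chain=input comment=DNS-DENY dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment=DNS-DENY dst-port=53 in-interface-list=WAN protocol=udp
# --- Flood indicators on forwarded WAN traffic ---
# connection-limit=N,32 matches once a single /32 source holds more than N
# connections to the port; this only applies to traffic that is forwarded from
# WAN, i.e. services published through dst-nat.  Entries are dynamic and live
# until reboot (none-dynamic).  Nothing in this listing references the
# !_*-flood lists, so they are telemetry only until a drop/tarpit rule consumes
# them, and they grow without bound until the router restarts.
add action=add-src-to-address-list address-list=!_dns-flood address-list-timeout=none-dynamic chain=forward comment=DNS_Flood connection-limit=100,32 dst-port=53 in-interface-list=WAN protocol=udp
add action=add-src-to-address-list address-list=!_smb-flood address-list-timeout=none-dynamic chain=forward comment=SMB_Flood connection-limit=100,32 dst-port=445 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=!_telnet-flood address-list-timeout=none-dynamic chain=forward comment=Telnet_Flood connection-limit=20,32 dst-port=23 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=!_ssh-flood address-list-timeout=none-dynamic chain=forward comment=SSH_Flood connection-limit=20,32 dst-port=22 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=!_snpp-flood address-list-timeout=none-dynamic chain=forward comment=SNPP_Flood connection-limit=20,32 dst-port=444 in-interface-list=WAN protocol=tcp
# Port 4444 is the default Metasploit handler port; inbound hits are only an
# indicator, not proof of compromise.
add action=add-src-to-address-list address-list=!_msf-indication address-list-timeout=none-dynamic chain=forward comment=Metasploit_Indication connection-limit=20,32 dst-port=4444 in-interface-list=WAN protocol=tcp
# --- Large-transfer logging ---
# connection-bytes=N-0 is the documented open-ended form for "at least N bytes
# transferred on this connection"; a bare single value is ambiguous.  Once a
# connection crosses the threshold every further packet of it matches, so the
# rate limit (1 entry/s, burst 5) keeps one big download from flooding the log.
# action=log already writes the entry, so the separate log=yes flag is dropped.
add action=log chain=forward comment=Abnormal_Traffic connection-bytes=80000000-0 in-interface-list=WAN limit=1,5:packet log-prefix=!_Abnormal-Traffic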
После этого блокируем адреса из списка port-scanners в таблице RAW (chain=prerouting — до connection tracking, чтобы пакеты сканера не занимали conntrack и не доходили до цепочек filter):
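/ip firewall raw
# Enforcement for the detection rules in /ip firewall filter: every packet
# arriving on a WAN interface from an address in "port-scanners" is dropped in
# prerouting, before connection tracking and before the input/forward chains,
# so a listed host cannot consume conntrack entries or reach any filter rule.
# The list itself is filled by the add-src-to-address-list rules (2w timeout);
# this rule must sit above any accept rule in raw/prerouting.
# The comment= attribute makes the rule self-describing in Winbox/WebFig.
add action=drop chain=prerouting comment="Drop listed port-scanners before conntrack" in-interface-list=WAN src-address-list=port-scanners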
Правила детектирования сканов в /ip firewall filter надо поднять на самый верх цепочки input — выше правил `accept connection-state=established,related` и особенно выше `drop connection-state=invalid`: пакеты NULL/FIN/XMAS/SYN+FIN-сканов для connection tracking являются invalid и иначе будут отброшены раньше, чем дойдут до правил с add-src-to-address-list. Правило в RAW точно так же должно стоять выше любых accept в prerouting.