Mengatasi system,error,critical login failure Mikrotik

Transkripsi

1 Mengatasi system,error,critical login failure Mikrotik Beberapa hari ini mikrotik di jaringan kami sering ada log merah yang tulisannya seperti berikut. echo: system,error,critical login failure for user master from via ssh > echo: system,error,critical login failure for user apache from via ssh > echo: system,error,critical login failure for user root from via ssh > echo: system,error,critical login failure for user root from via ssh > echo: system,error,critical login failure for user root from via ssh > echo: system,error,critical login failure for user root from via ssh > echo: system,error,critical login failure for user root from via ssh > echo: system,error,critical login failure for user admin from via ssh > echo: system,error,critical login failure for user admin from via ssh > echo: system,error,critical login failure for user admin from via ssh > echo: system,error,critical login failure for user admin from via ssh kalau di cek IP adressnya ternyata dari luar negri. Namun setelah googling kesana kemari ternyata katanya log itu adalah log penyusup atau bisa di bilang ada yang coba hack mikrtoik kita. Dari forum mikrotik ternyata ada solusi ampuh untuk mengatasi hal ini. Berikut Rulenya yang bisa anda pasang di mikrotik anda untuk mengamankan mikrotik anda dari penyusup. Ini adalah rule yang saya dapat dari forum mikrotik. in /ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"

2 add chain=output action=accept protocol=tcp content="530 Login incorrect" dstlimit=1/1m,9,dst-address/1m add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h Setelah rule di atas tambahkan juga rule dibawah ini in /ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list addresslist=ssh_blacklist address-list-timeout=10d comment="" add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list addresslist=ssh_stage3 address-list-timeout=1m comment="" add chain=input protocol=tcp dst-port=22 connection-state=new src-addresslist=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" add chain=input protocol=tcp dst-port=22 connection-state=new action=add-srcto-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" Setelah itu terakir tambahkan rule berikut. /ip firewall filter add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" Sumber Semoga bermanfaat

3 Khusus buat temen-temen yang mempunyai network server menggunakan MikroTik, bagaimana kalian mencegah user yang mencoba login mikrotik, metode ini biasa dikenal dengan istilah bruteforce yaitu metode mencoba menebak username dan password sampai berulang-ulang. Bruteforce login mengkombinasikan beberapa karakter, yang telah di ambil dari database dan mencoba login pada server mikrotik anda, metode ini tidak hanya bisa dilakukan pada mikrotik tapi hampir semua jenis authentication baik website atau sejenisnya yang tidak dilindungi oleh firewall khusus Bruteforce. Langsung aja, untuk mencegah Bruteforce login pada server mikrotik silahkan copy configurasi berikut : Block Bruteforce FTP login Spoiler: /ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers" add chain=output action=accept protocol=tcp content="530 Login incorrect" dstlimit=1/1m,9,dst-address/1m add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h Block SSH brute forcer login Spoiler: add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment=""

4 dan terkahir untuk memblock semua dari Ip yang didapatkan dari script diatas Spoiler: add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream"

5 Cara mencegah NetCut di jaringan hotspot mikrotik 1. pake winbox aja biar gampang. 2. masuk ke IP > DHCP Server 3. pilih konfigurasi DHCP yang digunakan untuk hotspot anda, kalo' saya, menggunakan settingan default DHCP aja 4. di sini saya cuma mengganti waktu sewa IP menjadi 1 hari 5. dan yang paling penting, aktifkan opsi Add ARP for Leases, opsi ini untuk mencegah ARP Spoofing oleh NetCut lebih aman lagi, drop semua paket ICMP pada firewall, jadi tambahin aja (soalnya pernah baca, kalo NetCut itu menggunakan ICMP untuk apanyaaa gitu, eh satu lagi, kalo rule ini diterapkan, jangan bingung ya, soalnya ping pasti ga bisa!!!!) /ip firewall filter add action=accept chain=input protocol=icmp comment="default configuration anti netcut, defaultnya accept" anti confliker / ip firewall filter add chain=forward protocol=udp src-port= action=drop comment=";;block W32.Kido - Conficker" add chain=forward protocol=udp dst-port= action=drop comment="" add chain=forward protocol=udp src-port=445 action=drop comment="" add chain=forward protocol=udp dst-port=445 action=drop comment="" add chain=forward protocol=tcp src-port= action=drop comment="" add chain=forward protocol=tcp dst-port= action=drop comment="" add chain=forward protocol=tcp src-port=445 action=drop comment="" add chain=forward protocol=tcp dst-port=445 action=drop comment="" add chain=forward protocol=tcp dst-port=4691 action=drop comment="" add chain=forward protocol=tcp dst-port=5933 action=drop comment="" add chain=forward protocol=udp dst-port=5355 action=drop comment="block LLMNR" add chain=forward protocol=udp dst-port=4647 action=drop comment="" add action=drop chain=forward comment="smtp Deny" protocol=tcp srcport=25 add action=drop chain=forward comment="" dst-port=25 protocol=tcp Melindungi FTP Server Mikrotik Anda / ip firewall filter add chain=input in-interface=hotspot protocol=tcp dst-port=21 src-addresslist=ftp_blacklist action=drop comment="ftp Blacklist" / ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dstlimit=1/1m,9,dst-address/1m comment="accept 10 incorrect logins per minute"

6 / ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h comment="add to blacklist" Ingat, urutan diatas harus tepat...tidak boleh tertukar-tukar... Mari kita bahas satu persatu dari rule-rule diatas... / ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop Rule pertama ini akan melakukan filtering untuk traffik yang berasal dari ether1 (silahkan dirubah sesuai kebutuhan), protocol TCP dengan port 21...dan IP asal traffik dicocokkan dengan addr-list ftp_blacklist (yang akan dicreate di rule berikutnya)... bila cocok / positif maka action drop akan dilakukan... Bila ada yang melakukan brute force attack untuk pertama kalinya, rule pertama ini tidak melakukan apa2...namun apabila IP-nya telah tercatat, maka akan langsung di Drop # accept 10 incorrect logins per minute / ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dstlimit=1/1m,9,dst-address/1m Rule ini bertindak sebagai pengawas, apakah dari IP tertentu telah melakukan Login secara Incorrect sebanyak 9 kali dalam jangka waktu 1 menit...jadi bila masih dalam batasan 9 kali dalam 1 menit maka masih akan diaccept...nah apabila telah melampaui 9 kali, maka rule ini tidak akan apply dan akan lanjut ke rule setelahnya yakni #add to blacklist add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=blacklist address-list-timeout=3h Rule ini akan menambahkan IP sang penyerang ke dalam addr-list bernama ftp_blacklist...hanya itu yang dilakukan rule ini... Nah, pada saat percobaan yang ke-11 serangan ini akan di Drop oleh Rule yang Pertama... dapet dari forum juga... moga bermanfaat

7 Setting Firewall Mikrotik Untuk Menangkal Virus dan Netcut Dalam artikel kali akan membahas terkait sistem firewall dalam mikrotik terkhusus untuk menangkal virus dan netcut dalam jaringan lokal (local network). Berbagai serangan baik dari jaringan lokal maupun global merupakan sesuatu hal yang mengganggu sistem dan informasi yang sifatnya privacy, olehnya para administrator jaringan dituntut lebih memahami bagaimana memanagement keamanan sistem dalam perangkat jaringannya. Terkhusus pada perangkat jaringan yang satu ini, mikrotik dalam sistemnya memberikan fasilitas firewall dalam menangkal berbagai serangan. Bagaimana melakukan hal tersebut, berikut listing kode untuk setting firewall menangkal virus dan netcut : 1. Untuk langkah pertama login ke sistem mikrotik menggunakan winbox loader 2. Pada menu mikrotik pilih New Terminal kemudian ketikkan atau copas kode dibawah ini : /ip firewall filter add action=accept chain=input dst-port=8291 protocol=tcp add action=drop chain=forward connection-state=invalid add action=drop chain=virus dst-port= protocol=tcp add action=drop chain=virus dst-port= protocol=tcp add action=drop chain=virus dst-port=445 protocol=tcp add action=drop chain=virus dst-port=445 protocol=udp add action=drop chain=virus dst-port=593 protocol=tcp add action=drop chain=virus dst-port= protocol=tcp add action=drop chain=virus dst-port=1080 protocol=tcp add action=drop chain=virus dst-port=1214 protocol=tcp add action=drop chain=virus dst-port=1363 protocol=tcp add action=drop chain=virus dst-port=1364 protocol=tcp add action=drop chain=virus dst-port=1368 protocol=tcp add action=drop chain=virus dst-port=1373 protocol=tcp add action=drop chain=virus dst-port=1377 protocol=tcp add action=drop chain=virus dst-port=2745 protocol=tcp add action=drop chain=virus dst-port=2283 protocol=tcp add action=drop chain=virus dst-port=2535 protocol=tcp add action=drop chain=virus dst-port=2745 protocol=tcp add action=drop chain=virus dst-port=3127 protocol=tcp add action=drop chain=virus dst-port=3410 protocol=tcp add action=drop chain=virus dst-port=4444 protocol=tcp add action=drop chain=virus dst-port=4444 protocol=udp add action=drop chain=virus dst-port=5554 protocol=tcp add action=drop chain=virus dst-port=8866 protocol=tcp add action=drop chain=virus dst-port=9898 protocol=tcp add action=drop chain=virus dst-port=10080 protocol=tcp add action=drop chain=virus dst-port=12345 protocol=tcp add action=drop chain=virus dst-port=17300 protocol=tcp add action=drop chain=virus dst-port=27374 protocol=tcp

8 add action=drop chain=virus dst-port=65506 protocol=tcp add action=jump chain=forward jump-rel="nofollow" target=virus add action=drop chain=input connection-state=invalid add action=accept chain=input protocol=udp add action=accept chain=input limit=50/5s,2 protocol=icmp add action=drop chain=input protocol=icmp add action=accept chain=input dst-port=21 protocol=tcp add action=accept chain=input dst-port=22 protocol=tcp add action=accept chain=input dst-port=23 protocol=tcp add action=accept chain=input dst-port=80 protocol=tcp add action=accept chain=input dst-port=8291 protocol=tcp add action=accept chain=input dst-port=1723 protocol=tcp add action=accept chain=input dst-port=23 protocol=tcp add action=accept chain=input dst-port=80 protocol=tcp add action=accept chain=input dst-port=1723 protocol=tcp add action=add-src-to-address-list address-list=ddos address-list-timeout=15s chain=input dst-port=1337 protocol=tcp add action=add-src-to-address-list address-list=ddos address-list-timeout=15m chain=input dst-port=7331 protocol=tcp src-address-list=knock add action=add-src-to-address-list address-list= port-scanners address-list-timeout=2w chain=input comment= port-scanner protocol=tcp psd=21,3s,3,1 add action=add-src-to-address-list address-list= port-scanners address-list-timeout=2w chain=input comment= SYN/FIN protocol=tcp tcp-flags=fin,syn add action=add-src-to-address-list address-list= port-scanners address-list-timeout=2w chain=input comment= SYN/RST protocol=tcp tcp-flags=syn,rst add action=add-src-to-address-list address-list= port-scanners address-list-timeout=2w chain=input comment= FIN/PSH/URG protocol=tcp tcp-flags=fin,psh,urg,!syn,! rst,!ack add action=add-src-to-address-list address-list= port-scanners address-list-timeout=2w chain=input comment= ALL/ALL scan protocol=tcp tcpflags=fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list= port-scanners address-list-timeout=2w chain=input comment= NMAP protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg add action=accept chain=input comment= ANTI-NETCUT dst-port= protocol=tcp src-address= add action=accept chain=input comment= ANTI-NETCUT dst-port= protocol=tcp src-address=

9 add action=accept chain=input comment= ANTI-NETCUT dst-port= protocol=tcp src-address= add action=accept chain=input comment= ANTI-NETCUT dst-port= protocol=tcp src-address= add action=accept chain=input comment= ANTI-NETCUT dst-port= protocol=tcp src-address= add action=accept chain=input comment= ANTI-NETCUT dst-port= protocol=tcp src-address= add action=accept chain=input comment= ANTI-NETCUT dst-port= protocol=tcp src-address= add action=accept chain=input comment= ANTI-NETCUT dst-port= protocol=tcp src-address= add action=accept chain=input comment= ANTI-NETCUT dst-port= protocol=tcp src-address=

10 Lindungi client dari virus dengan firewall di mikrotik Posted by mazumam on Jun 13, 2012 in Mikrotik, Networking, Tutorial 0 comments Untuk melindungi jaringan pelanggan, kita harus memeriksa semua traffic yang melewati router dan blok yang tidak diinginkan. Untuk lalu lintas udp icmp, tcp, kita akan menciptakan rantai, dimana semua paket yang tidak diinginkan akan dicabut. Untuk awal, kita bisa copy dan paste perintah berikut ke RouterOS terminal konsol: /ip firewall filter add chain=forward connection-state=established comment= allow established connections add chain=forward connection-state=related comment= allow related connections add chain=forward connection-state=invalid action=drop comment= drop invalid connections Selanjutnya, kita harus menyaring dan drop semua paket yang tidak diinginkan yang terlihat seperti berasal dari host yang terinfeksi virus /ip firewall filter add chain=virus protocol=tcp dst-port= action=drop comment= Drop Blaster Worm add chain=virus protocol=udp dst-port= action=drop comment= Drop Messenger Worm add chain=virus protocol=tcp dst-port=445 action=drop comment= Drop Blaster Worm add chain=virus protocol=udp dst-port=445 action=drop comment= Drop Blaster Worm add chain=virus protocol=tcp dst-port=593 action=drop comment= add chain=virus protocol=tcp dst-port= action=drop comment= add chain=virus protocol=tcp dst-port=1080 action=drop comment= Drop MyDoom add chain=virus protocol=tcp dst-port=1214 action=drop comment= add chain=virus protocol=tcp dst-port=1363 action=drop comment= ndm requester

11 add chain=virus protocol=tcp dst-port=1364 action=drop comment= ndm server add chain=virus protocol=tcp dst-port=1368 action=drop comment= screen cast add chain=virus protocol=tcp dst-port=1373 action=drop comment= hromgrafx add chain=virus protocol=tcp dst-port=1377 action=drop comment= cichlid add chain=virus protocol=tcp dst-port= action=drop comment= Worm add chain=virus protocol=tcp dst-port=2745 action=drop comment= Bagle Virus add chain=virus protocol=tcp dst-port=2283 action=drop comment= Drop Dumaru.Y add chain=virus protocol=tcp dst-port=2535 action=drop comment= Drop Beagle add chain=virus protocol=tcp dst-port=2745 action=drop comment= Drop Beagle.C- K add chain=virus protocol=tcp dst-port= action=drop comment= Drop MyDoom add chain=virus protocol=tcp dst-port=3410 action=drop comment= Drop Backdoor OptixPro add chain=virus protocol=tcp dst-port=4444 action=drop comment= Worm add chain=virus protocol=udp dst-port=4444 action=drop comment= Worm add chain=virus protocol=tcp dst-port=5554 action=drop comment= Drop Sasser add chain=virus protocol=tcp dst-port=8866 action=drop comment= Drop Beagle.B add chain=virus protocol=tcp dst-port=9898 action=drop comment= Drop Dabber.A- B add chain=virus protocol=tcp dst-port=10000 action=drop comment= Drop Dumaru.Y add chain=virus protocol=tcp dst-port=10080 action=drop comment= Drop MyDoom.B add chain=virus protocol=tcp dst-port=12345 action=drop comment= Drop NetBus add chain=virus protocol=tcp dst-port=17300 action=drop comment= Drop Kuang2 add chain=virus protocol=tcp dst-port=27374 action=drop comment= Drop SubSeven add chain=virus protocol=tcp dst-port=65506 action=drop comment= Drop PhatBot, Agobot, Gaobot add chain=forward action=jump jump-target=virus comment= jump to the virus chan sekian, semoga bermanfaat :)

12 Firewall Blokir Worm, Virus di Mikrotik Sejak munculnya serangan worm Conficker, Downandup, Kido secara sporadis ke seluruh jaringan internet di seluruh dunia membuat para network administrator dan security engineer kerepotan untuk menangkal dengan ulah cacing ganas ini, seperti kita ketahui OS windows tidak memiliki tingkat security yg baik serta memiliki banyak celah yang mudah ditembus karena cacat bawaan OS windows, default service Netbios dan SMB 445 yang tetap terbuka meskipun Windows udah dipatch, atau diupgrade Worm ini mampu mengubah/menambah fungsi internal windows (TCP) untuk memblok akses situs-situs keamanan (security/antivirus), dengan memfilter alamat yang mempunyai karakter/text tertentu. Dan untuk menghilangkan efek tersebut tidak mudah, karena boleh dibilang sudah tingkat low level programming. Worm ini didesign untuk melindungi diri dari deteksi antivirus dengan menggunakan teknik tertentu yang jarang digunakan, melindungi diri dari upaya untuk dihapus, mematikan windows update, restore point sebelum infeksi, mematikan trafik jaringan tertentu, mengoptimalkan fitur windows Vista untuk memudahkan penyebaran, mampu menginjeksi explorer.exe, svchost.exe dan services.exe dan lainnya. Situs-situs yang di blok cukup banyak, meliputi web yang menggunakan text seperti berikut ( bisa di blok atau selalu memunculkan pesan Time Out ketika membuka situsnya) : virus spyware malware rootkit defender microsoft symantec norton mcafee trendmicro sophos panda etrust f-secure kaspersky f-prot nod32 eset grisoft avast avira

13 comodo clamav norman pctools rising sunbelt threatexpert wilderssecurity windowsupdate avp avg Untuk mengatasi aksi si cacing ganas ini, kami sarankan gunakan fitur filter dari firewall yang sudah tersedia di Mikrotik Router, silahkan copy paste script blokir worm, virus berikut dari terminal/konsol di Mikrotik Router /ip firewall filter add chain=forward connection-state=established comment= allow established connections add chain=forward connection-state=related comment= allow related connections add chain=forward connection-state=invalid action=drop comment= drop invalid connections add chain=virus protocol=tcp dst-port= action=drop comment= Drop Blaster Worm add chain=virus protocol=udp dst-port= action=drop comment= Drop Messenger Worm add chain=virus protocol=tcp dst-port=445 action=drop comment= Drop Blaster Worm add chain=virus protocol=udp dst-port=445 action=drop comment= Drop Conficker Worm add chain=virus protocol=tcp dst-port=593 action=drop comment= Drop Kido Worm add chain=virus protocol=tcp dst-port= action=drop

14 comment= add chain=virus protocol=tcp dst-port=1080 action=drop comment= Drop MyDoom add chain=virus protocol=tcp dst-port=1214 action=drop comment= add chain=virus protocol=tcp dst-port=1363 action=drop comment= ndm requester add chain=virus protocol=tcp dst-port=1364 action=drop comment= ndm server add chain=virus protocol=tcp dst-port=1368 action=drop comment= screen cast add chain=virus protocol=tcp dst-port=1373 action=drop comment= hromgrafx add chain=virus protocol=tcp dst-port=1377 action=drop comment= cichlid add chain=virus protocol=tcp dst-port= action=drop comment= Worm add chain=virus protocol=tcp dst-port=2745 action=drop comment= Bagle Virus add chain=virus protocol=tcp dst-port=2283 action=drop comment= Drop Dumaru.Y add chain=virus protocol=tcp dst-port=2535 action=drop comment= Drop Beagle add chain=virus protocol=tcp dst-port=2745 action=drop comment= Drop Beagle.C-K add chain=virus protocol=tcp dst-port= action=drop comment= Drop MyDoom add chain=virus protocol=tcp dst-port=3410 action=drop comment= Drop Backdoor OptixPro add chain=virus protocol=tcp dst-port=4444 action=drop comment= Worm add chain=virus protocol=udp dst-port=4444 action=drop comment= Worm add chain=virus protocol=tcp dst-port=5554 action=drop comment= Drop Sasser add chain=virus protocol=tcp dst-port=8866 action=drop comment= Drop Beagle.B add chain=virus protocol=tcp dst-port=9898 action=drop comment= Drop Dabber.A-B add chain=virus protocol=tcp dst-port=10000 action=drop comment= Drop Dumaru.Y add chain=virus protocol=tcp dst-port=10080 action=drop comment= Drop MyDoom.B add chain=virus protocol=tcp dst-port=12345 action=drop comment= Drop NetBus add chain=virus protocol=tcp dst-port=17300 action=drop comment= Drop Kuang2 add chain=virus protocol=tcp dst-port=27374 action=drop comment= Drop SubSeven add chain=virus protocol=tcp dst-port=65506 action=drop comment= Drop PhatBot, Agobot, Gaobot Agar script filter firewall ini bisa bekerja secara optimal dan akurat memblokir worm, virus maka tambahkan rule baru chain=forward dari list virus dan action=jump add chain=forward action=jump jump-target=virus comment= jump to the virus chain

15 Sehingga nampak bisa dilihat pada gambar, apabila paket atau koneksi yang berjalan tidak sesuai dengan rule chain=virus maka segera diproses kembali ke chain=forward, selamat mencoba

16 Cara Block SSH FTP Brute Force MikroTik Posted by: Adam Rachmad October 9, 2013 in Mikrotik 0 Comments Block SSH FTP Brute Force MikroTik, tehnik setting mikrotik bwt block SSH FTP Brute Force. Apaan tuh gan? itu kyk ada yg coba untuk masuk / menebak username password mikrotik agan. Dia nyoba secara ngacak buat nemuin username password mikrotik agan, biasanya target username yg biasanya dipake ngasal kyk username: admin password: Gimana cara liat or taunya gan? liat gambar Log mikrotik di bawah : Itu indikasi bahwa ada yg mao coba2 login pake username ngacak via SSH mikrotik agan. Biasanya kejadian gini kalo router mikrotik agan punya IP Public / di cloud internet. Cara Block Brute Force di MikroTik Langsung hajar gan pake setting setting firewall mikrotik mikrotik ni : /ip firewall filter add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol= tcp add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3 add action=add-src-to-address-list address-list=ssh_stage3 address-listtimeout= 1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2

17 add action=add-src-to-address-list address-list=ssh_stage2 address-listtimeout= 1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1 add action=add-src-to-address-list address-list=ssh_stage1 address-listtimeout= 1m chain=input connection-state=new dst-port=22 protocol=tcp Dijelasin dikit yak pake bahasa ane ^_^ Buat yg coba hack via FTP bruteforce, setting mikrotik ini nangkep by IP yang 10x salah login / FTP login incorrect per menit. IP yg ketangkep dimasukin di address-list=ftp_blacklist dan semuanya akan di drop. Yg coba hack via SSH bruteforce, setting mikrotik ini nangkep IP yang coba login dan salah terus. IP yg ketangkep dimasukin di address-list=ssh_blacklist dan semuanya akan di drop. Contoh IP-IP nakal yang busted! 39 IP (o_o) Referensi : Bruteforce login prevention (FTP & SSH)

18 Firewall untuk router mikrotik Written by Thursday, 09 November 2006 Untuk mengamankan router mikrotik dari traffic virus dan excess ping dapat digunakan skrip firewall berikut Pertama buat address-list "ournetwork" yang berisi alamat IP radio, IP LAN dan IP WAN atau IP lainnya yang dapat dipercaya Dalam contoh berikut alamat IP radio adalah = /16, IP LAN = /24 dan IP WAN = /21 dan IP lainnya yang dapat dipercaya = Untuk membuat address-list dapat menggunakan contoh skrip seperti berikut ini tinggal disesuaikan dengan konfigurasi jaringan Anda. Buat skrtip berikut menggunakan notepad kemudian copy-paste ke console mikrotik / ip firewall address-list add list=ournetwork address= /21 comment="datautama Network" add list=ournetwork address= /16 comment="ip Radio" add list=ournetwork address= /24 comment="lan Network" Selanjutnya copy-paste skrip berikut pada console mikrotik / ip firewall filter add chain=forward connection-state=established action=accept comment="allow established connections" add chain=forward connection-state=related action=accept comment="allow related connections" add chain=virus protocol=udp dst-port= action=drop comment="drop Messenger Worm" add chain=forward connection-state=invalid action=drop comment="drop invalid connections" add chain=virus protocol=tcp dst-port= action=drop comment="drop Blaster Worm" add chain=virus protocol=tcp dst-port= action=drop comment="worm" add chain=virus protocol=tcp dst-port=445 action=drop comment="drop Blaster Worm" add chain=virus protocol=udp dst-port=445 action=drop comment="drop Blaster Worm" add chain=virus protocol=tcp dst-port=593 action=drop comment=" "

19 add chain=virus protocol=tcp dst-port= action=drop comment=" " add chain=virus protocol=tcp dst-port=1080 action=drop comment="drop MyDoom" add chain=virus protocol=tcp dst-port=1214 action=drop comment=" " add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" add chain=virus protocol=tcp dst-port=2745 action=drop comment="bagle Virus" add chain=virus protocol=tcp dst-port=2283 action=drop comment="drop Dumaru.Y" add chain=virus protocol=tcp dst-port=2535 action=drop comment="drop Beagle" add chain=virus protocol=tcp dst-port=2745 action=drop comment="drop Beagle.C-K" add chain=virus protocol=tcp dst-port=3127 action=drop comment="drop MyDoom" add chain=virus protocol=tcp dst-port=3410 action=drop comment="drop Backdoor OptixPro" add chain=virus protocol=tcp dst-port=4444 action=drop comment="worm" add chain=virus protocol=udp dst-port=4444 action=drop comment="worm" add chain=virus protocol=tcp dst-port=5554 action=drop comment="drop Sasser" add chain=virus protocol=tcp dst-port=8866 action=drop comment="drop Beagle.B" add chain=virus protocol=tcp dst-port=9898 action=drop comment="drop Dabber.A-B" add chain=virus protocol=tcp dst-port=10000 action=drop comment="drop Dumaru.Y, sebaiknya di didisable karena juga sering digunakan utk vpn atau webmin" disabled=yes add chain=virus protocol=tcp dst-port=10080 action=drop comment="drop MyDoom.B" add chain=virus protocol=tcp dst-port=12345 action=drop comment="drop NetBus" add chain=virus protocol=tcp dst-port=17300 action=drop comment="drop Kuang2" add chain=virus protocol=tcp dst-port=27374 action=drop comment="drop

20 SubSeven" add chain=virus protocol=tcp dst-port=65506 action=drop comment="drop PhatBot, Agobot, Gaobot" add chain=forward action=jump jump-target=virus comment="jump to the virus chain" add chain=input connection-state=established action=accept comment="accept established connections" add chain=input connection-state=related action=accept comment="accept related connections" add chain=input connection-state=invalid action=drop comment="drop invalid connections" add chain=input protocol=udp action=accept comment="udp" add chain=input protocol=icmp limit=50/5s,2 action=accept comment="allow limited pings" add chain=input protocol=icmp action=drop comment="drop excess pings" add chain=input protocol=tcp dst-port=21 src-address-list=ournetwork action=accept comment="ftp" add chain=input protocol=tcp dst-port=22 src-address-list=ournetwork action=accept comment="ssh for secure shell" add chain=input protocol=tcp dst-port=23 src-address-list=ournetwork action=accept comment="telnet" add chain=input protocol=tcp dst-port=80 src-address-list=ournetwork action=accept comment="web" add chain=input protocol=tcp dst-port=8291 src-address-list=ournetwork action=accept comment="winbox" add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp-server" add chain=input src-address-list=ournetwork action=accept comment="from Datautama network" add chain=input action=log log-prefix="drop INPUT" comment="log everything else" add chain=input action=drop comment="drop everything else" Efek dari skrip diatas adalah: 1. router mikrotik hanya dapat diakses FTP, SSH, Web dan Winbox dari IP yang didefinisikan dalam address-list "ournetwork" sehingga tidak bisa diakses dari sembarang tempat. 2. Port-port yang sering dimanfaatkan virus di blok sehingga traffic virus tidak dapat dilewatkan, tetapi perlu diperhatikan jika ada user yang kesulitan mengakses service tertentu harus dicek pada chain="virus" apakah port yang dibutuhkan user tersebut terblok oleh firewall. 3. Packet ping dibatasi untuk menghindari excess ping. Selain itu yang perlu diperhatikan adalah: sebaiknya buat user baru dan password dengan group full kemudian disable user admin, hal ini untuk meminimasi resiko mikrotik Anda di hack orang.

21 Selamat mencoba