April 3, 2017

RouterOS Port Knocking

This RouterOS firewall setup serves the same purpose as Fail2Ban on Linux: it counts repeated connection attempts to the router's own management services (FTP 21, SSH 22, Telnet 23, WinBox 8291) by walking the source address up a chain of timed address lists, and blocks the address for a day once it has made too many attempts in a short window. A separate port-scan-detection rule (psd) blacklists scanning hosts for a year. The configuration is as follows:
/ip firewall filter
# Port-scan detection: weight threshold 21 within 3 s, low ports (<1024) weigh 3, high ports 1.
# Matching sources go into drop_scan_ip for 52w1d (one year) and are dropped by the next rule.
add action=add-src-to-address-list address-list=drop_scan_ip address-list-timeout=52w1d chain=input comment=ip_scan protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=drop_scan_ip src-address-list=drop_scan_ip
# Drop every TCP packet to the management ports from sources already in login_error_ip.
add action=drop chain=input dst-port=21,22,23,8291 protocol=tcp src-address-list=login_error_ip
# Escalation ladder: listed highest tier first because RouterOS evaluates top-down and
# add-src-to-address-list does not stop processing. Each new connection promotes the
# source one tier; tiers 1-4 expire after 30 s, tier 5 after 1d30s, the final block after 1d.
add action=add-src-to-address-list address-list=login_error_ip address-list-timeout=1d chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login5
add action=add-src-to-address-list address-list=ros_service_login5 address-list-timeout=1d30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login4
add action=add-src-to-address-list address-list=ros_service_login4 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login3
add action=add-src-to-address-list address-list=ros_service_login3 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login2
add action=add-src-to-address-list address-list=ros_service_login2 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=ros_service_login1
# Entry point: any new connection from outside the LAN ranges below starts at tier 1.
add action=add-src-to-address-list address-list=ros_service_login1 address-list-timeout=30s chain=input connection-state=new dst-port=21,22,23,8291 protocol=tcp src-address-list=!Lan_ip

# RFC 1918 ranges that are exempt from the ladder.
/ip firewall address-list
add address=172.16.0.0/12 list=Lan_ip
add address=192.168.0.0/16 list=Lan_ip
add address=10.0.0.0/8 list=Lan_ip

Blocking rule logic

RouterOS walks the input chain from top to bottom, and add-src-to-address-list does not end processing, so one packet can match several of the add rules in a single pass. The first new TCP connection to a management port from an address outside Lan_ip (src-address-list=!Lan_ip) puts the source into ros_service_login1 for 30 seconds. Each further new connection that arrives while the previous entry is still live promotes the address one tier (login2, login3, login4, each with a 30-second timeout); the fifth tier, ros_service_login5, lasts 1d30s, and the sixth connection copies the address into login_error_ip for one day. From then on the drop rule near the top of the chain discards every TCP packet to ports 21, 22, 23 and 8291 from that address. In practice an attacker gets six connections and the seventh is dropped, provided each attempt comes within 30 seconds of the previous one; an attacker who spaces attempts more than 30 seconds apart never leaves tier 1. The rule order matters: the higher tiers are listed first so that a single connection cannot cascade through all of them at once. Independently of the ladder, psd=21,3s,3,1 (weight threshold 21 reached within 3 seconds, ports below 1024 weighing 3 and higher ports 1) places port scanners in drop_scan_ip for 52w1d and the next rule drops them.

Two caveats before deploying this. The firewall counts new TCP connections, not failed logins: one SSH session that cycles through many passwords counts once, while an administrator who opens several WinBox or SSH sessions in quick succession from outside Lan_ip locks himself out for a day. And chain=input only protects the router itself; hosts behind it need their own rules in the forward chain.

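To make the timing of the ladder concrete, here is a small simulation of the rule chain above, written as an added illustration for this post; it is not RouterOS code. It assumes three things the page does not state explicitly: that add-src-to-address-list is non-terminating so a packet keeps matching rules below it, that re-adding an address already in a list refreshes its timeout, and that only new TCP connections to the management ports are fed in (the psd rule and drop_scan_ip are left out). The traffic samples are constructed.

```python
"""Simulate the RouterOS address-list escalation ladder from the post.

Added illustration, not RouterOS code.  Assumptions not stated on the page:
  * add-src-to-address-list does not stop rule processing, so one packet can
    match several add rules on its way down the chain;
  * re-adding an address that is already listed refreshes its timeout;
  * only new TCP connections to the management ports are fed in.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

LAN_IP = [ipaddress.ip_network(n) for n in ("172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8")]
MGMT_PORTS = {21, 22, 23, 8291}

# Rules in the order the post adds them (RouterOS evaluates top-down).
# (source list that must match, list to add the source to, timeout in seconds);
# a target of None means "drop".  A leading "!" negates the match, as in the config.
RULES: List[Tuple[str, Optional[str], int]] = [
    ("login_error_ip",     None,                 0),
    ("ros_service_login5", "login_error_ip",     86400),   # 1d
    ("ros_service_login4", "ros_service_login5", 86430),   # 1d30s
    ("ros_service_login3", "ros_service_login4", 30),
    ("ros_service_login2", "ros_service_login3", 30),
    ("ros_service_login1", "ros_service_login2", 30),
    ("!Lan_ip",            "ros_service_login1", 30),
]


class Firewall:
    def __init__(self) -> None:
        # dynamic address lists: list name -> source IP -> expiry time (seconds)
        self.lists: Dict[str, Dict[str, float]] = {}

    def _member(self, name: str, ip: str, now: float) -> bool:
        if name == "Lan_ip":  # static list from /ip firewall address-list
            return any(ipaddress.ip_address(ip) in net for net in LAN_IP)
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def _add(self, name: str, ip: str, now: float, timeout: int) -> None:
        # assumption: adding an address that is already present refreshes its timeout
        self.lists.setdefault(name, {})[ip] = now + timeout

    def lists_holding(self, ip: str, now: float) -> List[str]:
        """Dynamic lists that currently contain ip (expired entries are ignored)."""
        return sorted(n for n in self.lists if self._member(n, ip, now))

    def new_tcp(self, src_ip: str, dst_port: int, now: float) -> str:
        """Walk the input chain for one new TCP connection; returns 'accept' or 'drop'."""
        if dst_port not in MGMT_PORTS:
            return "accept"
        for match, target, timeout in RULES:
            negate = match.startswith("!")
            if self._member(match.lstrip("!"), src_ip, now) == negate:
                continue  # rule does not match, fall through to the next one
            if target is None:
                return "drop"
            self._add(target, src_ip, now, timeout)  # non-terminating action, keep walking
        return "accept"


def replay(attempts: List[Tuple[float, str, int]]) -> Tuple[List[str], Firewall]:
    """Feed (time, src_ip, dst_port) events through a fresh firewall."""
    fw = Firewall()
    return [fw.new_tcp(ip, port, t) for t, ip, port in attempts], fw


# Constructed traffic: TEST-NET-3 address for the attacker, RFC 1918 for the LAN admin.
FAST_ATTACKER = [(t, "203.0.113.5", 22) for t in range(0, 35, 5)]     # 7 tries, 5 s apart
SLOW_ATTACKER = [(t, "203.0.113.5", 22) for t in range(0, 280, 40)]   # 7 tries, 40 s apart
LAN_ADMIN = [(t, "192.168.1.10", 8291) for t in range(0, 35, 5)]
# Same attacker, back the moment its one-day login_error_ip entry has lapsed.
RETURNING = FAST_ATTACKER + [(86425, "203.0.113.5", 22), (86426, "203.0.113.5", 22)]

if __name__ == "__main__":
    for name, traffic in [("fast", FAST_ATTACKER), ("slow", SLOW_ATTACKER),
                          ("lan", LAN_ADMIN), ("returning", RETURNING)]:
        decisions, fw = replay(traffic)
        last_t, last_ip, _ = traffic[-1]
        print(f"{name:9s} {' '.join(d[0] for d in decisions)}  "
              f"lists now: {fw.lists_holding(last_ip, last_t)}")
```

The fast attacker gets six accepted connections and is dropped on the seventh; the slow one is re-added to tier 1 every time and never escalates; the LAN admin is never listed at all. The RETURNING trace shows why ros_service_login5 is given 30 seconds more than login_error_ip: an address that reconnects inside that window is still in tier 5, so a single connection puts it straight back into login_error_ip for another day.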
Blocking results

