Note: enter `/ip firewall filter` in the Terminal window before copying and pasting the rules below.

Sources that probe many ports are put on the "port scanners" address list for two weeks. `psd=21,3s,3,1` is the RouterOS port-scan detector: a weight threshold of 21 reached within a 3 s delay window, with low ports weighted 3 and high ports weighted 1:

```
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
```

Various combinations of TCP flags can also indicate port scanner activity:

```
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
```

# Drop those IPs in both Input & Forward chains:

The list is then dropped on both chains, and the input chain is closed with the usual connection-state rules. `Speedy` is an interface name on the author's router; substitute your own:

```
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input src-address=192.168.1.0/24 action=accept in-interface=!Speedy
add chain=input action=drop comment="Drop everything else"
```

Rule order matters: a chain is evaluated top-down and "Drop everything else" has no match conditions, so any input rule placed after it (including the SSH, FTP and ICMP rules below if they are pasted afterwards) is never reached. Use `/ip firewall filter move` to reposition a rule rather than re-adding it.

# Ban an SSH brute forcer for 10 days after repetitive attempts:

Each new connection to port 22 moves the source one stage up (`ssh_stage1`, `ssh_stage2`, `ssh_stage3`, each held for one minute); a further new connection while the source is still on `ssh_stage3` places it on `ssh_blacklist` for 10 days, and blacklisted sources are dropped in both the input and forward chains. Keep the stage rules in this order, highest stage first, because each new connection is matched top-down:

```
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no
```

# Allow only 10 incorrect FTP logins per minute:

The output chain lets through at most ten "530 Login incorrect" replies per destination address per minute (`dst-limit=1/1m,9,dst-address/1m` is a rate of one per minute with a burst of nine); any reply beyond that puts the client on `ftp_blacklist` for three hours, and its connections to port 21 are dropped:

```
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
```

# Allow only the needed ICMP types and codes in the icmp chain:

`icmp` is a custom chain, so these rules only run if the input (and, if wanted, forward) chain hands ICMP traffic to it with a rule whose action is `jump` and whose `jump-target` is `icmp`; that jump rule is not among the rules below, so add it yourself:

```
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
```

# Block Winbox scanning and MikroTik neighbour discovery

Apart from protecting the router from viruses with the MikroTik firewall configuration, the network administrator can also protect the router from Winbox scanning and neighbour discovery.
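The two ordering mistakes that silently disable the filter rules above (an `add-src-to-address-list` rule placed behind a catch-all `drop` in the same chain, and a custom chain such as `icmp` that no rule jumps to) can be caught before pasting. The following checker is an added example, not code from the page or from MikroTik: `parse_rules` and `lint` are constructed here, and the sample rule set is a constructed subset of the page's rules, deliberately in a wrong order.

```python
import shlex

# Constructed sample: a subset of the page's rules with the catch-all drop placed
# before the tcp-flags rule, and an icmp chain that nothing jumps to.
SAMPLE_RULES = """
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners"
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input action=drop comment="Drop everything else"
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp action=drop comment="deny all other types"
"""

# Keys that do not narrow what a rule matches; a rule with only these is a catch-all.
NON_MATCH_KEYS = {"chain", "action", "comment", "disabled", "log", "log-prefix"}
TERMINAL_ACTIONS = {"drop", "accept", "reject", "tarpit"}
BUILTIN_CHAINS = {"input", "forward", "output"}

def parse_rules(text):
    """Turn `add key=value ...` lines into dicts; shlex honours the quoted values."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def lint(rules):
    """Return findings: rules shadowed by an earlier catch-all, then orphan chains."""
    findings = []
    closed = set()  # chains in which a catch-all terminal rule has already been seen
    for index, rule in enumerate(rules, 1):
        chain = rule.get("chain", "")
        if chain in closed:
            findings.append(f"rule {index} ({rule.get('comment', '')!r}) in chain "
                            f"{chain} is unreachable: a catch-all terminal rule precedes it")
            continue
        if not (set(rule) - NON_MATCH_KEYS) and rule.get("action") in TERMINAL_ACTIONS:
            closed.add(chain)
    jumped_to = {r["jump-target"] for r in rules if r.get("action") == "jump" and "jump-target" in r}
    for chain in sorted({r.get("chain", "") for r in rules} - BUILTIN_CHAINS - jumped_to):
        findings.append(f"chain {chain} is never jumped to, so its rules never run")
    return findings
```

Run `lint(parse_rules(open("export.rsc").read()))` over a `/ip firewall filter export` file to check a live rule set the same way.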