Drop port scanners - Revision history<br />
https://wiki.mikrotik.com/index.php?title=Drop_port_scanners&feed=atom&action=history<br />
2024-03-28T20:55:09Z<br />
Revision history for this page on the wiki (MediaWiki 1.38.2)<br />
https://wiki.mikrotik.com/index.php?title=Drop_port_scanners&diff=5611&oldid=prev<br />
Normis at 11:02, 16 October 2007 (2007-10-16T11:02:23Z)<p></p>
<p><b>New page</b></p><div>To protect the router from port scanners, we can record the IPs of hackers who try to scan your box. Using this address list, we can drop connections from those IPs.<br />
<br />
In '''/ip firewall filter''':<br />
<br />
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" \<br />
address-list-timeout=2w comment="Port scanners to list " disabled=no<br />
<br />
Various combinations of TCP flags can also indicate port scanner activity.<br />
<br />
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \<br />
action=add-src-to-address-list address-list="port scanners" \<br />
address-list-timeout=2w comment="NMAP FIN Stealth scan"<br />
<br />
add chain=input protocol=tcp tcp-flags=fin,syn \<br />
action=add-src-to-address-list address-list="port scanners" \<br />
address-list-timeout=2w comment="SYN/FIN scan"<br />
<br />
add chain=input protocol=tcp tcp-flags=syn,rst \<br />
action=add-src-to-address-list address-list="port scanners" \<br />
address-list-timeout=2w comment="SYN/RST scan"<br />
<br />
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \<br />
action=add-src-to-address-list address-list="port scanners" \<br />
address-list-timeout=2w comment="FIN/PSH/URG scan"<br />
<br />
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \<br />
action=add-src-to-address-list address-list="port scanners" \<br />
address-list-timeout=2w comment="ALL/ALL scan"<br />
<br />
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \<br />
action=add-src-to-address-list address-list="port scanners" \<br />
address-list-timeout=2w comment="NMAP NULL scan"<br />
<br />
Then you can drop those IPs:<br />
<br />
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no<br />
<br />
Similarly, you can drop these port scanners in the forward chain by using the above rules with "chain=forward".<br />
<br />
[[Category:Firewall]]</div>Normis<br />
https://wiki.mikrotik.com/index.php?title=Drop_port_scanners&diff=349&oldid=prev<br />
Rieks: Spelling error fix<br />
2005-12-30T13:12:53Z<p>Spelling error fix</p>
<p><b>New page</b></p><div>To protect the router from port scanners, we can record the IPs of hackers who try to scan your box. Using this address list, we can drop connections from those IPs.<br />
<br />
In '''/ip firewall filter''':<br />
<br />
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" \<br />
address-list-timeout=2w comment="Port scanners to list " disabled=no<br />
<br />
Then you can drop those IPs:<br />
<br />
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no<br />
<br />
Similarly, you can drop these port scanners in the forward chain by using the above rules with "chain=forward".</div>Rieks