RouterOS (ROS) basic defense settings
https://blog.csdn.net/wdhqwe520/article/details/90737291
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="Port scanners to list " disabled=no
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP FIN Stealth scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/RST scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="FIN/PSH/URG scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="ALL/ALL scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP NULL scan"
/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
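Added example, not from the original note or from MikroTik: a small Python model of how RouterOS evaluates the tcp-flags matchers in the rules above. In that syntax, flags listed plainly must be set, flags prefixed with "!" must be clear, and flags not mentioned are ignored; because add-src-to-address-list does not stop rule processing, one probe can match several of these rules, which the classifier reports in rule order. The probe packets are constructed, and the psd rule is not modelled.

```python
"""Added example (not from the original note): evaluate RouterOS tcp-flags
matchers against constructed TCP flag sets and report which of the note's
scan-detection rules each probe would trigger."""

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# The tcp-flags matchers from the note, in rule order, with their comments.
SCAN_RULES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan", "fin,syn"),
    ("SYN/RST scan", "syn,rst"),
    ("FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]


def parse_tcp_flags(spec):
    """Split a RouterOS tcp-flags value into (must_be_set, must_be_clear)."""
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        token = token.strip()
        negate = token.startswith("!")
        name = token[1:] if negate else token
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name}")
        (must_clear if negate else must_set).add(name)
    if must_set & must_clear:
        raise ValueError("flag listed as both set and clear")
    return must_set, must_clear


def flags_match(spec, packet_flags):
    """True when a packet carrying exactly packet_flags satisfies the matcher.

    Flags the matcher does not mention may be set or clear."""
    must_set, must_clear = parse_tcp_flags(spec)
    packet_flags = set(packet_flags)
    return must_set <= packet_flags and not (must_clear & packet_flags)


def classify(packet_flags):
    """Return the comments of every scan rule the packet would trigger.

    add-src-to-address-list is non-terminating in RouterOS, so a packet can
    hit more than one rule; all matches are reported in rule order."""
    return [name for name, spec in SCAN_RULES if flags_match(spec, packet_flags)]


# Constructed probes: a normal handshake SYN, a FIN-only probe, a NULL probe,
# an Xmas-style probe, a SYN+FIN probe and a packet with every flag set.
SAMPLE_PACKETS = {
    "normal syn": {"syn"},
    "fin only": {"fin"},
    "null": set(),
    "xmas": {"fin", "psh", "urg"},
    "syn+fin": {"syn", "fin"},
    "all flags": set(TCP_FLAGS),
}

if __name__ == "__main__":
    for label, flags in SAMPLE_PACKETS.items():
        print(f"{label:>10}: {classify(flags) or ['no scan rule matched']}")
```

A plain handshake SYN matches none of the six rules, which is the property that keeps legitimate clients off the "port scanners" list; a packet with every flag set matches three rules at once, so its source is added to the list three times over, which is harmless because the list is keyed by address.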
After 3 failed PPTP/OpenVPN/L2TP logins within one minute, the 4th login is blocked outright.
https://www.mobile01.com/topicdetail.php?f=110&t=3205444&p=165
/ip firewall filter
add action=drop chain=input comment="PPTP/OpenVPN/L2TP/WINBOX" src-address-list=login_blacklist
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=2w chain=input connection-state=new dst-address-type=local dst-port=8291,1723,1195 protocol=tcp src-address-list=login_stage3
add action=add-src-to-address-list address-list=login_stage3 address-list-timeout=1m chain=input connection-state=new dst-address-type=local dst-port=8291,1723,1195 protocol=tcp src-address-list=login_stage2
add action=add-src-to-address-list address-list=login_stage2 address-list-timeout=1m chain=input connection-state=new dst-address-type=local dst-port=8291,1723,1195 protocol=tcp src-address-list=login_stage1
add action=add-src-to-address-list address-list=login_stage1 address-list-timeout=1m chain=input connection-state=new dst-address-type=local dst-port=8291,1723,1195 protocol=tcp
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=2w chain=input connection-state=new dst-address-type=local dst-port=1701 protocol=udp src-address-list=login_stage3
add action=add-src-to-address-list address-list=login_stage3 address-list-timeout=1m chain=input connection-state=new dst-address-type=local dst-port=1701 protocol=udp src-address-list=login_stage2
add action=add-src-to-address-list address-list=login_stage2 address-list-timeout=1m chain=input connection-state=new dst-address-type=local dst-port=1701 protocol=udp src-address-list=login_stage1
add action=add-src-to-address-list address-list=login_stage1 address-list-timeout=1m chain=input connection-state=new dst-address-type=local dst-port=1701 protocol=udp
One thing to note: these firewall rules only protect RouterOS itself. If you are protecting a server on the LAN, change chain=input to chain=forward, and replace dst-address-type=local with dst-address=Server-IP.
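Added example, not from the original note or the forum post it links: a Python simulation of the staged login_stage1 to login_blacklist escalation above, run over constructed connection attempts from one source. It assumes RouterOS evaluates rules top-down in the listed order, that add-src-to-address-list is non-terminating (which is why the drop rule and the blacklist rule sit above the stage rules, so one packet cannot climb more than one stage), that an address already on a list is left untouched when a rule fires again, and that a login attempt consists of a first packet with connection-state=new followed by further packets of the same connection. One caveat the rules themselves make visible: they count new connections to the listed ports, not authentication failures, so any source that opens four connections within a minute is blacklisted whether its logins succeeded or not.

```python
"""Added example, not from the original note: a simulation of the
login_stage1 -> login_stage2 -> login_stage3 -> login_blacklist escalation.

Assumptions (labelled): rules run top-down in the note's order; the
add-src-to-address-list action is non-terminating; an address already on a
list is left untouched when a rule fires again; a dynamic entry disappears
once its timeout passes. All attempt timings are constructed."""

STAGE_TIMEOUT = 60              # address-list-timeout=1m, in seconds
BLACKLIST_TIMEOUT = 14 * 86400  # address-list-timeout=2w, in seconds

# Escalation rules in the note's order: (list the source must already be on,
# list it is added to, timeout of the new entry). The blacklist rule comes
# first so that a single packet cannot climb more than one stage.
ESCALATION_RULES = [
    ("login_stage3", "login_blacklist", BLACKLIST_TIMEOUT),
    ("login_stage2", "login_stage3", STAGE_TIMEOUT),
    ("login_stage1", "login_stage2", STAGE_TIMEOUT),
    (None, "login_stage1", STAGE_TIMEOUT),
]


class AddressLists:
    """Minimal model of RouterOS dynamic address lists with expiry."""

    def __init__(self):
        self._expiry = {}  # (list name, source address) -> expiry time

    def contains(self, list_name, src, now):
        expiry = self._expiry.get((list_name, src))
        return expiry is not None and expiry > now

    def add(self, list_name, src, now, timeout):
        # Assumption: an entry that already exists keeps its original expiry.
        if not self.contains(list_name, src, now):
            self._expiry[(list_name, src)] = now + timeout


def process_packet(lists, src, now, new):
    """Run one input-chain packet through the note's rules.

    Returns 'drop' if the drop rule matches, otherwise 'pass'. Only packets
    with connection-state=new reach the escalation rules."""
    if lists.contains("login_blacklist", src, now):
        return "drop"
    if new:
        for required_list, target_list, timeout in ESCALATION_RULES:
            if required_list is None or lists.contains(required_list, src, now):
                lists.add(target_list, src, now, timeout)
    return "pass"


def simulate_logins(attempt_times, src="198.51.100.7"):
    """Return 'allowed' or 'blocked' for each attempt time (in seconds).

    A login attempt is modelled as its first packet (new connection) plus a
    second packet of the same connection 0.1 s later. The attempt that puts
    the source on login_blacklist has its first packet pass these rules but
    its second packet dropped, so the attempt still fails, which is what the
    note means by the 4th login being blocked."""
    lists = AddressLists()
    verdicts = []
    for t in attempt_times:
        first = process_packet(lists, src, t, new=True)
        second = process_packet(lists, src, t + 0.1, new=False)
        verdicts.append("blocked" if "drop" in (first, second) else "allowed")
    return verdicts


if __name__ == "__main__":
    # Constructed: four attempts ten seconds apart, then a fifth.
    print(simulate_logins([0, 10, 20, 30, 40]))
    # Constructed: attempts more than a minute apart never escalate.
    print(simulate_logins([0, 70, 140, 210]))
```

The second scenario shows the role of the 1m stage timeouts: a source that spaces its connections more than a minute apart is re-added to login_stage1 each time and never reaches login_stage2, so the escalation only catches bursts, not slow attempts.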