Monday, 05 January 2015

Mikrotik port scanning firewall rules

Now, if you read my previous blogs, we talked about default password rules and the logic behind them. This time we will set up some more fun things:
in this case PORT SCAN DETECTION and blacklisting.

What will these firewall rules do? They will detect port scanning, put the source IP on an address list, and block all traffic from that IP for a set time.
So how do we do this?

First a quick look at what port scanning is and how it works.

Port scanning is the act of systematically scanning a computer's ports. Since a port is the place where information goes into and out of a computer, port scanning identifies the open doors of a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature if someone is looking for a weak access point to break into your computer or router.

There are also many types of port scanning, to name just a few:

- SYN Scan
- UDP Scan
- FIN Scan
- ACK Scan
- X-MAS Scan

All these types of port scans use different flags in their TCP packets to identify open ports. If you're willing to learn more about TCP packets and port scanning, you can start here:
Port Scanning

We will set up firewall rules to protect you from the basic port scanning techniques used by so-called "script kiddies".

The easiest way is to start WinBox and open a terminal, then just paste these rules in. REMEMBER: the default firewall rules must be below these rules. If they end up below the default firewall rules, just drag them into the correct order.

/ip firewall filter
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

The first rule (the action=drop one with the comment "dropping port scanners") MUST stay at the top, before all the others, after you paste all this in, since it is the rule that drops the traffic from IP addresses on the "port scanners" list.
Let's talk a bit about how these rules work.

So when a packet arrives with the TCP flags (fin, psh, syn, etc.) corresponding to a specific type of port scan, or when the psd matcher sees a sequence of packets to different ports from one host, the IP the packets are sent from is added to the "port scanners" list, which you can find in WinBox under IP > Firewall, on the Address Lists tab. Traffic from every IP on that list is then blocked by the first rule. The IP is in this case added to the list for 2 weeks, but you can set this time as you wish.
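To see how the flag rules, the psd rule and the address list interact in that rule order, here is an added Python model (an example written for this post, not RouterOS code and not part of the original post) that replays constructed packets through the chain. It assumes the matcher semantics from the RouterOS documentation: in tcp-flags a bare flag must be set, a "!" flag must be clear and unlisted flags are ignored; psd=21,3s,3,1 sums per-source weights (3 for destination ports up to 1024, 1 above) over distinct ports arriving within 3 s of each other and matches once the sum reaches 21.

```python
from collections import defaultdict
SCAN_RULES = [  # (comment, tcp-flags) pairs copied from the rule set in the post
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan", "fin,syn"),
    ("SYN/RST scan", "syn,rst"),
    ("FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]

def flags_match(expr, pkt_flags):
    """Assumed tcp-flags semantics: bare flags must be set, '!' flags clear, rest ignored."""
    want = {t for t in expr.split(",") if not t.startswith("!")}
    avoid = {t[1:] for t in expr.split(",") if t.startswith("!")}
    return want <= pkt_flags and not (avoid & pkt_flags)

class PortScanFirewall:
    """Input chain in the post's order: drop listed sources, then psd, then the flag rules."""
    def __init__(self, weight_threshold=21, delay=3.0, low_w=3, high_w=1, timeout=14 * 86400):
        self.wt, self.delay, self.low_w, self.high_w, self.timeout = weight_threshold, delay, low_w, high_w, timeout
        self.address_list = {}                              # src -> expiry timestamp (2w by default)
        self.psd = defaultdict(lambda: (0, set(), 0.0))     # src -> (weight, ports seen, last ts)
    def _psd_match(self, src, dport, ts):
        weight, ports, last = self.psd[src]
        if ts - last > self.delay:                          # gap longer than 3s: new sequence
            weight, ports = 0, set()
        if dport not in ports:                              # only distinct destination ports add weight
            ports.add(dport)
            weight += self.low_w if dport <= 1024 else self.high_w
        self.psd[src] = (weight, ports, ts)
        return weight >= self.wt

    def handle(self, src, dport, flags, ts):
        """Return the firewall action for one inbound TCP packet (constructed model)."""
        if self.address_list.get(src, -1.0) > ts:           # rule 1: already on the list
            return "drop"
        reason = ("port scanners (psd)" if self._psd_match(src, dport, ts) else
                  next((n for n, e in SCAN_RULES if flags_match(e, flags)), None))
        if reason is None:
            return "accept"
        self.address_list[src] = ts + self.timeout          # add-src-to-address-list
        return "listed: " + reason

def demo():
    """Constructed traffic: one NULL-scan probe, then a SYN sweep of ports 20-30 from another host."""
    fw = PortScanFirewall()
    log = [fw.handle("198.51.100.7", 80, frozenset(), 0.0),
           fw.handle("198.51.100.7", 22, frozenset({"syn"}), 0.5)]
    for i, port in enumerate(range(20, 31)):
        log.append(fw.handle("203.0.113.9", port, frozenset({"syn"}), 1.0 + i * 0.1))
    return log
```

The NULL probe is listed on its first packet by the flag rule, while the plain SYN sweep matches no flag rule and is only caught once psd's weight sum reaches 21, at the seventh distinct low port; everything after that from either host is dropped by the first rule.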

Port scanning, as you will see, is quite a regular occurrence, and these rules will make it very hard for an attacker to enumerate your open ports, since all their traffic will be dropped after a few packets.
Here is a picture from my router of the last 3 port scanning attempts.

Just don't make the same mistake that I did and test this from your local network. I, smartass as I am, had the router set up so it could only be managed from ONE (my static) IP address. Well, you can imagine that after I port scanned the router, the address was added to the list for 2 weeks, denying my only means of logging on to the router. And I had to do another factory reset and import the configuration, or wait 2 weeks :D
Feel free to ask any questions in the comment section below, and thank you for reading.

May the force be with you all.