Drop Port Scanner

Untuk memprotek router dari port scanner, kita bisa menyimpan IP hacker yang mencoba scan mikrotik anda. Menggunakan address-list kita bisa drop koneksi dari IP-IP yang terindikasi sebagai port scanner.

di /ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="Port scanners to list " disabled=no

Kombinasi dari TCP flags bisa diindikasikan aktifitas dari port scanner.

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP NULL scan"

Kemudian anda bisa drop IP tersebut :

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Dengan cara yang sama, anda bisa drop port scanner dalam chain forward, ganti kode diatas dengan “chain=forward”.

Be the first to like.

Did you like this? Share it:

Leave a Reply