API tools faq
paste
Advertisement
willianmp

Firewall/Blacklist

willianmp
Jul 5th, 2017
836
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ActionScript 12.46 KB | None | 0 0
raw download clone embed print report
  1. Em virtude da quantidade de ataques e maquinas infectadas por Ransomweres, botnets, C&C server e spammers, deixar aqui uma pequena contribuição, o firewall para RouterOS (Mikrotik) que utilizo na maioria dos meus parceiros para a tentativa de mitigar esse casos. Esse pequeno firewall entre outras coisas é adaptado para o uso das listas citadas acima, tanto manual ou dinamicamente atualizada via servidores remotos.
  2.  
  3. Antes de copiar e colar no terminal, faça as modificações necessárias apontadas.
  4.  
  5. Obs: Algumas listas são tão grandes que não são indicadas para equipamentos de baixa performance.
  6.  
  7. Para garantir uma lista mais ampla e atualizada diariamente, configuro lista dinâmica com atualização em servidor remoto. Entre em contato.
  8.  
  9. # jul/05/2017 15:07:50 by RouterOS 6.38.1
  10. #
  11. /ip firewall nat
  12. add action=dst-nat chain=dstnat comment="Desviando trafego indesejado HAO123 para o google.com.br" dst-address-list=11-HAO123-Lista-Negra dst-port=80 protocol=tcp to-addresses=216.58.202.35 to-ports=80
  13. #
  14. #
  15. #
  16. /ip firewall address-list
  17. add comment="Libera para acesso ao router" address=172.16.0.100 list=2-IP-Seguro
  18. add address=10.0.0.0/8 list=3-IPs-Privados
  19. add address=172.16.0.0/12 list=3-IPs-Privados
  20. add address=192.168.0.0/16 list=3-IPs-Privados
  21. add address=5.196.50.44 list=4-Virus-AirNet
  22. add address=200.98.64.46 list=4-Virus-AirNet
  23. add address=173.255.236.223 list=4-Virus-AirNet
  24. add address=159.253.131.113 list=4-Virus-AirNet
  25. add address=192.155.88.213 list=4-Virus-AirNet
  26. add address=206.190.150.20 list=4-Virus-AirNet
  27. add address=189.45.36.66 list=4-Virus-AirNet
  28. add address=177.8.32.74 list=4-Virus-AirNet
  29. add address=119.75.219.0/24 list=11-HAO123-Lista-Negra
  30. add address=61.135.185.0/24 list=11-HAO123-Lista-Negra
  31. add address=123.125.112.0/24 list=11-HAO123-Lista-Negra
  32. add address=63.217.158.0/24 list=11-HAO123-Lista-Negra
  33. add address=180.149.131.0/24 list=11-HAO123-Lista-Negra
  34. add address=200.229.203.0/24 list=11-HAO123-Lista-Negra
  35. add address=52.67.182.104 list=11-HAO123-Lista-Negra
  36. add address=54.232.210.232 list=11-HAO123-Lista-Negra
  37. #
  38. #
  39. #
  40. /ip firewall filter
  41. add action=drop chain=input comment="Dns-flood" dst-port=53,5353 protocol=tcp src-address-list=!3-IPs-Privados
  42. add action=drop chain=input dst-port=53,5353 protocol=udp src-address-list=!3-IPs-Privados
  43. add action=accept chain=input comment="Permitir hosts seguros SSH" connection-state=new dst-port=22 protocol=tcp src-address-list=7-Conexao-Segura
  44. add action=drop chain=input comment="Bloquear for\E7a bruta em SSH" dst-port=22 protocol=tcp src-address-list=6-SSH-Lista-Negra
  45. add action=add-src-to-address-list address-list=6-SSH-Lista-Negra address-list-timeout=1w3d chain=input comment="Lista negra - for\E7a bruta em SSH" connection-state=new dst-port=22 protocol=tcp src-address-list=\
  46.     SSH-Lista-Negra-stagio-3
  47. add action=add-src-to-address-list address-list=SSH-Lista-Negra-stagio-3 address-list-timeout=1m chain=input comment="Lista negra - for\E7a bruta em SSH - terceiro est\E1gio" connection-state=new dst-port=22 \
  48.     protocol=tcp src-address-list=SSH-Lista-Negra-stagio-2
  49. add action=add-src-to-address-list address-list=SSH-Lista-Negra-stagio-2 address-list-timeout=1m chain=input comment="Lista negra - for\E7a bruta em SSH - segundo est\E1gio" connection-state=new dst-port=22 \
  50.     protocol=tcp src-address-list=SSH-Lista-Negra-stagio-1
  51. add action=add-src-to-address-list address-list=SSH-Lista-Negra-stagio-1 address-list-timeout=1m chain=input comment="Lista negra - for\E7a bruta em SSH -primeiro est\E1gio" connection-state=new dst-port=22 \
  52.     protocol=tcp
  53. add action=accept chain=input comment="Permitir hosts seguros Winbox" connection-state=new dst-port=8291 protocol=tcp src-address-list=7-Conexao-Segura
  54. add action=drop chain=input comment="Bloquear for\E7a bruta em Winbox" dst-port=8291 protocol=tcp src-address-list=8-Winbox-Lista-Negra
  55. add action=add-src-to-address-list address-list=8-Winbox-Lista-Negra address-list-timeout=1w3d chain=input comment="Lista negra - for\E7a bruta em Winbox" connection-state=new dst-port=8291 protocol=tcp \
  56.     src-address-list=Winbox-Lista-Negra-stagio-3
  57. add action=add-src-to-address-list address-list=Winbox-Lista-Negra-stagio-3 address-list-timeout=1m chain=input comment="Lista negra - for\E7a bruta em Winbox - terceiro est\E1gio" connection-state=new dst-port=\
  58.     8291 protocol=tcp src-address-list=Winbox-Lista-Negra-stagio-2
  59. add action=add-src-to-address-list address-list=Winbox-Lista-Negra-stagio-2 address-list-timeout=1m chain=input comment="Lista negra - for\E7a bruta em Winbox - segundo est\E1gio" connection-state=new dst-port=8291 \
  60.     protocol=tcp src-address-list=Winbox-Lista-Negra-stagio-1
  61. add action=add-src-to-address-list address-list=Winbox-Lista-Negra-stagio-1 address-list-timeout=1m chain=input comment="Lista negra - for\E7a bruta em Winbox - primeiro est\E1gio" connection-state=new dst-port=\
  62.     8291 protocol=tcp
  63. add action=accept chain=input comment="Liberar SSH" connection-state=new dst-port=22 protocol=tcp
  64. add action=accept chain=input comment="Liberar WinBox" connection-state=new dst-port=8291 protocol=tcp
  65. add action=accept chain=input comment="Libear FTP" connection-state=new dst-port=20-21 protocol=tcp
  66. add action=add-src-to-address-list address-list=9-Batendo address-list-timeout=15s chain=input comment="Batendo na porta - primeiro est\E1gio" dst-port=1337 protocol=tcp
  67. add action=add-src-to-address-list address-list=7-Conexao-Segura address-list-timeout=15m chain=input comment="Batendo na porta - lista branca" dst-port=7331 protocol=tcp src-address-list=9-Batendo
  68. add action=jump chain=input comment="Verifique se h\E1 coisas ruins na cadeia de \"Ataque\"" jump-target=Attacks
  69. add action=accept chain=input comment="Permitir a resposta ICMP" icmp-options=8:0 protocol=icmp
  70. add action=add-src-to-address-list address-list=1-Log-ping address-list-timeout=10m chain=input comment="Cliente Pingando" protocol=icmp
  71. add action=accept chain=input comment="Permitir todos os pacotes dos nossos parceiros confi\E1veis \"IP-Seguro\"" connection-state=new src-address-list=2-IP-Seguro
  72. add action=accept chain=input comment="Permitir que os intervalos IP privados acessem o roteador" connection-state=new src-address-list=3-IPs-Privados
  73. add action=accept chain=input comment="Permitir conex\F5es v\E1lidas atuais, bem como pacotes relacionados v\E1lidos" connection-state=established,related
  74. add action=drop chain=input comment="Bloqueia todo o resto por padr\E3o"
  75. add action=jump chain=forward comment="Verifique se h\E1 coisas ruins na cadeia de \"Ataque\"" jump-target=Attacks
  76. #
  77. ##
  78. ### Limite de conexoes em connetion-limit está setado com 500, alterar conforme necessidade, ou desabilitar caso haja necessidade.
  79. ##
  80. #
  81. add action=drop chain=forward comment="Limites de conexoes" connection-limit=500,32 dst-address-list=!5-Sem-Limite-Conexao dst-port=0-80 limit=1,5:packet log=yes log-prefix=80- protocol=tcp src-address-list=\
  82.     !5-Sem-Limite-Conexao tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
  83. add action=drop chain=forward connection-limit=500,32 dst-address-list=!5-Sem-Limite-Conexao dst-port=81-442 protocol=tcp src-address-list=!5-Sem-Limite-Conexao tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
  84. add action=drop chain=forward connection-limit=500,32 dst-address-list=!5-Sem-Limite-Conexao dst-port=443 protocol=tcp src-address-list=!5-Sem-Limite-Conexao tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
  85. add action=drop chain=forward comment="Limites de conexoes portas altas" connection-limit=500,32 dst-port=444-65535 limit=1,5:packet protocol=tcp tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
  86. add action=drop chain=forward comment=Dns-flood dst-port=53,5353 protocol=tcp src-address-list=!3-IPs-Privados
  87. add action=drop chain=forward dst-port=53,5353 protocol=udp src-address-list=!3-IPs-Privados
  88. add action=add-src-to-address-list address-list=Log-Equip_ubnt_infectado_virus address-list-timeout=0s chain=forward comment="Equipamentos com virus AirNet (UBIQUIT)" dst-address-list=4-Virus-AirNet
  89. add action=drop chain=forward comment="Bloquear virus AirNet (UBIQUIT)" src-address-list=4-Virus-AirNet
  90. add action=accept chain=forward comment="Permitir a resposta ICMP" icmp-options=8:0 protocol=icmp
  91. add action=add-src-to-address-list address-list=1-Log-ping address-list-timeout=10m chain=forward comment="Cliente Pingando" protocol=icmp
  92. add action=accept chain=forward comment="Permitir conex\F5es v\E1lidas atuais, bem como pacotes relacionados v\E1lidos" connection-state=established,related
  93. add action=accept chain=forward comment="Permitir que os intervalos IP privados sejam encaminhados pelo roteador" connection-state=new src-address-list=3-IPs-Privados
  94. add action=drop chain=Attacks comment="Bloquear conex\F5es de hosts na lista negra" src-address-list=Blacklist
  95. add action=drop chain=Attacks comment="Bloquear conex\F5es para hosts na lista negra" dst-address-list=Blacklist
  96. add action=drop chain=Attacks comment="Bloqueia combina\E7\E3o de sinalizador tcp inv\E1lida" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
  97. add action=drop chain=Attacks comment="Bloqueia combina\E7\E3o de sinalizador tcp inv\E1lida" protocol=tcp tcp-flags=fin,syn
  98. add action=drop chain=Attacks comment="Bloqueia combina\E7\E3o de sinalizador tcp inv\E1lida" protocol=tcp tcp-flags=fin,rst
  99. add action=drop chain=Attacks comment="Bloqueia combina\E7\E3o de sinalizador tcp inv\E1lida" protocol=tcp tcp-flags=fin,!ack
  100. add action=drop chain=Attacks comment="Bloqueia combina\E7\E3o de sinalizador tcp inv\E1lida" protocol=tcp tcp-flags=fin,urg
  101. add action=drop chain=Attacks comment="Bloqueia combina\E7\E3o de sinalizador tcp inv\E1lida" protocol=tcp tcp-flags=syn,rst
  102. add action=drop chain=Attacks comment="Bloqueia combina\E7\E3o de sinalizador tcp inv\E1lida" protocol=tcp tcp-flags=rst,urg
  103. add action=drop chain=Attacks comment="Porta de origem TCP inv\E1lida (0)" protocol=tcp src-port=0
  104. add action=drop chain=Attacks comment="Porta de destino TCP inv\E1lida (0)" dst-port=0 protocol=tcp
  105. add action=drop chain=Attacks comment="Porta de origem UDP inv\E1lida (0)" protocol=udp src-port=0
  106. add action=drop chain=Attacks comment="Porta de destino UDP inv\E1lida (0)" dst-port=0 protocol=udp
  107. add action=drop chain=Attacks comment="Pacotes inv\E1lidos (sem conex\E3o atual v\E1lida)" connection-state=invalid
  108. add action=return chain=Attacks comment="Retornar \E0 cadeia que saltou"
  109. #
  110. ##
  111. ### Renomeie in-interface para o nome da interface de entrada de link em seu router.
  112. ##
  113. #
  114. add action=drop chain=forward comment="Bloquear todo o resto vindo da WAN" in-interface=WAN
  115. add action=accept chain=output comment="Permitir apenas 10 FTP login respostas incorretas por minuto" content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
  116. add action=add-dst-to-address-list address-list=10-FTP-Lista-Negra address-list-timeout=3h chain=output comment="Lista negra - for\E7a bruta em FTP" content="530 Login incorrect" protocol=tcp
  117. add action=accept chain=output comment="Permitir conex\F5es v\E1lidas atuais, bem como pacotes relacionados v\E1lidos" connection-state=established
  118. add action=accept chain=output connection-state=related
  119. add action=drop chain=output comment="Bloquear todo o resto" connection-state=invalid
  120. #
  121. ##
  122. ### Pequena Blacklist para bloqueio de botnets, C&C server, and spammers..
  123. ##
  124. #
  125. /ip firewall address-list
  126. add comment="Lista negra Dshield" list="Blacklist" address=5.188.11.0-5.188.11.255
  127. add list="Blacklist" address=185.35.62.0-185.35.62.255
  128. add list="Blacklist" address=80.82.77.0-80.82.77.255
  129. add list="Blacklist" address=196.52.43.0-196.52.43.255
  130. add list="Blacklist" address=158.85.81.0-158.85.81.255
  131. add list="Blacklist" address=45.55.2.0-45.55.2.255
  132. add list="Blacklist" address=5.188.10.0-5.188.10.255
  133. add list="Blacklist" address=168.1.128.0-168.1.128.255
  134. add list="Blacklist" address=104.193.252.0-104.193.252.255
  135. add list="Blacklist" address=141.212.122.0-141.212.122.255
  136. add list="Blacklist" address=71.6.216.0-71.6.216.255
  137. add list="Blacklist" address=60.191.38.0-60.191.38.255
  138. add list="Blacklist" address=64.125.239.0-64.125.239.255
  139. add list="Blacklist" address=77.72.82.0-77.72.82.255
  140. add list="Blacklist" address=169.54.233.0-169.54.233.255
  141. add list="Blacklist" address=183.129.160.0-183.129.160.255
  142. add list="Blacklist" address=104.236.175.0-104.236.175.255
  143. add list="Blacklist" address=222.47.26.0-222.47.26.255
  144. add list="Blacklist" address=45.55.0.0-45.55.0.255
  145. add list="Blacklist" address=89.248.172.0-89.248.172.255
  146.  
  147. Todo trabalho tem um custo, contribua com qualquer valor em minha carteira de Bitcoins:
  148. 13RbNMKewGwrbnwAKwT5hJA7XpugXFBhXV
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!