Out of the box, the RouterOS firewall is pretty lean on rules. The default configuration may have as few as four rules in place, three for accepting traffic (icmp, connected, and related traffic) and one for blocking all other inbound traffic. Depending on how you have configured your Internet access (static IP, PPPoE, etc.), the default configuration can leave the router and network fairly vulnerable. The first step I like to take is disabling and limiting access to services running on the firewall. Using the Winbox utility, we can navigate to IP > Services for a listing of running services:
Here we see that all of the common services (ssh, telnet, ftp, http) as well as winbox are running by default. I typically disable ftp and telnet, and then start locking down the remaining services to specific IP addresses or ranges. Next up, we head over to the IP > Firewall > Filter section. If you're going to open up SSH access to more than just a few IP addresses, then it is inevitable that brute force attacks will occur. Let’s slap the failed logins into the penalty box (http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP)):
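The same lockdown done from the RouterOS command line instead of the Winbox IP > Services window, as an added example that is not part of the original post. The 192.0.2.0/24 subnet and the 203.0.113.7 host are constructed placeholders for a management LAN and one trusted admin address; run it from a session that sits inside that range, because the last `set` lines stop answering everyone else.

```routeros
# Added example, not from the original post. Placeholders: 192.0.2.0/24 is
# the management subnet, 203.0.113.7 a single trusted admin host. Make sure
# the address you are connected from is inside these before applying.

# What is running, and on which ports
/ip service print

# Clear-text services the post drops outright
/ip service disable telnet,ftp

# Plain HTTP management; disable it unless the web UI is really needed
/ip service disable www

# Keep ssh and winbox, but only answer management addresses.
# Several networks can be listed, comma separated.
/ip service set ssh address=192.0.2.0/24,203.0.113.7/32
/ip service set winbox address=192.0.2.0/24,203.0.113.7/32

# Verify: disabled services carry the X flag, restricted ones show
# their networks in the ADDRESS column
/ip service print
```

Leave ssh on port 22 here, since the firewall rules further down match on `dst-port=22`; if you do move the port, change it in those rules as well.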
[sourcecode language="plain"]
/ip firewall filter
# Order matters: the drop sits first, then the stages are listed from highest
# to lowest, so one new connection can only climb one stage per pass
# (add-src-to-address-list does not stop rule processing).
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
# stage3 -> blacklist: fourth new connection inside the window, blocked for 10 days
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
# stage2 -> stage3
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
# stage1 -> stage2
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
# every new ssh connection -> stage1; stage entries expire after one minute
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
[/sourcecode]
What we are doing is moving the IP addresses behind repeated SSH connection attempts through a series of address lists, each entry with a timeout: the first new connection puts the source in ssh_stage1, and further new connections within the next minute promote it to ssh_stage2, ssh_stage3 and finally ssh_blacklist, where the drop rule at the top of the set blocks it. Someone who logs in once never gets past stage1; if they get too carried away, the block goes up for 10 days. Now, let’s throw some rules in to handle port scans (http://wiki.mikrotik.com/wiki/Drop_port_scanners):
[sourcecode language="plain"]
/ip firewall filter
# psd=21,3s,3,1: weight threshold 21, 3 second window, weight 3 for each low
# (<1024) destination port and 1 for each high port touched by the same source
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no \
protocol=tcp psd=21,3s,3,1
# The tcp-flags rules match flag combinations a normal TCP handshake never uses:
# flags listed plainly must be set, flags prefixed with ! must be clear
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
[/sourcecode]
Again, we profile a naughty IP address and then drop ALL traffic coming from it, this time for two weeks: the psd matcher (psd=21,3s,3,1, meaning a weight threshold of 21 inside a 3 second window, with low ports weighted 3 and high ports weighted 1) catches a source walking through ports, and the tcp-flags rules catch flag combinations that never appear in a legitimate handshake. Next, let’s throttle excessive pings:
[sourcecode language="plain"]
/ip firewall filter
# limit=50/5s,2: the accept rule matches while the rate stays under 50 ICMP
# packets per 5 seconds (burst 2); anything above that falls through to the drop
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
[/sourcecode]
It’s always a good idea to do some simple pen-tests from outside the network to be sure everything is working and to discern any other holes that need closing, but this should be a start.
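Two checks worth doing once the rules above are in, shown as an added example rather than anything from the original post. First, `add` appends to the end of the chain, so on a default configuration whose input chain already ends with a catch-all drop, the new rules land below it and never see a packet; either move them up or add them with `place-before=`. Second, it helps to see what the lists are actually catching and to have a way out if you blacklist yourself. The comment text "defconf: drop all from WAN" is an assumption about what your catch-all rule is called (check `/ip firewall filter print` and use your own), 192.0.2.0/24 is a constructed management subnet, and 203.0.113.7 is a constructed address that got caught by mistake.

```routeros
# Added example, not from the original post. Assumptions: the catch-all drop
# carries the comment "defconf: drop all from WAN" (adapt after checking
# /ip firewall filter print), 192.0.2.0/24 is the management subnet, and
# 203.0.113.7 is a legitimate address that ended up in ssh_blacklist.

# 1. Ordering. Rules are evaluated top to bottom; a rule appended after a
#    catch-all drop is dead. Look at the numbering first:
/ip firewall filter print

#    Move the blacklist drop (and the rest of the set, the same way) above it:
/ip firewall filter move [find comment="drop ssh brute forcers"] \
    destination=[find comment="defconf: drop all from WAN"]

# 2. Whitelist. Trusted management addresses skip the staging entirely, so
#    your own rapid reconnects (scripts, scp loops) never climb the lists.
#    place-before= puts the new rule directly above the blacklist drop.
/ip firewall address-list add list=ssh_trusted address=192.0.2.0/24 comment="management subnet"
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_trusted \
    action=accept comment="trusted ssh sources" \
    place-before=[find comment="drop ssh brute forcers"]

# 3. Visibility. Log what the drop rules catch (the prefix makes the lines
#    easy to filter), then watch the lists, the rule counters and the log.
/ip firewall filter set [find comment="drop ssh brute forcers"] log=yes log-prefix="SSH-BL: "
/ip firewall filter set [find comment="dropping port scanners"] log=yes log-prefix="PORTSCAN: "
/ip firewall address-list print where list=ssh_blacklist
/ip firewall address-list print where list="port scanners"
/ip firewall filter print stats
/log print where message~"SSH-BL|PORTSCAN"

# 4. Release an address caught by mistake; the 10 day timeout would clear it
#    on its own, but that is a long time to wait for a locked-out admin.
/ip firewall address-list remove [find list=ssh_blacklist address=203.0.113.7]
```

Logging on a drop rule that faces the Internet can get noisy; turn it on while you test from outside and switch it back off (`log=no`) once you have confirmed the counters move and the right addresses appear in the lists.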
(Additional, 8/16/2012: Greg Sowell was kind enough to share his border router firewall script on his website a couple of weeks back. His blog has a great collection of information and training videos, so head over and take a look: http://gregsowell.com)