The simplest approach: block public access to the SSH and FTP ports entirely

The rule below drops all input traffic to TCP ports 21-22 (FTP and SSH) from any source that is not on the allow-addresses address list (the leading ! negates the list match). Create that list and put your management hosts or subnet on it before enabling the rule, otherwise you lock yourself out of the router; RouterOS Safe Mode is the usual safety net while testing firewall rules.

/ip firewall filter
add chain=input protocol=tcp dst-port=21-22 src-address-list=!allow-addresses action=drop comment="禁止公网SSH & FTP" disabled=no

A more flexible policy using address lists

Each new TCP connection to a login port (21 FTP, 22 SSH, 23 Telnet, 8291 Winbox) moves the source one stage further, from login_stage1 up to login_stage5, and each stage entry expires after one minute. A sixth new connection while the source is still on login_stage5 puts it on login_blacklist for a day, and the first rule then drops everything it sends. Note that with the five stages below the threshold is six new connections, each within a minute of the previous one, not three connections in three minutes.

Rule order matters: the drop rule must come first and the stage rules must be listed from the highest stage down, because add-src-to-address-list does not stop processing of the packet; listed the other way round, a single connection would advance a source through several stages at once. Entries added with a timeout are dynamic and are not saved, so the blacklist does not survive a reboot.

/ip firewall filter
add chain=input protocol=tcp dst-port=21,22,23,8291 src-address-list=login_blacklist action=drop comment="drop login brute forcers 1" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage5 action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1d comment="drop login brute forcers 2" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage4 action=add-src-to-address-list address-list=login_stage5 address-list-timeout=1m comment="drop login brute forcers 3" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage3 action=add-src-to-address-list address-list=login_stage4 address-list-timeout=1m comment="drop login brute forcers 4" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage2 action=add-src-to-address-list address-list=login_stage3 address-list-timeout=1m comment="drop login brute forcers 5" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new src-address-list=login_stage1 action=add-src-to-address-list address-list=login_stage2 address-list-timeout=1m comment="drop login brute forcers 6" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new action=add-src-to-address-list address-list=login_stage1 address-list-timeout=1m comment="drop login brute forcers 7" disabled=no
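To make the staging concrete, here is a replay of the seven rules above for a series of new connections from one source. This is an added example, not code from the original post or from MikroTik; it models RouterOS behaviour under two labelled assumptions (add-src-to-address-list is non-terminating, and re-adding an address already on a list refreshes its timeout), and the source address and timings are constructed.

```python
"""Replay of the staged address-list rules above (login_stage1..5, login_blacklist).

Added example, not code from the original post or from MikroTik. It runs the
seven rules in order for a series of new TCP connections from one source and
reports when the source reaches login_blacklist. Assumptions (labelled):
add-src-to-address-list is non-terminating (the packet continues to the next
rule), and re-adding an address already on a list refreshes its timeout.
"""
from dataclasses import dataclass, field

STAGES = ["login_stage1", "login_stage2", "login_stage3",
          "login_stage4", "login_stage5"]
STAGE_TIMEOUT = 60          # address-list-timeout=1m
BLACKLIST_TIMEOUT = 86400   # address-list-timeout=1d


@dataclass
class AddressLists:
    """list name -> {address: expiry time in seconds}; expired entries are ignored."""
    lists: dict = field(default_factory=dict)

    def contains(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def add(self, name, addr, now, timeout):
        # Assumption: re-adding an existing entry refreshes its timeout.
        self.lists.setdefault(name, {})[addr] = now + timeout


def new_connection(lists, addr, now, descending=True):
    """Run one new TCP connection from addr through the rule chain.

    Returns "drop" if rule 1 (source on login_blacklist) drops it, otherwise
    "pass" (what happens after rule 7 is up to the rest of the real chain).
    descending=True is the order used on the page (stage5 rule first);
    descending=False shows what goes wrong if the stage rules are reversed.
    """
    if lists.contains("login_blacklist", addr, now):
        return "drop"
    # Rules 2-6: if the source is on src_list, add it to dst_list. Non-terminating,
    # so every matching rule fires for the same packet.
    steps = [("login_stage5", "login_blacklist", BLACKLIST_TIMEOUT)]
    steps += [(STAGES[i - 1], STAGES[i], STAGE_TIMEOUT) for i in range(4, 0, -1)]
    if not descending:
        steps.reverse()
    for src_list, dst_list, timeout in steps:
        if lists.contains(src_list, addr, now):
            lists.add(dst_list, addr, now, timeout)
    # Rule 7: every new connection puts the source on login_stage1.
    lists.add("login_stage1", addr, now, STAGE_TIMEOUT)
    return "pass"


def attempts_until_blacklisted(interval, max_attempts=20, descending=True,
                               addr="198.51.100.7"):
    """Connect every `interval` seconds; return the 1-based attempt after which
    the (constructed, documentation-range) source is on login_blacklist, or
    None if max_attempts go by without reaching it."""
    lists = AddressLists()
    for n in range(1, max_attempts + 1):
        now = (n - 1) * interval
        new_connection(lists, addr, now, descending)
        if lists.contains("login_blacklist", addr, now):
            return n
    return None


if __name__ == "__main__":
    print("10 s apart:", attempts_until_blacklisted(10))                          # 6
    print("70 s apart:", attempts_until_blacklisted(70))                          # None
    print("reversed stage rules:", attempts_until_blacklisted(10, descending=False))  # 2
```

Three things fall out of the replay: the real threshold is six new connections within a rolling minute, not three in three minutes; attempts spaced more than a minute apart never escalate, so the 1m stage timeouts are the knob to raise if slow brute forcers are the concern; and reversing the stage rules collapses the staging, because a source walks from login_stage1 to login_blacklist during a single pass through the chain.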

Blocking port scanners

The psd matcher (psd=21,3s,3,1: weight threshold 21, delay threshold 3 seconds, low-port weight 3, high-port weight 1) catches sources that probe many ports in a short time; the tcp-flags rules catch Nmap scan types by their flag combinations (FIN only, SYN+FIN, SYN+RST, FIN+PSH+URG, all flags, no flags). A matching source stays on the "port scanners" list for 14 days and the last rule drops everything from it. These rules are in the input chain, so they only protect the router itself; to protect hosts behind the router, add equivalent rules to the forward chain.

/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
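The flag rules are easy to misread, so here is a model of how RouterOS tcp-flags matching works applied to the six signatures above. This is an added example, not code from the original post or from MikroTik: in a tcp-flags value, listed flags must be set, flags prefixed with ! must be clear, and flags not mentioned are ignored. The sample flag sets are constructed; the psd rule is stateful and is deliberately not modelled.

```python
"""Model of RouterOS tcp-flags matching for the scan-signature rules above.

Added example, not code from the original post or from MikroTik. Listed flags
must be set, '!'-prefixed flags must be clear, unmentioned flags are ignored.
first_matching_rule() walks the six flag rules in the order the page lists
them and reports which one would add a segment's source to "port scanners".
The psd rule scores ports over time and is not modelled here.
"""
TCP_FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr"}

# (tcp-flags value, rule comment), same order as the filter rules above
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]


def parse_tcp_flags(spec):
    """Split a tcp-flags value into (must_be_set, must_be_clear)."""
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        token = token.strip().lower()
        if token.startswith("!"):
            must_clear.add(token[1:])
        else:
            must_set.add(token)
    unknown = (must_set | must_clear) - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return must_set, must_clear


def flags_match(spec, packet_flags):
    """True if a TCP segment carrying exactly packet_flags matches spec."""
    must_set, must_clear = parse_tcp_flags(spec)
    present = set(packet_flags)
    return must_set <= present and not (must_clear & present)


def first_matching_rule(packet_flags):
    """Comment of the first scan rule a segment with these flags hits, or
    None if it falls through to the rest of the chain."""
    for spec, comment in SCAN_RULES:
        if flags_match(spec, packet_flags):
            return comment
    return None


if __name__ == "__main__":
    # Constructed flag sets: normal traffic first, then Nmap scan types.
    samples = {
        "SYN (normal connect)": {"syn"},
        "SYN/ACK": {"syn", "ack"},
        "FIN/ACK (normal close)": {"fin", "ack"},
        "FIN only (nmap -sF)": {"fin"},
        "no flags (nmap -sN)": set(),
        "FIN/PSH/URG (nmap -sX)": {"fin", "psh", "urg"},
        "all six flags": {"fin", "syn", "rst", "psh", "ack", "urg"},
    }
    for label, flags in samples.items():
        print(f"{label:28} -> {first_matching_rule(flags)}")
```

Normal SYN, SYN/ACK and FIN/ACK segments hit none of the six rules, which is what keeps the list from filling with legitimate clients. Note also that the "ALL/ALL scan" rule never fires: a segment with every flag set already matches fin,syn two rules earlier. That is harmless here, since both rules add the source to the same list, but it shows that a matcher without negated flags is satisfied by any superset, and rule order decides which comment you see.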
