Рецептики для MikroTik
Защита от брутфорсеров:
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" disabled=no dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=23 protocol=tcp
Защита от сканирования портов:
add action=drop chain=input disabled=no src-address-list="port scanners" comment="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp psd=21,3s, 3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin, syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=syn, rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin, psh, urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=fin, syn, rst, psh, ack, urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
Закрытие одноклассников и подобных:
/ip firewall filter
add action=drop chain=forward comment="block socials" dst-address-list=!yes_social layer7-protocol=social protocol=tcp src-port=80
add action=drop chain=forward dst-address-list=!yes_social layer7-protocol=social protocol=tcp src-port=443
/ip firewall layer7-protocol
add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|odnoklasniki|facebook|fall-in-love|loveplanet|my.mail.ru).*\$"
Смена MAC адреса на интерфейсе:
/interface ethernet set ether1 mac-address=00:01:03:04:05:06
Защита от спамеров в сети:
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer
action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"