Firewall - Attacks & Tips

Transcript of Firewall - Attacks & Tips

  • 8/12/2019 Firewall - Attacks & Tips

    1/19 MAIN ATTACKS (AND DEFENSES)

  • 2/19 PORT SCAN ATTACKS

    How does this attack work? The attacker uses a program to scan for open ports on your router (or on a host in your network) and later launches an attack against them.

    How to protect your network?

    add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
    add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
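A simplified model of how the psd=21,3s,3,1 matcher above scores a source, added here as an example; it is not code from the slides or from RouterOS. It assumes that packets to distinct destination ports within the 3 s delay window accumulate weight (3 for ports below 1024, 1 otherwise) and that a source is listed once the total reaches 21; the packet trace and addresses are constructed.

```python
from collections import defaultdict, deque

# Parameters of the slide's rule psd=21,3s,3,1
# (RouterOS order: WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight)
WEIGHT_THRESHOLD = 21
DELAY_THRESHOLD = 3.0   # seconds
LOW_PORT_WEIGHT = 3     # destination ports 1-1023
HIGH_PORT_WEIGHT = 1    # destination ports 1024-65535


def port_weight(port: int) -> int:
    """Privileged ports count more, as in the rule's 3,1 weights."""
    return LOW_PORT_WEIGHT if port < 1024 else HIGH_PORT_WEIGHT


class PortScanDetector:
    """Per-source scoring over distinct destination ports seen inside the
    delay window (a simplified model, not the RouterOS implementation)."""

    def __init__(self):
        self.history = defaultdict(deque)  # src -> deque of (timestamp, dst_port)
        self.flagged = set()               # sources that would land on "port scanners"

    def observe(self, ts: float, src: str, dst_port: int) -> bool:
        window = self.history[src]
        while window and ts - window[0][0] > DELAY_THRESHOLD:
            window.popleft()               # forget packets outside the 3 s window
        window.append((ts, dst_port))
        distinct_ports = {p for _, p in window}   # repeats of one port add no weight
        weight = sum(port_weight(p) for p in distinct_ports)
        if weight >= WEIGHT_THRESHOLD:
            self.flagged.add(src)
        return src in self.flagged


def run_sample() -> set:
    """Constructed trace of (time, src, dst_port): one fast scanner of seven
    privileged ports, one normal web client, one slow scanner of high ports."""
    trace = [(i * 0.2, "198.51.100.7", p)
             for i, p in enumerate([21, 22, 23, 25, 53, 80, 110])]
    trace += [(0.1, "192.0.2.10", 443), (0.5, "192.0.2.10", 80)]
    trace += [(i * 5.0, "203.0.113.3", 1024 + i) for i in range(30)]
    det = PortScanDetector()
    for ts, src, port in sorted(trace):
        det.observe(ts, src, port)
    return det.flagged
```

Only the fast scanner is listed: the web client never reaches weight 21, and the slow scanner's probes are more than 3 s apart, so they never add up inside one window.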

  • 3/19 PORT SCAN ATTACKS

    How to protect your network?

    add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
    add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
    add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

  • 4/19 PORT SCAN ATTACKS

    How to protect your network?

    add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
    add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
    add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

  • 5/19 DOS (DENIAL OF SERVICE) ATTACKS

    How does this attack work?

    A denial of service (DoS) attack is an attempt to make a system's resources unavailable to its users. It is not an intrusion into the system, but rather its disabling through overload. DDoS attacks are the same thing as a DoS attack, but carried out in a distributed way.

  • 6/19 DOS (DENIAL OF SERVICE) ATTACKS

    How to protect your network? By limiting incoming connections:

    /ip firewall filter
    add chain=input protocol=tcp connection-limit=100,32 action=add-src-to-address-list address-list=end_bloqueados address-list-timeout=1d
    add chain=input protocol=tcp src-address-list=end_bloqueados connection-limit=3,32 action=tarpit

  • 7/19 DOS (DENIAL OF SERVICE) ATTACKS

    How to protect your network?

    SYN state filtering (TCP):

    /ip firewall filter
    add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
    add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
    add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no

    Enabling SYN cookies (TCP):

    /ip firewall connection tracking set tcp-syncookie=yes


  • 9/19 BRUTE FORCE ATTACKS

    How to protect your network?

    Protection for FTP:

    /ip firewall filter
    add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
    add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
    add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

  • 10/19 BRUTE FORCE ATTACKS

    How to protect your network?

    Protection for SSH:

    add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no

  • 11/19 BRUTE FORCE ATTACKS

    How to protect your network?

    Protection for SSH:

    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

  • 12/19 BRUTE FORCE ATTACKS

    How to protect your network?

    Protection for SSH:

    add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
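A model of the staged ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist logic spread over the three SSH slides, added here as an example and not taken from the slides or from RouterOS. It assumes RouterOS semantics in which add-src-to-address-list does not stop rule processing and a dynamic list entry stops matching once its timeout has passed; the addresses and connection times are constructed.

```python
# Address-list timeouts taken from the slides
STAGE_TIMEOUT = 60.0             # ssh_stage1..3: address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 86400   # ssh_blacklist: address-list-timeout=10d


class AddressLists:
    """Dynamic address lists: each maps a source address to its expiry time."""

    def __init__(self):
        self.lists = {name: {} for name in
                      ("ssh_stage1", "ssh_stage2", "ssh_stage3", "ssh_blacklist")}

    def contains(self, name: str, src: str, now: float) -> bool:
        expiry = self.lists[name].get(src)
        return expiry is not None and expiry > now   # expired entries no longer match

    def add(self, name: str, src: str, now: float, timeout: float) -> None:
        self.lists[name][src] = now + timeout        # re-adding refreshes the timeout


def new_ssh_connection(al: AddressLists, src: str, now: float) -> str:
    """Walk the input chain for one new TCP connection to port 22 in the slides'
    order. add-src-to-address-list does not terminate rule processing, so a
    source advances only one stage per connection; reversing the rule order
    would let a single connection run through all stages at once."""
    if al.contains("ssh_blacklist", src, now):
        return "drop"                                          # drop ssh brute forcers
    if al.contains("ssh_stage3", src, now):
        al.add("ssh_blacklist", src, now, BLACKLIST_TIMEOUT)  # stage3 -> blacklist
    if al.contains("ssh_stage2", src, now):
        al.add("ssh_stage3", src, now, STAGE_TIMEOUT)         # stage2 -> stage3
    if al.contains("ssh_stage1", src, now):
        al.add("ssh_stage2", src, now, STAGE_TIMEOUT)         # stage1 -> stage2
    al.add("ssh_stage1", src, now, STAGE_TIMEOUT)             # every new connection -> stage1
    return "pass"                                              # not dropped here; rest of input chain decides


def simulate(src: str, attempt_times: list) -> list:
    """Verdict for each new SSH connection from src at the given times (constructed input)."""
    al = AddressLists()
    return [new_ssh_connection(al, src, t) for t in attempt_times]
```

Five connection attempts within a minute yield four passes and then a drop: the fourth attempt is what puts the source on ssh_blacklist, and only the fifth is dropped, while a client that reconnects every two minutes never leaves ssh_stage1.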

  • 13/19 TIPS & TRICKS

  • 14/19 MINIMUM PROTECTIONS

    /ip firewall filter
    add chain=input connection-state=established comment="Accept established connections"
    add chain=input connection-state=related comment="Accept related connections"
    add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
    add chain=input protocol=udp action=accept comment="UDP" disabled=no
    add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
    add chain=input protocol=icmp action=drop comment="Drop excess pings"
    add chain=input protocol=tcp dst-port=22 comment="SSH"
    add chain=input protocol=tcp dst-port=8291 comment="winbox"
    add chain=input src-address=SUAS_REDES comment="Aceita redes"
    add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
    add chain=input action=drop comment="Drop everything else"

  • 15/19 BLOCKING ULTRASURF

    /ip firewall address-list
    add address=65.49.0.0/17 comment="" disabled=no list=UltraSurfServers
    add address=204.107.140.0/24 comment="" disabled=no list=UltraSurfServers

    /ip firewall mangle
    add action=add-src-to-address-list address-list=UltraSurfUsers address-list-timeout=5m chain=prerouting comment=UltraSurfUsers disabled=no dst-address-list=UltraSurfServers dst-port=443 protocol=tcp

    /ip firewall filter
    add action=drop chain=forward comment="Block UltraSurf" disabled=no dst-port=443 protocol=tcp src-address-list=UltraSurfUsers

  • 16/19 BLOCKING ARES

    /ip firewall layer7-protocol
    add name=ares regexp="^\03[]Z].\?.\?\05\$"

    /ip firewall filter
    add action=drop chain=forward disabled=yes in-interface=local layer7-protocol=ares

  • 17/19 MANIPULATING SPEED METERS

    1. Create an address list with all the addresses of the speed meters;
    2. Create a mangle rule marking the connection of these packets;
    3. Create a mangle rule marking the packets of this connection;
    4. Create a queue-tree rule setting the speed for the speed meters and selecting the previously marked packets.

  • 18/19 OTHER TIPS

    /ip firewall mangle
    add action=change-ttl chain=postrouting comment="BLOQUEIO DE COMPARTILHAMENTO" disabled=yes new-ttl=set:127 out-interface=local passthrough=no
    add action=change-ttl chain=postrouting comment="BLOQUEIO DE P2P" disabled=yes new-ttl=set:1 p2p=all-p2p passthrough=no
    add action=change-ttl chain=forward comment="BLOQUEIO DE TRACERT/TRACEROUTE" disabled=yes new-ttl=set:30 passthrough=yes protocol=icmp

  • 19/19 THANK YOU VERY MUCH!!

    www.teleclubrasil.com.br

    [email protected]

    OI (21) 8833-7141

    TIM (21) 6928-0110