Previous... My Mikrotik Configuration (part 1)
Step 2, Security.
Setup username and password
user set 0 name=ngeri password=ngeri group=full
user add name=user01 password=password group: read
Don’t use default user admin. Look at what I have done. I change the default user to be other user name. Don't forget to setup the password. It will make your mikrotik more secure.
Firewall in Mikrotik
Setup Firewall.
by grouping IP networks will make it easier to configure the firewall later.
IP-LAN, IP addresses for Lan.
Full-trust, IP Public can be fully trusted. Admin can remotely the Mikrotik.
half-trust, IP public that are not fully trusted, Sometimes, This IP address can be used by admins to remotely the Mikrotik.
Local-untrust, IP address that is not trusted.
/ip firewall address-list
add address=10.17.123.0/24 disabled=no list=IP-LAN
add address=10.254.128.0/22 disabled=no list=IP-LAN
add address=1xx.9x.xx.xx/27 disabled=no list=full-trust
add address=1xx.1xx.xx.xx disabled=no list=full-trust
add address=0.0.0.0/8 disabled=no list=local-untrust
add address=192.168.0.0/16 disabled=no list=local-untrust
add address=127.0.0.0/8 disabled=no list=local-untrust
add address=224.0.0.0/3 disabled=no list=local-untrust
add address=172.16.0.0/12 disabled=no list=local-untrust
add address=1xx.0.0.0/8 disabled=no list=half-trust
add address=2xx.0.0.0/8 disabled=no list=half-trust
add address=1xx.0.0.0/8 disabled=no list=half-trust
add address=3x.0.0.0/8 disabled=no list=half-trust
Drop IP address Local unused or untrusted
/ip firewall filter
add action=drop chain=forward comment="Drop Local Untrust" disabled=no \
src-address-list=local-untrust
add action=drop chain=forward disabled=no dst-address-list=local-untrust
Drop Connection invalid.
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid disabled=no
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=no
For communication Mikrotik with other DNS Server
add action=accept chain=input disabled=no dst-port=53,5353 protocol=udp
add action=accept chain=input disabled=no dst-port=53,5353 protocol=tcp
10.17.123.10 is IP address for cacti. Cacti need port 22 (ssh) and port 161 (snmp). Trust everything from 10.17.123.10.
add action=accept chain=input disabled=no src-address=10.17.123.10
And this is it, rules for IP addresses, 10.17.123.6. Users not need to know about this IP. But if one day users know about this IP address, we can identify who is connected to the IP address. There is a rule to the make records every IP address that accesses to the IP 10.17.123.6. According this results, we can analize IP address that should be blocked.
add action=add-src-to-address-list address-list=IP_connect_to_graph \
address-list-timeout=0s chain=input disabled=no dst-address=10.17.123.6 \
dst-port=80 in-interface=LAN protocol=tcp src-address=10.254.128.0/22
add action=accept chain=input disabled=no dst-address=10.17.123.6 dst-port=80 \
in-interface=LAN protocol=tcp src-address=10.254.128.0/22
add action=drop chain=input disabled=no dst-address=10.17.123.6
Now about the security of the interface WAN. First, we limit IP address that will be connected to the router mikrotik. We just allow IP addresses that exist in half-trust group.
add action=drop chain=input disabled=no in-interface=WAN protocol=tcp \
src-address-list=!half-trust
Identify the IP address of scanner then do blacklist
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
Limited Ping Flooding
add action=accept chain=icmp comment="Limited Ping Flood" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:3 limit=5,5 protocol=\
icmp
add action=accept chain=icmp disabled=no icmp-options=3:4 limit=5,5 protocol=\
icmp
add action=accept chain=icmp disabled=no icmp-options=8:0-255 limit=5,5 \
protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=11:0-255 limit=5,5 \
protocol=icmp
add action=drop chain=icmp disabled=no protocol=icmp
Identify the IP address who using ssh brute forces, then do blacklist.
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
add action=accept chain=input disabled=no in-interface=WAN src-address-list=\
full-trust
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=!half-trust
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
src-address-list=ssh_blacklist
add action=drop chain=input disabled=no protocol=tcp in-interface=WAN \
dst-port=!53,5353,22,8291
Just allow to access to ports 22 and 8291, from the interface LAN network.
add action=drop chain=input disabled=no dst-port=!22,8291 in-interface=LAN \
protocol=tcp
Close the ports indicate viruses and malware. Be careful. Make sure the port services that you need and import is not blocked.
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward comment="Separate Protocol into Chains" \
disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=jump chain=forward comment="jump to the virus chain" disabled=no \
jump-target=virus
add action=drop chain=udp comment="Bloking UDP Packet, deny TFTP" disabled=no \
dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
135,445 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=\
3133 protocol=udp
add action=drop chain=tcp comment="Bloking TCP Packet, deny TFTP" disabled=no \
dst-port=67-69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp disabled=yes dst-port=119 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\
3133 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="Drop NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=virus comment=\
"________ And there are port that indicate virus" disabled=no dst-port=\
593 protocol=tcp
add action=drop chain=virus comment="________ & Remote Storm" disabled=no \
dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 \
protocol=tcp
add action=drop chain=virus comment="ndm requester & ndm server" disabled=no \
dst-port=1363-1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=\
3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=\
9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=\
10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=\
10080 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=\
27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=\
no dst-port=65506 protocol=tcp
add action=drop chain=virus comment="Sockets des Troie" disabled=no dst-port=\
1 protocol=udp
add action=drop chain=virus comment=Death disabled=no dst-port=2 protocol=tcp
add action=drop chain=virus comment="Senna Spy FTP server" disabled=no \
dst-port=20 protocol=tcp
add action=drop chain=virus comment="Back Construction, Blade Runner, Cattivik\
\_FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Jugg\
ernaut 42, Larva, MotIv FTP, Net Administrator, Ramen, Senna Spy FTP serve\
r, The Flu, Traitor 21, WebEx, WinCrash" disabled=yes dst-port=21 \
protocol=tcp
add action=drop chain=virus comment=\
"Fire HacKer, Tiny Telnet Server TTS, Truva Atl" disabled=no dst-port=23 \
protocol=tcp
add action=drop chain=virus comment="Ajan, Antigen, Barok, Email Password Send\
er EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang\
2, Magic Horse, MBT Mail Bombing Trojan, Moscow Email trojan, Naebi, NewAp\
t worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, Wi\
nSpy" disabled=no dst-port=25 protocol=tcp
add action=drop chain=virus comment="Agent 40421" disabled=no dst-port=30 \
protocol=tcp
add action=drop chain=virus comment=\
"Agent 31, Hackers Paradise, Masters Paradise" disabled=no dst-port=31 \
protocol=tcp
add action=drop chain=virus comment="Deep Throat, Foreplay" disabled=no \
dst-port=41 protocol=tcp
add action=drop chain=virus comment=DRAT disabled=no dst-port=48 protocol=tcp
add action=drop chain=virus comment=DRAT disabled=no dst-port=50 protocol=tcp
add action=drop chain=virus comment=DMSetup disabled=no dst-port=58 protocol=\
tcp
add action=drop chain=virus comment=DMSetup disabled=no dst-port=59 protocol=\
tcp
add action=drop chain=virus comment="CDK, Firehotcker" disabled=no dst-port=\
79 protocol=tcp
add action=drop chain=virus comment=RemoConChubo disabled=no dst-port=81 \
protocol=tcp
add action=drop chain=virus comment="Hidden Port, NCX" disabled=no dst-port=\
99 protocol=tcp
add action=drop chain=virus comment="ProMail trojan" disabled=yes dst-port=\
110 protocol=tcp
add action=drop chain=virus comment="Invisible Identd Deamon, Kazimas" \
disabled=no dst-port=113 protocol=tcp
add action=drop chain=virus comment="Attack Bot, God Message, JammerKillah" \
disabled=no dst-port=121 protocol=tcp
add action=drop chain=virus comment="Net Controller" disabled=no dst-port=123 \
protocol=tcp
add action=drop chain=virus comment=Farnaz disabled=no dst-port=133 protocol=\
tcp
add action=drop chain=virus comment=NetTaxi disabled=no dst-port=142 \
protocol=tcp
add action=drop chain=virus comment=Infector disabled=no dst-port=146 \
protocol=tcp
add action=drop chain=virus comment=Infector disabled=no dst-port=146 \
protocol=udp
add action=drop chain=virus comment=A-trojan disabled=no dst-port=170 \
protocol=tcp
add action=drop chain=virus comment=Backage disabled=no dst-port=334 \
protocol=tcp
add action=drop chain=virus comment=Backage disabled=no dst-port=411 \
protocol=tcp
add action=drop chain=virus comment="Breach, Incognito" disabled=no dst-port=\
420 protocol=tcp
add action=drop chain=virus comment="TCP Wrappers trojan" disabled=no \
dst-port=421 protocol=tcp
add action=drop chain=virus comment="Hackers Paradise" disabled=no dst-port=\
456 protocol=tcp
add action=drop chain=virus comment="Grlogin & RPC Backdoor" disabled=no \
dst-port=513-514 protocol=tcp
add action=drop chain=virus comment="Net666, Rasmin" disabled=no dst-port=531 \
protocol=tcp
add action=drop chain=virus comment="711 trojan, Seven Eleven, Ini-Killer, Net\
\_Administrator, Phase Zero, Phase-0, Stealth Spy" disabled=no dst-port=\
555 protocol=tcp
add action=drop chain=virus comment="Secret Service" disabled=no dst-port=605 \
protocol=tcp
add action=drop chain=virus comment="Attack FTP, Back Construction, BLA trojan\
, Cain & Abel, NokNok, Satans Back Door SBD, ServU, Shadow Phyre, th3r1pp3\
rz Therippers SniperNet" disabled=no dst-port=666-667 protocol=tcp
add action=drop chain=virus comment="DP trojan" disabled=no dst-port=669 \
protocol=tcp
add action=drop chain=virus comment=GayOL disabled=no dst-port=692 protocol=\
tcp
add action=drop chain=virus comment="AimSpy, Undetected" disabled=no \
dst-port=777 protocol=tcp
add action=drop chain=virus comment=WinHole disabled=no dst-port=808 \
protocol=tcp
add action=drop chain=virus comment="Dark Shadow" disabled=no dst-port=911 \
protocol=tcp
add action=drop chain=virus comment="Deep Throat, Foreplay, WinSatan & Der Spa\
eher, Direct Connection & Der Spaeher, Le Guardien, Silencer, WebEx" \
disabled=no dst-port=999 protocol=tcp
add action=drop chain=virus comment="Doly Trojan" disabled=no dst-port=\
1010-1016 protocol=tcp
add action=drop chain=virus comment=Vampire disabled=no dst-port=1020 \
protocol=tcp
add action=drop chain=virus comment="Remote Storm" disabled=no dst-port=1025 \
protocol=udp
add action=drop chain=virus comment=Multidropper disabled=no dst-port=1035 \
protocol=tcp
add action=drop chain=virus comment="BLA trojan" disabled=no dst-port=1042 \
protocol=tcp
add action=drop chain=virus comment=Rasmin disabled=no dst-port=1045 \
protocol=tcp
add action=drop chain=virus comment="sbin initd" disabled=no dst-port=1049 \
protocol=tcp
add action=drop chain=virus comment=MiniCommand disabled=no dst-port=1050 \
protocol=tcp
add action=drop chain=virus comment="The Thief & AckCmd" disabled=no \
dst-port=1053-1054 protocol=tcp
add action=drop chain=virus comment=WinHole disabled=no dst-port=1080-1083 \
protocol=tcp
add action=drop chain=virus comment=Xtreme disabled=no dst-port=1090 \
protocol=tcp
add action=drop chain=virus comment="Remote Administration Tool RAT, Blood Fes\
t Evolution, Remote Administration Tool RAT" disabled=no dst-port=\
1095-1099 protocol=tcp
add action=drop chain=virus comment=Orion disabled=no dst-port=1150-1151 \
protocol=tcp
add action=drop chain=virus comment=\
"Psyber Stream Server PSS, Streaming Audio Server, Voice" disabled=no \
dst-port=1170 protocol=tcp
add action=drop chain=virus comment=NoBackO disabled=no dst-port=1200-1201 \
protocol=udp
add action=drop chain=virus comment="SoftWAR & Infector" disabled=no \
dst-port=1207-1208 protocol=tcp
add action=drop chain=virus comment=Kaos disabled=no dst-port=1212 protocol=\
tcp
add action=drop chain=virus comment="SubSeven Java client, Ultors Trojan" \
disabled=no dst-port=1234 protocol=tcp
add action=drop chain=virus comment=\
"BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles" disabled=no dst-port=\
1243 protocol=tcp
add action=drop chain=virus comment="VooDoo Doll" disabled=no dst-port=1245 \
protocol=tcp
add action=drop chain=virus comment="Scarab & Project nEXT" disabled=no \
dst-port=1255-1256 protocol=tcp
add action=drop chain=virus comment=Matrix disabled=no dst-port=1269 \
protocol=tcp
add action=drop chain=virus comment="The Matrix" disabled=no dst-port=1272 \
protocol=tcp
add action=drop chain=virus comment=NETrojan disabled=no dst-port=1313 \
protocol=tcp
add action=drop chain=virus comment="Millenium Worm" disabled=no dst-port=\
1338 protocol=tcp
add action=drop chain=virus comment="Bo dll" disabled=no dst-port=1349 \
protocol=tcp
add action=drop chain=virus comment="GoFriller, Backdoor G-1" disabled=no \
dst-port=1394 protocol=tcp
add action=drop chain=virus comment="Remote Storm" disabled=no dst-port=1441 \
protocol=tcp
add action=drop chain=virus comment=FTP99CMP disabled=no dst-port=1492 \
protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=1524 \
protocol=tcp
add action=drop chain=virus comment="Remote Hack" disabled=no dst-port=1568 \
protocol=tcp
add action=drop chain=virus comment="Direct Connection, Shivka-Burka" \
disabled=no dst-port=1600 protocol=tcp
add action=drop chain=virus comment=Exploiter disabled=no dst-port=1703 \
protocol=tcp
add action=drop chain=virus comment=Scarab disabled=no dst-port=1777 \
protocol=tcp
add action=drop chain=virus comment=SpySender disabled=no dst-port=1807 \
protocol=tcp
add action=drop chain=virus comment="Fake FTP & WM FTP Server" disabled=no \
dst-port=1966-1967 protocol=tcp
add action=drop chain=virus comment="OpC BO" disabled=no dst-port=1969 \
protocol=tcp
add action=drop chain=virus comment="Bowl, Shockrave" disabled=no dst-port=\
1981 protocol=tcp
add action=drop chain=virus comment="Back Door, SubSeven, TransScout, Der Spae\
her, Insane Network, Last 2000, Remote Explorer 2000, Senna Spy Trojan Gen\
erator, Der Spaeher, Trojan Cow" disabled=no dst-port=1999-2001 protocol=\
tcp
add action=drop chain=virus comment="Ripper Pro" disabled=no dst-port=2023 \
protocol=tcp
add action=drop chain=virus comment=WinHole disabled=no dst-port=2080 \
protocol=tcp
add action=drop chain=virus comment=Bugs disabled=no dst-port=2115 protocol=\
tcp
add action=drop chain=virus comment="Mini Backlash" disabled=no dst-port=2130 \
protocol=udp
add action=drop chain=virus comment="The Invasor" disabled=no dst-port=2140 \
protocol=tcp
add action=drop chain=virus comment="Deep Throat, Foreplay" disabled=no \
dst-port=2140 protocol=udp
add action=drop chain=virus comment="Illusion Mailer" disabled=no dst-port=\
2155 protocol=tcp
add action=drop chain=virus comment=Nirvana disabled=no dst-port=2255 \
protocol=tcp
add action=drop chain=virus comment="Hvl RAT" disabled=no dst-port=2283 \
protocol=tcp
add action=drop chain=virus comment=Xplorer disabled=no dst-port=2300 \
protocol=tcp
add action=drop chain=virus comment="Studio 54" disabled=no dst-port=2311 \
protocol=tcp
add action=drop chain=virus comment=Contact disabled=no dst-port=2330-2339 \
protocol=tcp
add action=drop chain=virus comment="Voice Spy" disabled=no dst-port=2339 \
protocol=udp
add action=drop chain=virus comment="Doly Trojan" disabled=no dst-port=2345 \
protocol=tcp
add action=drop chain=virus comment="Striker trojan" disabled=no dst-port=\
2565 protocol=tcp
add action=drop chain=virus comment=WinCrash disabled=no dst-port=2583 \
protocol=tcp
add action=drop chain=virus comment="Digital RootBeer" disabled=no dst-port=\
2600 protocol=tcp
add action=drop chain=virus comment="The Prayer" disabled=no dst-port=2716 \
protocol=tcp
add action=drop chain=virus comment="SubSeven, SubSeven 2.1 Gold" disabled=no \
dst-port=2773-2774 protocol=tcp
add action=drop chain=virus comment="Phineas Phucker" disabled=no dst-port=\
2801 protocol=tcp
add action=drop chain=virus comment="Remote Administration Tool RAT" \
disabled=no dst-port=2989 protocol=udp
add action=drop chain=virus comment="Remote Shut" disabled=no dst-port=3000 \
protocol=tcp
add action=drop chain=virus comment=WinCrash disabled=no dst-port=3024 \
protocol=tcp
add action=drop chain=virus comment=Microspy disabled=no dst-port=3031 \
protocol=tcp
add action=drop chain=virus comment="The Invasor" disabled=no dst-port=3150 \
protocol=tcp
add action=drop chain=virus comment="Deep Throat, Foreplay, Mini Backlash" \
disabled=no dst-port=3150 protocol=udp
add action=drop chain=virus comment="Terror trojan" disabled=no dst-port=3456 \
protocol=tcp
add action=drop chain=virus comment="Eclipse 2000, Sanctuary" disabled=no \
dst-port=3459 protocol=tcp
add action=drop chain=virus comment="Portal of Doom" disabled=no dst-port=\
3700 protocol=tcp
add action=drop chain=virus comment=PsychWard disabled=no dst-port=3777 \
protocol=tcp
add action=drop chain=virus comment="Total Solar Eclypse" disabled=no \
dst-port=3791-3801 protocol=tcp
add action=drop chain=virus comment=SkyDance disabled=no dst-port=4000 \
protocol=tcp
add action=drop chain=virus comment=WinCrash disabled=no dst-port=4092 \
protocol=tcp
add action=drop chain=virus comment="Virtual Hacking Machine VHM" disabled=no \
dst-port=4242 protocol=tcp
add action=drop chain=virus comment=BoBo disabled=no dst-port=4321 protocol=\
tcp
add action=drop chain=virus comment="File Nail" disabled=no dst-port=4567 \
protocol=tcp
add action=drop chain=virus comment="ICQ Trojan" disabled=no dst-port=4590 \
protocol=tcp
add action=drop chain=virus comment="ICQ Trogen Lm" disabled=no dst-port=4950 \
protocol=tcp
add action=drop chain=virus comment="Back Door Setup, Blazer5, Bubbel, ICKille\
r, Ra1d, Sockets des Troie, Back Door Setup, Sockets des Troie, cd00r, Sha\
ft" disabled=no dst-port=5000-5002 protocol=tcp
add action=drop chain=virus comment="Solo & One of the Last Trojans OOTLT, One\
\_of the Last Trojans OOTLT, modified" disabled=no dst-port=5010-5011 \
protocol=tcp
add action=drop chain=virus comment="WM Remote KeyLogger" disabled=no \
dst-port=5025 protocol=tcp
add action=drop chain=virus comment="Net Metropolitan" disabled=no dst-port=\
5031-5032 protocol=tcp
add action=drop chain=virus comment=Firehotcker disabled=no dst-port=5321 \
protocol=tcp
add action=drop chain=virus comment="Backage, NetDemon" disabled=no dst-port=\
5333 protocol=tcp
add action=drop chain=virus comment="wCrat WC Remote Administration Tool" \
disabled=no dst-port=5343 protocol=tcp
add action=drop chain=virus comment="Back Construction, Blade Runner" \
disabled=no dst-port=5400-5402 protocol=tcp
add action=drop chain=virus comment="Illusion Mailer" disabled=no dst-port=\
5512 protocol=tcp
add action=drop chain=virus comment="The Flu" disabled=no dst-port=5534 \
protocol=tcp
add action=drop chain=virus comment=Xtcp disabled=no dst-port=5550 protocol=\
tcp
add action=drop chain=virus comment=ServeMe disabled=no dst-port=5555-5557 \
protocol=tcp
add action=drop chain=virus comment=Robo-Hack disabled=no dst-port=5569 \
protocol=tcp
add action=drop chain=virus comment="PC Crasher" disabled=no dst-port=\
5637-5638 protocol=tcp
add action=drop chain=virus comment=WinCrash disabled=no dst-port=5742 \
protocol=tcp
add action=drop chain=virus comment="Portmap Remote Root Linux Exploit" \
disabled=no dst-port=5760 protocol=tcp
add action=drop chain=virus comment="Y3K RAT" disabled=no dst-port=5880-5889 \
protocol=tcp
add action=drop chain=virus comment="The Thing" disabled=no dst-port=6000 \
protocol=tcp
add action=drop chain=virus comment="Bad Blood" disabled=no dst-port=6006 \
protocol=tcp
add action=drop chain=virus comment="Secret Service" disabled=no dst-port=\
6272 protocol=tcp
Block Torrents
add action=drop chain=forward disabled=no p2p=all-p2p
add action=drop chain=forward comment="torrent-DHT-Out-Magnet d1:ad2:id20:" \
content=d1:ad2:id20: disabled=no dst-port=1025-65535 packet-size=95-190 \
protocol=udp
add action=drop chain=forward comment="torrent-DHT-Out-Magnet d1:ad2:id20:" \
disabled=no dst-port=30000-65535 protocol=udp
add action=drop chain=forward comment="torrent /announce..." content=\
"info_hash=" disabled=no dst-port=2710,80 protocol=tcp
Disable unnecessary services in Mikrotik or port services that you have never use.
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
Disable unneccessary tools or that you have never use.
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
/tool mac-server ping
set enabled=no
/routing bgp instance
set default as=65530 disabled=yes
/routing ospf instance
set [ find default=yes ] disabled=yes
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=yes
Step 2, Security.
Setup username and password
user set 0 name=ngeri password=ngeri group=full
user add name=user01 password=password group: read
Don’t use default user admin. Look at what I have done. I change the default user to be other user name. Don't forget to setup the password. It will make your mikrotik more secure.
Firewall in Mikrotik
Setup Firewall.
by grouping IP networks will make it easier to configure the firewall later.
IP-LAN, IP addresses for Lan.
Full-trust, IP Public can be fully trusted. Admin can remotely the Mikrotik.
half-trust, IP public that are not fully trusted, Sometimes, This IP address can be used by admins to remotely the Mikrotik.
Local-untrust, IP address that is not trusted.
/ip firewall address-list
add address=10.17.123.0/24 disabled=no list=IP-LAN
add address=10.254.128.0/22 disabled=no list=IP-LAN
add address=1xx.9x.xx.xx/27 disabled=no list=full-trust
add address=1xx.1xx.xx.xx disabled=no list=full-trust
add address=0.0.0.0/8 disabled=no list=local-untrust
add address=192.168.0.0/16 disabled=no list=local-untrust
add address=127.0.0.0/8 disabled=no list=local-untrust
add address=224.0.0.0/3 disabled=no list=local-untrust
add address=172.16.0.0/12 disabled=no list=local-untrust
add address=1xx.0.0.0/8 disabled=no list=half-trust
add address=2xx.0.0.0/8 disabled=no list=half-trust
add address=1xx.0.0.0/8 disabled=no list=half-trust
add address=3x.0.0.0/8 disabled=no list=half-trust
Drop IP address Local unused or untrusted
/ip firewall filter
add action=drop chain=forward comment="Drop Local Untrust" disabled=no \
src-address-list=local-untrust
add action=drop chain=forward disabled=no dst-address-list=local-untrust
Drop Connection invalid.
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid disabled=no
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=no
For communication Mikrotik with other DNS Server
add action=accept chain=input disabled=no dst-port=53,5353 protocol=udp
add action=accept chain=input disabled=no dst-port=53,5353 protocol=tcp
10.17.123.10 is IP address for cacti. Cacti need port 22 (ssh) and port 161 (snmp). Trust everything from 10.17.123.10.
add action=accept chain=input disabled=no src-address=10.17.123.10
And this is it, rules for IP addresses, 10.17.123.6. Users not need to know about this IP. But if one day users know about this IP address, we can identify who is connected to the IP address. There is a rule to the make records every IP address that accesses to the IP 10.17.123.6. According this results, we can analize IP address that should be blocked.
add action=add-src-to-address-list address-list=IP_connect_to_graph \
address-list-timeout=0s chain=input disabled=no dst-address=10.17.123.6 \
dst-port=80 in-interface=LAN protocol=tcp src-address=10.254.128.0/22
add action=accept chain=input disabled=no dst-address=10.17.123.6 dst-port=80 \
in-interface=LAN protocol=tcp src-address=10.254.128.0/22
add action=drop chain=input disabled=no dst-address=10.17.123.6
Now about the security of the interface WAN. First, we limit IP address that will be connected to the router mikrotik. We just allow IP addresses that exist in half-trust group.
add action=drop chain=input disabled=no in-interface=WAN protocol=tcp \
src-address-list=!half-trust
Identify the IP address of scanner then do blacklist
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
Limited Ping Flooding
add action=accept chain=icmp comment="Limited Ping Flood" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:3 limit=5,5 protocol=\
icmp
add action=accept chain=icmp disabled=no icmp-options=3:4 limit=5,5 protocol=\
icmp
add action=accept chain=icmp disabled=no icmp-options=8:0-255 limit=5,5 \
protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=11:0-255 limit=5,5 \
protocol=icmp
add action=drop chain=icmp disabled=no protocol=icmp
Identify the IP address who using ssh brute forces, then do blacklist.
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
add action=accept chain=input disabled=no in-interface=WAN src-address-list=\
full-trust
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=no \
dst-port=22,8291 protocol=tcp src-address-list=!half-trust
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
src-address-list=ssh_blacklist
add action=drop chain=input disabled=no protocol=tcp in-interface=WAN \
dst-port=!53,5353,22,8291
Just allow to access to ports 22 and 8291, from the interface LAN network.
add action=drop chain=input disabled=no dst-port=!22,8291 in-interface=LAN \
protocol=tcp
Close the ports indicate viruses and malware. Be careful. Make sure the port services that you need and import is not blocked.
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward comment="Separate Protocol into Chains" \
disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=jump chain=forward comment="jump to the virus chain" disabled=no \
jump-target=virus
add action=drop chain=udp comment="Bloking UDP Packet, deny TFTP" disabled=no \
dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
135,445 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=\
3133 protocol=udp
add action=drop chain=tcp comment="Bloking TCP Packet, deny TFTP" disabled=no \
dst-port=67-69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp disabled=yes dst-port=119 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\
3133 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="Drop NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=virus comment=\
"________ And there are port that indicate virus" disabled=no dst-port=\
593 protocol=tcp
add action=drop chain=virus comment="________ & Remote Storm" disabled=no \
dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 \
protocol=tcp
add action=drop chain=virus comment="ndm requester & ndm server" disabled=no \
dst-port=1363-1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=\
3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=\
9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=\
10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=\
10080 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=\
27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=\
no dst-port=65506 protocol=tcp
add action=drop chain=virus comment="Sockets des Troie" disabled=no dst-port=\
1 protocol=udp
add action=drop chain=virus comment=Death disabled=no dst-port=2 protocol=tcp
add action=drop chain=virus comment="Senna Spy FTP server" disabled=no \
dst-port=20 protocol=tcp
add action=drop chain=virus comment="Back Construction, Blade Runner, Cattivik\
\_FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Jugg\
ernaut 42, Larva, MotIv FTP, Net Administrator, Ramen, Senna Spy FTP serve\
r, The Flu, Traitor 21, WebEx, WinCrash" disabled=yes dst-port=21 \
protocol=tcp
add action=drop chain=virus comment=\
"Fire HacKer, Tiny Telnet Server TTS, Truva Atl" disabled=no dst-port=23 \
protocol=tcp
add action=drop chain=virus comment="Ajan, Antigen, Barok, Email Password Send\
er EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang\
2, Magic Horse, MBT Mail Bombing Trojan, Moscow Email trojan, Naebi, NewAp\
t worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, Wi\
nSpy" disabled=no dst-port=25 protocol=tcp
add action=drop chain=virus comment="Agent 40421" disabled=no dst-port=30 \
protocol=tcp
add action=drop chain=virus comment=\
"Agent 31, Hackers Paradise, Masters Paradise" disabled=no dst-port=31 \
protocol=tcp
add action=drop chain=virus comment="Deep Throat, Foreplay" disabled=no \
dst-port=41 protocol=tcp
add action=drop chain=virus comment=DRAT disabled=no dst-port=48 protocol=tcp
add action=drop chain=virus comment=DRAT disabled=no dst-port=50 protocol=tcp
add action=drop chain=virus comment=DMSetup disabled=no dst-port=58 protocol=\
tcp
add action=drop chain=virus comment=DMSetup disabled=no dst-port=59 protocol=\
tcp
add action=drop chain=virus comment="CDK, Firehotcker" disabled=no dst-port=\
79 protocol=tcp
add action=drop chain=virus comment=RemoConChubo disabled=no dst-port=81 \
protocol=tcp
add action=drop chain=virus comment="Hidden Port, NCX" disabled=no dst-port=\
99 protocol=tcp
add action=drop chain=virus comment="ProMail trojan" disabled=yes dst-port=\
110 protocol=tcp
add action=drop chain=virus comment="Invisible Identd Deamon, Kazimas" \
disabled=no dst-port=113 protocol=tcp
add action=drop chain=virus comment="Attack Bot, God Message, JammerKillah" \
disabled=no dst-port=121 protocol=tcp
add action=drop chain=virus comment="Net Controller" disabled=no dst-port=123 \
protocol=tcp
add action=drop chain=virus comment=Farnaz disabled=no dst-port=133 protocol=\
tcp
add action=drop chain=virus comment=NetTaxi disabled=no dst-port=142 \
protocol=tcp
add action=drop chain=virus comment=Infector disabled=no dst-port=146 \
protocol=tcp
add action=drop chain=virus comment=Infector disabled=no dst-port=146 \
protocol=udp
add action=drop chain=virus comment=A-trojan disabled=no dst-port=170 \
protocol=tcp
add action=drop chain=virus comment=Backage disabled=no dst-port=334 \
protocol=tcp
add action=drop chain=virus comment=Backage disabled=no dst-port=411 \
protocol=tcp
add action=drop chain=virus comment="Breach, Incognito" disabled=no dst-port=\
420 protocol=tcp
add action=drop chain=virus comment="TCP Wrappers trojan" disabled=no \
dst-port=421 protocol=tcp
add action=drop chain=virus comment="Hackers Paradise" disabled=no dst-port=\
456 protocol=tcp
add action=drop chain=virus comment="Grlogin & RPC Backdoor" disabled=no \
dst-port=513-514 protocol=tcp
add action=drop chain=virus comment="Net666, Rasmin" disabled=no dst-port=531 \
protocol=tcp
add action=drop chain=virus comment="711 trojan, Seven Eleven, Ini-Killer, Net\
\_Administrator, Phase Zero, Phase-0, Stealth Spy" disabled=no dst-port=\
555 protocol=tcp
add action=drop chain=virus comment="Secret Service" disabled=no dst-port=605 \
protocol=tcp
add action=drop chain=virus comment="Attack FTP, Back Construction, BLA trojan\
, Cain & Abel, NokNok, Satans Back Door SBD, ServU, Shadow Phyre, th3r1pp3\
rz Therippers SniperNet" disabled=no dst-port=666-667 protocol=tcp
add action=drop chain=virus comment="DP trojan" disabled=no dst-port=669 \
protocol=tcp
add action=drop chain=virus comment=GayOL disabled=no dst-port=692 protocol=\
tcp
add action=drop chain=virus comment="AimSpy, Undetected" disabled=no \
dst-port=777 protocol=tcp
add action=drop chain=virus comment=WinHole disabled=no dst-port=808 \
protocol=tcp
add action=drop chain=virus comment="Dark Shadow" disabled=no dst-port=911 \
protocol=tcp
add action=drop chain=virus comment="Deep Throat, Foreplay, WinSatan & Der Spa\
eher, Direct Connection & Der Spaeher, Le Guardien, Silencer, WebEx" \
disabled=no dst-port=999 protocol=tcp
add action=drop chain=virus comment="Doly Trojan" disabled=no dst-port=\
1010-1016 protocol=tcp
add action=drop chain=virus comment=Vampire disabled=no dst-port=1020 \
protocol=tcp
add action=drop chain=virus comment="Remote Storm" disabled=no dst-port=1025 \
protocol=udp
add action=drop chain=virus comment=Multidropper disabled=no dst-port=1035 \
protocol=tcp
add action=drop chain=virus comment="BLA trojan" disabled=no dst-port=1042 \
protocol=tcp
add action=drop chain=virus comment=Rasmin disabled=no dst-port=1045 \
protocol=tcp
add action=drop chain=virus comment="sbin initd" disabled=no dst-port=1049 \
protocol=tcp
add action=drop chain=virus comment=MiniCommand disabled=no dst-port=1050 \
protocol=tcp
add action=drop chain=virus comment="The Thief & AckCmd" disabled=no \
dst-port=1053-1054 protocol=tcp
add action=drop chain=virus comment=WinHole disabled=no dst-port=1080-1083 \
protocol=tcp
add action=drop chain=virus comment=Xtreme disabled=no dst-port=1090 \
protocol=tcp
add action=drop chain=virus comment="Remote Administration Tool RAT, Blood Fes\
t Evolution, Remote Administration Tool RAT" disabled=no dst-port=\
1095-1099 protocol=tcp
add action=drop chain=virus comment=Orion disabled=no dst-port=1150-1151 \
protocol=tcp
add action=drop chain=virus comment=\
"Psyber Stream Server PSS, Streaming Audio Server, Voice" disabled=no \
dst-port=1170 protocol=tcp
add action=drop chain=virus comment=NoBackO disabled=no dst-port=1200-1201 \
protocol=udp
add action=drop chain=virus comment="SoftWAR & Infector" disabled=no \
dst-port=1207-1208 protocol=tcp
add action=drop chain=virus comment=Kaos disabled=no dst-port=1212 protocol=\
tcp
add action=drop chain=virus comment="SubSeven Java client, Ultors Trojan" \
disabled=no dst-port=1234 protocol=tcp
add action=drop chain=virus comment=\
"BackDoor-G, SubSeven, SubSeven Apocalypse, Tiles" disabled=no dst-port=\
1243 protocol=tcp
add action=drop chain=virus comment="VooDoo Doll" disabled=no dst-port=1245 \
protocol=tcp
add action=drop chain=virus comment="Scarab & Project nEXT" disabled=no \
dst-port=1255-1256 protocol=tcp
add action=drop chain=virus comment=Matrix disabled=no dst-port=1269 \
protocol=tcp
add action=drop chain=virus comment="The Matrix" disabled=no dst-port=1272 \
protocol=tcp
add action=drop chain=virus comment=NETrojan disabled=no dst-port=1313 \
protocol=tcp
add action=drop chain=virus comment="Millenium Worm" disabled=no dst-port=\
1338 protocol=tcp
add action=drop chain=virus comment="Bo dll" disabled=no dst-port=1349 \
protocol=tcp
add action=drop chain=virus comment="GoFriller, Backdoor G-1" disabled=no \
dst-port=1394 protocol=tcp
add action=drop chain=virus comment="Remote Storm" disabled=no dst-port=1441 \
protocol=tcp
add action=drop chain=virus comment=FTP99CMP disabled=no dst-port=1492 \
protocol=tcp
add action=drop chain=virus comment=Trinoo disabled=no dst-port=1524 \
protocol=tcp
add action=drop chain=virus comment="Remote Hack" disabled=no dst-port=1568 \
protocol=tcp
add action=drop chain=virus comment="Direct Connection, Shivka-Burka" \
disabled=no dst-port=1600 protocol=tcp
add action=drop chain=virus comment=Exploiter disabled=no dst-port=1703 \
protocol=tcp
add action=drop chain=virus comment=Scarab disabled=no dst-port=1777 \
protocol=tcp
add action=drop chain=virus comment=SpySender disabled=no dst-port=1807 \
protocol=tcp
add action=drop chain=virus comment="Fake FTP & WM FTP Server" disabled=no \
dst-port=1966-1967 protocol=tcp
add action=drop chain=virus comment="OpC BO" disabled=no dst-port=1969 \
protocol=tcp
add action=drop chain=virus comment="Bowl, Shockrave" disabled=no dst-port=\
1981 protocol=tcp
add action=drop chain=virus comment="Back Door, SubSeven, TransScout, Der Spae\
her, Insane Network, Last 2000, Remote Explorer 2000, Senna Spy Trojan Gen\
erator, Der Spaeher, Trojan Cow" disabled=no dst-port=1999-2001 protocol=\
tcp
add action=drop chain=virus comment="Ripper Pro" disabled=no dst-port=2023 \
protocol=tcp
add action=drop chain=virus comment=WinHole disabled=no dst-port=2080 \
protocol=tcp
add action=drop chain=virus comment=Bugs disabled=no dst-port=2115 protocol=\
tcp
add action=drop chain=virus comment="Mini Backlash" disabled=no dst-port=2130 \
protocol=udp
add action=drop chain=virus comment="The Invasor" disabled=no dst-port=2140 \
protocol=tcp
add action=drop chain=virus comment="Deep Throat, Foreplay" disabled=no \
dst-port=2140 protocol=udp
add action=drop chain=virus comment="Illusion Mailer" disabled=no dst-port=\
2155 protocol=tcp
add action=drop chain=virus comment=Nirvana disabled=no dst-port=2255 \
protocol=tcp
add action=drop chain=virus comment="Hvl RAT" disabled=no dst-port=2283 \
protocol=tcp
add action=drop chain=virus comment=Xplorer disabled=no dst-port=2300 \
protocol=tcp
add action=drop chain=virus comment="Studio 54" disabled=no dst-port=2311 \
protocol=tcp
add action=drop chain=virus comment=Contact disabled=no dst-port=2330-2339 \
protocol=tcp
add action=drop chain=virus comment="Voice Spy" disabled=no dst-port=2339 \
protocol=udp
add action=drop chain=virus comment="Doly Trojan" disabled=no dst-port=2345 \
protocol=tcp
add action=drop chain=virus comment="Striker trojan" disabled=no dst-port=\
2565 protocol=tcp
add action=drop chain=virus comment=WinCrash disabled=no dst-port=2583 \
protocol=tcp
add action=drop chain=virus comment="Digital RootBeer" disabled=no dst-port=\
2600 protocol=tcp
add action=drop chain=virus comment="The Prayer" disabled=no dst-port=2716 \
protocol=tcp
add action=drop chain=virus comment="SubSeven, SubSeven 2.1 Gold" disabled=no \
dst-port=2773-2774 protocol=tcp
add action=drop chain=virus comment="Phineas Phucker" disabled=no dst-port=\
2801 protocol=tcp
add action=drop chain=virus comment="Remote Administration Tool RAT" \
disabled=no dst-port=2989 protocol=udp
add action=drop chain=virus comment="Remote Shut" disabled=no dst-port=3000 \
protocol=tcp
add action=drop chain=virus comment=WinCrash disabled=no dst-port=3024 \
protocol=tcp
add action=drop chain=virus comment=Microspy disabled=no dst-port=3031 \
protocol=tcp
add action=drop chain=virus comment="The Invasor" disabled=no dst-port=3150 \
protocol=tcp
add action=drop chain=virus comment="Deep Throat, Foreplay, Mini Backlash" \
disabled=no dst-port=3150 protocol=udp
add action=drop chain=virus comment="Terror trojan" disabled=no dst-port=3456 \
protocol=tcp
add action=drop chain=virus comment="Eclipse 2000, Sanctuary" disabled=no \
dst-port=3459 protocol=tcp
add action=drop chain=virus comment="Portal of Doom" disabled=no dst-port=\
3700 protocol=tcp
add action=drop chain=virus comment=PsychWard disabled=no dst-port=3777 \
protocol=tcp
add action=drop chain=virus comment="Total Solar Eclypse" disabled=no \
dst-port=3791-3801 protocol=tcp
add action=drop chain=virus comment=SkyDance disabled=no dst-port=4000 \
protocol=tcp
add action=drop chain=virus comment=WinCrash disabled=no dst-port=4092 \
protocol=tcp
add action=drop chain=virus comment="Virtual Hacking Machine VHM" disabled=no \
dst-port=4242 protocol=tcp
add action=drop chain=virus comment=BoBo disabled=no dst-port=4321 protocol=\
tcp
add action=drop chain=virus comment="File Nail" disabled=no dst-port=4567 \
protocol=tcp
add action=drop chain=virus comment="ICQ Trojan" disabled=no dst-port=4590 \
protocol=tcp
add action=drop chain=virus comment="ICQ Trogen Lm" disabled=no dst-port=4950 \
protocol=tcp
add action=drop chain=virus comment="Back Door Setup, Blazer5, Bubbel, ICKille\
r, Ra1d, Sockets des Troie, Back Door Setup, Sockets des Troie, cd00r, Sha\
ft" disabled=no dst-port=5000-5002 protocol=tcp
add action=drop chain=virus comment="Solo & One of the Last Trojans OOTLT, One\
\_of the Last Trojans OOTLT, modified" disabled=no dst-port=5010-5011 \
protocol=tcp
add action=drop chain=virus comment="WM Remote KeyLogger" disabled=no \
dst-port=5025 protocol=tcp
add action=drop chain=virus comment="Net Metropolitan" disabled=no dst-port=\
5031-5032 protocol=tcp
add action=drop chain=virus comment=Firehotcker disabled=no dst-port=5321 \
protocol=tcp
add action=drop chain=virus comment="Backage, NetDemon" disabled=no dst-port=\
5333 protocol=tcp
add action=drop chain=virus comment="wCrat WC Remote Administration Tool" \
disabled=no dst-port=5343 protocol=tcp
add action=drop chain=virus comment="Back Construction, Blade Runner" \
disabled=no dst-port=5400-5402 protocol=tcp
add action=drop chain=virus comment="Illusion Mailer" disabled=no dst-port=\
5512 protocol=tcp
add action=drop chain=virus comment="The Flu" disabled=no dst-port=5534 \
protocol=tcp
add action=drop chain=virus comment=Xtcp disabled=no dst-port=5550 protocol=\
tcp
add action=drop chain=virus comment=ServeMe disabled=no dst-port=5555-5557 \
protocol=tcp
add action=drop chain=virus comment=Robo-Hack disabled=no dst-port=5569 \
protocol=tcp
add action=drop chain=virus comment="PC Crasher" disabled=no dst-port=\
5637-5638 protocol=tcp
add action=drop chain=virus comment=WinCrash disabled=no dst-port=5742 \
protocol=tcp
add action=drop chain=virus comment="Portmap Remote Root Linux Exploit" \
disabled=no dst-port=5760 protocol=tcp
add action=drop chain=virus comment="Y3K RAT" disabled=no dst-port=5880-5889 \
protocol=tcp
add action=drop chain=virus comment="The Thing" disabled=no dst-port=6000 \
protocol=tcp
add action=drop chain=virus comment="Bad Blood" disabled=no dst-port=6006 \
protocol=tcp
add action=drop chain=virus comment="Secret Service" disabled=no dst-port=\
6272 protocol=tcp
Block Torrents
add action=drop chain=forward disabled=no p2p=all-p2p
add action=drop chain=forward comment="torrent-DHT-Out-Magnet d1:ad2:id20:" \
content=d1:ad2:id20: disabled=no dst-port=1025-65535 packet-size=95-190 \
protocol=udp
add action=drop chain=forward comment="torrent-DHT-Out-Magnet d1:ad2:id20:" \
disabled=no dst-port=30000-65535 protocol=udp
add action=drop chain=forward comment="torrent /announce..." content=\
"info_hash=" disabled=no dst-port=2710,80 protocol=tcp
Disable unnecessary services in Mikrotik or port services that you have never use.
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
Disable unneccessary tools or that you have never use.
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
/tool mac-server ping
set enabled=no
/routing bgp instance
set default as=65530 disabled=yes
/routing ospf instance
set [ find default=yes ] disabled=yes
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=yes