Firewall - Attacks & Tips
TRANSCRIPT
-
8/12/2019 Firewall - Attacks & Tips
MAIN ATTACKS (AND DEFENSES)
-
PORT SCAN ATTACKS
How does this attack work? The attacker uses a program to scan the open ports of your router (or of a host on your network) and then launches an attack against them.
How do you protect your network?
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
-
PORT SCAN ATTACKS
How do you protect your network?
/ip firewall filter
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
-
PORT SCAN ATTACKS
How do you protect your network?
/ip firewall filter
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
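The rules on the three port-scan slides combine two matchers: psd=21,3s,3,1, which scores packets from one source by how many distinct destination ports they touch, and tcp-flags signatures for the flag combinations a normal client never sends. The Python below is an added example written for this transcript, not code from the slides or from MikroTik; the class and function names are invented, the psd parameters are read as the RouterOS documentation defines them (WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight, privileged ports being those up to 1024), and the way the delay window is applied is a simplification of the real detector.

```python
# Added example: a Python model of the slides' port-scan rules (not RouterOS code).
# The psd parameter meaning follows the RouterOS documentation; the delay-window
# handling and all names here are simplifications chosen for this example.
from collections import defaultdict

TCP_FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg"}

# tcp-flags values from the slides, in RouterOS syntax: a listed flag must be set,
# a "!flag" must be clear, and flags that are not listed are ignored.
SCAN_SIGNATURES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan", "fin,syn"),
    ("SYN/RST scan", "syn,rst"),
    ("FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]


def parse_tcp_flags(spec):
    """Split a RouterOS tcp-flags value into (must_be_set, must_be_clear)."""
    must_set, must_clear = set(), set()
    for item in spec.split(","):
        item = item.strip()
        target = must_clear if item.startswith("!") else must_set
        target.add(item.lstrip("!"))
    unknown = (must_set | must_clear) - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return must_set, must_clear


def match_tcp_flags(packet_flags, spec):
    """True if a packet with exactly `packet_flags` set matches the tcp-flags value `spec`."""
    must_set, must_clear = parse_tcp_flags(spec)
    flags = set(packet_flags)
    return must_set <= flags and not (must_clear & flags)


def classify_scan(packet_flags):
    """Comment of the first slide rule (in slide order) that the flag combination hits, or None."""
    for comment, spec in SCAN_SIGNATURES:
        if match_tcp_flags(packet_flags, spec):
            return comment
    return None


class PortScanDetector:
    """Model of psd=21,3s,3,1 feeding the 'port scanners' list, plus the drop rule."""

    def __init__(self, weight_threshold=21, delay=3.0, low_weight=3, high_weight=1,
                 list_timeout=14 * 24 * 3600):  # address-list-timeout=2w
        self.weight_threshold = weight_threshold
        self.delay = delay
        self.low_weight = low_weight
        self.high_weight = high_weight
        self.list_timeout = list_timeout
        self.sequences = defaultdict(dict)  # src -> {dst_port: time last seen}
        self.port_scanners = {}             # the address list: src -> expiry time

    def _weight(self, port):
        # RouterOS documents LowPortWeight as applying to privileged ports (<= 1024).
        return self.low_weight if port <= 1024 else self.high_weight

    def packet(self, src, dst_port, now):
        """Run one inbound TCP packet through the two rules; returns 'drop' or 'accept'."""
        expiry = self.port_scanners.get(src)
        if expiry is not None and expiry > now:
            return "drop"  # rule 2: src-address-list="port scanners" action=drop
        seq = self.sequences[src]
        # Simplification of DelayThreshold: ports not seen within `delay` seconds
        # no longer belong to the current scan sequence.
        for port, seen in list(seq.items()):
            if now - seen > self.delay:
                del seq[port]
        seq[dst_port] = now
        if sum(self._weight(p) for p in seq) >= self.weight_threshold:
            # rule 1: add-src-to-address-list; the packet itself is not dropped here
            self.port_scanners[src] = now + self.list_timeout
            seq.clear()
        return "accept"
```

Two things the model makes visible: with the slide's weights, seven distinct privileged ports (7 x 3 = 21) or twenty-one distinct high ports inside the window are enough to list a source, and the listing rule never drops the packet that crossed the threshold, so the separate drop rule is what actually stops the scan from the next packet on. A client that keeps reusing a couple of ports (80 and 443) never accumulates enough weight.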
-
DOS (DENIAL OF SERVICE) ATTACKS
How does this attack work?
A denial-of-service (DoS) attack is an attempt to make a system's resources unavailable to its users. It is not an intrusion into the system, but rather its invalidation by overload. DDoS attacks are the same as DoS attacks, but carried out in a distributed way.
-
DOS (DENIAL OF SERVICE) ATTACKS
How do you protect your network? By limiting incoming connections:
/ip firewall filter
add chain=input protocol=tcp connection-limit=100,32 action=add-src-to-address-list address-list=end_bloqueados address-list-timeout=1d
add chain=input protocol=tcp src-address-list=end_bloqueados connection-limit=3,32 action=tarpit
-
DOS (DENIAL OF SERVICE) ATTACKS
How do you protect your network?
Filtering the SYN (TCP) state:
/ip firewall filter
add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no
Enabling SYN cookies (TCP):
/ip firewall connection tracking set tcp-syncookie=yes
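The connection-limit pair on the previous slide is easy to misread: the second number is a netmask that decides how sources are grouped before counting, and the tarpit rule only applies to sources already on the end_bloqueados list. The Python below is an added example written for this transcript, not code from the slides or from MikroTik; function names and the sample addresses are constructed, and the model assumes that connection-limit matches when the count is strictly greater than the limit and that add-src-to-address-list lets the packet continue to the next rule.

```python
# Added example: a Python model of the slides' two connection-limit rules
# (not RouterOS code). Names and sample addresses are constructed; the model
# assumes connection-limit matches when the count is strictly greater than the
# limit and that add-src-to-address-list lets the packet continue to the next rule.
import ipaddress

BLOCK_TIMEOUT = 24 * 3600   # address-list-timeout=1d on end_bloqueados


def connections_in_block(open_connections, src, netmask):
    """Count tracked connections whose source shares src's /netmask block.

    This is what the second number in connection-limit=<limit>,<netmask> does:
    with 32 every host has its own counter, with 24 a whole /24 shares one.
    """
    block = ipaddress.ip_network(f"{src}/{netmask}", strict=False)
    return sum(1 for c in open_connections if ipaddress.ip_address(c) in block)


def over_limit(open_connections, src, limit, netmask):
    return connections_in_block(open_connections, src, netmask) > limit


class DosFilter:
    """The slide's input-chain pair: list heavy sources, then tarpit listed ones."""

    def __init__(self, limit=100, netmask=32, tarpit_limit=3):
        self.limit = limit
        self.netmask = netmask
        self.tarpit_limit = tarpit_limit
        self.blocked = {}   # end_bloqueados: src -> expiry time

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if expiry <= now:
            del self.blocked[src]   # the 1d entry timed out
            return False
        return True

    def new_tcp_connection(self, open_connections, src, now):
        """Evaluate one new inbound TCP connection from src.

        open_connections lists the sources of all currently tracked TCP
        connections, the new one included. Returns 'tarpit' or 'accept'.
        """
        # rule 1: connection-limit=100,32 -> add-src-to-address-list end_bloqueados
        if over_limit(open_connections, src, self.limit, self.netmask):
            self.blocked[src] = now + BLOCK_TIMEOUT
        # rule 2: src-address-list=end_bloqueados connection-limit=3,32 -> tarpit
        if self.is_blocked(src, now) and over_limit(open_connections, src, self.tarpit_limit, self.netmask):
            return "tarpit"
        return "accept"
```

Once a source is listed, anything beyond three concurrent connections from it is tarpitted for the rest of the day, even if the burst that got it listed is long gone. The netmask also decides who shares a counter: many customers behind one NAT address all count against the same /32, and switching to ,24 would make a whole /24 share the 100-connection budget.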
-
BRUTE FORCE ATTACKS
How do you protect your network?
Protection for FTP:
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
-
BRUTE FORCE ATTACKS
How do you protect your network?
Protection for SSH:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
-
BRUTE FORCE ATTACKS
How do you protect your network?
Protection for SSH:
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
-
BRUTE FORCE ATTACKS
How do you protect your network?
Protection for SSH:
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
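The five SSH rules on the last three slides form a staircase: each new connection to port 22 moves the source one stage up (ssh_stage1 to ssh_stage2 to ssh_stage3), the stage entries live one minute, and a source that reaches stage 3 and connects again lands on ssh_blacklist for ten days. The Python below is an added example written for this transcript, not code from the slides or from MikroTik; the names are invented, the timeouts are the slides' own, and the model assumes that add-src-to-address-list does not stop rule processing and that re-adding an address that is already on a list does not refresh its timeout.

```python
# Added example: a Python model of the slides' staged SSH brute-force rules
# (not RouterOS code). Names are invented; timeouts follow the slides. The model
# assumes that add-src-to-address-list does not stop rule processing and that
# re-adding an address already on a list does not refresh its timeout.

STAGE_TIMEOUT = 60                   # address-list-timeout=1m on ssh_stage1..3
BLACKLIST_TIMEOUT = 10 * 24 * 3600   # address-list-timeout=10d on ssh_blacklist
SSH_PORT = 22


class AddressLists:
    """Dynamic address lists with per-entry expiry: list name -> {address: expiry}."""

    def __init__(self):
        self.lists = {}

    def add(self, name, addr, now, timeout):
        entries = self.lists.setdefault(name, {})
        if addr not in entries:
            entries[addr] = now + timeout

    def contains(self, name, addr, now):
        entries = self.lists.get(name, {})
        expiry = entries.get(addr)
        if expiry is None:
            return False
        if expiry <= now:
            del entries[addr]     # the entry timed out
            return False
        return True


def ssh_input_chain(lists, src, now, dst_port=SSH_PORT):
    """Evaluate one new TCP connection against the five slide rules, in slide order.

    Returns 'drop' when the ssh_blacklist rule fires, 'accept' otherwise (the
    deck's minimal input chain accepts port 22), or None for non-SSH traffic.
    """
    if dst_port != SSH_PORT:
        return None
    if lists.contains("ssh_blacklist", src, now):
        return "drop"
    # Promotion is ordered 3 -> 2 -> 1 so that one connection advances one stage only.
    if lists.contains("ssh_stage3", src, now):
        lists.add("ssh_blacklist", src, now, BLACKLIST_TIMEOUT)
    if lists.contains("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, now, STAGE_TIMEOUT)
    if lists.contains("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, now, STAGE_TIMEOUT)
    lists.add("ssh_stage1", src, now, STAGE_TIMEOUT)
    return "accept"


def simulate(lists, src, attempt_times):
    """Verdict for each new SSH connection from src at the given times (seconds)."""
    return [ssh_input_chain(lists, src, t) for t in attempt_times]
```

Four new connections inside one minute are enough to be blacklisted; the fourth one is still accepted, because the blacklist entry is created after the drop rule has already been evaluated for that packet, and the fifth is dropped. Spacing attempts more than a minute apart never gets past stage 1. The rule counts connections, not failed logins, so an administrator who opens several SSH sessions in quick succession is treated the same way; accepting management networks before these rules avoids that.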
-
TIPS & TRICKS
-
MINIMUM PROTECTIONS
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=22 comment="SSH"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
add chain=input src-address=SUAS_REDES comment="Aceita redes"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
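This minimal input chain only works as intended because of rule order and of two RouterOS conventions: a filter rule with no action accepts, and log does not end processing, so the final drop still fires. The Python below is an added example written for this transcript, not code from the slides or from MikroTik; the Packet shape, the rule table, the token-bucket approximation of limit=50/5s,2 and the network used in place of the slide's SUAS_REDES placeholder are all assumptions of this model.

```python
# Added example: a first-match evaluator for the slide's minimal input chain
# (not RouterOS code). The Packet shape, the rule table and the token-bucket
# approximation of limit=50/5s,2 are assumptions of this model; the network
# below stands in for the slide's SUAS_REDES placeholder.
import ipaddress
from dataclasses import dataclass

OWN_NETWORKS = ["10.0.0.0/8"]   # constructed value for SUAS_REDES


@dataclass
class Packet:
    src: str
    protocol: str                   # "tcp", "udp" or "icmp"
    dst_port: int = 0
    connection_state: str = "new"   # "established", "related", "invalid" or "new"
    time: float = 0.0               # seconds, for the ping limiter


class RateLimiter:
    """Token-bucket approximation of limit=50/5s,2: 50 packets per 5 s, burst 2."""

    def __init__(self, count=50, interval=5.0, burst=2):
        self.rate = count / interval   # tokens per second
        self.capacity = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class InputChain:
    def __init__(self, own_networks=OWN_NETWORKS):
        self.nets = [ipaddress.ip_network(n) for n in own_networks]
        self.icmp_limit = RateLimiter()
        self.log = []
        # (comment, match, action) in slide order. Rules written without an
        # action on the slide use the RouterOS default, accept.
        self.rules = [
            ("Accept established connections", lambda p: p.connection_state == "established", "accept"),
            ("Accept related connections", lambda p: p.connection_state == "related", "accept"),
            ("Drop invalid connections", lambda p: p.connection_state == "invalid", "drop"),
            ("UDP", lambda p: p.protocol == "udp", "accept"),
            ("Allow limited pings", lambda p: p.protocol == "icmp" and self.icmp_limit.allow(p.time), "accept"),
            ("Drop excess pings", lambda p: p.protocol == "icmp", "drop"),
            ("SSH", lambda p: p.protocol == "tcp" and p.dst_port == 22, "accept"),
            ("winbox", lambda p: p.protocol == "tcp" and p.dst_port == 8291, "accept"),
            ("Aceita redes", lambda p: self.from_own_network(p.src), "accept"),
            ("Log everything else", lambda p: True, "log"),
            ("Drop everything else", lambda p: True, "drop"),
        ]

    def from_own_network(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.nets)

    def evaluate(self, p):
        """Walk the rules in order; the first matching terminating action decides."""
        for _comment, match, action in self.rules:
            if not match(p):
                continue
            if action == "log":
                # log is not a terminating action: record and fall through
                self.log.append(f"DROP INPUT: {p.protocol} {p.src} -> port {p.dst_port}")
                continue
            return action
        return "accept"   # nothing matched: RouterOS accepts by default
```

Running constructed packets through it shows the one weak spot of the slide's chain: the "UDP" rule accepts every UDP packet addressed to the router itself, so every UDP service the router runs (DNS, SNMP, and so on) is reachable from any source. Restricting that rule to the needed ports, or to src-address-list of trusted networks, keeps the rest of the chain as it is.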
-
BLOCKING ULTRASURF
/ip firewall address-list
add address=65.49.0.0/17 comment="" disabled=no list=UltraSurfServers
add address=204.107.140.0/24 comment="" disabled=no list=UltraSurfServers
/ip firewall mangle
add action=add-src-to-address-list address-list=UltraSurfUsers address-list-timeout=5m chain=prerouting comment=UltraSurfUsers disabled=no dst-address-list=UltraSurfServers dst-port=443 protocol=tcp
/ip firewall filter
add action=drop chain=forward comment="Block UltraSurf" disabled=no dst-port=443 protocol=tcp src-address-list=UltraSurfUsers
-
BLOCKING ARES
/ip firewall layer7-protocol
add name=ares regexp="^\03[]Z].\?.\?\05\$"
/ip firewall filter
add action=drop chain=forward disabled=yes in-interface=local layer7-protocol=ares
-
MANIPULATING SPEED METERS
1. Create an address list with all the addresses of the speed meters;
2. Create a mangle rule marking the connection of these packets;
3. Create a mangle rule marking the packets of that connection;
4. Create a queue-tree rule specifying the speed for the meters and selecting the packets marked earlier.
-
OTHER TIPS
/ip firewall mangle
add action=change-ttl chain=postrouting comment="BLOQUEIO DE COMPARTILHAMENTO" disabled=yes new-ttl=set:127 out-interface=local passthrough=no
add action=change-ttl chain=postrouting comment="BLOQUEIO DE P2P" disabled=yes new-ttl=set:1 p2p=all-p2p passthrough=no
add action=change-ttl chain=forward comment="BLOQUEIO DE TRACERT/TRACEROUTE" disabled=yes new-ttl=set:30 passthrough=yes protocol=icmp
-
THANK YOU VERY MUCH!!
www.teleclubrasil.com.br
OI (21) 8833-7141
TIM (21) 6928-0110
http://www.catvbrasil.com.br/