
Seguridad paso a paso en Mikrotik



Pasos básicos para asegurar MikroTik (RouterOS)

  • Cambiar la contraseña y renombrar la cuenta de administrador (el nombre «admin» es el primero que prueba cualquier atacante)

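# Change the password of the built-in account and rename it, so an attacker
# has to guess both the login name and the password. "0" is the first entry
# of /user print, normally the factory "admin" user; "mygreatpassword" is a
# placeholder — use a long, random password.
/user set 0 password=mygreatpassword
/user set 0 name=tikadmin
# Optionally limit where this account may log in from (management network):
# /user set 0 address=10.0.0.0/12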

  • Deshabilitar Neighbor Discovery (MNDP/CDP/LLDP): evita que el router anuncie su identidad, versión y direcciones a cualquier vecino, incluido el WAN

# Stop the router from announcing itself (MNDP/CDP/LLDP); the announcements
# leak identity, RouterOS version and addresses to anything on the wire,
# including the upstream side. This is the 2015-era RouterOS 6.x syntax;
# on 6.41+ the equivalent setting is
# "/ip neighbor discovery-settings set discover-interface-list=..." — verify
# on your release. Disabling discovery on every interface also hides the
# router from the Winbox neighbor list on the LAN; keep LAN enabled if needed.
/ip neighbor discovery settings set default=no default-for-dynamic=no

/ip neighbor discovery set [find] discover=no

  • Ataque interno DDoS por virus: el filtrado por ruta inversa (RPF, Reverse Path Forwarding) descarta el tráfico con dirección de origen falsificada (“spoofed”) que generan los equipos infectados de la LAN

# Strict unicast reverse-path filtering: a packet whose source address would
# not be routed back out of the interface it arrived on is discarded, which
# removes spoofed-source traffic from infected LAN hosts. "strict" breaks
# asymmetric routing (multi-WAN, policy routing); use rp-filter=loose there.
/ip settings set rp-filter=strict

  • Revisar servicios: deshabilitar todo servicio de administración que no se use y limitar los restantes a la red de gestión

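# Disable every management daemon that is not needed. The original disabled
# services by numeric index (0,1,2,4,5,7); the index order depends on the
# RouterOS release, so refer to services by name. This leaves only ssh and
# winbox enabled.
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
# Bind the remaining services to the management network so they are not
# reachable from the WAN even if a firewall rule is mis-ordered later.
/ip service set ssh address=10.0.0.0/12
/ip service set winbox address=10.0.0.0/12

/tool bandwidth-server set enabled=no
# With allow-remote-requests=no the router answers no DNS queries at all. If
# LAN hosts use the router as resolver, leave it =yes and rely on the input
# chain to drop UDP/TCP 53 arriving on the WAN instead.
/ip dns set allow-remote-requests=no
/ip socks set enabled=no
/ip proxy set enabled=no
/ip upnp set enabled=no

# Refuse weak SSH ciphers and key exchanges. Also restrict MAC-level access
# (/tool mac-server and /tool mac-server mac-winbox) to LAN interfaces only;
# the exact syntax differs between RouterOS releases.
/ip ssh set strong-crypto=yes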

  • Bogons (rangos de direcciones que nunca deberían aparecer como origen de paquetes que entran por el WAN)

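# Address ranges that must never appear as a *source* on the upstream link:
# RFC 1918 private space plus the special-purpose ranges of RFC 6890. The
# list is consumed by the forward-chain bogon rule on the WAN interface only;
# never apply it on LAN interfaces, where RFC 1918 sources are legitimate.
/ip firewall address-list
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
# Ranges missing from the original list:
# Shared address space (CGNAT). Remove this entry if the ISP hands the WAN
# a 100.64.x.x address, because upstream hops will then source ICMP
# (traceroute, PMTUD) from this range.
add address=100.64.0.0/10 list=Bogon
add address=192.0.0.0/24 list=Bogon
add address=192.0.2.0/24 list=Bogon
add address=198.18.0.0/15 list=Bogon
add address=198.51.100.0/24 list=Bogon
add address=203.0.113.0/24 list=Bogon
add address=224.0.0.0/4 list=Bogon
add address=240.0.0.0/4 list=Bogon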

  • Firewall

INPUT (tráfico dirigido al propio router), OUTPUT (tráfico generado por el router) y FORWARD (tráfico enrutado)

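# Stateful filtering for the router itself (input/output) and for routed
# traffic (forward). Rules are evaluated top-to-bottom within each chain, so
# anything appended after a chain's final "Drop All" rule is unreachable;
# later additions must use place-before=[find comment="..."].
# "WAN" must be the real name of the upstream interface. The original text
# mixed WAN, ether1 and ether1-gateway for what is evidently one interface;
# a rule that names a non-existent interface is rejected when added, which
# silently leaves holes in the policy.
/ip firewall filter

# --- INPUT: traffic addressed to the router ---
add chain=input comment="Accept Established / Related Input" connection-state=established,related
add action=drop chain=input comment="Drop Invalid Input" connection-state=invalid
# Management is accepted only when it arrives on a non-WAN interface, so a
# packet spoofing a 10.x source address on the WAN cannot reach ssh/winbox
# (rp-filter helps, but this does not depend on the routing table).
add chain=input comment="Allow Management Input" in-interface=!WAN src-address=10.0.0.0/12
add action=drop chain=input comment="Drop WAN Input" in-interface=WAN
add action=drop chain=input comment="Drop Input" log=yes log-prefix="Input Drop"

# --- OUTPUT: traffic generated by the router ---
add chain=output comment="Accept Established / Related Output" connection-state=established,related
add chain=output comment="Allow Management Output" src-address=10.0.0.0/12
# The original matched only ICMP carrying IP options (ipv4-options=any),
# which practically never fires; plain ICMP is what ping/traceroute need.
add chain=output comment="Allow ICMP Output" protocol=icmp
# NOTE: this also blocks router-originated DNS, NTP and package updates
# towards the WAN; add explicit accept rules above it if the router needs them.
add action=drop chain=output comment="Drop WAN Output" out-interface=WAN
# The original "chain=output in-interface=WAN" drop was removed: packets
# generated by the router have no input interface, so it could never match.

# --- FORWARD: traffic routed through the router ---
add action=fasttrack-connection chain=forward comment="Fast Track Established / Related Forward" connection-state=established,related
add chain=forward comment="Accept Established / Related Forward" connection-state=established,related
add action=drop chain=forward comment="Drop Invalid Forward" connection-state=invalid
# Bogon check before the LAN accept so a spoofed private source arriving on
# the WAN cannot be hair-pinned back out. Logging every hit can flood the
# log on a busy link; remove log=yes if that happens.
add action=drop chain=forward comment="Drop Bogon Forward -> WAN" in-interface=WAN log=yes log-prefix="Bogon Forward Drop" src-address-list=Bogon
add chain=forward comment="Allow client LAN traffic out WAN" out-interface=WAN src-address=192.168.0.0/24
add action=drop chain=forward comment="Drop All Forward"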

FORWARD: puertos usados por gusanos/virus (deben quedar ANTES de la regla que acepta el tráfico de la LAN y de "Drop All Forward", o nunca se evaluarán)

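# Block ports historically abused by worms (NetBIOS/SMB 135-139 and 445,
# MSSQL 1434, MyDoom backdoors 3127-3149, ...). The original appended these
# rules after "Drop All Forward", so they never matched, and after "Allow
# client LAN traffic out WAN", so LAN-originated worm traffic was already
# accepted. Each rule is therefore inserted before the LAN accept rule; that
# rule's comment must exist exactly once for [find] to return a single ID.
# Caveat: this also breaks legitimate SMB/NetBIOS between sites routed
# through this box; narrow with in-interface/src-address if that is needed.
/ip firewall filter
add action=drop chain=forward comment="Drop worm ports TCP" dst-port=135-139,444,445,996-999,1434,3127,3129-3149 protocol=tcp place-before=[find comment="Allow client LAN traffic out WAN"]
add action=drop chain=forward comment="Drop worm ports UDP" dst-port=80,135-139,444,445,996-999,1434,3127-3149 protocol=udp place-before=[find comment="Allow client LAN traffic out WAN"]
# ident (113/tcp) is rejected rather than dropped so remote servers that
# probe ident get an immediate error instead of waiting for a timeout.
add action=reject chain=forward comment="Reject ident" dst-port=113 protocol=tcp place-before=[find comment="Allow client LAN traffic out WAN"]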

# Queue types referenced by name from the simple queues that follow. Entry
# order matters here: "set 0" edits the first, pre-existing entry by index.
/queue type

set 0 pfifo-limit=60

# Per-connection-queue (PCQ) types: download is classified per destination
# address, upload per source address, each sub-stream capped at pcq-rate=2M.
# The _DN_Res type also carries burst parameters (12M burst, 1500k threshold,
# 2m40s burst time). The /64 masks group IPv6 clients per prefix.
add kind=pcq name=pcq_2M_DN_Res pcq-burst-rate=12M pcq-burst-threshold=1500k pcq-burst-time=2m40s pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=64

add kind=pcq name=pcq_2M_UP_Res pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=64

# Base PCQ types with a 100-packet per-sub-queue limit; pcq-rate is left at
# its default (not shown here).
add kind=pcq name=pcq-download-base pcq-classifier=dst-address pcq-limit=100

add kind=pcq name=pcq-upload-base pcq-classifier=src-address pcq-limit=100

add kind=pfifo name=laredonet pfifo-limit=60

/queue simple

add disabled=yes limit-at=500M/500M max-limit=500M/500M name="LaredoNet - Redes - 180M" priority=1/1 queue=wireless-default/wireless-default target="216.150.43.0/24,216.150.44.0/24,216.150.45.0/24,216.150.46.0/24,216.150.47.0/24" total-queue=default

add limit-at=512k/512k max-limit=30M/30M name=ns2.netscorp.net priority=7/7 queue=default/default target=216.150.32.3/32 total-queue=default

add limit-at=512k/512k max-limit=30M/30M name="queue TEMPORAL setup ns2" priority=7/7 queue=ethernet-default/ethernet-default target=216.150.32.6/32 total-queue=default

add limit-at=2M/2M max-limit=50M/50M name="Monitoring PC  - The DudeN" priority=7/7 queue=default/default target=216.150.32.9/32 total-queue=default

add limit-at=2M/2M max-limit=10M/10M name="Red Local APL - 10M " priority=7/7 queue=default/default target=216.150.32.10/32 total-queue=default

add limit-at=5M/5M max-limit=10M/10M name=radius2.autophone.net priority=2/2 queue=default/default target=216.150.32.11/32 total-priority=2 total-queue=default

add limit-at=2M/2M max-limit=2M/2M name="Paging Transmitter Client NT" priority=7/7 queue=default/default target=216.150.32.13/32 total-queue=default

add burst-limit=2536k/2536k burst-threshold=1536k/1536k burst-time=20s/20s \

   limit-at=1512k/1512k max-limit=2M/2M name=\

   "Pager Main Computer - Alpha Paging" priority=5/5 queue=default/default \

   target=216.150.32.17/32 total-queue=default

add limit-at=1512k/1512k max-limit=10M/10M name=backup001.classifile.mx \

   priority=5/5 queue=default/default target=216.150.32.18/32 total-queue=\

   default

add limit-at=512k/512k max-limit=10M/10M name="WiFi APL - 10M" priority=7/7 \

   queue=default/default target=216.150.32.20/32 total-queue=default

add comment="German Gonzalez Netflix" limit-at=5M/5M max-limit=10M/10M name=\

   "German Gonzalez" priority=7/7 queue=default/default target=\

   216.150.32.30/32 total-queue=default

...
