
Seguridad paso a paso en Mikrotik

Jose Sanchez · Trabajo · 21 de Octubre de 2015


Pasos básicos para asegurar MikroTik

  • Renombrar Administrador

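# Set a password on user item 0 and rename it so the account no longer uses
# its original name. Item 0 is presumably the built-in admin account; confirm
# with "/user print" before running.
# "mygreatpassword" is a sample value: replace it with a long, unique passphrase.
/user set 0 password=mygreatpassword
# The new name must be on the same line as name=; the page had split it across lines.
/user set 0 name=tikadmin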

  • Deshabilitar Neighbor Discovery

# Turn neighbor discovery off by default (also for dynamic interfaces) and on
# every interface entry that already exists, so the router is not advertised
# to adjacent devices through this protocol.
# NOTE(review): this is the older menu layout; newer RouterOS releases configure
# it under "/ip neighbor discovery-settings". Confirm against the installed version.
/ip neighbor discovery settings set default=no default-for-dynamic=no

/ip neighbor discovery set [find] discover=no

  • Ataque interno DDoS por virus (RPF remueve tráfico “spoofed”)

# Enable strict reverse-path filtering: a packet is dropped when its source
# address is not reachable through the interface it arrived on.
# NOTE(review): strict mode can also drop legitimate traffic on routers with
# asymmetric or multi-homed routing; test there first (rp-filter=loose is the
# usual fallback).
/ip settings set rp-filter=strict

  • Checar servicios

# Disable the management services selected by item number, the bandwidth-test
# server, remote DNS requests and the SOCKS proxy, then require strong SSH crypto.
# NOTE(review): the numbers are positions in "/ip service print", which this page
# does not show. Confirm which services 0,1,2,4,5,7 are, and that the ones left
# enabled (presumably items 3 and 6) are the management paths you intend to keep.
# Disabling by service name is less error-prone, and any service left enabled
# should be limited to management networks with its address= setting.
/ip service disable 0,1,2,4,5,7

/tool bandwidth-server set enabled=no
# With allow-remote-requests=no the router stops answering DNS queries from
# other hosts; LAN clients that used it as their resolver need another one.
/ip dns set allow-remote-requests=no
/ip socks set enabled=no

/ip ssh set strong-crypto=yes

  • Bogon’s

# Build the "Bogon" address list used by the forward-chain drop rule further down.
# The entries are the three RFC 1918 private ranges, loopback, 0.0.0.0/8 and
# link-local.
# NOTE(review): this is not a complete bogon set: 100.64.0.0/10 (carrier-grade
# NAT), multicast and the reserved 240.0.0.0/4 block are not listed. Extend it
# if the WAN side should never present those sources.
/ip firewall address-list
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon

  • Firewall

INPUT

# Input chain: traffic addressed to the router itself.
# Rules written without action= use the default action, accept.
/ip firewall filter

# Accept packets that belong to connections already tracked as established/related.
add chain=input comment="Accept Established / Related Input" connection-state=established,related

# Accept anything sourced from the management range.
# NOTE(review): 10.0.0.0/12 covers 10.0.0.0-10.15.255.255 only; confirm this is
# the intended prefix (the private blocks are 10.0.0.0/8 and 172.16.0.0/12).
# The rule has no in-interface, so it matches on every interface, WAN included;
# adding in-interface=<management interface> keeps a spoofed source from matching.
add chain=input comment="Allow Management Input" src-address=10.0.0.0/12

# Drop everything else that arrives on the interface named WAN.
# NOTE(review): other rules on this page use ether1 and ether1-gateway for the
# uplink; make sure the interface names match the actual device.
add action=drop chain=input in-interface=WAN

OUTPUT

# Output chain: traffic originated by the router itself.
# Rules written without action= use the default action, accept.
/ip firewall filter

add chain=output connection-state=established,related

# NOTE(review): the comment text says "Input" but this rule is in the output
# chain; it accepts router-originated packets whose source is in 10.0.0.0/12.
add chain=output comment="Allow Management Input" src-address=10.0.0.0/12

# Accepts ICMP packets that carry any IPv4 option.
# NOTE(review): confirm this is intended; IP options are rarely needed.
add chain=output ipv4-options=any protocol=icmp

# Drops every remaining router-originated packet leaving ether1.
# NOTE(review): new connections from the router itself out of ether1 (for
# example DNS lookups, NTP, update checks) would presumably be dropped here
# unless an earlier rule accepts them. Verify this is wanted.
add action=drop chain=output out-interface=ether1

# NOTE(review): packets in the output chain originate on the router and have no
# incoming interface, so this rule is likely rejected or never matches. Confirm
# whether chain=input or out-interface=WAN was meant.
add action=drop chain=output in-interface=WAN

# Final input rule and the forward chain (traffic routed through the router).
# These continue the "/ip firewall filter" menu selected above; rule order
# matters because the first matching rule decides.

# Log and drop any input packet not accepted by an earlier input rule.
add action=drop chain=input comment="Drop Input" log=yes log-prefix="Input Drop"
# FastTrack established/related forwarded connections, then accept the packets
# of those connections that are not fast-tracked.
add action=fasttrack-connection chain=forward comment="Fast Track Established / Related Forward" connection-state=\
   established,related
add chain=forward comment="Accept Established / Related Forward" connection-state=established,related
# Accept new traffic from the 192.168.0.0/24 LAN going out ether1-gateway.
add chain=forward comment="Allow client LAN traffic out WAN" out-interface=ether1-gateway src-address=192.168.0.0/24
# Log and drop packets entering from ether1-gateway whose source is in the
# Bogon address list (private, loopback and link-local sources from the uplink).
add action=drop chain=forward comment="Drop Bogon Forward -> Ether1" in-interface=ether1-gateway log=yes log-prefix="Bogon Forward Drop" src-address-list=Bogon
# Default deny for the forward chain. Any forward rule added after this one is
# never reached.
add action=drop chain=forward comment="Drop All Forward"

FORWARD

VIRUS PORTS

# Forward-chain drops for ports the page labels as "virus ports" (NetBIOS/SMB
# 135-139 and 445, 1434, and others), plus a reject for ident (113/tcp).
# NOTE(review): "add" without place-before= appends to the end of the chain. If
# these are entered after the rules listed earlier on this page, they land behind
# "Allow client LAN traffic out WAN" and "Drop All Forward" and never match. To
# filter LAN clients they have to sit before the LAN accept rule (use
# place-before= or move them after adding).
/ip firewall filter

add action=drop chain=forward dst-port=135-139 protocol=tcp

add action=drop chain=forward dst-port=135-139 protocol=udp

add action=drop chain=forward dst-port=444 protocol=tcp

add action=drop chain=forward dst-port=444 protocol=udp

add action=drop chain=forward dst-port=996-999 protocol=tcp

add action=drop chain=forward dst-port=996-999 protocol=udp

# The TCP rules cover 3127 and 3129-3149, so 3128/tcp is not dropped, while the
# UDP rule covers the whole 3127-3149 range.
# NOTE(review): presumably 3128/tcp is left open on purpose; confirm.
add action=drop chain=forward dst-port=3127 protocol=tcp

add action=drop chain=forward dst-port=3129-3149 protocol=tcp

add action=drop chain=forward dst-port=3127-3149 protocol=udp

add action=drop chain=forward dst-port=445 protocol=tcp

add action=drop chain=forward dst-port=445 protocol=udp

add action=drop chain=forward dst-port=1434 protocol=tcp

add action=drop chain=forward dst-port=1434 protocol=udp

add action=drop chain=forward dst-port=80 protocol=udp

# reject (instead of drop) sends an error back to the sender for ident probes.
add action=reject chain=forward dst-port=113 protocol=tcp

# Queue types used for bandwidth shaping. This is traffic management rather than
# a hardening step. "set 0" changes the first existing queue type; the "add"
# lines define PCQ types classified per destination (download) or per source
# (upload) address, and one pfifo type.
/queue type

set 0 pfifo-limit=60

add kind=pcq name=pcq_2M_DN_Res pcq-burst-rate=12M pcq-burst-threshold=1500k pcq-burst-time=2m40s pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=64

add kind=pcq name=pcq_2M_UP_Res pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=64

add kind=pcq name=pcq-download-base pcq-classifier=dst-address pcq-limit=100

add kind=pcq name=pcq-upload-base pcq-classifier=src-address pcq-limit=100

add kind=pfifo name=laredonet pfifo-limit=60

# Simple queues: per-target rate limits (limit-at / max-limit, optional burst).
# This is bandwidth management, not a security control.
# NOTE(review): the entries appear to be an export from a live network. The
# targets are public addresses and the names include hostnames and what look
# like customer and personal names. Replace such values with documentation
# ranges and neutral labels before publishing or reusing a configuration.
# NOTE(review): the blank lines that follow a trailing "\" look like extraction
# artifacts; a continuation must be followed directly by the next line, so
# remove them before pasting.
/queue simple

add disabled=yes limit-at=500M/500M max-limit=500M/500M name="LaredoNet - Redes - 180M" priority=1/1 queue=wireless-default/wireless-default target="216.150.43.0/24,216.150.44.0/24,216.150.45.0/24,216.150.46.0/24,216.150.47.0/24" total-queue=default

add limit-at=512k/512k max-limit=30M/30M name=ns2.netscorp.net priority=7/7 queue=default/default target=216.150.32.3/32 total-queue=default

add limit-at=512k/512k max-limit=30M/30M name="queue TEMPORAL setup ns2" priority=7/7 queue=ethernet-default/ethernet-default target=216.150.32.6/32 total-queue=default

add limit-at=2M/2M max-limit=50M/50M name="Monitoring PC  - The DudeN" priority=7/7 queue=default/default target=216.150.32.9/32 total-queue=default

add limit-at=2M/2M max-limit=10M/10M name="Red Local APL - 10M " priority=7/7 queue=default/default target=216.150.32.10/32 total-queue=default

add limit-at=5M/5M max-limit=10M/10M name=radius2.autophone.net priority=2/2 queue=default/default target=216.150.32.11/32 total-priority=2 total-queue=default

add limit-at=2M/2M max-limit=2M/2M name="Paging Transmitter Client NT" priority=7/7 queue=default/default target=216.150.32.13/32 total-queue=default

add burst-limit=2536k/2536k burst-threshold=1536k/1536k burst-time=20s/20s \

   limit-at=1512k/1512k max-limit=2M/2M name=\

   "Pager Main Computer - Alpha Paging" priority=5/5 queue=default/default \

   target=216.150.32.17/32 total-queue=default

add limit-at=1512k/1512k max-limit=10M/10M name=backup001.classifile.mx \

   priority=5/5 queue=default/default target=216.150.32.18/32 total-queue=\

   default

add limit-at=512k/512k max-limit=10M/10M name="WiFi APL - 10M" priority=7/7 \

   queue=default/default target=216.150.32.20/32 total-queue=default

add comment="German Gonzalez Netflix" limit-at=5M/5M max-limit=10M/10M name=\

   "German Gonzalez" priority=7/7 queue=default/default target=\

   216.150.32.30/32 total-queue=default

add limit-at=50M/50M max-limit=150M/150M name=ns1.netscorp.net priority=7/7 \

   queue=default/default target=216.150.32.33/32 total-queue=default

add burst-limit=1M/1M burst-threshold=512k/512k burst-time=1m/1m limit-at=\

   512k/512k max-limit=640k/640k name="RX Networks - GPS - 512K" priority=\

   7/7 queue=default/default target=216.150.32.80/32 total-queue=default

add limit-at=5M/5M max-limit=15M/15M name="Enlaces af24" priority=5/5 queue=\

   default/default target=216.150.32.249/32 total-queue=default

add limit-at=5M/5M max-limit=15M/15M name="AF 24 " priority=5/5 queue=\

   default/default target=216.150.32.250/32 total-queue=default

add limit-at=5M/5M max-limit=15M/15M name="Af 24 251" priority=5/5 queue=\

   default/default target=216.150.32.251/32 total-queue=default

add limit-at=5M/5M max-limit=50M/50M name="Wireless Router Test" priority=5/5 \

   queue=default/default target=216.150.32.252/32 total-queue=default

add limit-at=5M/5M max-limit=20M/20M name="Mainswitch - 20M" priority=6/6 \

   queue=default/default target=216.150.32.253/32 total-queue=default

add limit-at=10M/10M max-limit=100M/100M name="Ricardo Pantoja laptop" \

   priority=5/5 queue=default/default target=216.150.32.254/32 total-queue=\

   default

add comment=Serial limit-at=512k/512k max-limit=536k/536k name=\

   "BP Newman Serial - 512K" priority=5/5 queue=default/default target=\

   216.150.33.4/30 total-queue=default

add limit-at=1M/1M max-limit=5M/5M name="Grupo Logistics Block - 5M" \

   priority=7/7 queue=default/default target=216.150.33.8/30,216.150.34.0/29 \

   total-queue=default

add comment="Serial Impex 1 Main feed" limit-at=512k/512k max-limit=512k/512k \

   name="Impex1 Serial -  512K" priority=5/5 queue=default/default target=\

   216.150.33.12/30 total-queue=default

add limit-at=5M/5M max-limit=10M/10M name="Powell Watson - 10M" priority=6/6 \

   queue=default/default target=216.150.33.28/30,216.150.34.16/29 \

   total-queue=default

add limit-at=1M/1M max-limit=1M/1M name="Enrique Buendia - 1M" priority=6/6 \

   queue=default/default target=216.150.33.24/30,216.150.35.16/28 \

...
