Dicoba dulu gan ...Originally Posted by adh1et
Berikut ini adalah hasil dari beberapa threat dan pengembangan saya sendiri, semoga membantu temen" di sini untuk melindungi mikrotik...
pertama" buat dulu address list dengan nama local-addr, di sini masukin list ip yang boleh mengakses mikrotik..
kemudian :
print screen :Code:/ip firewall filter add action=reject chain=input disabled=yes protocol=icmp reject-with=\ icmp-network-unreachable add action=drop chain=forward comment="Filter - Traceroute" disabled=yes \ icmp-options=11:0 protocol=icmp add action=drop chain=forward disabled=yes icmp-options=3:3 protocol=icmp add action=add-src-to-address-list address-list=WARN-FTP \ address-list-timeout=4w2d chain=input comment="Filter - Wan Access FTP" \ disabled=no dst-port=21 protocol=tcp src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-FTP add action=accept chain=input disabled=no dst-port=21 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list=WARN-SSH \ address-list-timeout=4w2d chain=input comment="Filter - Wan Access SSH" \ disabled=no dst-port=22 protocol=tcp src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-SSH add action=accept chain=input disabled=no dst-port=22 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list=WARN-TELNET \ address-list-timeout=4w2d chain=input comment=\ "Filter - Wan Access TELNET" disabled=no dst-port=23 protocol=tcp \ src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-TELNET add action=accept chain=input disabled=no dst-port=23 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list=WARN-WEB \ address-list-timeout=4w2d chain=input comment="Filter - Wan Access WEB" \ disabled=no dst-port=80 protocol=tcp src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-WEB add action=accept chain=input disabled=no dst-port=80 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list=WARN-WINBOX \ address-list-timeout=4w2d chain=input comment=\ "Filter - Wan Access WINBOX" disabled=no dst-port=8291 protocol=tcp \ src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-WINBOX add action=accept chain=input disabled=no dst-port=8291 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list="Filter - Port Scanners" \ address-list-timeout=2w chain=input comment="Filter - Port Scanners" \ disabled=no protocol=tcp psd=21,3s,3,1 add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ fin,!syn,!rst,!psh,!ack,!urg add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ fin,syn add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ syn,rst add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ fin,psh,urg,!syn,!rst,!ack add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ !fin,!syn,!rst,!psh,!ack,!urg add action=drop chain=input disabled=no src-address-list="port scanners" add action=accept chain=forward comment=Connections connection-state=\ established disabled=no add action=accept chain=forward connection-state=related disabled=no add action=drop chain=forward connection-state=invalid disabled=no
fungsi :
3 : menambahkan ke address list IP yang mencoba masuk lewat port 21 dengan nama WARN-FTP selama waktu yang di tentukan
4 : drop semua ip yang src address list nya adalah WARN-FTP
5 : terima semua ip sesuai address list yang di tentukan (local-addr)
6 : menambahkan ke address list IP yang mencoba masuk lewat port 22 dengan nama WARN-SSH selama waktu yang di tentukan
7 : drop semua ip yang src address list nya adalah WARN-SSH
8 : terima semua ip sesuai address list yang di tentukan (local-addr)
9 : menambahkan ke address list IP yang mencoba masuk lewat port 23 dengan nama WARN-TELNET selama waktu yang di tentukan
10 : drop semua ip yang src address list nya adalah WARN-TELNET
11 : terima semua ip sesuai address list yang di tentukan (local-addr)
12 : menambahkan ke address list IP yang mencoba masuk lewat port 80 dengan nama WARN-WEB selama waktu yang di tentukan
13 : drop semua ip yang src address list nya adalah WARN-WEB
14 : terima semua ip sesuai address list yang di tentukan (local-addr)
12 : menambahkan ke address list IP yang mencoba masuk lewat port 8291 dengan nama WARN-WINBOX selama waktu yang di tentukan
13 : drop semua ip yang src address list nya adalah WARN-WINBOX
14 : terima semua ip sesuai address list yang di tentukan (local-addr)
keuntungan :
anda dapat melihat list IP yang tersaring / mencoba masuk ke router anda pada bagian address-list dengan nama WARN-FTP / WARN-SSH / WARN-TELNET / WARN-WEB / WARN-WINBOX.
siapa tau mau serang balik
anda bisa menambahkan sendiri / memodifikasi sesuai keperluan.
di sini saya hanya "memainkan" address list dan port yang ingin di filter.
jika berguna, klik thanks
NB : Sorry, itu hasil print screen salah di bagian telnet, tertulis port 22, harusnya 23
Terima kasih
for already registered members
Results 16 to 30 of 42
-
LinkBack
LinkBack URL
About LinkBacks- Bookmark & Share
- Tweet this thread
-
07-02-2012, 12:07 #16Status
- Offline
- Join Date
- Jan 2012
- Location
- Surabaya
- Posts
- 5
- Reviews
- Read 0 Reviews
- Downloads
- 4
- Uploads
- 0
Baru Gabung
- Feedback Score
- 0
-
10-03-2012, 01:43 #17Status
- Offline
- Join Date
- Oct 2010
- Location
- http://mustikanet.com
- Posts
- 443
- Reviews
- Read 0 Reviews
- Downloads
- 4
- Uploads
- 0
Member Senior
- Feedback Score
- 0
----------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2012-03-09 at 17:40:05
Results from scan of ports: 0-1055
0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
----------------------------------------------------------------------
makasih gan..ini hasilnya
-
15-03-2012, 12:42 #18Status
- Offline
- Join Date
- Mar 2012
- Location
- Bandung - Indonesia
- Posts
- 7
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Baru Gabung
- Feedback Score
- 0
Izin Coba .. mas Gan .
-
16-03-2012, 23:41 #19Status
- Offline
- Join Date
- Mar 2012
- Posts
- 2
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Baru Gabung
- Feedback Score
- 0
setelah dipasang Winbox konek ip tidak bisa dibuka, kalau pake mac bisa. tidak bisa akses userman... kenapa ya?
-
09-04-2012, 13:18 #20Status
- Offline
- Join Date
- Jul 2010
- Posts
- 350
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Member Senior
- Feedback Score
- 0
@atas whitelist nya di perhatikan gan, salah isi bisa ke blok sendiri
-
The Following User Says Thank You to adh1et For This Useful Post:
-
17-09-2012, 22:35 #21Status
- Offline
- Join Date
- Sep 2012
- Posts
- 10
- Reviews
- Read 0 Reviews
- Downloads
- 3
- Uploads
- 0
Baru Gabung
- Feedback Score
- 0
nubie boleh nanya gan..?
ini buat ngeblok dari luar atau dari dalam jaringan kita....??
kalo dari dalam.. ya pasti kita bisa ngisi daftar "white_list" nya..
klo dari luar gmn..?? mungkin saja suatu saat kita lg butuh remot MT dari luar..??
maap klo pertanyaan nya oon... maklum msh baru blajar megang MT..
thanks...
-
22-09-2012, 21:39 #22Status
- Offline
- Join Date
- Jul 2012
- Posts
- 4
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Baru Gabung
- Feedback Score
- 0
kereeen.... dah di coba ndiri dan hasilnya -------> mank maknyosss
WARN-WEB listnya ampe 200an lebih yg ke filter, buset dah
, pantes bbrpa hari ne lemot koneksi
thx
-
22-09-2012, 22:17 #23Status
- Offline
- Join Date
- Feb 2011
- Posts
- 51
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Newbie
- Feedback Score
- 0
Thank gan,.. izin salin dulu ke notepad Originally Posted by adh1et
Berikut ini adalah hasil dari beberapa threat dan pengembangan saya sendiri, semoga membantu temen" di sini untuk melindungi mikrotik...
pertama" buat dulu address list dengan nama local-addr, di sini masukin list ip yang boleh mengakses mikrotik..
kemudian :
print screen :Code:/ip firewall filter add action=reject chain=input disabled=yes protocol=icmp reject-with=\ icmp-network-unreachable add action=drop chain=forward comment="Filter - Traceroute" disabled=yes \ icmp-options=11:0 protocol=icmp add action=drop chain=forward disabled=yes icmp-options=3:3 protocol=icmp add action=add-src-to-address-list address-list=WARN-FTP \ address-list-timeout=4w2d chain=input comment="Filter - Wan Access FTP" \ disabled=no dst-port=21 protocol=tcp src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-FTP add action=accept chain=input disabled=no dst-port=21 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list=WARN-SSH \ address-list-timeout=4w2d chain=input comment="Filter - Wan Access SSH" \ disabled=no dst-port=22 protocol=tcp src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-SSH add action=accept chain=input disabled=no dst-port=22 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list=WARN-TELNET \ address-list-timeout=4w2d chain=input comment=\ "Filter - Wan Access TELNET" disabled=no dst-port=23 protocol=tcp \ src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-TELNET add action=accept chain=input disabled=no dst-port=23 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list=WARN-WEB \ address-list-timeout=4w2d chain=input comment="Filter - Wan Access WEB" \ disabled=no dst-port=80 protocol=tcp src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-WEB add action=accept chain=input disabled=no dst-port=80 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list=WARN-WINBOX \ address-list-timeout=4w2d chain=input comment=\ "Filter - Wan Access WINBOX" disabled=no dst-port=8291 protocol=tcp \ src-address-list=!local-addr add action=drop chain=input disabled=no src-address-list=WARN-WINBOX add action=accept chain=input disabled=no dst-port=8291 protocol=tcp \ src-address-list=local-addr add action=add-src-to-address-list address-list="Filter - Port Scanners" \ address-list-timeout=2w chain=input comment="Filter - Port Scanners" \ disabled=no protocol=tcp psd=21,3s,3,1 add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ fin,!syn,!rst,!psh,!ack,!urg add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ fin,syn add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ syn,rst add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ fin,psh,urg,!syn,!rst,!ack add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ fin,syn,rst,psh,ack,urg add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\ !fin,!syn,!rst,!psh,!ack,!urg add action=drop chain=input disabled=no src-address-list="port scanners" add action=accept chain=forward comment=Connections connection-state=\ established disabled=no add action=accept chain=forward connection-state=related disabled=no add action=drop chain=forward connection-state=invalid disabled=no
fungsi :
3 : menambahkan ke address list IP yang mencoba masuk lewat port 21 dengan nama WARN-FTP selama waktu yang di tentukan
4 : drop semua ip yang src address list nya adalah WARN-FTP
5 : terima semua ip sesuai address list yang di tentukan (local-addr)
6 : menambahkan ke address list IP yang mencoba masuk lewat port 22 dengan nama WARN-SSH selama waktu yang di tentukan
7 : drop semua ip yang src address list nya adalah WARN-SSH
8 : terima semua ip sesuai address list yang di tentukan (local-addr)
9 : menambahkan ke address list IP yang mencoba masuk lewat port 23 dengan nama WARN-TELNET selama waktu yang di tentukan
10 : drop semua ip yang src address list nya adalah WARN-TELNET
11 : terima semua ip sesuai address list yang di tentukan (local-addr)
12 : menambahkan ke address list IP yang mencoba masuk lewat port 80 dengan nama WARN-WEB selama waktu yang di tentukan
13 : drop semua ip yang src address list nya adalah WARN-WEB
14 : terima semua ip sesuai address list yang di tentukan (local-addr)
12 : menambahkan ke address list IP yang mencoba masuk lewat port 8291 dengan nama WARN-WINBOX selama waktu yang di tentukan
13 : drop semua ip yang src address list nya adalah WARN-WINBOX
14 : terima semua ip sesuai address list yang di tentukan (local-addr)
keuntungan :
anda dapat melihat list IP yang tersaring / mencoba masuk ke router anda pada bagian address-list dengan nama WARN-FTP / WARN-SSH / WARN-TELNET / WARN-WEB / WARN-WINBOX.
siapa tau mau serang balik
anda bisa menambahkan sendiri / memodifikasi sesuai keperluan.
di sini saya hanya "memainkan" address list dan port yang ingin di filter.
jika berguna, klik thanks
NB : Sorry, itu hasil print screen salah di bagian telnet, tertulis port 22, harusnya 23
-
09-10-2012, 20:15 #24Status
- Offline
- Join Date
- Jul 2010
- Posts
- 350
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Member Senior
- Feedback Score
- 0
di kembangkan aja lg gan Originally Posted by R80
kereeen.... dah di coba ndiri dan hasilnya -------> mank maknyosss
WARN-WEB listnya ampe 200an lebih yg ke filter, buset dah , pantes bbrpa hari ne lemot koneksi
thx
-
The Following User Says Thank You to adh1et For This Useful Post:
-
08-12-2012, 21:45 #25Status
- Offline
- Join Date
- Nov 2010
- Posts
- 183
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Member
- Feedback Score
- 0
lihat di ip service mikrotik. mikrotik tersebut melalui port apa untuk buka mikrotik melalui web. matikan aja port tersebut. jangan hnya copas aja gan,tapi pelajari juga rule2nya biar bisa nambah ilmu. Originally Posted by anak_lolong
add action=add-src-to-address-list address-list=WARN-WEB \
address-list-timeout=4w2d chain=input comment="Filter - Wan Access WEB" \
disabled=no dst-port=80 protocol=tcp src-address-list=!local-addr
add action=drop chain=input disabled=no src-address-list=WARN-WEB
add action=accept chain=input disabled=no dst-port=80 protocol=tcp \
src-address-list=local-addr
cuplikan rule di atas jika diterapkan ke hotspot MT artinya semua klien dengan IP dinamik kita harus terdaftar di list "local-addr" , jika tidak mereka tidak bisa OL karena tidak bisa akses port 80 kan? terus apa gunanya rule itu agan?
mungkin analisa saya kementhus ..... maafin....
-
08-12-2012, 21:47 #26Status
- Offline
- Join Date
- Nov 2010
- Posts
- 183
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Member
- Feedback Score
- 0
klu masalah seperti itu berarti gan harus masukkin ip publik untuk meremote. Originally Posted by play052
nubie boleh nanya gan..?
ini buat ngeblok dari luar atau dari dalam jaringan kita....??
kalo dari dalam.. ya pasti kita bisa ngisi daftar "white_list" nya..
klo dari luar gmn..?? mungkin saja suatu saat kita lg butuh remot MT dari luar..??
maap klo pertanyaan nya oon... maklum msh baru blajar megang MT..
thanks...
-
15-04-2013, 11:31 #27Status
- Offline
- Join Date
- Jun 2012
- Posts
- 3
- Reviews
- Read 0 Reviews
- Downloads
- 1
- Uploads
- 0
Baru Gabung
- Feedback Score
- 0
agan ada tutor lengkap g tentang firewall cz ane bwt referensi SKRIPSI nh,di mohon bntuannya gan
-
28-08-2013, 17:11 #28Status
- Offline
- Join Date
- Nov 2010
- Posts
- 3
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Baru Gabung
- Feedback Score
- 0
Mohon Ijin Sedot gan Tutsnya, terimakasih yo gan......
-
02-09-2013, 19:22 #29Status
- Offline
- Join Date
- Jul 2013
- Location
- DKI jakarta
- Posts
- 1
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Baru Gabung
- Feedback Score
- 0
Izin nyimak dl gan...
-
02-10-2013, 14:10 #30Status
- Offline
- Join Date
- Oct 2013
- Location
- Padang - Sumatera Barat
- Posts
- 72
- Reviews
- Read 0 Reviews
- Downloads
- 0
- Uploads
- 0
Calon Member
- Feedback Score
- 0
Mantep gan.. ane coba..
tapi mo tanya dulu ni gan, klo block virusnya dimna y gan..?? maaf gan ane newbie
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
[ask] ttg rule firewall filter MT .. benarkah ??
By earthlink in forum General NetworkingReplies: 6Last Post: 04-09-2014, 10:19 -
yang udah pakai antena sektoral pabrikan/Oem, share disini dong..
By wawanep in forum Wireless NetworkingReplies: 58Last Post: 09-12-2012, 07:28 -
sudah ada ga yang pakai Radius Manager share dong disini
By langoday in forum HotSpot, The Dude & User ManagerReplies: 22Last Post: 07-09-2011, 00:10 -
Setting Firewall filter kok ga bisa???
By darkwatch in forum Beginner BasicsReplies: 3Last Post: 11-10-2010, 16:17 -
[HELP]remove firewall filter lists
By aaheroe in forum General NetworkingReplies: 2Last Post: 05-03-2010, 21:58
Posting Permissions
All times are GMT +8. The time now is 22:41.
Auto Closing Of Threads provided by
Threads Auto Close (Lite) -
vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
2009. Forum MikroTik Indonesia 1 add-ons Copyright © 2020 LancerForHire, LLC.
Powered by vBulletin® Version 4.2.2
Copyright © 2020 vBulletin Solutions, Inc. All rights reserved.
Search Engine Optimization by vBSEO 3.6.0
Copyright © 2020 vBulletin Solutions, Inc. All rights reserved.
Search Engine Optimization by vBSEO 3.6.0
2009. Forum MikroTik Indonesia 1 add-ons Copyright © 2020 LancerForHire, LLC.