
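ROS Firewall: How to Reject Port Scans

Preface:

To protect the router from port-scan probing, we can record the IP addresses that try to probe it in an IP address list and then deny those addresses access.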

/ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no

TCP flag combinations characteristic of the various port scans:

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

Finally, drop traffic from the IP addresses that tried to probe you:

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
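
To check that the flag rules above do not catch legitimate traffic, the following added example (not part of the original article) models the tcp-flags matching in Python: a listed flag must be set, a flag prefixed with ! must be clear, and unlisted flags are ignored. The function names and the sample packets are constructed for illustration.

```python
# Added example: models RouterOS tcp-flags matching for the six rules above.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

# (comment, tcp-flags value) pairs copied from the rules in this article.
RULES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan", "fin,syn"),
    ("SYN/RST scan", "syn,rst"),
    ("FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]

def parse_spec(spec):
    """Turn a tcp-flags value into (must_set, must_clear) bit masks."""
    must_set = must_clear = 0
    for item in spec.split(","):
        if item.startswith("!"):
            must_clear |= FLAG_BITS[item[1:]]
        else:
            must_set |= FLAG_BITS[item]
    return must_set, must_clear

def matching_rules(flags):
    """Return the comment of every rule whose flag condition matches."""
    hits = []
    for comment, spec in RULES:
        must_set, must_clear = parse_spec(spec)
        if (flags & must_set) == must_set and (flags & must_clear) == 0:
            hits.append(comment)
    return hits

def flags_byte(*names):
    """Build a TCP flags byte from flag names (hypothetical helper)."""
    return sum(FLAG_BITS[n] for n in names)

# Constructed samples: ordinary traffic first, then scan-style combinations.
SAMPLES = {
    "SYN": flags_byte("syn"),
    "SYN+ACK": flags_byte("syn", "ack"),
    "FIN+ACK": flags_byte("fin", "ack"),
    "FIN only": flags_byte("fin"),
    "no flags": 0,
    "all six flags": 0x3F,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:14} 0x{value:02x} -> {matching_rules(value) or 'no match'}")
```

A normal connection close (FIN+ACK) passes only because the FIN rule carries !ack, and a packet with all six flags set is matched by three of the rules at once.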
When reposting, please credit the source: Ros资源网 » ROS Firewall: How to Reject Port Scans
