1. 基础端口禁止规则
# Section 1: access control for the management ports (21 FTP, 22 SSH, 23 Telnet, 8291 WinBox).
# FTP and Telnet carry credentials in cleartext; if they are not actually used,
# disabling them under /ip service is preferable to only firewalling them.
/ip firewall filter
# Hosts on the allow-addresses list (created under /ip firewall address-list)
# may open TCP connections to the management ports. Everything else on these
# ports falls through to the drop rule below.
add chain=input protocol=tcp dst-port=21,22,23,8291 \
    src-address-list=allow-addresses action=accept \
    comment="允许白名单IP访问管理端口" disabled=no
# NOTE(review): this catch-all drop has to be the LAST rule for these ports.
# Sections 2 and 3 are added after it and therefore sit below it in the chain,
# so a non-whitelisted host is dropped here before the brute-force staging
# rules or the psd rule ever see its packets. Insert those rules above this one
# (RouterOS `add` accepts place-before=) or move this rule to the end.
add chain=input protocol=tcp dst-port=21,22,23,8291 \
    action=drop comment="禁止公网访问管理端口" disabled=no
2. 暴力破解防护(改进版)
# Section 2: staged brute-force protection for the management ports.
# The stages count NEW TCP connections from one source, not failed logins: a
# non-whitelisted host that opens four connections within the 1m stage window
# is blacklisted for one day. Whitelisted hosts never reach this section
# because section 1 accepts them first.
/ip firewall filter
# Blacklisted sources are dropped before any stage bookkeeping runs.
add chain=input protocol=tcp dst-port=21,22,23,8291 \
    src-address-list=login_blacklist action=drop \
    comment="丢弃黑名单IP" disabled=no
# add-src-to-address-list is a passthrough action, so the packet continues down
# the chain. The stage checks are ordered 3 -> 2 -> 1 before the initial entry,
# which means each new connection advances a source by exactly one stage.
# A source already in login_stage3 goes to the blacklist on its next new
# connection; that connection itself is not dropped by this section because
# the blacklist drop above was evaluated before the entry was added.
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new \
    src-address-list=login_stage3 action=add-src-to-address-list \
    address-list=login_blacklist address-list-timeout=1d \
    comment="3次以上尝试加入黑名单" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new \
    src-address-list=login_stage2 action=add-src-to-address-list \
    address-list=login_stage3 address-list-timeout=1m \
    comment="第3次尝试" disabled=no
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new \
    src-address-list=login_stage1 action=add-src-to-address-list \
    address-list=login_stage2 address-list-timeout=1m \
    comment="第2次尝试" disabled=no
# Every new connection from a source not yet tracked starts it at stage 1.
add chain=input protocol=tcp dst-port=21,22,23,8291 connection-state=new \
    action=add-src-to-address-list address-list=login_stage1 \
    address-list-timeout=1m comment="首次尝试记录" disabled=no
3. 防端口扫描(优化版)
# Section 3: port-scan detection. Detected sources are held in port_scanners
# for two weeks and then dropped for ALL input traffic (any protocol, any port)
# by the last rule. A whitelisted administrator who runs a scanner against the
# router lands in this list too; section 1 still accepts that host on the
# management ports, but everything else from it is dropped for the 2w timeout.
/ip firewall filter
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: here a source
# that accumulates weight 21 within 3s (low ports count 3, high ports count 1)
# is classified as a scanner.
add chain=input protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="检测端口扫描" disabled=no
# Single-packet signatures of common stealth scans. These flag combinations
# do not occur in a normal TCP handshake, so one packet is enough to list the
# source. (disabled=no is the default and is omitted here as in the original.)
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="NMAP FIN扫描"
add chain=input protocol=tcp tcp-flags=fin,syn \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="SYN/FIN扫描"
add chain=input protocol=tcp tcp-flags=syn,rst \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="SYN/RST扫描"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="XMAS扫描"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="NULL扫描"
# Final drop: no protocol or port restriction, so it covers UDP/ICMP as well.
add chain=input src-address-list=port_scanners action=drop \
    comment="丢弃端口扫描者" disabled=no
使用建议
- 白名单配置:先创建允许访问的IP列表 /ip firewall address-list add list=allow-addresses address=192.168.1.0/24 comment="内网网段" add list=allow-addresses address=您的公网IP comment="管理IP"
- 规则顺序:确保规则按以下顺序执行(注意:第1节末尾的「禁止公网访问管理端口」规则若按上文顺序先于第2、3节添加,会先丢弃所有非白名单流量,使后续的黑名单和防护检测规则无法命中,需将该规则移至最后)
- 白名单规则
- 黑名单规则
- 防护检测规则
- 最终禁止规则
- 超时调整:根据安全需求调整超时时间
- 轻度防护:黑名单1-6小时
- 严格防护:黑名单1-7天
这样配置后,您的设备将具备多层安全防护,有效防止暴力破解和端口扫描攻击。