Seguridad paso a paso en Mikrotik
Pasos básicos para asegurar Mikrotik
- Renombrar Administrador
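# Give the built-in "admin" account a strong password and rename it.
# Selecting the user by name instead of by list index 0 keeps the commands
# correct even if the user table has been reordered. "mygreatpassword" is a
# placeholder — replace it before running. The password is set first, while
# the account is still called "admin"; the second command then renames it.
/user set [find name="admin"] password=mygreatpassword
/user set [find name="admin"] name=tikadmin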
- Deshabilitar Neighbor Discovery
# Stop the router from announcing itself (MNDP/CDP/LLDP) on every interface,
# both the existing ones and any created dynamically later, so it does not
# reveal its RouterOS version and identity to neighbouring hosts.
# NOTE(review): this is the pre-6.41 menu layout; on 6.41+ the equivalent is
# "/ip neighbor discovery-settings set discover-interface-list=none" — confirm
# against the installed version.
/ip neighbor discovery settings set default=no default-for-dynamic=no
/ip neighbor discovery set [find] discover=no
- Ataque DDoS interno por virus (RPF descarta el tráfico con origen falsificado, “spoofed”)
# Reverse-path filtering: drop packets whose source address is not routed back
# through the interface they arrived on (anti-spoofing for infected LAN hosts).
# "strict" breaks asymmetric routing and multi-WAN setups; use rp-filter=loose
# there instead of disabling the check altogether.
/ip settings set rp-filter=strict
- Checar servicios
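# Disable every management service except ssh and winbox. The original used
# numeric indexes (0,1,2,4,5,7); on a default install these correspond to
# telnet, ftp, www, www-ssl, api and api-ssl, but indexes are not stable across
# versions or after edits, so the services are selected by name instead.
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
# Defence in depth: the services left enabled can be limited to the management
# range that the firewall below trusts, e.g.
#   /ip service set ssh address=10.0.0.0/12
#   /ip service set winbox address=10.0.0.0/12
# Only apply this from an address inside that range, to avoid locking yourself out.
/tool bandwidth-server set enabled=no
# Do not act as an open resolver. If the router is the LAN's DNS server this
# must stay "yes"; the input-chain drop on the WAN interface below then keeps
# the resolver unreachable from the Internet.
/ip dns set allow-remote-requests=no
/ip socks set enabled=no
# Restrict SSH to the stronger ciphers, MACs and key-exchange methods.
/ip ssh set strong-crypto=yes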
- Bogons
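# Source addresses that must never arrive from the Internet: RFC 1918 private
# space, loopback, "this" network and link-local (as in the original list), plus
# the remaining RFC 6890 special-purpose ranges. The list is referenced by the
# "Drop Bogon Forward" rule in the firewall section below.
/ip firewall address-list
add address=192.168.0.0/16 list=Bogon comment="RFC 1918 private"
add address=10.0.0.0/8 list=Bogon comment="RFC 1918 private"
add address=172.16.0.0/12 list=Bogon comment="RFC 1918 private"
add address=127.0.0.0/8 list=Bogon comment="loopback"
add address=0.0.0.0/8 list=Bogon comment="this network"
add address=169.254.0.0/16 list=Bogon comment="link-local"
add address=192.0.0.0/24 list=Bogon comment="IETF protocol assignments"
add address=192.0.2.0/24 list=Bogon comment="TEST-NET-1"
add address=198.18.0.0/15 list=Bogon comment="benchmarking"
add address=198.51.100.0/24 list=Bogon comment="TEST-NET-2"
add address=203.0.113.0/24 list=Bogon comment="TEST-NET-3"
add address=224.0.0.0/4 list=Bogon comment="multicast (never a valid source)"
add address=240.0.0.0/4 list=Bogon comment="reserved / limited broadcast"
# 100.64.0.0/10 (CGNAT shared space) is also a bogon UNLESS the WAN interface
# itself sits behind carrier-grade NAT; enable only after checking the ISP setup:
# add address=100.64.0.0/10 list=Bogon comment="CGNAT shared address space"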
- Firewall
INPUT
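# INPUT chain: packets addressed to the router itself, evaluated top to bottom.
/ip firewall filter
add chain=input comment="Accept Established / Related Input" connection-state=established,related
# Packets that belong to no tracked flow and are not a valid new one.
add action=drop chain=input comment="Drop Invalid Input" connection-state=invalid
# Trust the management range only when it arrives on a non-WAN interface.
# Without the in-interface match, a packet spoofed with a 10.x source entering
# via WAN would be accepted here before the WAN drop below is reached; rp-filter
# mitigates that but should not be the only guard. The WAN port is called "WAN"
# here but "ether1" / "ether1-gateway" elsewhere on this page — use one name.
add chain=input comment="Allow Management Input" in-interface=!WAN src-address=10.0.0.0/12
add action=drop chain=input comment="Drop WAN Input" in-interface=WAN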
OUTPUT (las reglas siguientes mezclan las cadenas output, input y forward)
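# OUTPUT chain (router-originated traffic), followed by the last INPUT rule and
# the FORWARD chain. Within each chain the rules are evaluated top to bottom.
/ip firewall filter
add chain=output connection-state=established,related
# The original comment read "Allow Management Input"; this rule is in the
# output chain, so the label is corrected.
add chain=output comment="Allow Management Output" src-address=10.0.0.0/12
add chain=output ipv4-options=any protocol=icmp
# NOTE(review): this drops every NEW router-originated connection leaving
# ether1 (DNS lookups, NTP, package updates, ...), not just unwanted traffic.
# Keep it only if that is intended; otherwise accept the required services
# above it. Note ether1 vs WAN / ether1-gateway naming elsewhere on this page.
add action=drop chain=output out-interface=ether1
# Removed: "add action=drop chain=output in-interface=WAN" — locally generated
# packets have no in-interface, so that rule could never match.
# Final INPUT rule: everything not accepted above is dropped and logged.
add action=drop chain=input comment="Drop Input" log=yes log-prefix="Input Drop"
# FORWARD chain. Fasttrack must precede the generic accept so that
# established/related flows are offloaded.
add action=fasttrack-connection chain=forward comment="Fast Track Established / Related Forward" connection-state=\
established,related
add chain=forward comment="Accept Established / Related Forward" connection-state=established,related
add action=drop chain=forward comment="Drop Invalid Forward" connection-state=invalid
add chain=forward comment="Allow client LAN traffic out WAN" out-interface=ether1-gateway src-address=192.168.0.0/24
# Anti-spoofing: new connections arriving from the WAN side with a Bogon source.
add action=drop chain=forward comment="Drop Bogon Forward -> Ether1" in-interface=ether1-gateway log=yes log-prefix="Bogon Forward Drop" src-address-list=Bogon
# Default deny. Any further forward rules (e.g. the virus-port list below) must
# be inserted BEFORE this rule; appended after it they are never reached.
add action=drop chain=forward comment="Drop All Forward"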
FORWARD
VIRUS PORTS
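# Well-known worm/malware ports dropped in the forward chain. The original 15
# single-port rules are consolidated into port lists with the same match set
# (TCP 3128 is left out of the TCP list, exactly as in the original, while the
# UDP range covers 3127-3149). Each rule is inserted before the "Drop All
# Forward" rule, which must already exist: appended after a default-deny rule
# these matches would never be evaluated.
/ip firewall filter
add action=drop chain=forward comment="Drop virus ports TCP" dst-port=135-139,444,445,996-999,1434,3127,3129-3149 protocol=tcp place-before=[find comment="Drop All Forward"]
add action=drop chain=forward comment="Drop virus ports UDP" dst-port=80,135-139,444,445,996-999,1434,3127-3149 protocol=udp place-before=[find comment="Drop All Forward"]
# ident (TCP 113) is rejected rather than dropped, presumably so that peers
# probing it fail immediately instead of waiting for a timeout.
add action=reject chain=forward comment="Reject ident" dst-port=113 protocol=tcp place-before=[find comment="Drop All Forward"]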
# Queue types referenced by the simple queues below.
/queue type
# Modifies queue type index 0 (the first entry of the default list); selecting
# it by index is fragile — presumably the built-in "default" type, confirm.
set 0 pfifo-limit=60
# PCQ types: one sub-queue per address. "_DN" classifies on dst-address
# (download), "_UP" on src-address (upload); the 2M types allow a 12M burst.
add kind=pcq name=pcq_2M_DN_Res pcq-burst-rate=12M pcq-burst-threshold=1500k pcq-burst-time=2m40s pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=64
add kind=pcq name=pcq_2M_UP_Res pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2M pcq-src-address6-mask=64
# Unrated PCQ types (no pcq-rate) that only share bandwidth fairly per address.
add kind=pcq name=pcq-download-base pcq-classifier=dst-address pcq-limit=100
add kind=pcq name=pcq-upload-base pcq-classifier=src-address pcq-limit=100
add kind=pfifo name=laredonet pfifo-limit=60
# Per-target bandwidth limits (limit-at = guaranteed, max-limit = ceiling,
# both written as upload/download). Several entries below are split over
# lines with a trailing "\" continuation and must be kept together.
/queue simple
# Disabled entry kept for reference: aggregate limit over five /24 networks.
add disabled=yes limit-at=500M/500M max-limit=500M/500M name="LaredoNet - Redes - 180M" priority=1/1 queue=wireless-default/wireless-default target="216.150.43.0/24,216.150.44.0/24,216.150.45.0/24,216.150.46.0/24,216.150.47.0/24" total-queue=default
add limit-at=512k/512k max-limit=30M/30M name=ns2.netscorp.net priority=7/7 queue=default/default target=216.150.32.3/32 total-queue=default
add limit-at=512k/512k max-limit=30M/30M name="queue TEMPORAL setup ns2" priority=7/7 queue=ethernet-default/ethernet-default target=216.150.32.6/32 total-queue=default
add limit-at=2M/2M max-limit=50M/50M name="Monitoring PC - The DudeN" priority=7/7 queue=default/default target=216.150.32.9/32 total-queue=default
add limit-at=2M/2M max-limit=10M/10M name="Red Local APL - 10M " priority=7/7 queue=default/default target=216.150.32.10/32 total-queue=default
# Higher priority (2) for the RADIUS host so authentication traffic is served first.
add limit-at=5M/5M max-limit=10M/10M name=radius2.autophone.net priority=2/2 queue=default/default target=216.150.32.11/32 total-priority=2 total-queue=default
add limit-at=2M/2M max-limit=2M/2M name="Paging Transmitter Client NT" priority=7/7 queue=default/default target=216.150.32.13/32 total-queue=default
# Burst allowed up to 2536k for 20s once the average drops below 1536k.
add burst-limit=2536k/2536k burst-threshold=1536k/1536k burst-time=20s/20s \
limit-at=1512k/1512k max-limit=2M/2M name=\
"Pager Main Computer - Alpha Paging" priority=5/5 queue=default/default \
target=216.150.32.17/32 total-queue=default
add limit-at=1512k/1512k max-limit=10M/10M name=backup001.classifile.mx \
priority=5/5 queue=default/default target=216.150.32.18/32 total-queue=\
default
add limit-at=512k/512k max-limit=10M/10M name="WiFi APL - 10M" priority=7/7 \
queue=default/default target=216.150.32.20/32 total-queue=default
add comment="German Gonzalez Netflix" limit-at=5M/5M max-limit=10M/10M name=\
"German Gonzalez" priority=7/7 queue=default/default target=\
216.150.32.30/32 total-queue=default