###############################################################################
#### Follow these instructions                                             ####
###############################################################################
#
# ****Important**** After using "Quick Set" for basic setup, remove all the default "Defcon" rules in Firewall, or mangling of IPs will fail.
#
# Section 4:       As well as Section 7, if scanning out of the LAN, comment out the [forward] LAN rule "Drop anyone in the LAN Port Scanner List".
# Section 6 ~ 6.4: This is for VPN brute force protection; uncomment if running a VPN server.
# Section 7:       As well as Section 4, if you are going to do port scanning, comment out the "LAN Port Scanners" rule or you will blacklist yourself.
# Section 10.1:    If you are running a public DNS server, uncomment this section.
# Section 10.2:    This is for larger routers and for sites that do not browse the internet. Placing this in the router will block normal traffic to sites outside the US.
# Section 11:      Be sure to check that the IPs you have programmed in your network are not listed in this section.
# Section 13:      This disables Telnet, FTP, SSH, WWW-SSL, API, API SSL. If using these services, change the disabled state to "no".
# Section 15:      Uncomment and change the email server IP, from address and password for the SMTP server. Change the sender's email "User". Change [Router-NAME] to the router name and the email "to" address.
# Section 16.4:    Be aware that even though they are disabled, this section changes the default ports for Telnet, FTP, SSH, WWW-SSL, API, API SSL.
# Section 16.7:    Failing to put in the correct subnet will deny access to the router; currently it is set to the default 192.168.88.0/24 network.
# Section 16.8:    This turns off Network Discovery on the WAN interface, which stops broadcasting router information on the WAN side. Opinion is split 50/50 on whether it is needed.
# Section 16.9:    This is the allowed list; copy and paste for more IPs and ensure you have included the correct local subnet or subnets.
# Section 17:      !!!!! Very Important !!!!! In this section you will need to add users and passwords. The user "0" is the admin user and you will need to set a password here.
#
# Properly protecting the router will allow you to enter the gates of Valhalla, shiny and chrome!
# Failure to do so will result in....
#
# [ASCII art: skull]
#
################################################
#### Version 4.3.1 #####
################################################

/ip firewall connection tracking set enabled=yes

###############################################################################
#### DDoS Protection                                                       ####
###############################################################################
#### This is the way to prevent (D)DoS attacks from your users to attacked resources, and to drop (D)DoS directed
#### at your clients.
###############################################################################
# Section 1 - Under Construction
#/ip firewall filter
#add action=jump chain=forward comment=Detect-Ddos connection-state=new \
#    disabled=no in-interface=ether1 jump-target=detect-ddos
#add chain=forward connection-state=new action=jump jump-target=detect-ddos
######### Exceptions below: change and uncomment. Add your DNS servers here or they will end up being dropped.
#add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
#add chain=detect-ddos src-address=8.8.8.8 action=return
#add chain=detect-ddos src-address=8.8.4.4 action=return
#add chain=detect-ddos src-address=9.9.9.9 action=return
#add chain=detect-ddos src-address=192.168.88.2 action=return
#add chain=detect-ddos src-address=192.168.88.0/24 action=return
#add chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
#add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m
#add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
#add chain=output comment="DDos Protection Rule End" disabled=yes

###############################################################################
#### Drop Invalid                                                          ####
###############################################################################
#### To make this more useful, create a copy of the forward chain rule and set the interface for each LAN interface
#### on your network. Remember to remove the original rule.
###############################################################################
# Section 2
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid disabled=no

###############################################################################
#### Exempt                                                                ####
###############################################################################
#### You must add the admin IP addresses used for administering the network to the "Exempt Addresses" address list. ####
###############################################################################
# Section 3
add action=accept chain=input comment="Accept Exempt IP Addresses" disabled=no src-address-list="Exempt Addresses"
add action=accept chain=forward comment="Accept Exempt IP Addresses" disabled=no src-address-list="Exempt Addresses"

###############################################################################
#### Black Lists                                                           ####
###############################################################################
#### Multiple "Black Lists" have been created to help identify why any given person has been blocked.
#### By default the Port Scanners Black List is disabled. The firewall will continue to add these people to
#### the Black List, but will not block them unless the Black List is enabled. Use with caution!!!!
#### Once someone is on a Black List they are permanently recorded there.
#### To remove them, go to the address list.
###############################################################################
# Section 4
add action=drop chain=input comment="Drop anyone in the Black List (Manually Added)" disabled=no src-address-list="Black List"
add action=drop chain=forward comment="Drop anyone in the Black List (Manually Added)" disabled=no src-address-list="Black List"
add action=drop chain=input comment="Drop anyone in the Black List (SSH)" disabled=no src-address-list="Black List (SSH)"
add action=drop chain=forward comment="Drop anyone in the Black List (SSH)" disabled=no src-address-list="Black List (SSH)"
add action=drop chain=input comment="Drop anyone in the Black List (Telnet)" disabled=no src-address-list="Black List (Telnet)"
add action=drop chain=forward comment="Drop anyone in the Black List (Telnet)" disabled=no src-address-list="Black List (Telnet)"
add action=drop chain=input comment="Drop anyone in the Black List (Winbox)" disabled=no src-address-list="Black List (Winbox)"
add action=drop chain=forward comment="Drop anyone in the Black List (Winbox)" disabled=no src-address-list="Black List (Winbox)"
add action=drop chain=input comment="Drop anyone in the WAN Port Scanner List" disabled=no src-address-list="WAN Port Scanners"
add action=drop chain=forward comment="Drop anyone in the WAN Port Scanner List" disabled=no src-address-list="WAN Port Scanners"
add action=drop chain=input comment="Drop anyone in the LAN Port Scanner List" disabled=no src-address-list="LAN Port Scanners"
add action=drop chain=forward comment="Drop anyone in the LAN Port Scanner List" disabled=no src-address-list="LAN Port Scanners"
add action=drop chain=input comment="Drop all Bogons" disabled=no src-address-list=Bogons
add action=drop chain=forward comment="Drop all Bogons" disabled=no src-address-list=Bogons
add action=drop chain=forward comment="Drop all P2P" disabled=yes p2p=all-p2p

###############################################################################
#### Brute Force                                                           ####
###############################################################################
#### Detect & Block Brute Force Login Attempts ####
###############################################################################
# Section 5
#### SSH ####
add action=jump chain=input comment="Jump to RFC SSH Chain" disabled=no jump-target="RFC SSH Chain"
add action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=0s chain="RFC SSH Chain" comment="Transfer repeated attempts from SSH Stage 3 to Black-List" connection-state=new disabled=no dst-port=10022 protocol=tcp src-address-list="SSH Stage 3"
add action=add-src-to-address-list address-list="SSH Stage 3" address-list-timeout=1m chain="RFC SSH Chain" comment="Add successive attempts to SSH Stage 3" connection-state=new disabled=no dst-port=10022 protocol=tcp src-address-list="SSH Stage 2"
add action=add-src-to-address-list address-list="SSH Stage 2" address-list-timeout=1m chain="RFC SSH Chain" comment="Add successive attempts to SSH Stage 2" connection-state=new disabled=no dst-port=10022 protocol=tcp src-address-list="SSH Stage 1"
add action=add-src-to-address-list address-list="SSH Stage 1" address-list-timeout=1m chain="RFC SSH Chain" comment="Add initial attempt to SSH Stage 1 List" connection-state=new disabled=no dst-port=10022 protocol=tcp
add action=return chain="RFC SSH Chain" comment="Return From RFC SSH Chain" disabled=no
add chain=output comment="Section Break" disabled=yes
#### Telnet ####
add action=jump chain=input comment="Jump to RFC Telnet Chain" disabled=no jump-target="RFC Telnet Chain"
add action=add-src-to-address-list address-list="Black List (Telnet)" address-list-timeout=0s chain="RFC Telnet Chain" comment="Transfer repeated attempts from Telnet Stage 3 to Black-List" connection-state=new disabled=no dst-port=10023 protocol=tcp src-address-list="Telnet Stage 3"
add action=add-src-to-address-list address-list="Telnet Stage 3" address-list-timeout=1m chain="RFC Telnet Chain" comment="Add successive attempts to Telnet Stage 3" connection-state=new disabled=no dst-port=10023 protocol=tcp src-address-list="Telnet Stage 2"
add action=add-src-to-address-list address-list="Telnet Stage 2" address-list-timeout=1m chain="RFC Telnet Chain" comment="Add successive attempts to Telnet Stage 2" connection-state=new disabled=no dst-port=10023 protocol=tcp src-address-list="Telnet Stage 1"
add action=add-src-to-address-list address-list="Telnet Stage 1" address-list-timeout=1m chain="RFC Telnet Chain" comment="Add initial attempt to Telnet Stage 1" connection-state=new disabled=no dst-port=10023 protocol=tcp
add action=return chain="RFC Telnet Chain" comment="Return From RFC Telnet Chain" disabled=no
add chain=output comment="Section Break" disabled=yes
#### Winbox ####
add action=jump chain=input comment="Jump to RFC Winbox Chain" disabled=no jump-target="RFC Winbox Chain"
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=0s chain="RFC Winbox Chain" comment="Transfer repeated attempts from Winbox Stage 3 to Black-List" connection-state=new disabled=no dst-port=8291 protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain="RFC Winbox Chain" comment="Add successive attempts to Winbox Stage 3" connection-state=new disabled=no dst-port=8291 protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain="RFC Winbox Chain" comment="Add successive attempts to Winbox Stage 2" connection-state=new disabled=no dst-port=8291 protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m chain="RFC Winbox Chain" comment="Add initial attempt to Winbox Stage 1" connection-state=new disabled=no dst-port=8291 protocol=tcp
add action=return chain="RFC Winbox Chain" comment="Return From RFC Winbox Chain" disabled=no
add chain=output comment="Section Break" disabled=yes

###############################################################################
#### RDP                                                                   ####
###############################################################################
#### Detect & Block Brute Force RDP Login Attempts ####
###############################################################################
# Section 6
########### RDP Port 3389 ###########
add action=accept chain=forward comment="Drop rdp brute forcers - Allow Address list rule on top" dst-port=3389 \
    protocol=tcp src-address-list=rdp_acceptlist
add action=drop chain=forward dst-port=3389 protocol=tcp src-address-list=\
    rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w3d chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp
add chain=output comment="RDP Brute Force Rule End" disabled=yes

###############################################################################
#### VPN Brute Force                                                       ####
###############################################################################
#### Detect & Block Brute Force VPN Login Attempts ####
###############################################################################
### Section 6.1
########### Port 1723
#add chain=forward protocol=tcp dst-port=1723 src-address-list=1723_blacklist action=drop \
#    comment="drop 1723 brute forcers" disabled=no
#add chain=forward protocol=tcp dst-port=1723 connection-state=new \
#    src-address-list=1723_stage3 action=add-src-to-address-list address-list=1723_blacklist \
#    address-list-timeout=10d comment="" disabled=no
#add chain=forward protocol=tcp dst-port=1723 connection-state=new \
#    src-address-list=1723_stage2 action=add-src-to-address-list address-list=1723_stage3 \
#    address-list-timeout=1m comment="" disabled=no
#add chain=forward protocol=tcp dst-port=1723 connection-state=new src-address-list=1723_stage1 \
#    action=add-src-to-address-list address-list=1723_stage2 address-list-timeout=1m comment="" disabled=no
#add chain=forward protocol=tcp dst-port=1723 connection-state=new action=add-src-to-address-list \
#    address-list=1723_stage1 address-list-timeout=1m comment="" disabled=no
### Section 6.2
########### Port 500
#add chain=forward protocol=udp dst-port=500 src-address-list=500_blacklist action=drop \
#    comment="drop 500 brute forcers" disabled=no
#add chain=forward protocol=udp dst-port=500 connection-state=new \
#    src-address-list=500_stage3 action=add-src-to-address-list address-list=500_blacklist \
#    address-list-timeout=10d comment="" disabled=no
#add chain=forward protocol=udp dst-port=500 connection-state=new \
#    src-address-list=500_stage2 action=add-src-to-address-list address-list=500_stage3 \
#    address-list-timeout=1m comment="" disabled=no
#add chain=forward protocol=udp dst-port=500 connection-state=new src-address-list=500_stage1 \
#    action=add-src-to-address-list address-list=500_stage2 address-list-timeout=1m comment="" disabled=no
#add chain=forward protocol=udp dst-port=500 connection-state=new action=add-src-to-address-list \
#    address-list=500_stage1 address-list-timeout=1m comment="" disabled=no
### Section 6.3
########### Port 4500
#add chain=forward protocol=udp dst-port=4500 src-address-list=4500_blacklist action=drop \
#    comment="drop 4500 brute forcers" disabled=no
#add chain=forward protocol=udp dst-port=4500 connection-state=new \
#    src-address-list=4500_stage3 action=add-src-to-address-list address-list=4500_blacklist \
#    address-list-timeout=10d comment="" disabled=no
#add chain=forward protocol=udp dst-port=4500 connection-state=new \
#    src-address-list=4500_stage2 action=add-src-to-address-list address-list=4500_stage3 \
#    address-list-timeout=1m comment="" disabled=no
#add chain=forward protocol=udp dst-port=4500 connection-state=new src-address-list=4500_stage1 \
#    action=add-src-to-address-list address-list=4500_stage2 address-list-timeout=1m comment="" disabled=no
#add chain=forward protocol=udp dst-port=4500 connection-state=new action=add-src-to-address-list \
#    address-list=4500_stage1 address-list-timeout=1m comment="" disabled=no
### Section 6.4
########### Port 1701
#add chain=forward protocol=udp dst-port=1701 src-address-list=1701_blacklist action=drop \
#    comment="drop 1701 brute forcers" disabled=no
#add chain=forward protocol=udp dst-port=1701 connection-state=new \
#    src-address-list=1701_stage3 action=add-src-to-address-list address-list=1701_blacklist \
#    address-list-timeout=10d comment="" disabled=no
#add chain=forward protocol=udp dst-port=1701 connection-state=new \
#    src-address-list=1701_stage2 action=add-src-to-address-list address-list=1701_stage3 \
#    address-list-timeout=1m comment="" disabled=no
#add chain=forward protocol=udp dst-port=1701 connection-state=new src-address-list=1701_stage1 \
#    action=add-src-to-address-list address-list=1701_stage2 address-list-timeout=1m comment="" disabled=no
#add chain=forward protocol=udp dst-port=1701 connection-state=new action=add-src-to-address-list \
#    address-list=1701_stage1 address-list-timeout=1m comment="" disabled=no
#add chain=output comment="VPN Brute Force Rule End" disabled=yes
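# The stage lists in Sections 5 and 6 only work because add-src-to-address-list does not stop rule processing and
# the rules are ordered from the highest stage down, so a single new connection promotes a source by exactly one
# stage. The Python below is an added simulation of that logic, not part of this script: it assumes RouterOS
# refreshes an entry's timeout when the address is re-added, and the source address 203.0.113.7 is constructed.

```python
"""Simulation of the staged address-list logic used by Sections 5 and 6.

Added example, not part of the RouterOS script.  It models:
  * the Section 3 exemption (accept) and the Section 4 blacklist drop,
    which sit in the input chain before the jump to "RFC SSH Chain";
  * the four add-src-to-address-list rules of "RFC SSH Chain" in script
    order (Stage 3 -> Black List first, Stage 1 last);
  * dynamic address-list entries that expire after address-list-timeout,
    with 0s meaning permanent (assumed: a re-add refreshes the timeout).
Only connection-state=new packets are counted, i.e. each new TCP
connection to the SSH port, not each failed password inside a session.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

# (src-address-list the rule requires, list it adds to, timeout in seconds)
Rule = Tuple[Optional[str], str, int]

# "RFC SSH Chain" from Section 5, top to bottom.  address-list-timeout=0s -> 0.
SSH_CHAIN: List[Rule] = [
    ("SSH Stage 3", "Black List (SSH)", 0),
    ("SSH Stage 2", "SSH Stage 3", 60),
    ("SSH Stage 1", "SSH Stage 2", 60),
    (None, "SSH Stage 1", 60),
]


class AddressLists:
    """Dynamic address lists: name -> {address: expiry time, None = permanent}."""

    def __init__(self) -> None:
        self.lists: Dict[str, Dict[str, Optional[int]]] = {}

    def add(self, name: str, addr: str, timeout: int, now: int) -> None:
        # Assumption: re-adding an existing entry refreshes its timeout.
        self.lists.setdefault(name, {})[addr] = None if timeout == 0 else now + timeout

    def contains(self, name: str, addr: str, now: int) -> bool:
        entries = self.lists.get(name, {})
        if addr not in entries:
            return False
        expiry = entries[addr]
        if expiry is not None and expiry <= now:
            del entries[addr]          # dynamic entry timed out
            return False
        return True


def new_connection(lists: AddressLists, src: str, now: int,
                   chain: List[Rule] = SSH_CHAIN,
                   exempt: FrozenSet[str] = frozenset()) -> str:
    """Run one new TCP connection to the SSH port through the input chain.

    Returns "accept" (Section 3 exemption), "drop" (Section 4 blacklist) or
    "continue" (walked "RFC SSH Chain" and returned to the rest of the firewall).
    """
    if src in exempt:                                    # Section 3
        return "accept"
    if lists.contains("Black List (SSH)", src, now):     # Section 4
        return "drop"
    for required, target, timeout in chain:              # Section 5 jump
        # add-src-to-address-list is non-terminating: every matching rule fires
        if required is None or lists.contains(required, src, now):
            lists.add(target, src, timeout, now)
    return "continue"


def connections_until_drop(chain: List[Rule], interval: int, limit: int = 20) -> Optional[int]:
    """Connect repeatedly from one constructed source every `interval` seconds.

    Returns the 1-based number of the first connection that is dropped, or
    None if `limit` connections all get through.
    """
    lists = AddressLists()
    for n in range(1, limit + 1):
        if new_connection(lists, "203.0.113.7", now=n * interval, chain=chain) == "drop":
            return n
    return None


if __name__ == "__main__":
    # Script order: 4 connections within the 1m windows, the 5th is dropped.
    print("script order, 10s apart  :", connections_until_drop(SSH_CHAIN, 10))                      # 5
    # Reversed order cascades through every stage on the first connection.
    print("reversed order, 10s apart:", connections_until_drop(list(reversed(SSH_CHAIN)), 10))      # 2
    # Entries expire after 1m, so spacing beyond the window never escalates.
    print("script order, 90s apart  :", connections_until_drop(SSH_CHAIN, 90))                      # None
```

The reversed case is the misconfiguration to watch for when reordering rules in WinBox: with Stage 1 on top, one connection lands a source on the permanent blacklist.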
###############################################################################
#### Scanners                                                              ####
###############################################################################
#### Detect & Manage Port Scanners ####
###############################################################################
# Section 7
/ip firewall filter
# The list name must match the Section 4 drop rule exactly ("WAN Port Scanners"); the original "Wan Port Scanners" did not.
add action=add-src-to-address-list address-list="WAN Port Scanners" chain=input comment="Add TCP Port Scanners to Address List" protocol=tcp psd=40,3s,2,1
add action=add-src-to-address-list address-list="LAN Port Scanners" chain=forward comment="Add TCP Port Scanners to Address List" protocol=tcp psd=40,3s,2,1

###############################################################################
#### High Connections                                                      ####
###############################################################################
#### Detect & Manage High Connection Rates (Helps find abuse) ####
###############################################################################
# Section 8
/ip firewall filter
add action=add-src-to-address-list address-list="(WAN High Connection Rates)" chain=input comment="Add WAN High Connections to Address List" connection-limit=100,32 protocol=tcp
add action=add-src-to-address-list address-list="(LAN High Connection Rates)" chain=forward comment="Add LAN High Connections to Address List" connection-limit=100,32 protocol=tcp

###############################################################################
#### Virus Chain                                                           ####
###############################################################################
#### The Virus Chain has been added at the request of customers, but there is no guarantee, expressed or implied, with the
#### Virus Chain. If a device will not connect, check here first: disable the rule and test the device.
###############################################################################
# Section 9
add action=jump chain=input comment="Jump to Virus Chain" disabled=no jump-target=Virus
add action=drop chain=Virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=Virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=Virus comment=Conficker disabled=no dst-port=593 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=yes dst-port=1024-1030 protocol=tcp
add action=drop chain=Virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=Virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=Virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=Virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=Virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=Virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=Virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=Virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=Virus comment="Drop Sasser" disabled=yes dst-port=5554 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=Virus comment="Drop Beagle.B" disabled=yes dst-port=8866 protocol=tcp
add action=drop chain=Virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" disabled=yes dst-port=10000 protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=Virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=Virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=Virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=return chain=Virus comment="Return From Virus Chain" disabled=no
add chain=output comment="Virus Chain End Section Break" disabled=yes

###############################################################################
#### Common Ports                                                          ####
###############################################################################
#### This is a list of all common ports as found on http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers and other sources.
#### By default they are enabled to prevent immediate problems when applying the script. Carefully review the list of
#### ports and remove or disable entries that are not needed.
## ############################################################################################################################################## # Section 10 /ip firewall filter add action=jump chain=forward comment="Jump to \"Manage Common Ports\" Chain" jump-target="Manage Common Ports" add chain="Manage Common Ports" comment="\"All hosts on this subnet\" Broadcast" src-address=224.0.0.1 add chain="Manage Common Ports" comment="\"All routers on this subnet\" Broadcast" src-address=224.0.0.2 add chain="Manage Common Ports" comment="DVMRP (Distance Vector Multicast Routing Protocol)" src-address=224.0.0.4 add chain="Manage Common Ports" comment="OSPF - All OSPF Routers Broadcast" src-address=224.0.0.5 add chain="Manage Common Ports" comment="OSPF - OSPF DR Routers Broadcast" src-address=224.0.0.6 add chain="Manage Common Ports" comment="RIP Broadcast" src-address=224.0.0.9 add chain="Manage Common Ports" comment="EIGRP Broadcast" src-address=224.0.0.10 add chain="Manage Common Ports" comment="PIM Broadcast" src-address=224.0.0.13 add chain="Manage Common Ports" comment="VRRP Broadcast" src-address=224.0.0.18 add chain="Manage Common Ports" comment="IS-IS Broadcast" src-address=224.0.0.19 add chain="Manage Common Ports" comment="IS-IS Broadcast" src-address=224.0.0.20 add chain="Manage Common Ports" comment="IS-IS Broadcast" src-address=224.0.0.21 add chain="Manage Common Ports" comment="IGMP Broadcast" src-address=224.0.0.22 add chain="Manage Common Ports" comment="GRE Protocol (Local Management)" protocol=gre add chain="Manage Common Ports" comment="FTPdata transfer" port=10020 protocol=tcp add chain="Manage Common Ports" comment="FTPdata transfer " port=10020 protocol=udp add chain="Manage Common Ports" comment="FTPcontrol (command)" port=10021 protocol=tcp add chain="Manage Common Ports" comment="Secure Shell(SSH)" port=10022 protocol=tcp add chain="Manage Common Ports" comment="Secure Shell(SSH) " port=10022 protocol=udp add chain="Manage Common Ports" 
comment=Telnet port=10023 protocol=tcp add chain="Manage Common Ports" comment=Telnet port=10023 protocol=udp add chain="Manage Common Ports" comment="Priv-mail: any privatemailsystem." port=24 protocol=tcp add chain="Manage Common Ports" comment="Priv-mail: any privatemailsystem. " port=24 protocol=udp add chain="Manage Common Ports" comment="Simple Mail Transfer Protocol(SMTP)" port=25 protocol=tcp add chain="Manage Common Ports" comment="Simple Mail Transfer Protocol(SMTP) " port=25 protocol=udp add chain="Manage Common Ports" comment="TIME protocol" port=37 protocol=tcp add chain="Manage Common Ports" comment="TIME protocol " port=37 protocol=udp add chain="Manage Common Ports" comment="ARPA Host Name Server Protocol & WINS" port=42 protocol=tcp add chain="Manage Common Ports" comment="ARPA Host Name Server Protocol & WINS " port=42 protocol=udp add chain="Manage Common Ports" comment="WHOIS protocol" port=43 protocol=tcp add chain="Manage Common Ports" comment="WHOIS protocol" port=43 protocol=udp # _ _ __ # |_) |_ | o _ | \ |\ | (_ # | |_| |_) | | (_ |_/ | \| __) # # Section 10.1 ########### Uncomment the two "add chain" rules below if you are running a public DNS server behind this firewall ########### #add chain="Manage Common Ports" comment="Domain Name System (DNS)" port=53 protocol=tcp #add chain="Manage Common Ports" comment="Domain Name System (DNS)" port=53 protocol=udp ########### add chain="Manage Common Ports" comment="Mail Transfer Protocol(RFC 780)" port=57 protocol=tcp add chain="Manage Common Ports" comment="(BOOTP) Server & (DHCP) " port=67 protocol=udp add chain="Manage Common Ports" comment="(BOOTP) Client & (DHCP) " port=68 protocol=udp add chain="Manage Common Ports" comment="Trivial File Transfer Protocol (TFTP) " port=69 protocol=udp add chain="Manage Common Ports" comment="Gopher protocol" port=70 protocol=tcp add chain="Manage Common Ports" comment="Finger protocol" port=79 protocol=tcp add chain="Manage Common Ports" 
comment="Hypertext Transfer Protocol (HTTP)" port=80 protocol=tcp
add chain="Manage Common Ports" comment="Remote TELNET Service protocol" port=107 protocol=tcp
add chain="Manage Common Ports" comment="Post Office Protocol v2 (POP2)" port=109 protocol=tcp
add chain="Manage Common Ports" comment="Post Office Protocol v3 (POP3)" port=110 protocol=tcp
add chain="Manage Common Ports" comment="Ident Authentication Service/Identification Protocol" port=113 protocol=tcp
add chain="Manage Common Ports" comment="Authentication Service (auth)" port=113 protocol=udp
add chain="Manage Common Ports" comment="Simple File Transfer Protocol (SFTP)" port=115 protocol=tcp
add chain="Manage Common Ports" comment="Network Time Protocol (NTP)" port=123 protocol=udp
add chain="Manage Common Ports" comment="NetBIOS Name Service" port=137 protocol=tcp
add chain="Manage Common Ports" comment="NetBIOS Name Service" port=137 protocol=udp
add chain="Manage Common Ports" comment="NetBIOS Datagram Service" port=138 protocol=tcp
add chain="Manage Common Ports" comment="NetBIOS Datagram Service" port=138 protocol=udp
add chain="Manage Common Ports" comment="NetBIOS Session Service" port=139 protocol=tcp
add chain="Manage Common Ports" comment="NetBIOS Session Service" port=139 protocol=udp
add chain="Manage Common Ports" comment="Internet Message Access Protocol (IMAP)" port=143 protocol=tcp
add chain="Manage Common Ports" comment="Background File Transfer Program (BFTP)" port=152 protocol=tcp
add chain="Manage Common Ports" comment="Background File Transfer Program (BFTP)" port=152 protocol=udp
add chain="Manage Common Ports" comment="SGMP, Simple Gateway Monitoring Protocol" port=153 protocol=tcp
add chain="Manage Common Ports" comment="SGMP, Simple Gateway Monitoring Protocol" port=153 protocol=udp
add chain="Manage Common Ports" comment="DMSP, Distributed Mail Service Protocol" port=158 protocol=tcp
add chain="Manage Common Ports" comment="DMSP, Distributed Mail Service Protocol" port=158 protocol=udp
add chain="Manage Common Ports" comment="Simple Network Management Protocol (SNMP)" port=161 protocol=udp
add chain="Manage Common Ports" comment="Simple Network Management Protocol Trap (SNMPTRAP)" port=162 protocol=tcp
add chain="Manage Common Ports" comment="Simple Network Management Protocol Trap (SNMPTRAP)" port=162 protocol=udp
add chain="Manage Common Ports" comment="BGP (Border Gateway Protocol)" port=179 protocol=tcp
add chain="Manage Common Ports" comment="Internet Message Access Protocol (IMAP), version 3" port=220 protocol=tcp
add chain="Manage Common Ports" comment="Internet Message Access Protocol (IMAP), version 3" port=220 protocol=udp
add chain="Manage Common Ports" comment="BGMP, Border Gateway Multicast Protocol" port=264 protocol=tcp
add chain="Manage Common Ports" comment="BGMP, Border Gateway Multicast Protocol" port=264 protocol=udp
add chain="Manage Common Ports" comment="Lightweight Directory Access Protocol (LDAP)" port=389 protocol=tcp
add chain="Manage Common Ports" comment="Lightweight Directory Access Protocol (LDAP)" port=389 protocol=udp
add chain="Manage Common Ports" comment="SSTP TCP Port 443 (Local Management) & HTTPS" port=443 protocol=tcp
add chain="Manage Common Ports" comment="Microsoft-DS Active Directory, Windows shares" port=445 protocol=tcp
add chain="Manage Common Ports" comment="L2TP/IPSEC UDP Port 500 (Local Management)" port=500 protocol=udp
add chain="Manage Common Ports" comment="Modbus Protocol" port=502 protocol=tcp
add chain="Manage Common Ports" comment="Modbus Protocol" port=502 protocol=udp
add chain="Manage Common Ports" comment="Shell (Remote Shell, rsh, remsh)" port=514 protocol=tcp
add chain="Manage Common Ports" comment="Syslog - used for system logging" port=514 protocol=udp
add chain="Manage Common Ports" comment="Routing Information Protocol (RIP)" port=520 protocol=udp
add chain="Manage Common Ports" comment="e-mail message submission (SMTP)" port=587 protocol=tcp
add chain="Manage Common Ports" comment="LDP, Label Distribution Protocol" port=646 protocol=tcp
add chain="Manage Common Ports" comment="LDP, Label Distribution Protocol" port=646 protocol=udp
add chain="Manage Common Ports" comment="FTPS Protocol (data): FTP over TLS/SSL" port=989 protocol=tcp
add chain="Manage Common Ports" comment="FTPS Protocol (data): FTP over TLS/SSL" port=989 protocol=udp
add chain="Manage Common Ports" comment="FTPS Protocol (control): FTP over TLS/SSL" port=990 protocol=tcp
add chain="Manage Common Ports" comment="FTPS Protocol (control): FTP over TLS/SSL" port=990 protocol=udp
add chain="Manage Common Ports" comment="TELNET protocol over TLS/SSL" port=992 protocol=tcp
add chain="Manage Common Ports" comment="TELNET protocol over TLS/SSL" port=992 protocol=udp
add chain="Manage Common Ports" comment="Internet Message Access Protocol over TLS/SSL (IMAPS)" port=993 protocol=tcp
add chain="Manage Common Ports" comment="Post Office Protocol 3 over TLS/SSL (POP3S)" port=995 protocol=tcp
add chain="Manage Common Ports" comment="OVPN TCP Port 1194 (Local Management)" port=1194 protocol=tcp
add chain="Manage Common Ports" comment="PPTP Port 1723 (Local Management)" port=1723 protocol=tcp
add chain="Manage Common Ports" comment="L2TP UDP Port 1701 (Local Management)" port=1701 protocol=udp
add chain="Manage Common Ports" comment="L2TP UDP Port 4500 (Local Management)" port=4500 protocol=udp
add chain=output comment="Common Ports End Section Break" disabled=yes
# IP Country Block
# Section 10.2
##########################################################################################################################
#### Firewall Filter, see note below Countries for details ###
########################################################################################################################################################################################################################################
### This list includes network data on the following countries: Generated by thormaster ###
### AFGHANISTAN, ALAND ISLANDS, ALBANIA, ALGERIA, AMERICAN SAMOA, ANDORRA, ANGOLA, ANGUILLA, ANTARCTICA, ANTIGUA AND BARBUDA, ARGENTINA, ARMENIA, ARUBA, ASIA PACIFIC, AUSTRALIA, AUSTRIA, AZERBAIJAN, BAHAMAS, BAHRAIN, BANGLADESH, ###
### BARBADOS, BELARUS, BELGIUM, BELIZE, BENIN, BERMUDA, BHUTAN, BOLIVIA, BONAIRE, SAINT EUSTATIUS AND SABA, BOSNIA AND HERZEGOVINA, BOTSWANA, BOUVET ISLAND, BRAZIL, BRITISH INDIAN OCEAN TERRITORY, BRUNEI DARUSSALAM, BULGARIA, ###
### BURKINA FASO, BURUNDI, CAMBODIA, CAMEROON, CANADA, CAPE VERDE, CAYMAN ISLANDS, CENTRAL AFRICAN REPUBLIC, CHAD, CHILE, CHINA, CHRISTMAS ISLAND, COCOS (KEELING) ISLANDS, COLOMBIA, COMOROS, CONGO - BRAZZAVILLE, CONGO, ###
### THE DEMOCRATIC REPUBLIC OF THE, COOK ISLANDS, COSTA RICA, COTE D'IVOIRE, CROATIA, CUBA, CURACAO, CYPRUS, CZECH REPUBLIC, DENMARK, DJIBOUTI, DOMINICA, DOMINICAN REPUBLIC, ECUADOR, EGYPT, EL SALVADOR, EQUATORIAL GUINEA, ERITREA, ###
### ESTONIA, ETHIOPIA, EUROPEAN UNION, FALKLAND ISLANDS (MALVINAS), FAROE ISLANDS, FIJI, FINLAND, FRANCE, FRENCH GUIANA, FRENCH POLYNESIA, FRENCH SOUTHERN TERRITORIES, GABON, GAMBIA, GEORGIA, GERMANY, GHANA, GIBRALTAR, GREECE, ###
### GREENLAND, GRENADA, GUADELOUPE, GUAM, GUATEMALA, GUERNSEY, GUINEA, GUINEA-BISSAU, GUYANA, HAITI, HEARD AND MC DONALD ISLANDS, HOLY SEE, HONDURAS, HONG KONG, HUNGARY, ICELAND, INDIA, INDONESIA, IRAN, ISLAMIC REPUBLIC OF, IRAQ, ###
### IRELAND, ISLE OF MAN, ISRAEL, ITALY, JAMAICA, JAPAN, JERSEY, JORDAN, KAZAKHSTAN, KENYA, KIRIBATI, KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF, KOREA, REPUBLIC OF, KOSOVO, KUWAIT, KYRGYZSTAN, LAO PEOPLE'S DEMOCRATIC REPUBLIC, LATVIA, ###
### LEBANON, LESOTHO, LIBERIA, LIBYAN ARAB JAMAHIRIYA, LIECHTENSTEIN, LITHUANIA, LUXEMBOURG, MACAO, MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF, MADAGASCAR, MALAWI, MALAYSIA, MALDIVES, MALI, MALTA, MARSHALL ISLANDS, MARTINIQUE, ###
### MAURITANIA, MAURITIUS, MAYOTTE, MEXICO, MICRONESIA, FEDERATED STATES OF, MOLDOVA, REPUBLIC OF, MONACO, MONGOLIA, MONTENEGRO, MONTSERRAT, MOROCCO, MOZAMBIQUE, MYANMAR, NAMIBIA, NAURU, NEPAL, NETHERLANDS, NETHERLANDS ANTILLES, ###
### NEW CALEDONIA, NEW ZEALAND, NICARAGUA, NIGER, NIGERIA, NIUE, NORFOLK ISLAND, NORTHERN MARIANA ISLANDS, NORWAY, OMAN, PAKISTAN, PALAU, PALESTINIAN TERRITORY, PANAMA, PAPUA NEW GUINEA, PARAGUAY, PERU, PHILIPPINES, PITCAIRN, ###
### POLAND, PORTUGAL, PUERTO RICO, QATAR, REUNION, ROMANIA, RUSSIAN FEDERATION, RWANDA, SAINT BARTHELEMY, SAINT HELENA, SAINT KITTS AND NEVIS, SAINT LUCIA, SAINT MARTIN, SAINT PIERRE AND MIQUELON, SAINT VINCENT AND THE GRENADINES, ###
### SAMOA, SAN MARINO, SAO TOME AND PRINCIPE, SAUDI ARABIA, SENEGAL, SERBIA, SEYCHELLES, SIERRA LEONE, SINGAPORE, SINT MAARTEN, SLOVAKIA, SLOVENIA, SOLOMON ISLANDS, SOMALIA, SOUTH AFRICA, SOUTH GEORGIA AND THE SOUTH SANDWICH ###
### ISLANDS, SOUTH SUDAN, SPAIN, SRI LANKA, SUDAN, SURINAME, SVALBARD & JAN MAYEN ISLANDS, SWAZILAND, SWEDEN, SWITZERLAND, SYRIAN ARAB REPUBLIC, TAIWAN, PROVINCE OF CHINA, TAJIKISTAN, TANZANIA, UNITED REPUBLIC OF, THAILAND, ###
### TIMOR-LESTE, TOGO, TOKELAU, TONGA, TRINIDAD AND TOBAGO, TUNISIA, TURKEY, TURKMENISTAN, TURKS AND CAICOS ISLANDS, TUVALU, UGANDA, UKRAINE, UNITED ARAB EMIRATES, UNITED KINGDOM, UNITED STATES MINOR OUTLYING ISLANDS, URUGUAY, ###
### UZBEKISTAN, VANUATU, VENEZUELA, VIET NAM, VIRGIN ISLANDS, BRITISH, VIRGIN ISLANDS, U.S., WALLIS AND FUTUNA ISLANDS, WESTERN SAHARA, YEMEN, ZAMBIA, ZIMBABWE ###
########################################################################################################################################################################################################################################
### Note: The IP-Country.rsc file cannot be loaded by copy/paste; the script needs to be loaded with the CLI command in the terminal "import IPBlock.rsc" and then /sys script run IPBlock.rsc. Make sure you have enough disk space for the 18mb file! ###
### It has to be saved to the "Files Folder". It is an 18mb IP Country Block. There are around 300,000 lines of code, so it will take a while. The list is not made for normal routers but only for routers with 256mb RAM. ###
### If the clients will be using it as an Internet router, it is not recommended to use the ACL for security. It will block them cold and you will have to remove the countries or IPs from the list by hand. ###
### If you do not have the IPBlock.rsc file you can download it here. RSC File http://peerblock.itcctv.cloud:1080/IPBlockRSC.zip Mikrotik will need to be delivered separately due to password in config. ###
########################################################################################################################################################################################################################################
# Section 11
# Bogon Short list
###########################################################################################################################
#### This is the BOGON short list. ####
####!!!!! All subnets in this list will be blocked!!! Disable or remove any subnets that you are using!!! ####
###########################################################################################################################
# Section 12
/ip firewall address-list
add address=0.0.0.0/8 comment="RFC 1122 \"This host on this network\"" disabled=yes list=Bogons
add address=10.0.0.0/8 comment="RFC 1918 (Private Use IP Space)" disabled=yes list=Bogons
add address=100.64.0.0/10 comment="RFC 6598 (Shared Address Space)" disabled=no list=Bogons
add address=127.0.0.0/8 comment="RFC 1122 (Loopback)" disabled=yes list=Bogons
add address=169.254.0.0/16 comment="RFC 3927 (Dynamic Configuration of IPv4 Link-Local Addresses)" disabled=yes list=Bogons
add address=172.16.0.0/12 comment="RFC 1918 (Private Use IP Space)" disabled=yes list=Bogons
add address=192.0.0.0/24 comment="RFC 6890 (IETF Protocol Assignments)" disabled=yes list=Bogons
add address=192.0.2.0/24 comment="RFC 5737 (Test-Net-1)" disabled=no list=Bogons
add address=192.168.0.0/16 comment="RFC 1918 (Private Use IP Space)" disabled=yes list=Bogons
add address=198.18.0.0/15 comment="RFC 2544 (Benchmarking)" disabled=no list=Bogons
add address=198.51.100.0/24 comment="RFC 5737 (Test-Net-2)" disabled=no list=Bogons
add address=203.0.113.0/24 comment="RFC 5737 (Test-Net-3)" disabled=no list=Bogons
add address=224.0.0.0/4 comment="RFC 5771 (Multicast Addresses - Will affect OSPF, RIP, PIM, VRRP, IS-IS, and others. Use with caution.)" disabled=yes list=Bogons
add address=240.0.0.0/4 comment="RFC 1112 (Reserved)" disabled=no list=Bogons
add address=192.31.196.0/24 comment="RFC 7535 (AS112-v4)" disabled=no list=Bogons
add address=192.52.193.0/24 comment="RFC 7450 (AMT)" disabled=no list=Bogons
add address=192.88.99.0/24 comment="RFC 7526 (Deprecated (6to4 Relay Anycast))" disabled=no list=Bogons
add address=192.175.48.0/24 comment="RFC 7534 (Direct Delegation AS112 Service)" disabled=no list=Bogons
add address=255.255.255.255 comment="RFC 919 (Limited Broadcast)" disabled=yes list=Bogons
# Remote Ports
###########################################################################################################################
#### Locking down services for remote ports ###
###########################################################################################################################
# Section 13
/ip service
set telnet address="" disabled=yes port=10023
set ftp address="" disabled=yes port=10021
set www address="" disabled=no port=8080
set ssh address="" disabled=yes port=10025
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
set api-ssl address="" certificate=none disabled=yes port=8729
# The section-break rule is a firewall filter rule, so switch back to that menu before adding it
/ip firewall filter
add chain=output comment="Remote Service Lockdown End Section Break" disabled=yes
# Dropped Spoofed
###########################################################################################################################
#### IP Settings: We'll also turn on Reverse Path Filtering (RPF), also known as Reverse Path Forwarding. This feature ####
#### drops packet traffic that appears to be spoofed. Disable it if the router is multihomed, as it will cause issues. ####
###########################################################################################################################
# Section 14
#/ip settings set rp-filter=strict
#/ip ssh set strong-crypto=yes
# Logging
###########################################################################################################################
#### Email when router accessed confirmed 18-100618 by thormaster ####
###########################################################################################################################
# Section 15
#/tool e-mail set address=[1.2.3.4] from="[odin@valhalla.com]" password="[PASSWORD]" port=587 start-tls=yes user="[frig@fensalir.com]"
#/system logging action add disk-file-count=1 disk-file-name=auth.log disk-lines-per-file=5000 name=auth target=disk
#/system logging add action=auth topics=account
#/system logging add action=auth topics=critical
#/system script
#add name=email-auth-logs owner=admin policy=\
#    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/to\
#    ol e-mail send subject=\"[ROUTER-NAME] Auth Log\" to=\"[odin@valhalla.com]\
#    \" file=auth.log.0.txt"
#/system scheduler
#add interval=1d name=email-daily-auth-log on-event=\
#    "/system script run email-auth-logs " policy=read,write,sensitive \
#    start-date=apr/13/2018 start-time=09:40:00
# Misc Configs
###########################################################################################################################
#### Misc Configurations ####
###########################################################################################################################
# Section 16
/system note set show-at-login=yes
/system note set note="UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED."
/system ntp client set primary-ntp=216.239.35.4 secondary-ntp=216.239.35.0
/system ntp client set enabled=yes server-dns-name=time.google.com,time1.google.com
/ip upnp set enabled=no
/ip service disable telnet,ftp,www,api,api-ssl
# Section 16.4
/ip service set telnet port=10023
/ip service set ssh port=10022
/ip service set ftp port=10020
/ip service set www port=8080
/ip service set www-ssl port=443
# Section 16.7
/ip service set winbox address=192.168.88.0/24
#/ip service set winbox address=10.10.10.0/24
# Section 16.8 - If you have a router sitting in front of this router and want to see it, comment out the next line.
/ip neighbor discovery-settings set discover-interface-list=!WAN
# Section 16.9 - Add your allowed IPs below
/ip firewall
/ip firewall address-list add list=rdp_acceptlist address=192.168.88.0/24 comment="Local Network"
#address-list add list=rdp_acceptlist address=[your subnets] comment="Local Network"
# Remote Users
###########################################################################################################################
#### Admin User password and Remote Users ####
###########################################################################################################################
# Section 17
#/user set 0 password="[password]"
#/user add name=odin password="[password]" group=full comment="[remote tech1]"
#/user add name=frag password="[password]" group=full comment="[remote tech2]"
/
# END
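A pre-flight check for the two lockout warnings in this script (Section 11: Bogons entries that cover a subnet you use; Section 16.7: a mistyped winbox subnet), added here as an example and not part of the original script. It parses the `add`/`set` commands of an .rsc file, reports enabled Bogons entries that overlap your own subnets, and reports address values RouterOS would reject; the sample input and function names are constructed for the example.

```python
"""Pre-flight check for a RouterOS hardening script (added example, not the script's
own code): parse the 'add'/'set' commands of an .rsc file and report enabled Bogons
entries that overlap your own subnets, plus address= values RouterOS cannot parse."""
import ipaddress
import shlex


def parse_commands(text):
    """One dict of key=value fields per 'add ...'/'set ...' command. '#' comments are
    dropped, bare menu lines skipped; shlex keeps quoted comment="..." values intact.
    (Export-style backslash line continuations are not joined; use single-line commands.)"""
    commands = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        verbs = [i for i, tok in enumerate(tokens) if tok in ("add", "set")]
        if verbs:  # '/ip firewall address-list' alone only changes the menu
            pairs = (tok.split("=", 1) for tok in tokens[verbs[0] + 1:] if "=" in tok)
            commands.append(dict(pairs))
    return commands


def check_script(text, my_subnets):
    """Return (conflicts, bad_addresses): enabled Bogons entries that overlap any of
    my_subnets (the Section 11 warning), and address= values that do not parse."""
    mine = [ipaddress.ip_network(s, strict=False) for s in my_subnets]
    conflicts, bad = [], []
    for fields in parse_commands(text):
        addr = fields.get("address")
        if not addr:
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            bad.append(addr)  # a typo here (Section 16.7) locks you out of winbox
            continue
        enabled = fields.get("disabled", "no") == "no"  # RouterOS default is no
        hits = any(m.version == net.version and net.overlaps(m) for m in mine)
        if fields.get("list") == "Bogons" and enabled and hits:
            conflicts.append(addr)
    return conflicts, bad


# Constructed sample in the shape of Sections 12 and 16.7/16.9, not the full script.
SAMPLE_RSC = """\
/ip firewall address-list
add address=10.0.0.0/8 comment="RFC 1918 (Private Use IP Space)" disabled=yes list=Bogons
add address=100.64.0.0/10 comment="RFC 6598 (Shared Address Space)" disabled=no list=Bogons
add address=192.168.0.0/16 comment="RFC 1918 (Private Use IP Space)" list=Bogons
/ip service set winbox address=192.168.88.0.0/24
add list=rdp_acceptlist address=192.168.88.0/24 comment="Local Network"
"""

if __name__ == "__main__":
    print(check_script(SAMPLE_RSC, ["192.168.88.0/24", "10.10.10.0/24"]))
```

Run it against the real script (after removing the export-style line continuations) with the subnets from Sections 16.7 and 16.9 before importing; any entry it lists under conflicts must be disabled, and any value under bad_addresses corrected.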