
Anti Port Scanning on MikroTik

Port scanning a server is one of the techniques used to look for security holes that an attacker/intruder can exploit.

On MikroTik we can block this kind of attack and at the same time block the attacker's source IP. Here is the script:

#---- script ---

/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

# block the attacker IPs

/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

#---------- end
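As an added example (not part of the original post), here is a small Python model of how the tcp-flags matchers in the rules above classify a packet: a listed flag must be set, a "!" flag must be clear, and unlisted flags are ignored. The rule order mirrors the post; the packet flag sets are constructed samples.

```python
# Added example, not from the original post: models RouterOS tcp-flags matching
# for the port-scan rules above. A listed flag must be set, a "!" flag must be
# clear, and any flag not mentioned is ignored.
FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# (tcp-flags expression, rule comment) in the same order as the post's rules
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]

def parse_tcp_flags(expr):
    """Split 'fin,!syn,...' into (must_be_set, must_be_clear) sets."""
    must_set, must_clear = set(), set()
    for tok in expr.lower().replace(" ", "").split(","):
        (must_clear if tok.startswith("!") else must_set).add(tok.lstrip("!"))
    if (must_set | must_clear) - set(FLAGS) or must_set & must_clear:
        raise ValueError("bad tcp-flags expression: " + expr)
    return must_set, must_clear

def flags_match(expr, packet_flags):
    """True if the packet's TCP flag set satisfies the tcp-flags expression."""
    must_set, must_clear = parse_tcp_flags(expr)
    present = {f.lower() for f in packet_flags}
    return must_set <= present and not (must_clear & present)

def classify(packet_flags, rules=SCAN_RULES):
    """Comment of the first rule the packet hits, or None for ordinary traffic."""
    for expr, comment in rules:
        if flags_match(expr, packet_flags):
            return comment
    return None

# Constructed sample packets: the flag set each one carries.
SAMPLES = {
    "no flags at all": (),
    "FIN only": ("fin",),
    "FIN+PSH+URG": ("fin", "psh", "urg"),
    "normal SYN": ("syn",),
    "normal FIN/ACK teardown": ("fin", "ack"),
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print("%-24s -> %s" % (name, classify(flags)))
```

Because the rules are evaluated in order, a packet with every flag set is caught by the SYN/FIN rule before it reaches the ALL/ALL rule; that is harmless here because every rule feeds the same address list.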

Happy testing ;)

Configuring MikroTik as an Internet Gateway

To make a MikroTik router act as the Internet gateway, follow and adapt the steps below:

========================================================
/interface set ether1 name=local
/interface set ether2 name=speedy1
/ip address add address=192.168.1.1/24 interface=local
/ip address add address=192.168.2.2/30 interface=speedy1
/ip dns set servers=203.134.193.74,202.134.0.155
/ip firewall nat add chain=srcnat out-interface=speedy1 action=masquerade

================================================================

Now test your Internet connection and make sure the client IPs are in the same subnet as the MikroTik's local interface.

good luck ;)

Backing Up and Restoring the MikroTik Configuration

After doing a lot of configuration on a MikroTik, it is a good idea to back that configuration up so that if anything breaks or gets messed up it can be restored quickly. To make a backup, the command is:

/system backup save name=file_backup

and to restore it:

/system backup load name=file_backup

If you forget the name of the backup file, it can be listed with the print command (/file print).

OK, happy testing.

MikroTik Security

From a module I received, here are the commands for hardening a MikroTik router by blocking a number of IP ranges and ports.

Here are the command lines:

/ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop
/ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop
/ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop
/ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop
/ip firewall filter add chain=forward src-address=224.0.0.0/8 action=drop
/ip firewall filter add chain=forward dst-address=224.0.0.0/8 action=drop

/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp
/ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp
/ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp

/ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
/ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
/ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC endpoint mapper"
/ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
/ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
/ip firewall filter add chain=udp protocol=udp dst-port=31337 action=drop comment="deny BackOrifice"

/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="port scanners to list" disabled=no

The author may explain this in more detail in another article. :D

thanks

Blocking Internet Access for Specific IPs

To block a particular IP, enter the following command:

/ip firewall filter add action=drop chain=forward src-address=192.168.1.189

It is easier to group them using an address list of the IPs that are allowed to connect to the Internet, then add a firewall filter that drops any source IP not in that address list. The command:

/ip firewall filter add chain=forward action=drop src-address-list=!local_ip

Happy testing ^_^

Blocking Websites on MikroTik

Blocking a website (a.k.a. a site) can be done through the web proxy or through the firewall. Since the web proxy has not been enabled yet, this time the author does the blocking through the MikroTik firewall, with a command like the following example:

/ip firewall filter add chain=forward dst-address=209.11.168.112/32 action=reject disabled=no

IP 209.11.168.112 is the IP of the site being blocked.

Or by collecting IP addresses based on content:

/ip firewall mangle add action=add-dst-to-address-list address-list=youtube address-list-timeout=1m chain=prerouting content=youtube.com disabled=no comment="block youtube"

/ip firewall filter add action=drop chain=forward comment="drop youtube" disabled=no dst-address-list=youtube

OK, give it a try. ^_^

PCC Load Balancing on MikroTik with 2 Speedy Lines

Notes
MODEM 1 IP: 192.168.2.1
MODEM 2 IP: 192.168.3.1
LOCAL IP: 192.168.1.1/24
ETHERNET1 IP (SPEEDY1): 192.168.2.2
ETHERNET2 IP (SPEEDY2): 192.168.3.2
DNS: 203.134.193.74,202.134.0.155

---- MikroTik Router Configuration ----

/interface set ether1 name=local
/interface set ether2 name=speedy1
/interface set ether3 name=speedy2

/ip address add address=192.168.1.1/24 interface=local
/ip address add address=192.168.2.2/30 interface=speedy1
/ip address add address=192.168.3.2/30 interface=speedy2

/ip dns set servers=203.134.193.74,202.134.0.155

/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=2 check-gateway=ping

/ip firewall mangle add chain=input in-interface=speedy1 action=mark-connection new-connection-mark=jalur01
/ip firewall mangle add chain=input in-interface=speedy2 action=mark-connection new-connection-mark=jalur02

/ip firewall mangle add chain=output connection-mark=jalur01 action=mark-routing new-routing-mark=ke_jalur01
/ip firewall mangle add chain=output connection-mark=jalur02 action=mark-routing new-routing-mark=ke_jalur02

/ip firewall mangle add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=local
/ip firewall mangle add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=local

/ip firewall mangle add chain=prerouting dst-address-type=!local in-interface=local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=jalur01 passthrough=yes
/ip firewall mangle add chain=prerouting dst-address-type=!local in-interface=local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=jalur02 passthrough=yes

/ip firewall mangle add chain=prerouting connection-mark=jalur01 in-interface=local action=mark-routing new-routing-mark=ke_jalur01
/ip firewall mangle add chain=prerouting connection-mark=jalur02 in-interface=local action=mark-routing new-routing-mark=ke_jalur02

/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=ke_jalur01 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=ke_jalur02 check-gateway=ping

/ip firewall nat add chain=srcnat out-interface=speedy1 action=masquerade
/ip firewall nat add chain=srcnat out-interface=speedy2 action=masquerade


------ done -----


Don't forget: Modem 1 goes on Ethernet port 2, Modem 2 on Ethernet port 3, and the local LAN on Ethernet port 1.
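As an added example (not part of the original post), here is a Python model of the prerouting mangle logic above, showing how per-connection-classifier (PCC) pins each LAN connection to one Speedy line and which flows the accept rules leave unmarked. RouterOS's real PCC hash is not reproduced; a SHA-256 stand-in is used, which is an assumption, and the sample flows are constructed.

```python
# Added example, not from the original post: a Python model of the prerouting
# mangle logic above, showing how per-connection-classifier (PCC) pins each
# LAN connection to one Speedy line. RouterOS's real PCC hash is not
# reproduced here, so a SHA-256 stand-in is used; that choice is an assumption.
import hashlib
import ipaddress

MODEM_NETS = [ipaddress.ip_network("192.168.2.0/24"),
              ipaddress.ip_network("192.168.3.0/24")]
ROUTER_ADDRS = {"192.168.1.1", "192.168.2.2", "192.168.3.2"}  # the router's own addresses

# (denominator, remainder), connection mark, routing mark, as in the post
PCC_RULES = [((2, 0), "jalur01", "ke_jalur01"),
             ((2, 1), "jalur02", "ke_jalur02")]

def pcc_value(src, dst, denominator):
    """Stand-in for both-addresses PCC: hash src|dst, reduce modulo denominator."""
    key = "%s|%s" % (src, dst)
    digest = hashlib.sha256(key.encode()).digest()  # assumed hash, not RouterOS's
    return int.from_bytes(digest[:4], "big") % denominator

def prerouting_marks(src, dst, in_interface="local"):
    """Return the (connection-mark, routing-mark) the post's prerouting chain assigns."""
    if in_interface != "local":
        return None, None             # the LAN rules only match in-interface=local
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in net for net in MODEM_NETS):
        return None, None             # accepted early: traffic to the modems stays unmarked
    if dst in ROUTER_ADDRS:
        return None, None             # dst-address-type=!local skips the router itself
    for (den, rem), conn_mark, route_mark in PCC_RULES:
        if pcc_value(src, dst, den) == rem:
            return conn_mark, route_mark
    raise AssertionError("unreachable: every remainder 0..den-1 has a rule")

def line_for(src, dst):
    """Which Speedy gateway a LAN flow leaves through, per the routing-mark routes above."""
    gateway = {"ke_jalur01": "192.168.2.1", "ke_jalur02": "192.168.3.1"}
    _, route_mark = prerouting_marks(src, dst)
    return gateway.get(route_mark)    # None: falls through to the plain default routes

if __name__ == "__main__":
    # constructed LAN flows
    for src, dst in [("192.168.1.10", "8.8.8.8"), ("192.168.1.10", "1.1.1.1"),
                     ("192.168.1.20", "8.8.8.8"), ("192.168.1.20", "192.168.3.1")]:
        print(src, "->", dst, prerouting_marks(src, dst), line_for(src, dst))
```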

Happy testing... MikroTikers ^_^
