Thursday, June 25, 2009

Virus II


Virus I

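/ip firewall filter
# Rule order is the whole point of this pair: the drop rule must sit ABOVE the detector,
# so a source that is already listed is dropped before it can be counted again.
# Both rules are chain=forward, i.e. transit traffic only; SMTP aimed at the router
# itself (input chain) is not covered. Source addresses seen here are the clients'
# own (pre-NAT) addresses, which is what the "spammers" script below looks up in
# /ip hotspot active.
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
# Detector. connection-limit=30,32 fires once a single /32 source holds more than 30
# concurrent SMTP connections. limit=50,5 only throttles how often this rule itself may
# match (count,burst) and is NOT the detection threshold. The listing expires after 1 day
# (address-list-timeout). add-src-to-address-list is a non-terminating action, so the
# triggering packet continues down the chain; blocking starts with the next packet that
# reaches the drop rule above.
# NOTE(review): a legitimate internal mail server or relay will trip this too; exempt
# it with an accept rule (src-address=...) above this one or it will be listed and dropped.
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"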
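/system script
# Walks the "spammer" address list and, for each listed address, logs the address and the
# hotspot user name(s) currently bound to it, so the operator sees WHO tripped the SMTP
# connection-limit rule, not just which IP. Output goes to the "error" log topic.
#
# Fixes relative to the original:
#  - The original logged the address only inside the inner hotspot loop, so a listed
#    address with no active hotspot session was never logged at all. The address is now
#    logged once per list entry, followed by any user names found for it.
#  - Least privilege: the script only reads (address-list find/get, hotspot active
#    find/get) and logs. The original ran it with
#    policy=ftp,read,write,policy,test,winbox, none of which it uses beyond read.
#    policy=read should be sufficient — confirm on the target RouterOS version before
#    scheduling it.
#  - Variables renamed: the original stored the IP in "usser" and the user name in "ip".
# The :set-without-declaration form is the RouterOS 2.9 dialect this page targets; newer
# versions require :local declarations.
add name="spammers" source=":log error \"----------Users detected like SPAMMERS -------------\";\n:foreach i in \[/ip firewall address-list find list=spammer\] do={:set addr \[/ip firewall address-list get \$i address\];\n:log error \$addr;\n:foreach j in=\[/ip hotspot active find address=\$addr\] do={:set hsuser \[/ip hotspot active get \$j user\];\n:log error \$hsuser} };" policy=read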

This next rule set is for viruses and worms: a stateful forward-chain policy with a port blocklist in a separate "virus" chain.

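/ip firewall filter
# Stateful base: let established/related flows through first, drop invalid ones.
# (action=accept is the default when omitted; it is spelled out here so the policy reads
# unambiguously.)
add chain=forward connection-state=established action=accept comment="allow established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
# "virus" chain: a port blocklist for transit traffic. It matches on dst-port only and in
# BOTH directions (no in-interface), so it stops LAN clients from reaching these ports
# just as much as it stops inbound worm traffic. Anything legitimately served on one of
# them — SOCKS on 1080, MS-SQL on 1433-1434, Webmin-style admin tools on 10000, any
# service in 1024-1030 — is cut off too; audit before deploying.
# Rules whose original comment was blank ("________") are kept as found; no claim is
# made here about which malware they were meant for.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
# 1024-1030 is a range of ordinary ports, not one worm port; this is the rule most likely
# to break something legitimate.
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
# The original listed tcp/2745 twice ("Bagle Virus" and "Drop Beagle.C-K"); one rule is enough.
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
# Hand transit traffic to the blocklist; the rules below run only for packets it did not drop.
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
# The explicit HTTP/SMTP accepts are redundant with "allow TCP" but kept as documentation.
# If the SMTP spammer drop/detect pair from the first listing on this page is used together
# with this set, it must be placed ABOVE this SMTP accept or it will never be reached.
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward protocol=tcp action=accept comment="allow TCP"
add chain=forward protocol=icmp action=accept comment="allow ping"
add chain=forward protocol=udp action=accept comment="allow udp"
# Default deny for everything that is not TCP/UDP/ICMP (GRE, ESP, ...).
add chain=forward action=drop comment="drop everything else"
# NOTE(review): this set protects transit traffic only. There is no input chain here, so
# the router's own services (telnet/ssh/www/ftp/dns/winbox) remain reachable from every
# interface unless /ip service is restricted or an input policy is added.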

Nothing special in here: a full RouterOS 2.9.27 export of the router itself (user names shown as "----").

may/20/2009 08:44:37 by RouterOS 2.9.27
# software id = EM5K-LJN
#
/ interface ethernet
# Four NICs: "lan on board" (no IP address is assigned to it further down), modem1/modem2
# (the two upstream modem segments) and lokal (the LAN). All forced to 100Mbps full-duplex
# with auto-negotiation also enabled.
set "lan on board" name="lan on board" mtu=1500 mac-address=00:1C:F0:EC:11:16 arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set modem1 name="modem1" mtu=1500 mac-address=00:1C:F0:BC:74:55 arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set modem2 name="modem2" mtu=1500 mac-address=00:02:44:48:88:29 arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set lokal name="lokal" mtu=1500 mac-address=00:E0:4D:23:E7:58 arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
/ interface l2tp-server server
# Both VPN servers are disabled. NOTE(review): if they are ever enabled as configured,
# L2TP would accept pap/chap/mschap1 (plaintext or weak) and PPTP mschap1; trim both to
# mschap2 only. Both reference the "default-encryption" PPP profile (MPPE forced).
set enabled=no max-mtu=1460 max-mru=1460 authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 keepalive-timeout=30 \
    default-profile=default-encryption
/ ip accounting
# Traffic accounting is off, and its web endpoint is disabled as well.
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
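/ ip service
# Management services. The export bound every one of them to 0.0.0.0/0, which on this
# router means they answered on the two modem-facing interfaces (192.168.1.2 and
# 192.168.2.2) as well as the LAN, and nothing in the export filters the input chain.
# Plaintext telnet and ftp are disabled here; www and ssh are restricted to the LAN
# subnet (192.168.3.0/24 on "lokal"). Adjust address= if the router is administered from
# another network, and make this change from a session on the LAN so you cannot lock
# yourself out. If the hotspot's login page is served through the www service on this
# version (confirm), keep www's address= covering the hotspot client subnet.
set telnet port=23 address=192.168.3.0/24 disabled=yes
set ftp port=21 address=192.168.3.0/24 disabled=yes
set www port=80 address=192.168.3.0/24 disabled=no
set ssh port=22 address=192.168.3.0/24 disabled=no
# www-ssl stays disabled: with certificate=none it cannot serve TLS anyway.
set www-ssl port=443 address=192.168.3.0/24 certificate=none disabled=yes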
/ ip upnp
# UPnP is off (good: it would let LAN hosts open NAT pinholes on their own).
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
/ ip socks
# SOCKS proxy is off.
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver on every interface,
# and no input-chain rules appear in this export. On the modem-facing interfaces that
# exposes the cache (and a DNS amplification vector) to whatever can reach
# 192.168.1.2/192.168.2.2. Add an input rule limiting udp/tcp 53 to the LAN, or keep the
# setting off. Upstream resolvers are 202.134.0.155 and 202.134.1.10.
set primary-dns=202.134.0.155 secondary-dns=202.134.1.10 allow-remote-requests=yes cache-size=2048KiB \
    cache-max-ttl=1w
/ ip traffic-flow
# NetFlow export is off.
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m inactive-flow-timeout=15s
/ ip address
# modem1/modem2 are the two upstream (modem) segments; lokal is the LAN (192.168.3.0/24).
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=modem1 comment="" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=modem2 comment="" disabled=no
add address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 interface=lokal comment="" disabled=no
/ ip proxy
# HTTP proxy is off; the access rule below only takes effect if it is enabled.
# (The misspelled parameter names are as exported.)
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000 maximal-server-connectons=1000
/ ip proxy access
# Stops the proxy being used to reach telnet/SMTP ports — the classic open-proxy spam relay.
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
/ ip neighbor discovery
# NOTE(review): neighbor discovery is on for the modem-facing interfaces too; it
# announces the router's identity and version to that segment. Disable it on
# modem1/modem2 unless something there needs it.
set "lan on board" discover=yes
set modem1 discover=yes
set modem2 discover=yes
set lokal discover=yes
/ ip route
# Two marked default routes (one per modem), selected by the mangle routing marks
# "satu"/"dua"; the unmarked third route is the fallback via modem2 for router-originated
# and unmarked traffic. No check-gateway is set, so there is no failover: a dead modem
# keeps receiving its share of new connections.
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark=satu comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 routing-mark=dua comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 comment="" disabled=no
/ ip firewall mangle
# Per-connection load balancing of LAN traffic across the two modems. The 2.9-style
# nth=every,counter,packet matcher alternates NEW connections between the connection
# marks "satu" and "dua" (shared counter 1); each connection mark is then turned into the
# routing mark that selects the matching default route. Only in-interface=lokal traffic
# is balanced; nothing here checks whether a modem is actually up.
add chain=prerouting in-interface=lokal connection-state=new nth=1,1,0 action=mark-connection \
    new-connection-mark=satu passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=lokal connection-mark=satu action=mark-routing new-routing-mark=satu passthrough=no \
    comment="" disabled=no
add chain=prerouting in-interface=lokal connection-state=new nth=1,1,1 action=mark-connection new-connection-mark=dua \
    passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=lokal connection-mark=dua action=mark-routing new-routing-mark=dua passthrough=no \
    comment="" disabled=no
/ ip firewall nat
# Source NAT to the router's own address on whichever modem interface the connection
# mark selected.
# NOTE(review): only marked connections are NATed. A LAN connection that ends up with
# neither mark (if that can happen) would follow the unmarked fallback route and leave
# modem2 with its private source address un-translated; a catch-all masquerade rule per
# modem interface would close that gap.
add chain=srcnat out-interface=modem1 connection-mark=satu action=src-nat to-addresses=192.168.1.2 to-ports=0-65535 \
    comment="" disabled=no
add chain=srcnat out-interface=modem2 connection-mark=dua action=src-nat to-addresses=192.168.2.2 to-ports=0-65535 \
    comment="" disabled=no
/ ip firewall connection tracking
# Aggressive timeouts (2s for SYN states, 5s for the closing states and for udp/icmp) keep
# the table small on a 2.9 box. The 2s SYN timeouts can expire a slow handshake through a
# congested modem before the SYN-ACK arrives — raise them if clients see intermittent
# connect failures. tcp-syncookie=no: SYN-flood protection is off.
set enabled=yes tcp-syn-sent-timeout=2s tcp-syn-received-timeout=2s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=5s tcp-close-wait-timeout=5s tcp-last-ack-timeout=5s tcp-time-wait-timeout=5s \
    tcp-close-timeout=5s udp-timeout=5s udp-stream-timeout=1m icmp-timeout=5s generic-timeout=5m tcp-syncookie=no
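/ ip firewall filter
# NOTE(review): nothing in this export jumps to chain=virus — there is no
# "chain=forward action=jump jump-target=virus" rule — so every rule below in that chain
# is dead configuration and has never matched a packet. Do NOT simply wire it in: unlike
# the blocklist in the previous post, this one drops tcp/20, 21, 22, 23, 25, 80, 110,
# 113, 119 and 123, i.e. all forwarded FTP, SSH, telnet, mail and web traffic, because
# some trojan once squatted on those ports. Prune it to ports no legitimate client needs
# before adding a jump. The rules are kept here unchanged for reference.
add chain=virus protocol=udp dst-port=1 action=drop comment="Sockets des Troie" disabled=no
add chain=virus protocol=tcp dst-port=2 action=drop comment="Death" disabled=no
add chain=virus protocol=tcp dst-port=20 action=drop comment="Senna Spy FTP server" disabled=no
add chain=virus protocol=tcp dst-port=21 action=drop comment="Back Construction, Blade Runner, Cattivik FTP Server, \
    CC Invader, Dark FTP, Doly Trojan, Fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, \
    Ramen, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash" disabled=no
add chain=virus protocol=tcp dst-port=22 action=drop comment="Shaft" disabled=no
add chain=virus protocol=tcp dst-port=23 action=drop comment="Fire HacKer, Tiny Telnet Server TTS, Truva Atl" \
    disabled=no
add chain=virus protocol=tcp dst-port=25 action=drop comment="Ajan, Antigen, Barok, Email Password Sender EPS, EPS \
    II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT Mail Bombing Trojan, Moscow \
    Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy" \
    disabled=no
add chain=virus protocol=tcp dst-port=30 action=drop comment="Agent 40421" disabled=no
add chain=virus protocol=tcp dst-port=31 action=drop comment="Agent 31, Hackers Paradise, Masters Paradise" \
    disabled=no
add chain=virus protocol=tcp dst-port=41 action=drop comment="Deep Throat, Foreplay" disabled=no
add chain=virus protocol=tcp dst-port=48 action=drop comment="DRAT" disabled=no
add chain=virus protocol=tcp dst-port=50 action=drop comment="DRAT" disabled=no
add chain=virus protocol=tcp dst-port=58 action=drop comment="DMSetup" disabled=no
add chain=virus protocol=tcp dst-port=59 action=drop comment="DMSetup" disabled=no
add chain=virus protocol=tcp dst-port=79 action=drop comment="CDK, Firehotcker" disabled=no
add chain=virus protocol=tcp dst-port=80 action=drop comment="711 trojan, Seven Eleven, AckCmd, Back End, Back \
    Orifice 2000 Plug-Ins, Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker, IISworm, MTX, \
    NCX, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN Remote, Web Server CT, WebDownloader" disabled=no
add chain=virus protocol=tcp dst-port=81 action=drop comment="RemoConChubo" disabled=no
add chain=virus protocol=tcp dst-port=99 action=drop comment="Hidden Port, NCX" disabled=no
add chain=virus protocol=tcp dst-port=110 action=drop comment="ProMail trojan" disabled=no
add chain=virus protocol=tcp dst-port=113 action=drop comment="Invisible Identd Deamon, Kazimas" disabled=no
add chain=virus protocol=tcp dst-port=119 action=drop comment="Happy99" disabled=no
add chain=virus protocol=tcp dst-port=121 action=drop comment="Attack Bot, God Message, JammerKillah" disabled=no
add chain=virus protocol=tcp dst-port=123 action=drop comment="Net Controller" disabled=no
add chain=virus protocol=tcp dst-port=133 action=drop comment="Farnaz" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Blaster worm" disabled=no
# SMTP spam/worm guard, as in the "Virus I" listing on this page. The export had BOTH of
# these rules with action=accept, which (a) never populates the "spammer" list that the
# "spammers" script reads and (b) waves already-listed hosts through instead of dropping
# them — and since the forward chain here has no drop rule at all, accept rules were no-ops
# anyway. Fixed to: drop listed sources first, then detect (>30 concurrent SMTP
# connections from one /32 lists it for 1 day). Exempt any legitimate mail relay with an
# accept rule above these two.
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop comment="BLOCK SPAMMERS OR INFECTED USERS" disabled=no
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers" disabled=no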
/ ip firewall service-port
# Connection-tracking helpers (ALGs). ftp/tftp/irc/quake3 are on: they open "related"
# pinholes based on protocol payload, which is exactly what the "allow related" rules on
# this page let through. Disable any helper not actually needed; the irc helper in
# particular is rarely required and widens what "related" will accept.
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
# Hotspot login by cookie or HTTP-CHAP, no RADIUS, no HTTPS: CHAP hides the password but
# the rest of the session is plain HTTP. A login cookie stays valid for 3 days.
# smtp-server=0.0.0.0 means client SMTP is not redirected; pointing hotspot clients at one
# relay here would make the SMTP spammer rules easier to scope.
set default name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot rate-limit="" \
    http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no \
    use-radius=no
/ ip hotspot user profile
# One session per account (shared-users=1), no idle timeout, transparent proxy on.
set default name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 \
    transparent-proxy=yes open-status-page=always advertise=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip ipsec proposal
# NOTE(review): 3DES/SHA1 with DH group modp1024 is the 2.9-era default and is weak by
# current standards. No IPsec peer or policy appears in this export, so it is unused
# here; if IPsec is ever enabled on this box, move to AES and a larger DH group where the
# version offers them.
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
# Web proxy is off.
set enabled=no src-address=0.0.0.0 port=3128 hostname="proxy" transparent-proxy=no parent-proxy=0.0.0.0:0 \
    cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system max-cache-size=none \
    max-ram-cache-size=unlimited
/ ip web-proxy access
# Same relay block as on /ip proxy: no requests to telnet or SMTP ports through the proxy.
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" disabled=no
/ system logging
# Everything goes to the in-memory buffer (100 lines, lost on reboot); only "critical" is
# also echoed to the console. The "spammers" script logs at error level, so its output
# lands in that 100-line ring and is quickly overwritten.
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
/ system logging action
# NOTE(review): the "remote" action points at 0.0.0.0:514 and no rule uses it. For
# evidence that survives a reboot (or a compromise), point it at a real syslog host and
# send error/warning/critical — and the firewall/spammer logs — there.
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 check-interval=1d user=""
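/ system script
# Walks the "spammer" address list and, for each listed address, logs the address and the
# hotspot user name(s) currently bound to it. Output goes to the "error" log topic (which in
# this export is the 100-line memory buffer).
#
# Fixes relative to the exported version:
#  - The original logged the address only inside the inner hotspot loop, so a listed
#    address with no active hotspot session was never logged. The address is now logged
#    once per list entry, followed by any user names found for it.
#  - Least privilege: the script only reads (address-list find/get, hotspot active
#    find/get) and logs; it ran with policy=ftp,read,write,policy,test,winbox, none of
#    which it uses beyond read. policy=read should be sufficient — confirm on the target
#    RouterOS version before scheduling it.
#  - Variables renamed: the original stored the IP in "usser" and the user name in "ip".
# Note that in this export nothing populates the "spammer" list (the SMTP rules are
# action=accept), so the script logs only the header line until that is fixed.
add name="spammers" source=":log error \"----------Users detected like SPAMMERS -------------\";\n\n:foreach i in \
    \[/ip firewall address-list find list=spammer\] do={:set addr \[/ip firewall address-list get \$i \
    address\];\n\n:log error \$addr;\n\n:foreach j in=\[/ip hotspot active find address=\$addr\] do={:set hsuser \
    \[/ip hotspot active get \$j user\];\n\n:log error \$hsuser} };" policy=read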
/ system clock dst
# No DST in effect (epoch start/end).
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 00:00:00"
/ system watchdog
# Reboot on software failure; a supout.rif is generated automatically but kept locally
# (auto-send-supout=no).
set reboot-on-failure=yes watch-address=none watchdog-timer=yes no-ping-delay=5m automatic-supout=yes \
    auto-send-supout=no
/ system console
# Serial console is enabled on serial0 (9600 8N1 per /port below). Anyone with physical
# access to that port gets a login prompt, which is expected — just do not leave it
# cabled to anything network-reachable (a terminal server, a modem).
add port=serial0 term="" disabled=no
# The "FIXME" entries look like the 2.9 export tool's placeholder for virtual console
# entries it could not name — they will not import as written. Verify, and drop them from
# any .rsc you re-import.
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
# This identity is what neighbor discovery announces on every interface (see
# /ip neighbor discovery above).
set name="premiernet"
/ system note
set show-at-login=yes note=""
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=hardware
/ ppp profile
# "default-encryption" forces MPPE (use-encryption=yes) and is the profile the (disabled)
# PPTP/L2TP servers reference; "default" leaves encryption negotiable. Both clamp TCP MSS.
set default name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default \
    change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default use-vj-compression=default \
    use-encryption=yes only-one=default change-tcp-mss=yes comment=""
/ ppp aaa
# Local PPP authentication only; RADIUS is off.
set use-radius=no accounting=yes interim-update=0s
/ queue type
# Stock queue types plus one custom 10-packet pfifo ("default-small") used by the queue below.
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 red-min-threshold=10 red-max-threshold=50 \
    red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 sfq-allot=1514
add name="default-small" kind=pfifo pfifo-limit=10
/ queue simple
# Single catch-all simple queue with no rate limits (limit-at=0/0, max-limit=0/0); it only
# puts a 10-packet pfifo on all interfaces. No bandwidth shaping is in force.
add name="Lokal" dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 \
    queue=default-small/default-small limit-at=0/0 max-limit=0/0 total-queue=default-small \
    time=0s-1d,sun,mon,tue,wed,thu,fri,sat disabled=no
/ user
# NOTE(review): user names are shown as "----" on this page. Both accounts accept logins
# from anywhere (address=0.0.0.0/0), including the modem-facing interfaces on which
# telnet/ftp/www/ssh are all listening in this export. Set address=192.168.3.0/24 (the
# LAN) on each, and keep the "full" account for console/emergency use only.
add name="----" group=write address=0.0.0.0/0 comment="system default user" disabled=no
add name="----" group=full address=0.0.0.0/0 comment="" disabled=no
/ user group
# Stock groups: "read" and "write" lack ftp and policy, so only "full" can upload files or
# change what policies a script runs with.
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
/ user aaa
# Local authentication only; default-group=read is what RADIUS-authenticated users would
# get, and RADIUS is off.
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
# Not accepting RADIUS disconnect/CoA requests.
set accept=no port=1700
/ driver
/ snmp
# SNMP agent is off. NOTE(review): the "public" community is still defined read-only for
# 0.0.0.0/0 — rename it and restrict its address before ever enabling the agent.
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
# Bandwidth-test server listens on every interface. authenticate=yes means a router login
# is required, so it is not an open traffic generator, but it is still a way to load the
# box from the modem side. Disable unless actually used.
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
# MAC-level ping is answered on all interfaces. The MAC-telnet server setting is not part
# of this export; check /tool mac-server separately and restrict it to the LAN.
set enabled=yes
/ tool e-mail
# No mail server configured, so nothing on this box can e-mail alerts.
set server=0.0.0.0 from="<>"
/ tool sniffer
# Packet sniffer is configured (not running) with no filter and full payload capture
# (only-headers=no); anything captured goes to memory/file on the router.
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10 streaming-enabled=no \
    streaming-server=0.0.0.0 filter-stream=yes filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 \
    filter-address2=0.0.0.0/0:0-65535
/ tool graphing
# NOTE(review): per-queue, resource and per-interface traffic graphs are viewable from
# any address via the www service, which in this export listens on every interface.
# Restrict allow-address on all three to the LAN.
set store-every=5min
/ tool graphing queue
add simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes allow-target=yes disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
# OSPF, BGP and RIP carry default settings only: BGP is enabled=no and no OSPF networks or
# RIP interfaces appear in this export, so none of them is actually running.
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no \
    redistribute-bgp=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20
/ routing ospf area
# NOTE(review): the backbone area has authentication=none. Configure MD5 authentication
# before any interface is ever added to it, or a neighbor on the modem side could inject
# routes.
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate authentication=none \
    prefix-list-import="" prefix-list-export="" disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no redistribute-connected=no redistribute-rip=no \
    redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 \
    metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m