Home

gkoufoud

Welcome to your wiki!

This is the default page, edit it as you see fit. To add a new page simply reference it within brackets, e.g.: [SamplePage].

The wiki uses Markdown syntax.

Project Admins:


  • gkoufoud
    gkoufoud
    2012-07-23

    This projects is an intrusion detection + prevention system for RouterOS (mikrotik).


    Prerequisites to work:

    i. A Routerboard device (or RouterOS installed on any device) acting as a firewall for your internal network
    ii. An available linux PC (or server)
    iii. /ip firewall filter : add your allow rules first and after that drop any connection from outside example:
    1)chain=forward action=accept connection-state=related
    2)chain=input action=accept connection-state=established
    3)chain=input action=accept connection-state=related
    4)chain=forward action=accept connection-state=new src-address-list=internal
    5)chain=forward action=accept protocol=tcp dst-address=192.168.1.10 dst-port=80
    6)chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=25
    7)chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=110
    8)chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=143
    .
    .
    .
    100)chain=forward action=drop dst-address-list=internal
    iv. Before any other rule in filter add : chain=forward action=drop src-address-list=attackers dst-address-list=internal
    v. Before rule 100 add : chain=forward action=log connection-state=new protocol=tcp dst-address-list=internal dst-port=20-35,445,1433,1521,1524,1526,1812,2082,2483,2484,3306,3872 log-prefix="Service Scanner x:"
    (You can add any ports you want for attacker detection.)
    vi. Add a new remote logging target at ROS device : /system logging action add name="remotelog" remote=192.168.1.100 remote-port=5555 bsd-syslog=yes target=remote syslog-facility=23 syslog-severity=6
    vii. Add a new logging /system logging add action=remotelog topics=firewall
    viii. Download source code to your linux machine
    ix. Compile with : g++ main.cpp attackleases.cpp configfilereader.cpp connection.cpp -o gkmtfirewall -lpthread -lssh
    x. Move the executable to /usr/sbin/.
    xi. Edit contents of gkmtfirewall.conf to adapt your needs
    xii. Move gkmtfirewall.conf to /etc/gkmtfirewall.conf
    xiii. Move gkmtfirewall.init to /etc/init.d/gkmtfirewall
    xiv. Move IpToCountry.csv to /etc/gkmtfirewall/IpToCountry.csv (it would be better to download a newer version from http://software77.net/geo-ip/)
    xv. Move rules to /etc/gkmtfirewall/rules
    xvi. Change rules to adapt your needs (countrycode samePacketScore ipScannerScore portScannerScore unknownScannerScore) If a country is not listed in rules then default scores will be applied
    xvii. Change permissions of /etc/init.d/gkmtfirewall to 755
    xviii. Type /etc/init.d/gkmtfirewall start to start the program
    xix. Take a look at syslog to determine possible problems
    xx. !!! Remember to update regularly IpToCountry.csv from http://software77.net/geo-ip/ (restart gkmtfirewall after update this file)

     
    Last edit: gkoufoud 2013-11-09