gkoufoud - 2012-07-23

This projects is an intrusion detection + prevention system for RouterOS (mikrotik).

Prerequisites to work:

i. A Routerboard device (or RouterOS installed on any device) acting as a firewall for your internal network
ii. An available linux PC (or server)
iii. /ip firewall filter : add your allow rules first and after that drop any connection from outside example:

   1)chain=forward action=accept connection-state=related
   2)chain=input action=accept connection-state=established
   3)chain=input action=accept connection-state=related
   4)chain=forward action=accept connection-state=new src-address-list=internal
   5)chain=forward action=accept protocol=tcp dst-address= dst-port=80
   6)chain=forward action=accept protocol=tcp dst-address= dst-port=25
   7)chain=forward action=accept protocol=tcp dst-address= dst-port=110
   8)chain=forward action=accept protocol=tcp dst-address= dst-port=143
   100)chain=forward action=drop dst-address-list=internal

iv. Before any other rule in filter add : chain=forward action=drop src-address-list=attackers dst-address-list=internal
v. Before rule 100 add : chain=forward action=log connection-state=new protocol=tcp dst-address-list=internal dst-port=20-35,445,1433,1521,1524,1526,1812,2082,2483,2484,3306,3872 log-prefix="Service Scanner x:"
(You can add any ports you want for attacker detection.)
vi. Add a new remote logging target at ROS device : /system logging action add name="remotelog" remote= remote-port=5555 bsd-syslog=yes target=remote syslog-facility=23 syslog-severity=6
vii. Add a new logging /system logging add action=remotelog topics=firewall
viii. Download source code to your linux machine
ix. Compile with : g++ main.cpp attackleases.cpp configfilereader.cpp connection.cpp -o gkmtfirewall -lpthread -lssh
x. Move the executable to /usr/sbin/.
xi. Edit contents of gkmtfirewall.conf to adapt your needs
xii. Move gkmtfirewall.conf to /etc/gkmtfirewall.conf
xiii. Move gkmtfirewall.init to /etc/init.d/gkmtfirewall
xiv. Move IpToCountry.csv to /etc/gkmtfirewall/IpToCountry.csv (it would be better to download a newer version from http://software77.net/geo-ip/)
xv. Move rules to /etc/gkmtfirewall/rules
xvi. Change rules to adapt your needs (countrycode samePacketScore ipScannerScore portScannerScore unknownScannerScore) If a country is not listed in rules then default scores will be applied
xvii. Change permissions of /etc/init.d/gkmtfirewall to 755
xviii. Type /etc/init.d/gkmtfirewall start to start the program
xix. Take a look at syslog to determine possible problems
xx. !!! Remember to update regularly IpToCountry.csv from http://software77.net/geo-ip/ (restart gkmtfirewall after update this file)

Last edit: gkoufoud 2013-11-09