
mikrotik 951 setup problem

I have just come back from the mainland to my home in Hong Kong and have been setting up the MikroTik I just bought. After a lot of effort I got it connected to the network and set up WiFi, then followed online tutorials to set up a PPTP and L2TP VPN. But so far it still has not worked; I don't know whether the problem is the script file that sets up dyndns or something else. I hope a senior can give me some guidance.
Also, when I look at my log file, I see it scrolling constantly with a lot of error messages. I don't know where the problem is; I hope a senior can take a look and help me fix it.
Thanks!

Opening the port for telnet is very attractive to attackers; using SSH with a digital certificate is much safer.

RB750G, RB2011UAS-2HnD
IP01, A580IP, AT-610


Reply to 14# vpn-learner
In winbox, you simply click "New terminal", a terminal pops up, and you can copy and paste the code in #8 to build your firewall rules. The firewall works according to these rules. A script is saved in a file (winbox: System => Scripts) and executed by the scheduler or by hand.

Reply to 8# Qnewbie

Sorry senior, please don't blame me for asking silly questions.
Is the text in the picture actually a firewall script? Do I only need to add a script item under System > Scripts and paste the text from the picture into it,
rather than entering the commands one by one in winbox?

Because sometimes in winbox I cannot find the place to enter some of the positions/items/commands.
Thanks!

"disabled=no" seems to be the indicator for the packet processing of the firewall. I cannot find information about it at http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter.

Just click OK, it is alright.

Reply to 8# Qnewbie

May I ask, senior:

What does the syntax disable=no in the picture mean? In winbox, is it enough for me to press the <OK> button? Or do I need to press the <Disable> button?
But if I press the <Disable> button, won't what I entered before be gone?

This post was last edited by Qnewbie on 2017-1-4 22:00

Other basic firewall scripts might help you:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

The scripts at the following link may be modified to suit your needs (be careful!):
http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script

Reply to 8# Qnewbie

Thanks senior!

One more thing, you can block brute force attacks after you change your username:
  /ip firewall filter
  add chain=input protocol=tcp dst-port=8291 src-address-list=winbox_blacklist action=drop \
  comment="drop winbox brute forcers" disabled=no

  add chain=input protocol=tcp dst-port=8291 connection-state=new \
  src-address-list=winbox_stage3 action=add-src-to-address-list address-list=winbox_blacklist \
  address-list-timeout=10d comment="" disabled=no

  add chain=input protocol=tcp dst-port=8291 connection-state=new \
  src-address-list=winbox_stage2 action=add-src-to-address-list address-list=winbox_stage3 \
  address-list-timeout=1m comment="" disabled=no

  add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=winbox_stage1 \
  action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m comment="" disabled=no

  add chain=input protocol=tcp dst-port=8291 connection-state=new action=add-src-to-address-list \
  address-list=winbox_stage1 address-list-timeout=1m comment="" disabled=no
Source: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention with modification for winbox.
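To show why the rule order in #8 matters, here is an added Python simulation of the staged address-list escalation those rules implement; it is example code written for this thread, not RouterOS code or anything from the MikroTik wiki. It models the RouterOS behaviour that add-src-to-address-list does not stop rule evaluation (only drop does), and assumes that re-adding an address to a list refreshes its dynamic timeout. The source addresses and timings are constructed sample input.

```python
"""Simulation of the winbox brute-force rules quoted in the post (added example).

Each new TCP/8291 connection walks the rule list in order. Matching an
address list that the source is not in skips the rule; 'drop' terminates;
'add-src-to-address-list' records the source and evaluation continues.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SECOND = 1
MINUTE = 60 * SECOND
DAY = 24 * 60 * MINUTE


@dataclass
class Rule:
    """One 'add chain=input ... dst-port=8291' rule from the post."""
    src_list: Optional[str]          # src-address-list= match; None matches any new connection
    action: str                      # "drop" or "add" (add-src-to-address-list)
    dst_list: Optional[str] = None   # address-list= for the add action
    timeout: int = 0                 # address-list-timeout= in seconds


# Same order as in the post: blacklist drop first, then stage3 -> blacklist,
# stage2 -> stage3, stage1 -> stage2, and finally any new connection -> stage1.
RULES = [
    Rule("winbox_blacklist", "drop"),
    Rule("winbox_stage3", "add", "winbox_blacklist", 10 * DAY),
    Rule("winbox_stage2", "add", "winbox_stage3", 1 * MINUTE),
    Rule("winbox_stage1", "add", "winbox_stage2", 1 * MINUTE),
    Rule(None, "add", "winbox_stage1", 1 * MINUTE),
]


@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {address: expiry time in seconds}."""
    lists: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def contains(self, name: str, addr: str, now: int) -> bool:
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def add(self, name: str, addr: str, now: int, timeout: int) -> None:
        # Assumption: re-adding an address refreshes its timeout.
        self.lists.setdefault(name, {})[addr] = now + timeout


def new_winbox_connection(lists: AddressLists, src: str, now: int) -> str:
    """Evaluate the chain for one new connection; returns "drop" or "pass"."""
    for rule in RULES:
        if rule.src_list is not None and not lists.contains(rule.src_list, src, now):
            continue
        if rule.action == "drop":
            return "drop"
        lists.add(rule.dst_list, src, now, rule.timeout)
    return "pass"  # no drop matched; later rules in the real chain decide


def simulate(attempts: List[Tuple[int, str]]) -> List[str]:
    """attempts: (seconds, source address) pairs in time order."""
    lists = AddressLists()
    return [new_winbox_connection(lists, src, t) for t, src in attempts]


# Constructed sample input: one host retrying winbox every 10 s, and an
# administrator who connects twice, two minutes apart.
BRUTE_FORCER = [(t, "203.0.113.7") for t in range(0, 60, 10)]
ADMIN = [(0, "192.168.88.10"), (120, "192.168.88.10")]

if __name__ == "__main__":
    print("brute forcer:", simulate(BRUTE_FORCER))
    print("admin:", simulate(ADMIN))
```

Running it shows the escalation: the repeating host climbs stage1, stage2, stage3 and lands in winbox_blacklist on its fourth new connection within the one-minute windows, and every connection after that is dropped for ten days, while the administrator's two widely spaced logins never get past stage1 because the entry has expired by the second attempt.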

This post was last edited by Qnewbie on 2017-1-4 21:20

1. As a basic firewall rule, allow login with "admin" only from your local network: change Allowed Address from 0.0.0.0/0 to something like 192.168.88.0/24.
System => user, double click admin.

2. You can change your login name.
Add your own username to your router with the same rights as admin (full) with winbox.
System => user => +

Why are there so many hackers trying to break into my router? Can I change the admin login name and use another login name?

It is fine as long as your password is long enough; don't use ordinary symbols.

The situation is getting worse and worse!