ROS如何拒绝端口扫描

风一样的男孩

为保护路由器不受端口扫描的探测，我们可以记录下试图探测你的IP，并使用IP地址列表记录下，然后拒绝这些IP访问。
在

1. /ip firewall filter
3. add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

复制代码

TCP flags的各种端口扫描表现组合情况：

1. add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
3. add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners"address-list-timeout=2w comment="SYN/FIN scan"
5. add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners"address-list-timeout=2w comment="SYN/RST scan"
7. add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
9. add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
11. add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

复制代码

这里丢弃那些试图探测你的IP地址：

1. add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

复制代码

同样，你也可以丢弃通过路由器探测内网的IP，将这些规则用到forward链表中，但要把该规则放到forward规则之上。

为保护路由器不受端口扫描的探测，我们可以记录下试图探测你的IP，并使用IP地址列表记录下，然后拒绝这些IP访问。
在

1. /ip firewall filter
3. add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no

复制代码

TCP flags的各种端口扫描表现组合情况：

1. add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
3. add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners"address-list-timeout=2w comment="SYN/FIN scan"
5. add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners"address-list-timeout=2w comment="SYN/RST scan"
7. add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
9. add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
11. add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

复制代码

这里丢弃那些试图探测你的IP地址：

1. add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

复制代码

同样，你也可以丢弃通过路由器探测内网的IP，将这些规则用到forward链表中，但要把该规则放到forward规则之上。