# aug/02/2021 13:48:02 by RouterOS 6.47.6 # software id = UEEE-LREP # # model = RB750Gr3 # serial number = D5030D65BC82 /interface bridge add name=LAN_INET /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot /snmp community add addresses=190.61.4.34/32,190.61.4.170/32,190.61.4.35/32 name=ifxcliente write-access=yes /user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp /interface bridge port add bridge=LAN_INET interface=ether2 add bridge=LAN_INET interface=ether3 add bridge=LAN_INET interface=ether4 add bridge=LAN_INET interface=ether5 /ip neighbor discovery-settings set discover-interface-list=!dynamic /ip address add address=10.35.33.86/30 interface=ether1 network=10.35.33.84 add address=190.61.96.151/24 interface=LAN_INET network=190.61.96.0 /ip firewall filter add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist add action=drop chain=input comment="drop Telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp add action=add-dst-to-address-list address-list=telnet_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2 add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1 add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist /ip route add distance=1 gateway=10.35.33.85 /ip service set telnet disabled=yes set ftp disabled=yes set www disabled=yes set ssh address=190.60.0.0/16,190.61.0.0/16,172.16.0.0/16,172.17.0.0/16,10.0.120.0/24,200.62.0.0/16,200.91.0.0/16,192.168.21.0/24,200.78.196.69/32 set winbox address=190.60.0.0/16,200.62.0.0/16,200.91.0.0/16,192.168.21.0/24,200.78.196.69/32 /snmp set enabled=yes trap-community=ifxcliente /system identity set name=SID_OPENSYSTEM rate-limit output access-group 10 30720000 5760000 11520000 conform-action transmit exceed-action drop rate-limit input access-group 10 30720000 5760000 11520000 conform-action transmit exceed-action drop