Hello Guys See you again on the Mikrotik Indonesia Youtube Channel in this video we will discuss Port Scanning as we know it, Port Scanning is an early indication of an attack on our Router or Server then how do you deal with it? curious about the details like what? watch this video until it’s finished and for those of you who haven’t subscribed, please subscribe first don’t forget to also turn on the bell button so you can get notifications when there is a new video from us because we will discuss how to tackle Port Scanning, of course we have to know first what The Port Scanning Port Scanning is a technique used to find out which ports are open on a device, it can be on a Server device or a Router device even though the open ports cannot be exploded directly, but this open port can be dangerous if there is one. problems with the service such as configuration errors, weak security, or there are bugs in the service if we think of the IP address as the home address, and the port is the door or window of the house, the perpetrator of this Port Scanning is like a thief who is trying to observe a door or which windows can dig use to enter to carry out the action to handle this Port Scan Detection, Mikrotik RouterOS already provides a feature called Port Scan Detection.
This feature can be found on the Extra tab when we add settings in the IP-Firewall-Filter menu to simulate this Port Scan Detection.
I have prepared 1 router that is connected to the internet via ether1 then ether2 i use it to remote configuration from my laptop because ether1 or the interface that leads to the internet requires an extra level of security so here i will apply this Port Scan Detection on my ether1 router how to configure Port Scan Detection, first we have to enter the IP-Firewall menu first then in Filter Rules we click Add to add a new rule because what we are going to secure here is our router itself, then we select the Chain parameter Input Port Scan Detection.
Will only run if we m I use the TCP / UDP protocol, therefore the Protocol parameter here I choose TCP because most of the services running on Mikrotik RouterOS use the TCP protocol because we will protect our Router from Port Scanning from the internet, then the In parameter. The interface we select the interface that leads to the Internet (ether1) then to activate Port Scan Detection we have to go to the Extra tab, here there will be a PSD parameter, after we click it, 4 new parameters will appear, namely Weight Threshold, Delay Threshold, Low Port Weight and High Port Weight because of the characteristics of Port Scanning, it will send requests to many ports in a very short time, so the way the Port Scan Detection works is quite simple The router will give points every time a Host sends a Request to a different port in a vulnerable time Delay Threshold which we determine the points given when sending a request from Port 1-1024 will be in accordance with the points we set in the Low Port Weight parameter while for vulnerable ports above 1024, the points to be given will be in accordance with the value we specify in the next High Port Weight parameter a Host will be assessed as carrying out a Port Scanning attack if the Value is accumulated The review is more than the Weight Threshold value in the Weight Threshold parameter that I have specified here, Points will be given if there is a Host that makes a Request to a different Port in a vulnerable time for 3 seconds then Points will be given if the Host accesses Port 1- 1024, each port will be given a point value of 3 for ports above 1024, then each port has a value of 1 and the host will be considered doing port scanning if the accumulated value is more than 21 (Weight Threshold value) then I will add the IP address of the perpetrator Port Scanning is into the Address List called “Port Scanner” so that later I can more freely determine what actions to take on this Port Scanner actor to do it, I need to enter the Action tab then select the Action parameter with “Add To Address List” then enter the name of the Address List with “port-scanner” my Timeout parameter will te It will be 00:01:00 (one hour) after completion we can apply this configuration after we add this Rule, then the IP address of the Host of the Port Scanning actor will be added to the Address List called port-scanner to prevent many ports from being read and cannot carry out further attacks the easiest step we can do is to block the connection so that here we need 1 more Rule to block connections sourced from IP addresses listed in the Address List “port-scanner” how we add 1 Rule new on the Filter Rules tab with Chain = Input then go to the Advanced tab and select the Src parameter.
Address List = port-scanner, then enter the action tab, we select the Action = drop parameter, after we finish applying this configuration, actually ether1 on my router is connected to the network on Citraweb to simulate attacks from the internet, I will use my laptop with a network connection wireless in Citraweb after successfully connecting via a wireless network, I will use the nmap method to scan from Port 20-100 and also Port 8291 towards the IP address of ether1 My router here the scanning process is running after the nmap scanning process is complete, on The Address List on my router has appeared a new Address List with the name port-scanner and contains the IP address 192.168.
77.206 which is the IP address of my wireless laptop, then on the Filter Rule menu, on the Rule Drop it has also been seen that a packet is running, my current state is still can do Remote to Router because my laptop is also connected k e Router via ether2 because my laptop’s IP address has been entered into the “port-scanner” Address List, so to prove that I am blocked or not here I will do a Remote via my laptop’s wireless connection here it has been proven if I do Remote via Citraweb Wireless connection and my router is also connected to the Citraweb network via ether1, then the status on Winbox that I use for remote Router will stop at the status “Connecting” which means that my laptop’s wireless IP address has been blocked by the router as was the explanation and how to deal with Port Scanning on the network we besides we can implement basic security on our router, such as changing usernames and passwords, turning off unused services, securing services that are being used, we can also add security by implementing this Port Scan Detection on our network so that by implementing this Port Scan Detection feature we will minimize the risk of our router being attacked by irresponsible parties Thank you for watching this video until it’s finished for those of you who have not subscribed, please subscribe first and turn on the bell so that you always get notifications when we upload the latest video if there are questions please write in the column comments and don’t forget to share this video so that it can be more useful for other Mikrotik users see you on the next Mikrotik video tutorial