Appendix No. 2: Basic configuration of MikroTik devices

CONTENTS
Basic configuration ... 1
MikroTik devices ... 1
1 Configuration ... 3
1.1 Removing all default factory settings ... 3
1.2 Basic protection of the SSH and FTP protocols ... 3
1.3 Setting the time and time zone ... 5
1.4 Network interface settings ... 5
1.5 Default gateway settings ... 6
1.6 E-mail settings ... 6
1.7 Enabling SNMP ... 6
1.8 DNS ... 6
1.9 Enabling IPv6 ... 6
1.10 E-mail test ... 7
1.11 Automatic backups by e-mail ... 7
1 Configuration

1.1 Removing all default factory settings

# remove filter rules, NAT, mangle
/ip firewall filter remove [/ip firewall filter find];
/ip firewall nat remove [/ip firewall nat find];
/ip firewall mangle remove [/ip firewall mangle find];
/ip firewall address-list remove [/ip firewall address-list find];
# optional (commented out): also remove IP pools and DHCP client/server configuration
#/ip pool remove [/ip pool find];
#/ip dhcp-client remove [/ip dhcp-client find];
#/ip dhcp-server remove [/ip dhcp-server find];
#/ip dhcp-server network remove [/ip dhcp-server network find];
#/ip dhcp-server option remove [/ip dhcp-server option find];

1.2 Basic protection of the SSH and FTP protocols

Source of the following data: MikroTik Documentation. Mikrotik.com. [online]. [cited 2015-04-02]. Available at http://wiki.mikrotik.com/.

# adding SSH and FTP brute-force prevention; the rules below cover the SSH (22), Telnet (23)
# and Winbox (8291) ports. A source opening a 4th new connection while its Stage 1-3 entries
# (3 minutes each) are still alive is moved to the black list for 1 day.
# The three drop rules must stay in front of the jump rules.
/ip firewall filter
add action=drop chain=input comment="drop anyone in the Black List (SSH)" src-address-list="Black List (SSH)"
add action=drop chain=input comment="drop anyone in the Black List (Telnet)" src-address-list="Black List (Telnet)"
add action=drop chain=input comment="drop anyone in the Black List (Winbox)" src-address-list="Black List (Winbox)"
add action=jump chain=input comment="jump to TSG SSH Chain" jump-target="TSG SSH Chain"
add action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=1d chain="TSG SSH Chain" comment="transfer repeated attempts from SSH Stage 3 to Black-List" connection-state=new dst-port=22 protocol=tcp src-address-list="SSH Stage 3"
add action=add-src-to-address-list address-list="SSH Stage 3" address-list-timeout=3m chain="TSG SSH Chain" comment="add successive attempts to SSH Stage 3" connection-state=new dst-port=22 protocol=tcp src-address-list="SSH Stage 2"
add action=add-src-to-address-list address-list="SSH Stage 2" address-list-timeout=3m chain="TSG SSH Chain" comment="add successive attempts to SSH Stage 2" connection-state=new dst-port=22 protocol=tcp src-address-list="SSH Stage 1"
add action=add-src-to-address-list address-list="SSH Stage 1" address-list-timeout=3m chain="TSG SSH Chain" comment="add initial attempt to SSH Stage 1 List" connection-state=new dst-port=22 protocol=tcp
add action=return chain="TSG SSH Chain" comment="return from TSG SSH Chain"
add action=jump chain=input comment="jump to TSG Telnet Chain" jump-target="TSG Telnet Chain"
add action=add-src-to-address-list address-list="Black List (Telnet)" address-list-timeout=1d chain="TSG Telnet Chain" comment="transfer repeated attempts from Telnet Stage 3 to Black-List" connection-state=new dst-port=23 protocol=tcp src-address-list="Telnet Stage 3"
add action=add-src-to-address-list address-list="Telnet Stage 3" address-list-timeout=3m chain="TSG Telnet Chain" comment="add successive attempts to Telnet Stage 3" connection-state=new dst-port=23 protocol=tcp src-address-list="Telnet Stage 2"
add action=add-src-to-address-list address-list="Telnet Stage 2" address-list-timeout=3m chain="TSG Telnet Chain" comment="add successive attempts to Telnet Stage 2" connection-state=new dst-port=23 protocol=tcp src-address-list="Telnet Stage 1"
add action=add-src-to-address-list address-list="Telnet Stage 1" address-list-timeout=3m chain="TSG Telnet Chain" comment="add initial attempt to Telnet Stage 1" connection-state=new dst-port=23 protocol=tcp
add action=return chain="TSG Telnet Chain" comment="return from TSG Telnet Chain"
add action=jump chain=input comment="jump to TSG Winbox Chain" jump-target="TSG Winbox Chain"
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=1d chain="TSG Winbox Chain" comment="transfer repeated attempts from Winbox Stage 3 to Black-List" connection-state=new dst-port=8291 protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=3m chain="TSG Winbox Chain" comment="add successive attempts to Winbox Stage 3" connection-state=new dst-port=8291 protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=3m chain="TSG Winbox Chain" comment="add successive attempts to Winbox Stage 2" connection-state=new dst-port=8291 protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=3m chain="TSG Winbox Chain" comment="add initial attempt to Winbox Stage 1" connection-state=new dst-port=8291 protocol=tcp
add action=return chain="TSG Winbox Chain" comment="return from TSG Winbox Chain"

1.3 Setting the time and time zone

# date and time taken from tik.cesnet.cz (195.113.144.201); the time zone name is case-sensitive
/system clock set time-zone-name=Europe/Prague;
/system ntp client set enabled=yes mode=unicast primary-ntp=195.113.144.201;

1.4 Network interface settings

# IPv4 address on interface ether1, address X.X.X.X/ZZ
/ip address add interface=ether1 address=x.x.x.x/zz
# IPv6 address on interface ether1, e.g. 2001:db8:1234::/64, with router advertisement
/ipv6 address add interface=ether1 address=2001:db8:1234::/64 advertise=yes
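The following Python model is an added illustration, not part of the original configuration: it replays the staged address-list logic of section 1.2 for one service port and shows when a source reaches the black list and when the entries expire. It assumes that add-src-to-address-list is a non-terminating action (every matching rule in the chain fires), and the source address and timestamps are constructed.

```python
"""Model of the Stage 1 -> Stage 2 -> Stage 3 -> Black List rules of section 1.2.

Added example, not part of the original configuration.  One instance covers
one service port (e.g. SSH, dst-port=22) plus the drop rule in front of the
jump.  Assumption: add-src-to-address-list is non-terminating, so all matching
rules fire for the same packet; because the rules are ordered from the highest
stage down, one new connection promotes a source by exactly one stage.
Times are seconds; the source address is a constructed sample value.
"""

STAGE_TTL = 3 * 60         # address-list-timeout=3m
BLACK_TTL = 24 * 60 * 60   # address-list-timeout=1d
LISTS = ["Stage 1", "Stage 2", "Stage 3", "Black List"]
TTLS = [STAGE_TTL, STAGE_TTL, STAGE_TTL, BLACK_TTL]


class StagedBlacklist:
    def __init__(self):
        # list name -> {source address: expiry time}; re-adding refreshes the expiry
        self.entries = {name: {} for name in LISTS}

    def member(self, name, src, now):
        expiry = self.entries[name].get(src)
        return expiry is not None and expiry > now

    def highest_list(self, src, now):
        """Highest list the source currently sits in, or None if all expired."""
        for name in reversed(LISTS):
            if self.member(name, src, now):
                return name
        return None

    def new_connection(self, src, now):
        """Verdict of the input chain for one connection-state=new packet."""
        if self.member("Black List", src, now):
            return "drop"                      # "drop anyone in the Black List"
        for i in (2, 1, 0):                    # Stage 3 -> Black, 2 -> 3, 1 -> 2
            if self.member(LISTS[i], src, now):
                self.entries[LISTS[i + 1]][src] = now + TTLS[i + 1]
        self.entries["Stage 1"][src] = now + STAGE_TTL   # "add initial attempt"
        return "accept"                        # chain returns; input continues


def simulate(src, times):
    """Feed new connections at the given times; return the verdict per attempt."""
    fw = StagedBlacklist()
    return [fw.new_connection(src, t) for t in times]
```

Four connections inside the 3-minute windows black-list the source for a day, while attempts spaced more than 3 minutes apart never leave Stage 1.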
1.5 Default gateway settings

# IPv4 default gateway X.X.X.X (a default route, not an address)
/ip route add dst-address=0.0.0.0/0 gateway=x.x.x.x
# IPv6 default gateway, e.g. 2001:db8:1234::1
/ipv6 route add dst-address=::/0 gateway=2001:db8:1234::1

1.6 E-mail settings

# e-mail service settings; X.X.X.X = SMTP server
/tool e-mail set address=x.x.x.x port=25 from=([/system identity get name] . "@bivs.cz")

1.7 Enabling SNMP

# SNMP and IP accounting
/ip accounting web-access set accessible-via-web=yes;
/ip accounting set enabled=yes account-local-traffic=yes;
/snmp set contact=public enabled=yes trap-community=public;

1.8 DNS

# DNS: X.X.X.X and Y.Y.Y.Y are the DNS servers (IPv6 addresses are also accepted);
# the router does not answer DNS queries from outside
/ip dns set allow-remote-requests=no;
/ip dns set servers=x.x.x.x,y.y.y.y;
/ip dns static remove [/ip dns static find];

1.9 Enabling IPv6

# enable the IPv6 package (takes effect after a reboot)
/system package enable [/system package find where name=ipv6];

1.10 E-mail test

# send a test e-mail to XXX@bivs.cz
/tool e-mail send to=backup@jinonice.cz subject=("test " . [/system identity get name] . " -- " . [/system clock get date] . " -- RB" . [/system routerboard get model] . " -- " . [/system resource get version]);

1.11 Automatic backups by e-mail

# script for sending backups to xxx@bivs.cz every 20 days;
# store it as a system script named "autobackup" (/system script add name=autobackup source=...)
# so that the scheduler entry at the end can run it
:local sysname [/system identity get name]
:local date [/system clock get date]
# file name <identity>-<yyyy><mon><dd>, cut from the RouterOS date string "mon/dd/yyyy"
:local fname ($sysname . "-" . [:pick $date 7 11] . [:pick $date 0 3] . [:pick $date 4 6])
# /system backup save appends the .backup extension to the given name
/system backup save name=$fname
:delay 30
/tool e-mail send to=xxx@bivs.cz subject=("backup " . $sysname . " -- " . $date . " -- RB" . [/system routerboard get model] . " -- " . [/system resource get version]) file=($fname . ".backup")
:delay 20
/file remove [find name=($fname . ".backup")]
:log warning "Zaloha byla odeslana na email!"

# scheduler entry that runs the "autobackup" script every 20 days
/system scheduler add interval=20d name="autobackup" on-event=autobackup