# Mikrotik: Drop Port Scanners + Honeypot
To protect your MikroTik router from port scanners, you can set up firewall rules that record the IP addresses of potential attackers and block them. Here’s how to configure these rules.
### Firewall Rules to Block Scanners
The following rules detect and block various scanning methods, adding the IPs to a "Hacker Scanners" list for 30 days.
```shell
/ip firewall filter
add action=add-src-to-address-list address-list="Hacker Scanners" address-list-timeout=30d0h0m chain=input comment="Port Scanners" in-interface=bridgeWAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Hacker Scanners" address-list-timeout=30d0h0m chain=input comment="NMAP FIN Stealth scan" in-interface=bridgeWAN protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Hacker Scanners" address-list-timeout=30d0h0m chain=input comment="SYN/FIN scan" in-interface=bridgeWAN protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Hacker Scanners" address-list-timeout=30d0h0m chain=input comment="SYN/RST scan" in-interface=bridgeWAN protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Hacker Scanners" address-list-timeout=30d0h0m chain=input comment="FIN/PSH/URG scan" in-interface=bridgeWAN protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Hacker Scanners" address-list-timeout=30d0h0m chain=input comment="ALL/ALL scan" in-interface=bridgeWAN protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Hacker Scanners" address-list-timeout=30d0h0m chain=input comment="NMAP NULL scan" in-interface=bridgeWAN protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
/ip firewall raw
add action=drop chain=prerouting in-interface=bridgeWAN src-address-list="Hacker Scanners"
```
Note: `bridgeWAN` is the interface name for your WAN (e.g., `ether1` in default configurations).
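Added example (not from the original post or from MikroTik): a small Python model of the two matchers the rules above rely on, the `tcp-flags` combinations and the `psd=21,3s,3,1` weighting, run over constructed packet samples so you can see which probes each rule catches and that ordinary SYN traffic is left alone. The psd model follows the documented meaning of the four parameters (weight threshold, delay threshold, low-port weight, high-port weight); how RouterOS restarts a sequence is an assumption.

```python
"""Model of the tcp-flags and psd matchers used in the filter rules above.
Packet samples are constructed inline; nothing here talks to a router."""

FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# tcp-flags strings copied verbatim from the rules above, keyed by comment.
SCAN_RULES = {
    "NMAP FIN Stealth scan": "fin,!syn,!rst,!psh,!ack,!urg",
    "SYN/FIN scan": "fin,syn",
    "SYN/RST scan": "syn,rst",
    "FIN/PSH/URG scan": "fin,psh,urg,!syn,!rst,!ack",
    "ALL/ALL scan": "fin,syn,rst,psh,ack,urg",
    "NMAP NULL scan": "!fin,!syn,!rst,!psh,!ack,!urg",
}


def flags_match(rule: str, packet_flags: set) -> bool:
    """RouterOS tcp-flags semantics: listed flags must be set, '!flag'
    must be clear, flags not mentioned in the rule are ignored."""
    for item in rule.split(","):
        want_clear = item.startswith("!")
        name = item.lstrip("!")
        if want_clear == (name in packet_flags):
            return False
    return True


def classify(packet_flags: set) -> list:
    """Names of every rule whose tcp-flags matcher fires for this packet."""
    return [name for name, rule in SCAN_RULES.items() if flags_match(rule, packet_flags)]


def psd_triggers(events, weight=21, delay=3.0, low_w=3, high_w=1) -> bool:
    """events: [(timestamp_seconds, dst_port)] from one source, in order.
    Packets to distinct ports arriving within `delay` of the previous packet
    accumulate weight (<=1024 counts low_w, else high_w); reaching `weight`
    means "port scan". Assumption: a gap longer than `delay` restarts the
    sequence and repeated ports add nothing."""
    total, seen, last_t = 0, set(), None
    for t, port in events:
        if last_t is not None and (t - last_t) > delay:
            total, seen = 0, set()
        last_t = t
        if port in seen:
            continue
        seen.add(port)
        total += low_w if port <= 1024 else high_w
        if total >= weight:
            return True
    return False
```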
### Honeypot Configuration for Specific Ports
These rules act as a honeypot: any source that opens a new connection from the WAN to ports commonly probed for services like SSH, RDP, FTP, and SIP (the rules below match TCP 22, 3389, 8291, 80, 443 and UDP 5060, 53) is added to the "Honeypot Hacker" list and dropped for 30 days. Use this only when none of those ports is legitimately exposed on the WAN, because every client that touches them, including your own remote Winbox or HTTPS access, will be blacklisted.
```shell
/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" connection-state=new dst-port=22,3389,8291,80,443 in-interface=bridgeWAN protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot asterisk" connection-state=new dst-port=5060,53 in-interface=bridgeWAN protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=bridgeWAN src-address-list="Honeypot Hacker"
```
### Additional Information
An alternative, simpler variant of the same detection rules (2-week list timeout, drop done in the filter chain instead of raw). The menu path is on its own line so the following `add` commands run in the `/ip firewall filter` context:
```shell
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
```
Similarly, you can drop port scanners aimed at hosts behind the router by repeating the above rules with `chain=forward`.