Block Brute Force Via Firewall Scripting Unto Various Mikrot

Hi

I have recently stumbled upon various SSH, telnet and FTP firewall script rules, and I would like to distribute them to my MikroTiks via scripting.

Example: I have 192.168.1.2, 192.168.1.100, 10.10.1.2 (there is no clear address range).

  1. I would like to export an IP list of my routers into a sequential connection script
  2. telnet into them one by one
  3. implement the scripts
  4. logout
  5. move on to the next one

Should I use Prizm or some other tool to simplify the solution?


Here are the SSH, FTP and telnet scripts (the original post came from http://forum.mikrotik.com//viewtopic.php?f=9&t=17292); the others are simple name and port variations.

ssh blocker

/ ip firewall filter
# order matters: the drop rule and the later stages are tested first, so one new connection advances only one stage per minute
add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no


ftp blocker

/ ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=black_list action=drop comment="drop ftp brute forcers" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage2 action=add-src-to-address-list address-list=ftp_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage1 action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m comment="" disabled=no

telnet blocker

/ ip firewall filter
add chain=input protocol=tcp dst-port=23 src-address-list=black_list action=drop comment="drop telnet brute forcers" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage2 action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage1 action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m comment="" disabled=no

You can write a Perl or Tcl/Expect script that will telnet to the router and apply the firewall rules.

Hi,

Thank you for answering my question so promptly.

I installed ActiveTcl, but I have yet to find a way to create a list of the MikroTiks I wish to manipulate and later implement the firewall changes.

Would you happen to have an example Tcl/Expect script I could start with?

On the other hand,

couldn't I do this sequentially with Prizm or The Dude?

JFER
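As an added example (not code from the thread or from either poster), here is a Tcl/Expect script that does the five steps of the original question: read a router list, telnet into each box in turn, enter the blocker rules, log out and move on. Because the post says the ssh, ftp and telnet rule sets are only name and port variations, the script generates all three from one template instead of carrying three pasted copies. Assumptions: a constructed file routers.txt with one address per line (the ad-hoc list of 192.168.1.2, 192.168.1.100, 10.10.1.2 style addresses), the same admin login on every router, the password passed as the first argument, the default "[admin@...] > " RouterOS prompt, and the "+ct" suffix on the user name, which is a RouterOS console login option that turns off colours and terminal auto-detection so the prompts stay predictable for expect.

```tcl
#!/usr/bin/env expect
# Added example, not from the forum thread: push the brute-force blocker rules
# to every router in routers.txt, one telnet session at a time.
# Assumptions: one address per line in routers.txt, the same admin login on all
# routers, the password as argv 0, the default RouterOS prompt.

set timeout 20
set user     "admin"
set pass     [lindex $argv 0]       ;# password is the first argument
set listfile "routers.txt"          ;# constructed input: one IP per line

# The three rule sets differ only in list-name prefix and port, so build them
# from one template. Order matters: the drop rule and the later stages come
# first, so one new connection only advances a single stage per minute.
proc blocker_rules {name port} {
    set r {}
    lappend r "add chain=input protocol=tcp dst-port=$port src-address-list=black_list action=drop comment=\"drop $name brute forcers\""
    lappend r "add chain=input protocol=tcp dst-port=$port connection-state=new src-address-list=${name}_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d"
    lappend r "add chain=input protocol=tcp dst-port=$port connection-state=new src-address-list=${name}_stage2 action=add-src-to-address-list address-list=${name}_stage3 address-list-timeout=1m"
    lappend r "add chain=input protocol=tcp dst-port=$port connection-state=new src-address-list=${name}_stage1 action=add-src-to-address-list address-list=${name}_stage2 address-list-timeout=1m"
    lappend r "add chain=input protocol=tcp dst-port=$port connection-state=new action=add-src-to-address-list address-list=${name}_stage1 address-list-timeout=1m"
    return $r
}

set rules [concat [blocker_rules ssh 22] [blocker_rules ftp 21] [blocker_rules telnet 23]]

# Step 1: the router list is just a text file, no address range needed.
set fh [open $listfile r]
set routers [split [string trim [read $fh]] "\n"]
close $fh

foreach router $routers {
    set router [string trim $router]
    if {$router eq ""} continue
    puts "=== $router ==="

    # Step 2: telnet in. "+ct" is a RouterOS console option: no colours,
    # no terminal auto-detection, so the prompt text is stable.
    spawn telnet $router
    expect {
        "Login:" { send "${user}+ct\r" }
        timeout  { puts "no login prompt from $router, skipping"; catch {close}; wait; continue }
        eof      { puts "connection to $router failed, skipping"; wait; continue }
    }
    expect "Password:" { send "$pass\r" }
    expect {
        -re {software license\? \[Y/n\]:} { send "n\r"; exp_continue }
        -re {\] > $}                      {}
        "Login:" { puts "login rejected by $router, skipping"; close; wait; continue }
        timeout  { puts "no prompt from $router, skipping"; close; wait; continue }
    }

    # Step 3: enter the firewall filter menu and add each rule, waiting for
    # the prompt to come back after every line so nothing is sent too early.
    send "/ip firewall filter\r"
    expect -re {> $}
    foreach rule $rules {
        send "$rule\r"
        expect -re {> $}
    }

    # Steps 4 and 5: log out cleanly, then the loop moves to the next router.
    send "/quit\r"
    expect eof
    wait
}
```

Run it as `expect push_blockers.exp 'the-admin-password'` from the directory holding routers.txt. The rules are not idempotent: a second run adds duplicate entries, so check with `/ip firewall filter print` before re-running. The same loop works unchanged with `spawn ssh -l ${user}+ct $router` in place of `spawn telnet $router`, which keeps the admin password off the wire in cleartext while you are deploying rules whose whole purpose is to protect those logins.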