Bruteforce login prevention

Hello.
I’ve just got my RB333 and got overwhelmed by the large number of login attempts on SSH.
I tried to run the bruteforce login prevention “script” I found on the Wiki page (http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP_%26_SSH)), but couldn’t get it to work.

I’m running RouterOS v3.3. Is there a “better” script for achieving the same thing?

Change the port for SSH, and allow access only from trusted sources.

Love your answer, simple and to the point :smiley:

Thanks!

Blocking SSH and/or using alternate ports is great. But I love the honeypot aspect of this script, which is why I added the last section to the wiki, blocking downstream access. I would even go a step further and block all ports, not just 22.

What I would really like to do now is publish the rule to all my other routers, making an RBL for brute bots. Any clues as to where to start?

What’s the problem? I use this technology very well. I adapted it to WinBox and combined with a port knocking technique (http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router#Port_Knocking):

/ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Drop FTP brute forcers" disabled=no

# no protocol=tcp here: UDP/ICMP replies to the router's own traffic (DNS, NTP) are established too, and would otherwise hit the final drop
/ip firewall filter add chain=input connection-state=established action=accept comment="Allow packets belonging to existing connections" disabled=no
/ip firewall filter add chain=input connection-state=related action=accept comment="Allow packets related to existing connections" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=safe action=accept comment="Allow SSH safe hosts" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="Drop SSH brute forcers" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="SSH brute forcers blacklisting" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="SSH brute forcers the third stage" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="SSH brute forcers the second stage" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="SSH brute forcers the first stage" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=safe action=accept comment="Allow WinBox safe hosts" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=wb_blacklist action=drop comment="Drop WinBox brute forcers" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=wb_stage3 action=add-src-to-address-list address-list=wb_blacklist address-list-timeout=10d comment="WinBox brute forcers blacklisting" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=wb_stage2 action=add-src-to-address-list address-list=wb_stage3 address-list-timeout=1m comment="WinBox brute forcers the third stage" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=wb_stage1 action=add-src-to-address-list address-list=wb_stage2 address-list-timeout=1m comment="WinBox brute forcers the second stage" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new action=add-src-to-address-list address-list=wb_stage1 address-list-timeout=1m comment="WinBox brute forcers the first stage" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=accept comment="Allow SSH" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new action=accept comment="Allow WinBox" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=20-21 connection-state=new action=accept comment="Allow FTP" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s comment="Port knocking the first stage" disabled=no 
/ip firewall filter add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list address-list=safe address-list-timeout=15m comment="Port knocking whitelisting" disabled=no

/ip firewall filter add chain=input action=drop comment="Drop everything else"

/ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m comment="Allow only 10 FTP login incorrect answers per minute" disabled=no
/ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h comment="FTP brute forcers blacklisting" disabled=no

So can I just copy and paste this? Are there additional notes? I am remote and I do not want to deny myself. I don’t see any lines that suggest I won’t be denied as well.

Thanks,

JR

Just put this line in /ip firewall filter (uplink_1 is the name of the WAN interface; use your own):

/ip firewall filter add chain=input action=drop connection-state=new src-address-list=!TRUSTED in-interface=uplink_1

and make sure you have in TRUSTED address-list your IP address :slight_smile:

If you need to login from remote locations that may not be trusted all the time, Google “port knocking” to add addresses temporarily to the trusted address list.

ADD: I see dansoftware suggested this already.

> What’s the problem? I use this technology very well. I adapted it to WinBox and combined with a port knocking technique (http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router#Port_Knocking):

Hello.
I blocked the WinBox port 2891 with firewall filter rules and now I cannot log in to the MikroTik.
What can I do?

Log in via some other method and remove the rule. Worst case get on the same broadcast domain and use a Winbox connection on layer 2.

DO NOT DO THIS VERBATIM! It will drop all of your untrusted traffic to the router itself, not just the flagged IPs, ELIMINATING THE HONEYPOT! If you do use this rule, make sure to add your IP to the trusted list first, or you will be locked out:

/ip firewall address-list add address=192.168.0.x disabled=no list=TRUSTED

You would be better off with:

/ip firewall filter add chain=input action=accept connection-state=new src-address-list=trusted place-before=0 comment="Allow Trusted"
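
To see what the rules in this thread actually do before pasting them into a remote box, here is a small simulator. It is an added example, not code from the original posts or from MikroTik: it models dansoftware's SSH staging and port-knocking rules above with first-match evaluation and expiring address lists, and then compares the two "front" rules from this exchange (the `drop ... src-address-list=!TRUSTED` rule placed first versus the `accept ... src-address-list=trusted place-before=0` rule). Assumptions: `add-src-to-address-list` is non-terminating (the packet continues to the next rule, which is why the posted rule set ends with an unconditional "Allow SSH" accept), re-adding an address refreshes its timeout, the `in-interface` match is ignored, and all addresses, list name `trusted` and timings are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One input-chain rule. Only the matchers used by the thread's rules are modelled."""
    action: str                      # "accept", "drop" or "add-src" (add-src-to-address-list)
    dst_port: Optional[int] = None   # protocol=tcp dst-port=...
    src_list: Optional[str] = None   # src-address-list=...; a leading "!" negates, as in RouterOS
    new_only: bool = False           # connection-state=new
    target: Optional[str] = None     # address-list=... for add-src
    timeout: float = 0.0             # address-list-timeout=... in seconds


class Firewall:
    """First-match evaluation over an ordered rule list, with expiring dynamic address lists."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.lists = {}  # list name -> {address: expiry time in seconds}

    def in_list(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now

    def add(self, name, addr, now, timeout):
        # Assumption: re-adding an address that is already listed refreshes its timeout.
        self.lists.setdefault(name, {})[addr] = now + timeout

    def packet(self, now, src, dst_port, new=True):
        """Return the verdict ("accept"/"drop") for one packet, applying side effects on the way."""
        for r in self.rules:
            if r.dst_port is not None and r.dst_port != dst_port:
                continue
            if r.new_only and not new:
                continue
            if r.src_list:
                negate = r.src_list.startswith("!")
                if self.in_list(r.src_list.lstrip("!"), src, now) == negate:
                    continue
            if r.action == "add-src":  # non-terminating: the packet goes on to the next rule
                self.add(r.target, src, now, r.timeout)
                continue
            return r.action
        return "accept"  # nothing matched: RouterOS accepts by default


def ssh_rules():
    """The SSH, port-knocking and final-drop rules from the post, in the posted order.
    The established/related, WinBox and FTP rules are omitted: the scenarios below send only
    new TCP connections to ports 22, 1337 and 7331, and the WinBox rules have the same shape."""
    day = 86400
    return [
        Rule("accept", 22, "safe", new_only=True),                   # Allow SSH safe hosts
        Rule("drop", 22, "ssh_blacklist"),                           # Drop SSH brute forcers
        Rule("add-src", 22, "ssh_stage3", True, "ssh_blacklist", 10 * day),
        Rule("add-src", 22, "ssh_stage2", True, "ssh_stage3", 60),
        Rule("add-src", 22, "ssh_stage1", True, "ssh_stage2", 60),
        Rule("add-src", 22, None, True, "ssh_stage1", 60),
        Rule("accept", 22, new_only=True),                           # Allow SSH
        Rule("add-src", 1337, target="knock", timeout=15),           # Port knocking first stage
        Rule("add-src", 7331, "knock", target="safe", timeout=900),  # Port knocking whitelisting
        Rule("drop"),                                                # Drop everything else
    ]


# Constructed addresses for the demo (documentation ranges, not real hosts).
ATTACKER, KNOCKER, ADMIN = "198.51.100.7", "203.0.113.5", "192.0.2.10"


def ssh_attempts(fw, src, count, gap, start=0.0):
    """Verdicts for `count` new SSH connections from src, `gap` seconds apart."""
    return [fw.packet(start + i * gap, src, 22) for i in range(count)]


def knock(fw, src, t1, t2):
    """Send the two knocks at t1 and t2. Both are dropped by the last rule; returns whether
    src ended up in the `safe` list, i.e. whether the second knock came within 15 s."""
    fw.packet(t1, src, 1337)
    fw.packet(t2, src, 7331)
    return fw.in_list("safe", src, t2)


def honeypot_survives(front_rule):
    """Insert `front_rule` at position 0 (place-before=0) with ADMIN statically in `trusted`.
    Returns (attacker blacklisted?, verdicts for six SSH connections from the admin)."""
    fw = Firewall([front_rule] + ssh_rules())
    fw.add("trusted", ADMIN, 0, float("inf"))  # static entry, like /ip firewall address-list add
    ssh_attempts(fw, ATTACKER, 6, 5)
    admin = ssh_attempts(fw, ADMIN, 6, 5)
    return fw.in_list("ssh_blacklist", ATTACKER, 30), admin


if __name__ == "__main__":
    print("brute forcer :", ssh_attempts(Firewall(ssh_rules()), ATTACKER, 6, 5))
    print("drop !trusted:", honeypot_survives(Rule("drop", src_list="!trusted", new_only=True)))
    print("accept trusted:", honeypot_survives(Rule("accept", src_list="trusted", new_only=True)))
```

Running it shows three things the rules alone do not make obvious: a host gets four new SSH connections inside the one-minute windows before the fifth is dropped (the fourth is the one that lands it in `ssh_blacklist`), an attacker who spaces connections more than a minute apart never climbs past `ssh_stage1`, and the two front rules differ sharply. With `drop ... !trusted` first, the brute forcer is never staged (no honeypot), an untrusted admin cannot knock in because the knocks themselves are new connections, and a trusted host that is not also in `safe` still walks through the stages and is blacklisted after four logins. With `accept ... trusted` first, the trusted host bypasses the staging entirely while the honeypot keeps working for everyone else.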

Hi!

IMHO RouterOS should have a bruteforce protection system for its services. If you want to protect a service which MikroTik forwards/NATs, you should use MikroTik filters or another solution on the destination box.

That should include the Mikrotik services SSH, Winbox, VPNs (L2TP, PPTP, IPSec, …)

If we use filters to fix this problem we are overloading the firewall filters to fix a service problem.

So please, use inside RouterOS a solution like fail2ban or another one to protect us against bruteforce attacks.