I've implemented the tiered address list firewall rules to try to drop brute force intrusion attempts to our email server.
I've followed the rules seen on this page. http://wiki.mikrotik.com/wiki/Bruteforc ... ion_%28FTP
The only adjustment I've made was changing the ports from just port 21 to ports 21-23. Up to this point no one has been added to the actual blacklist, which the drop rule uses.
This morning, going over our email server logs, I saw that someone attempted brute force via SSH for a few hours consistently.
I don't understand why this traffic is not being dropped.
Come to think of it, there was one other modification I made, to the drop rule only: I added a !source address of our /20 so we don't affect any of our customers.
Anyone have any input?
Looking over the webpage I followed instructions from, I didn't implement the rules on the top half of the page; only
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
was implemented, but like I said I altered the dst ports to be 21-23 instead of just 22,
and the drop rule has a !source address of our /20.
An addendum: our server log shows the attempts coming from an off-network address.
I know I can easily create a drop rule using their IP, but this isn't a solution as I can't watch the logs 24/7.
Also, I did change the above firewall rules to be in the forward chain, so the problem isn't due to me having the rules in the wrong chain.
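To see how the 1m stage timeouts and the /20 exclusion interact with the rate of attempts, here is a small Python model of the five rules quoted above; it is an added illustration, not RouterOS code and not part of the post, and the source addresses and the 10.10.0.0/20 excluded range are placeholders.

```python
from ipaddress import ip_address, ip_network

# Timeouts taken from the rules quoted in the post: stage lists live 1m, the blacklist 10d
STAGE_TIMEOUT = 60
BLACKLIST_TIMEOUT = 10 * 24 * 3600
STAGES = ("ssh_stage1", "ssh_stage2", "ssh_stage3", "ssh_blacklist")


class TieredFirewall:
    """Models the drop rule plus the four staging rules, evaluated in the listed order."""

    def __init__(self, excluded_net):
        # excluded_net stands in for "our /20" in the drop rule's src-address=! exclusion
        self.excluded = ip_network(excluded_net)
        self.lists = {name: {} for name in STAGES}  # list name -> {src: expiry time}

    def _listed(self, name, src, now):
        # a dynamic entry disappears once its address-list-timeout has elapsed
        expiry = self.lists[name].get(src)
        return expiry is not None and now < expiry

    def new_connection(self, src, now):
        """Verdict for one new TCP connection to the guarded port from src at time now (seconds)."""
        # Rule 1: drop blacklisted sources, unless the source sits inside the excluded range
        if self._listed("ssh_blacklist", src, now) and ip_address(src) not in self.excluded:
            return "drop"
        # Rules 2-5: each new connection promotes the source one stage; a source whose
        # previous stage entry has already expired starts over at stage1
        for current, nxt in (("ssh_stage3", "ssh_blacklist"), ("ssh_stage2", "ssh_stage3"),
                             ("ssh_stage1", "ssh_stage2"), (None, "ssh_stage1")):
            if current is None or self._listed(current, src, now):
                timeout = BLACKLIST_TIMEOUT if nxt == "ssh_blacklist" else STAGE_TIMEOUT
                self.lists[nxt][src] = now + timeout
                break
        return "accept"


def simulate(attempts, excluded_net="10.10.0.0/20"):
    """Run (src, seconds) new-connection events through the rules in order; returns the verdicts."""
    fw = TieredFirewall(excluded_net)
    return [fw.new_connection(src, t) for src, t in attempts]


if __name__ == "__main__":
    # Constructed samples (placeholder addresses): a fast source, a slow one spacing its
    # attempts beyond the 1m stage window, and a source inside the excluded /20
    fast = [("203.0.113.7", t) for t in (0, 10, 20, 30, 40)]
    slow = [("198.51.100.9", t) for t in range(0, 900, 90)]
    inside = [("10.10.3.4", t) for t in (0, 10, 20, 30, 40)]
    for label, events in (("fast", fast), ("slow", slow), ("inside /20", inside)):
        print(label, simulate(events))
```

The "slow" run shows that a source whose attempts are spaced further apart than the 1m stage timeout never reaches the blacklist, while the "inside /20" run shows that the exclusion only affects the drop rule, not the list promotions.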