 
techguy79
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Mar 24, 2009 10:34 pm

tiered address list firewall drop outside port21-23 fails

Fri Apr 09, 2010 5:13 pm

I've implemented the tiered address list firewall rules to try to drop brute force intrusion attempts to our email server.
I've followed the rules seen on this page. http://wiki.mikrotik.com/wiki/Bruteforc ... ion_%28FTP
The only adjustment I've made was to change the ports from just port 21 to ports 21-23. Up to this point no one has been added to the actual blacklist which the drop rule uses.
This morning, going over our email server logs, I saw someone attempted brute force via ssh for a few hours consistently.
I don't understand why this traffic is not being dropped.
Come to think of it, there was one other modification I made, to the drop rule only: to the drop rule I added a !source address of our /20 so we don't affect any of our customers.
Anyone have any input?
Looking over the webpage I followed instructions from, I didn't implement the rules on the top half of the page; only

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

was implemented, but like I said I altered the dst ports to be 21-23 instead of just 22,
and the drop rule has a !source address of our /20.

An addendum: our server log shows the attempts coming from an off-network address.
I know I can easily create a drop rule using their IP, but this isn't a solution as I can't watch the logs 24/7.
Also, I did change the above firewall rules to be in the forward chain, so the problem isn't due to me having the rules in the wrong chain.
 
techguy79
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Mar 24, 2009 10:34 pm

Re: tiered address list firewall drop outside port21-23 fail

Mon Apr 12, 2010 7:55 pm

bump anyone?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: tiered address list firewall drop outside port21-23 fail

Mon Apr 12, 2010 9:06 pm

Instead of describing the changes you made (which sound reasonable), can you please post the actual rule set from your router together with all the relevant information (network topology etc.)?
 
techguy79
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Mar 24, 2009 10:34 pm

Re: tiered address list firewall drop outside port21-23 fail

Tue Apr 13, 2010 7:29 pm

OK, it took me a bit to change our addresses. I assure you the brute force attempts are not coming from any of the addresses that are x.x.x.x.
I know this is probably more info than needed, but I'd rather disclose the full picture.
I can see IP addresses being added to the stage 3 list, but none of them ever make it onto the actual blacklist which the drop rule uses.
As far as topology goes, our email server is plugged into a switch which is connected to the LAN side of our edge MikroTik.
The only traffic that doesn't pass through this particular edge router to get to the server is traffic from our office, which has an IP in the same subnet as the server (on our office MikroTik WAN interface), allowing us to communicate directly with the server.
If you have any more questions, feel free to ask. I know our firewall needs to be cleaned up somewhat, but functionally it is sound, except for the brute force rule set not actually adding real brute force attempts on our server to the address list and then dropping them.


/ip firewall address-list

add address=x.x.x.x/20 comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x/24 comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x/24 comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x/24 comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x/25 comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x/29 comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x/29 comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x/25 comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x comment="temp customer 03/25/09" disabled=no list=\
valid-mail-sources
add address=x.x.x.x comment="" disabled=no list=valid-mail-sources
add address=x.x.x.x/24 comment="" \
disabled=no list=valid-mail-sources


/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s


/ip firewall filter
add action=accept chain=forward comment="allow ftp access for somebody@some company" \
disabled=no dst-address=x.x.x.x dst-port=21 protocol=tcp src-address=\
x.x.x.x
add action=accept chain=forward comment="allow established connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid disabled=no protocol=tcp psd=21,3s,3,1 \
src-address=!x.x.x.x/20 <---- this is our /20 from arin
add action=accept chain=input comment="" connection-state=established \
disabled=no protocol=tcp
add action=accept chain=input comment="" connection-state=related disabled=no \
protocol=tcp
add action=drop chain=input comment="" connection-state=invalid disabled=no \
protocol=tcp src-address=!x.x.x.x/20 <------- this is our /20 from arin
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2d chain=forward comment=\
"add port scanners to port scan list" disabled=no psd=21,3s,3,1
add action=drop chain=forward comment="drop port scanners from outside" \
disabled=no src-address=!x.x.x.x/20 src-address-list="port scanners" <---- again this is our /20 from arin
add action=add-src-to-address-list address-list="over 50 smtp connections" \
address-list-timeout=4d chain=forward comment=\
"add any ip with over 50 concurrent port 25 connections to address list" \
connection-limit=50,32 disabled=no dst-port=25 protocol=tcp
add action=drop chain=forward comment="drop smtp traffic from outside from sou\
rces on over 50 smtp connections address list" disabled=no src-address=\
!x.x.x.x/20 src-address-list="over 50 smtp connections"


add action=drop chain=forward comment=\ <------this is the start of brute force ruleset implemented
"drop brute force attempts from addresses on stage 3 blacklist" disabled=\
no dst-port=21-23 protocol=tcp src-address-list=bruteforce_blacklist
add action=add-src-to-address-list address-list=bruteforce_blacklist \
address-list-timeout=1w3d chain=forward comment=\
"if address is on stage3 add to blacklist" connection-state=new disabled=\
no dst-port=21-23 protocol=tcp src-address-list=brute_force_stage3
add action=add-src-to-address-list address-list=bruteforce_stage3 \
address-list-timeout=1m chain=forward comment=\
"if on stage 2 list and make another attempt add to stage 3 list" \
connection-state=new disabled=no dst-port=21-23 protocol=tcp \
src-address-list=bruteforce_stage2
add action=add-src-to-address-list address-list=bruteforce_stage2 \
address-list-timeout=1m chain=forward comment=\
"if on stage1 list and another attempt is made add source to stage2" \
connection-state=new disabled=no dst-port=21-23 protocol=tcp \
src-address-list=bruteforce_stage1
add action=add-src-to-address-list address-list=bruteforce_stage1 \
address-list-timeout=1m chain=forward comment=\
"First Attempt to access ports 21-23 add source to stage1 list" \
connection-state=new disabled=no dst-port=21-23 protocol=tcp <------ end of brute force ruleset




add action=add-src-to-address-list address-list="10+connectionsto servers" \ <--this dst address is the subnet the email server is on
address-list-timeout=48m chain=forward comment=\
"add over 10 connections to south network to address list" \
connection-limit=5,32 disabled=no dst-address=x.x.x.x/24 dst-port=21-23 \
protocol=tcp
add action=add-src-to-address-list address-list="10+connectionsto servers" \ <--this dst address is another subnet the email server is on
address-list-timeout=48m chain=forward comment=\
"add over 10 connections to south network to address list" \
connection-limit=5,32 disabled=no dst-address=x.x.x.x/24 dst-port=\
21-23 protocol=tcp
add action=log chain=forward comment="log traffic from x.x.x.x" disabled=\
no dst-port=25 log-prefix=logmailfrom.250 protocol=tcp src-address=\
x.x.x.x
add action=log chain=forward comment="log smtp traffic from outside network" \
disabled=no dst-address=x.x.x.x log-prefix=\
"log smtp from outside network" protocol=tcp src-address=0.0.0.0/0
add action=log chain=forward comment=\
"log smtp traffic from our chunk to external mail servers" disabled=no \
dst-address=0.0.0.0/0 dst-port=25 log-prefix="inside port25 traffic" \
protocol=tcp src-address=x.x.x.x/20 <----again our /20 from arin
add action=log chain=forward comment=\
"log smtp traffic from outside directed to mail server" disabled=no \ <--- dst address is our /20
dst-address=x.x.x.x/20 dst-port=25 log-prefix="outside port25 traffic" \
protocol=tcp src-address=0.0.0.0/0
add action=accept chain=forward comment=\
"allow ftp to server for example.com" disabled=no dst-address=\
x.x.x.x/24 dst-port=21 protocol=tcp src-address=x.x.x.x
add action=accept chain=input comment=IBGP disabled=no src-address=\
172.16.16.3
add action=accept chain=output comment="" disabled=no dst-address=172.16.16.3
add action=accept chain=forward comment="" disabled=no src-address=\
172.16.16.3
add action=accept chain=forward comment="" disabled=no dst-address=\
172.16.16.3
add action=accept chain=input comment="" disabled=yes src-address=\
x.x.x.x
add action=log chain=forward comment="allow ftp to server from our own chunk" \ <--- dst address is subnet on email/host server that responds to ftp requests
disabled=no dst-address=x.x.x.x/24 dst-port=21 log-prefix="" protocol=\
tcp src-address=x.x.x.x/21 <--- half our /20 from arin
add action=accept chain=forward comment=\
"allow ftp to server from our own chunk" disabled=no dst-address=\ <--- dst = server src= our /20
x.x.x.x/24 dst-port=21 protocol=tcp src-address=x.x.x.x/20
add action=log chain=forward comment="log ftp attempts to server" disabled=no \
dst-address=x.x.x.x/24 dst-port=21 log-prefix="" protocol=tcp \ <---- dst address= /24 on email server
src-address=0.0.0.0/0
add action=drop chain=forward comment="drop ftp attempts to server" disabled=\
yes dst-address=x.x.x.x/24 dst-port=21 protocol=tcp src-address=\ <---- dst address= /24 on email server
0.0.0.0/0
add action=drop chain=forward comment="drop ftp attempts to server" disabled=\
yes dst-address=x.x.x.x/24 dst-port=21 protocol=tcp src-address=\ <---- dst address= /24 on email server
0.0.0.0/0
add action=log chain=forward comment="" disabled=no dst-address=x.x.x.x \
log-prefix=""
add action=log chain=forward comment="log telnet attempts to any vhosts" \
disabled=no dst-address=x.x.x.x/24 dst-port=23 log-prefix="" protocol=\ <---- dst address= /24 on email server
udp
add action=log chain=forward comment="log telnet attempts to any vhosts" \
disabled=no dst-address=x.x.x.x/24 dst-port=23 log-prefix="" protocol=\ <---- dst address= /24 on email server
tcp
add action=log chain=forward comment="" disabled=no dst-address=x.x.x.x \
dst-port=23 log-prefix="" protocol=tcp
add action=log chain=input comment="" disabled=yes log-prefix=rogueDHCP \
protocol=udp src-mac-address=00:A0:C5:7D:7E:77 src-port=68
add action=log chain=forward comment="" disabled=yes log-prefix="" \
src-address=x.x.x.x
add action=accept chain=forward comment="" disabled=no src-address=\
x.x.x.x
add action=accept chain=input comment="" disabled=no src-address=x.x.x.x <---- address on our other edge router
add action=accept chain=forward comment="" disabled=no dst-address=\
x.x.x.x
add action=accept chain=forward comment="" disabled=no src-address=\
x.x.x.x
add action=accept chain=forward comment="il bus systems" disabled=no \
dst-address=x.x.x.x
add action=accept chain=forward comment=DNS disabled=no dst-port=53 protocol=\
tcp
add action=accept chain=forward comment="" disabled=no protocol=tcp src-port=\
53
add action=accept chain=forward comment="" disabled=no dst-port=53 protocol=\
udp
add action=accept chain=forward comment="" disabled=no protocol=udp src-port=\
53
add action=accept chain=forward comment=example.com disabled=no dst-address=\
x.x.x.x dst-port=25 protocol=tcp
add action=accept chain=forward comment="" disabled=no protocol=tcp \
src-address=x.x.x.x src-port=25
add action=accept chain=forward comment="" disabled=no dst-address=\
x.x.x.x dst-port=25 protocol=tcp
add action=accept chain=forward comment="Mail ports" disabled=no dst-port=25 \
protocol=tcp
add action=accept chain=forward comment="" disabled=no protocol=tcp src-port=\
25
add action=add-src-to-address-list address-list=mail-server-ips \
address-list-timeout=0s chain=forward comment="" disabled=no \
src-mac-address=00:11:95:22:DF:43
add action=accept chain=forward comment="" disabled=no dst-port=5224 \
protocol=tcp
add action=log chain=forward comment="" disabled=no dst-port=5224 log-prefix=\
"" protocol=tcp
add action=accept chain=forward comment="Failover Test" disabled=no \
dst-address=x.x.x.x
add action=accept chain=forward comment="" disabled=no src-address=\
x.x.x.x
add action=accept chain=forward comment=DNS disabled=no dst-address=x.x.x.x \ <--- north dns server
src-address=0.0.0.0/0
add action=log chain=forward comment="" disabled=yes dst-address=x.x.x.x \ <---- south dns
log-prefix="" src-address=0.0.0.0/0
add action=accept chain=forward comment="" disabled=no dst-address=x.x.x.x \
src-address=0.0.0.0/0
add action=accept chain=forward comment="BAM ALLOWS" disabled=no dst-address=\ <--- authentication server
x.x.x.x src-address=0.0.0.0/0
add action=accept chain=forward comment="" disabled=no dst-address=0.0.0.0/0 \
src-address=x.x.x.x
add action=accept chain=input comment="" disabled=no src-address=x.x.x.x
add action=accept chain=input comment="Allow pings to MT" disabled=no \
protocol=icmp
add action=accept chain=forward comment="Foresite Network" disabled=no \
dst-address=10.0.0.0/8
add action=accept chain=forward comment="" disabled=no src-address=10.0.0.0/8
add action=accept chain=output comment="" disabled=no dst-address=10.0.0.0/8
add action=accept chain=input comment="" disabled=no src-address=10.0.0.0/8
add action=accept chain=forward comment="" disabled=no
add action=accept chain=forward comment="" disabled=no dst-port=5224 \
protocol=tcp
add action=accept chain=forward comment="VNC for 14.2" disabled=yes \
dst-address=x.x.14.2 dst-port=5400 protocol=tcp
add action=accept chain=forward comment="" disabled=yes dst-port=5400 \
protocol=tcp src-address=x.x.14.2
add action=accept chain=input comment="BGP PORTS" disabled=no dst-port=179 \
protocol=tcp src-address=x.x.x.x <----- external upstream provider bgp

add action=drop chain=input comment=\
"Drop but don't log windows networking broadcasts." disabled=no \
packet-mark=SMB
add action=drop chain=forward comment="drop smb" disabled=no packet-mark=SMB
add action=accept chain=input comment="Accept DHCP IP requests to look for rog\
ue DHCP servers. (Typically Disabled.)" disabled=yes dst-port=68 \
in-interface="(unknown)" protocol=udp
add action=accept chain=input comment="Accept DHCP traffic." disabled=no \
dst-port=67 in-interface=ether2_LAN protocol=udp src-port=68
add action=accept chain=input comment="Accept DHCP renewal requests." \
disabled=no dst-port=67 in-interface=ether2_LAN protocol=udp
add action=accept chain=input comment=\
"Accept ICMP. Normally you may want this disabled." disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"Accept MikroTik Neighbor Discovery Protocol" disabled=no dst-address=\
255.255.255.255 dst-port=5678 protocol=udp
add action=accept chain=input comment="Allow anything over VPN." disabled=no \
protocol=gre
add action=accept chain=input comment="" disabled=no dst-port=1723 protocol=\
tcp
add action=accept chain=input comment=\
"Allow secure connections to the router." disabled=no dst-port=8291 \
protocol=tcp
add action=log chain=input comment="Allow VRRP" disabled=yes log-prefix=VRRP \
protocol=vrrp
add action=accept chain=input comment="Allow VRRP" disabled=no protocol=vrrp
add action=accept chain=input comment="Allow NTP." disabled=no dst-address=\
x.x.x.x dst-port=123 protocol=udp src-address=x.x.x.x/24 \
src-port=123
add action=accept chain=input comment="" disabled=no dst-address=x.x.x.x \ <---- our /20 src
dst-port=123 protocol=udp src-address=x.x.x.x/20 src-port=123
add action=accept chain=input comment="" disabled=no dst-address=x.x.x.x
add action=accept chain=input comment=\
"Allow SMTP response to outgoing email notifications from the router." \
disabled=no src-address=x.x.x.x <---- our domains smtp server on mail server
add action=log chain=forward comment="" disabled=yes log-prefix="" \
packet-mark=rest-of-mail
add action=accept chain=input comment="Allow DNS lookups by router." \
disabled=no protocol=udp src-address=x.x.x.x src-port=53
add action=accept chain=input comment="" disabled=no protocol=udp \
src-address=x.x.x.x src-port=53 <---- south dns server
add action=accept chain=input comment="" disabled=no protocol=udp \
src-address=x.x.x.x src-port=53 <---- north dns server
add action=accept chain=input comment="" disabled=yes dst-port=53 \
in-interface=ether1_WAN protocol=udp
add action=accept chain=input comment=\
"Allow ICMP responses to requests we initiate." connection-state=\
established disabled=no protocol=icmp
add action=accept chain=input comment="" connection-state=related disabled=no \
protocol=icmp
add action=log chain=input comment=\
"Drop and log anything else coming directly into the router." disabled=\
yes log-prefix=""
add action=drop chain=input comment="" disabled=no
add action=log chain=forward comment="" disabled=yes log-prefix="" protocol=\
tcp src-mac-address=00:50:8B:F3:75:F7 src-port=25
/ip firewall mangle
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=SMB passthrough=yes protocol=udp src-port=135
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=SMB passthrough=yes protocol=tcp src-port=135
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=135 \
new-packet-mark=SMB passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=135 \
new-packet-mark=SMB passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=SMB passthrough=yes protocol=udp src-port=137-139
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=SMB passthrough=yes protocol=tcp src-port=137-139
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=\
137-139 new-packet-mark=SMB passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=\
137-139 new-packet-mark=SMB passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=SMB passthrough=yes protocol=udp src-port=445
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=SMB passthrough=yes protocol=tcp src-port=445
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=445 \
new-packet-mark=SMB passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="" disabled=no dst-port=445 \
new-packet-mark=SMB passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=p2p p2p=all-p2p passthrough=no



/ip firewall nat


add action=dst-nat chain=dstnat comment=\
"Redirect mail for example.com to Barracuda." disabled=no \
dst-address=x.x.x.x dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example1.com to Barracuda." disabled=no dst-address=\
x.x.x.x dst-port=25 protocol=tcp src-address-list=!valid-mail-sources \
to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example2.com to Barracuda." disabled=no \
dst-address=x.x.x.x dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example3.com to Barracuda." disabled=no \
dst-address=x.x.x.x dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example4.com to Barracuda." disabled=no \
dst-address=x.x.x.x dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example5.com to Barracuda." disabled=no \
dst-address=x.x.x.x dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example6.com to Barracuda." disabled=no \
dst-address=x.x.x.x dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example7.com to Barracuda." disabled=no \
dst-address=x.x.x.x dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example8.com to Barracuda." disabled=no \
dst-address=x.x.x.x dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example9.com to Barracuda." disabled=no dst-address=\
x.x.x.x dst-port=25 protocol=tcp src-address-list=!valid-mail-sources \
to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
add action=dst-nat chain=dstnat comment=\
"Redirect mail for example10.com to Barracuda." disabled=no \
dst-address=x.x.x.x dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- to address = barracuda device ip
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=no
 
techguy79
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Mar 24, 2009 10:34 pm

Re: tiered address list firewall drop outside port21-23 fail

Thu Apr 15, 2010 7:40 pm

Anyone have ideas? I'd have thought this particular set of rules would have been widely deployed by the community; I've searched and it seems no one else has had this issue. I don't understand how the brute force attempters aren't being added to bruteforce_blacklist and being dropped. I can see them in the stage 3 blacklist but they never go any further than that.
 
techguy79
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Mar 24, 2009 10:34 pm

Re: tiered address list firewall drop outside port21-23 fail

Mon Apr 26, 2010 11:40 pm

Just an update: I figured out the problem. When I was creating the address list rules I created a blacklist called bruteforce_blacklist and another blacklist called brute_force_blacklist.
The firewall rule that checks to see if you're on bruteforce_stage2 and adds the IP to bruteforce_blacklist had the action set to brute_force_blacklist instead of bruteforce_blacklist; this was the first problem.
The next problem was that the drop rule was also using the wrong blacklist, so the drop rule was checking a dead address list and hence not dropping anything.
After finding this and readjusting, our server now shows brute force attempts limited to like 5-6 attempts and then no more.
I was a little upset I didn't receive much help from the community, but then realized the actual cause of this probably wasn't viewable from the config summary I posted.
For all intents and purposes, any readers probably read my config and thought it should work...
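The mismatch the author found (a rule matching on one list name while the stage rule populates a differently spelled one) is a class of error that can be checked mechanically, and it is in fact visible in the export posted above: the add-to-blacklist rule matches src-address-list=brute_force_stage3 while the stage-3 rule populates bruteforce_stage3. The following is an added example, not code from the thread or from MikroTik: it joins a RouterOS export's backslash-continued lines, drops the forum's "<----" annotations, and reports address lists that rules match on but nothing populates (and the reverse), run over a constructed sample that mirrors the posted brute-force block.

```python
"""Audit a RouterOS export for address-list name mismatches: lists that rules
match on but nothing populates, and lists that are populated but never matched."""
import re

# A RouterOS export continues a statement on the next line when the line ends
# with "\" (pieces join with no added space, even inside quoted strings). The
# forum post also carries "<---- note" annotations after some lines.
def join_export(text: str) -> list[str]:
    stmts, cur = [], ""
    for raw in text.splitlines():
        line = re.sub(r"<-+.*$", "", raw).rstrip()   # drop forum annotations
        if line.endswith("\\"):
            cur += line[:-1]                           # continuation
            continue
        cur += line
        if cur.strip():
            stmts.append(cur.strip())
        cur = ""
    return stmts

# key=value pairs; a value is either "quoted, may contain spaces" or a bare token
KV = re.compile(r'([\w-]+)=("([^"]*)"|\S+)')

def parse_kv(stmt: str) -> dict[str, str]:
    return {k: (inner if v.startswith('"') else v) for k, v, inner in KV.findall(stmt)}

def audit_lists(export: str) -> dict[str, set[str]]:
    populated, referenced, section = set(), set(), ""
    for stmt in join_export(export):
        if stmt.startswith("/"):                  # e.g. "/ip firewall filter"
            section = stmt
            continue
        kv = parse_kv(stmt)
        if section == "/ip firewall address-list" and "list" in kv:
            populated.add(kv["list"])             # static entry
        if kv.get("action") in ("add-src-to-address-list", "add-dst-to-address-list"):
            populated.add(kv["address-list"])     # dynamic entry
        for key in ("src-address-list", "dst-address-list"):
            if key in kv:
                referenced.add(kv[key].lstrip("!"))   # "!list" negates a match
    return {"never_populated": referenced - populated,
            "never_matched": populated - referenced}

# Constructed sample mirroring the posted brute-force block, with the
# brute_force_stage3 / bruteforce_stage3 mismatch left in place.
SAMPLE = r'''
/ip firewall address-list
add address=x.x.x.x/20 comment="" disabled=no list=valid-mail-sources
/ip firewall filter
add action=drop chain=forward comment=\ <------ start of brute force ruleset
"drop brute force attempts from addresses on stage 3 blacklist" disabled=\
no dst-port=21-23 protocol=tcp src-address-list=bruteforce_blacklist
add action=add-src-to-address-list address-list=bruteforce_blacklist \
address-list-timeout=1w3d chain=forward connection-state=new disabled=\
no dst-port=21-23 protocol=tcp src-address-list=brute_force_stage3
add action=add-src-to-address-list address-list=bruteforce_stage3 \
address-list-timeout=1m chain=forward connection-state=new disabled=no \
dst-port=21-23 protocol=tcp src-address-list=bruteforce_stage2
add action=add-src-to-address-list address-list=bruteforce_stage2 \
address-list-timeout=1m chain=forward connection-state=new disabled=no \
dst-port=21-23 protocol=tcp src-address-list=bruteforce_stage1
add action=add-src-to-address-list address-list=bruteforce_stage1 \
address-list-timeout=1m chain=forward connection-state=new disabled=no \
dst-port=21-23 protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=25 protocol=tcp src-address-list=\
!valid-mail-sources to-addresses=x.x.x.x to-ports=25 <----- barracuda
'''

if __name__ == "__main__":
    for problem, names in audit_lists(SAMPLE).items():
        print(f"{problem}: {sorted(names) or 'none'}")
```

Feed it the output of `/export` (or the pasted post) and a non-empty never_populated set is exactly the dead-list condition the thread describes: the drop or promotion rule can never fire.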
