emanuele
just joined
Topic Author
Posts: 3
Joined: Thu Jan 05, 2017 11:26 pm

Solved: Bruteforce HTTP CHAP login prevention

Thu Jan 05, 2017 11:47 pm

Hi folks,

I'm struggling with a bruteforce HTTP CHAP login prevention script for the hotspot.
I checked this out: http://wiki.mikrotik.com/wiki/Bruteforc ... prevention - but with Wireshark I can't get any useful detail to build up an address list.
So I was thinking of using the logs. Do you know if I can create an address list (blacklist) by counting failed logins from the log file? I believe it's possible and probably the script needs to be scheduled to run all the time. How would this affect the router resources? - Probably you guys have a better idea :)

Rgds,
Emanuele
Last edited by emanuele on Wed Jan 11, 2017 12:04 pm, edited 1 time in total.
 
emanuele
just joined
Topic Author
Posts: 3
Joined: Thu Jan 05, 2017 11:26 pm

Re: Help: Bruteforce HTTP CHAP login prevention

Wed Jan 11, 2017 12:04 pm

This took me a bit of time but it's solved!

- First create an address list from the failed logins:

/ip firewall filter
add chain=input protocol=tcp src-address-list=hotspot_blacklist action=drop comment="Hotspot bruteforce prevention"
add chain=output action=accept protocol=tcp content="invalid username or password" dst-limit=2/1m,4,dst-address/2m comment="Hotspot bruteforce prevention"
add chain=output action=add-dst-to-address-list protocol=tcp content="invalid username or password" address-list=hotspot_blacklist address-list-timeout=3h

Thanks to https://goo.gl/yJfPYE; I didn't know that "invalid username or password" was carried over TCP in this scenario.

- Move those filters above all the hotspot filters.

Ok, after 6 failed logins (in 2 minutes) all the TCP connections for those IP addresses are dropped. The list will expire after 3 hours.

My DHCP server lease time is quite short (and I need to keep it short) so I wrote another script. It does an IP to MAC conversion by using ARP, but I believe that can be done by the DHCP server (indeed it also collects MAC addresses). If you don't want to play around, just enable "Add ARP For Leases".

#Hotspot IP to MAC binding#
# Walk every dynamic entry in hotspot_blacklist, look up the client's MAC
# via ARP, and turn the temporary IP block into a hotspot MAC block.
:local ipaddr value="";
:local mac value="";

:foreach a in=[/ip firewall address-list find where dynamic=yes and list=hotspot_blacklist] do={
    :set $ipaddr [/ip firewall address-list get $a value-name=address];
    :local m [/ip arp find where address=$ipaddr dynamic=yes];

    # Skip entries whose ARP record has already expired: "get" on an
    # empty result aborts the whole script and leaves later entries unprocessed.
    :if ([:len $m] > 0) do={
        :set $mac [/ip arp get $m mac-address];

        /ip hotspot ip-binding add type=blocked mac-address=$mac comment="blocked from script";
        /ip firewall address-list remove $a;

        :log warning ("Blocked from Hotspot " . " MAC: " . $mac);
    }
}


Set this one on the scheduler and just remember to run it before the hotspot_blacklist expires.

Ciao
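As an added example that is not from emanuele's post: the same binding step done through the DHCP server lease table (which the post notes also records MAC addresses) instead of ARP, with a guard for addresses that no longer have a lease and for MACs that are already bound. It assumes the address list is still named hotspot_blacklist and that hotspot clients get their leases from this router's DHCP server.

```routeros
# Added example, not part of the original post.
# Convert hotspot_blacklist entries into hotspot MAC blocks using the
# DHCP lease table (assumed to be on this router) instead of ARP.
:foreach a in=[/ip firewall address-list find where dynamic=yes and list=hotspot_blacklist] do={
    :local ipaddr [/ip firewall address-list get $a address];
    :local lease [/ip dhcp-server lease find where address=$ipaddr];

    :if ([:len $lease] = 0) do={
        # No lease any more: leave the entry so it expires with its timeout.
        :log warning ("Hotspot blacklist: no DHCP lease for " . $ipaddr . ", keeping IP block");
    } else={
        :local mac [/ip dhcp-server lease get ($lease->0) mac-address];

        # Do not create duplicate bindings for a MAC that is already blocked.
        :if ([:len [/ip hotspot ip-binding find where mac-address=$mac]] = 0) do={
            /ip hotspot ip-binding add type=blocked mac-address=$mac comment=("blocked from script, last IP " . $ipaddr);
            :log warning ("Blocked from Hotspot MAC: " . $mac . " IP: " . $ipaddr);
        }
        # The MAC binding now covers the client, so the IP entry can go.
        /ip firewall address-list remove $a;
    }
}
```

Schedule it the same way as the ARP version, before the address-list timeout elapses.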
 
qatar2022
Member Candidate
Posts: 141
Joined: Mon Aug 24, 2020 11:12 am

Re: Solved: Bruteforce HTTP CHAP login prevention

Mon Nov 08, 2021 6:34 am

I will try it
 
qatar2022
Member Candidate
Posts: 141
Joined: Mon Aug 24, 2020 11:12 am

Re: Help: Bruteforce HTTP CHAP login prevention

Thu Nov 11, 2021 9:55 am

thank you emanuele
This is exactly what I need, but I noticed it's working on RB4011iGS+RM and I tried it with RB5009UG+S+IN but it doesn't work. I don't know why; I did the same thing on both devices.
any help or comments
best regards
