JFER
just joined
Topic Author
Posts: 10
Joined: Mon Jul 16, 2007 11:47 pm

Block Brute Force Via Firewall Scripting Unto Various Mikrot

Thu Sep 06, 2007 5:09 pm

Hi

I have recently stumbled upon various ssh, telnet and ftp firewall script rules, and I would like to distribute them to my MikroTiks via scripting.

Example: I have 192.168.1.2, 192.168.1.100, 10.10.1.2 (there is no clear address range).
1. I would like to export an IP list of my routers into a sequential connection script
2. telnet into them one by one
3. implement the scripts
4. log out
5. move on to the next one

Should I use Prizm or some other tool to simplify the solution?


Here are the ssh, ftp and telnet scripts (the original post came from http://forum.mikrotik.com//viewtopic.php?f=9&t=17292); the others are simple name and port variations.

ssh blocker

/ ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d \
comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m \
comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" \
disabled=no


ftp blocker

/ ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=black_list action=drop \
comment="drop ftp brute forcers" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new \
src-address-list=ftp_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d \
comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new \
src-address-list=ftp_stage2 action=add-src-to-address-list address-list=ftp_stage3 address-list-timeout=1m \
comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new \
src-address-list=ftp_stage1 action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=1m \
comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new \
action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m comment="" \
disabled=no

telnet blocker

/ ip firewall filter
add chain=input protocol=tcp dst-port=23 src-address-list=black_list action=drop \
comment="drop telnet brute forcers" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new \
src-address-list=telnet_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d \
comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new \
src-address-list=telnet_stage2 action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m \
comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new \
src-address-list=telnet_stage1 action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m \
comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new \
action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m comment="" \
disabled=no
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Block Brute Force Via Firewall Scripting Unto Various Mikrot

Thu Sep 06, 2007 9:45 pm

You can write a perl or tcl/expect script that will telnet to the router and apply the firewall rules.
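A Tcl/Expect script of the kind mrz describes, added here as an example (it is not from the thread or from MikroTik). It assumes a file routers.txt with one router address per line, a file rules.rsc containing the rule blocks posted above, one username/password valid on every router, and the RouterOS "+ct" login suffix to turn off console colours and terminal detection:

```tcl
#!/usr/bin/expect -f
# Added example, not from the thread: telnet to each router in routers.txt,
# send every rule from rules.rsc (the blocks posted above, "\" continuations
# included), log out, move to the next. One shared username/password assumed.
# Usage: ./push_rules.exp <username> <password>
set timeout 15
set user [lindex $argv 0]
set pass [lindex $argv 1]

proc slurp {path} {
    set fh [open $path r]; set data [read $fh]; close $fh
    return $data
}

# join "\"-continued lines so every rule is sent as one console command
set rules [slurp rules.rsc]
regsub -all "\\\\\n\[ \t\]*" $rules " " rules
set rules [split [string trim $rules] "\n"]
set routers [split [string trim [slurp routers.txt]] "\n"]
# RouterOS console prompt ends like "[admin@MikroTik] > "
set prompt {\] > $}
foreach host $routers {
    set host [string trim $host]
    if {$host eq ""} { continue }
    puts "=== $host ==="
    spawn telnet $host
    expect {
        "Login:" {}
        timeout { puts "$host: no login prompt, skipping"; catch {close}; wait; continue }
        eof     { puts "$host: connection failed, skipping"; wait; continue }
    }
    # "+ct" login suffix makes RouterOS drop colours and terminal detection,
    # so the prompt can be matched without escape sequences in the way
    send "$user+ct\r"
    expect "Password:"
    send "$pass\r"
    expect {
        -re {\[Y/n\]:} { send "n\r"; exp_continue }
        -re $prompt {}
        "Login:" { puts "$host: login rejected, skipping"; catch {close}; wait; continue }
        timeout  { puts "$host: no prompt after login, skipping"; catch {close}; wait; continue }
    }
    foreach rule $rules {
        if {[string trim $rule] eq ""} { continue }
        send "$rule\r"
        expect -re $prompt
    }
    send "/quit\r"
    expect eof
    wait
}
```

Each router's console output is echoed to the terminal as it runs, so a rejected rule is visible next to the host it failed on.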
 
JFER
just joined
Topic Author
Posts: 10
Joined: Mon Jul 16, 2007 11:47 pm

Re: Block Brute Force Via Firewall Scripting Unto Various Mikrot

Fri Sep 07, 2007 6:26 pm

Hi,

Thank you for answering my question so promptly.

I installed ActiveTcl, but I have yet to find the way to create a list of the MikroTiks I wish to manipulate, and later implement the firewall changes.

Would you happen to have an example tcl expect script I could start with?

On the other hand,

couldn't I do this sequentially with Prizm or The Dude?

JFER
