Is there a way to automatically block IP-adresses after X times login failures and put them on the block list for XX hours?
So if host 66.344.222.35 is trying to login in my routerboard 5 times and do not succed, routerboard automatically put this IP to drop packets from it on the firewall.
is that possible?
Regards Peter
Re: Block IP after X login failures
No, not natively supported.
You could, however, parse the log for failed login attempts, disabling accounts (or block IP) once a threshold is reached.
This should get you started: Log Parser - Event Trigger Script
You could, however, parse the log for failed login attempts, disabling accounts (or block IP) once a threshold is reached.
This should get you started: Log Parser - Event Trigger Script
Re: Block IP after X login failures
To block ssh and ftp bruteforcers, use this one
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
-
-
angboontiong
Forum Guru
- Posts: 1136
- Joined:
Re: Block IP after X login failures
I can see the ip in the blacklist, however, the ip in the blacklist still attempting to access according to the log ...To block ssh and ftp bruteforcers, use this one
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
-
-
IntrusDave
Forum Guru
- Posts: 1286
- Joined:
- Location: Rancho Cucamonga, CA
Re: Block IP after X login failures
You need to put in a filter rule (preferably in the RAW table) to block the blacklisted IP's
-
-
angboontiong
Forum Guru
- Posts: 1136
- Joined:
Re: Block IP after X login failures
You need to put in a filter rule (preferably in the RAW table) to block the blacklisted IP's
end up, i add this in:
add chain=input src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers IP" disabled=no
-
-
IntrusDave
Forum Guru
- Posts: 1286
- Joined:
- Location: Rancho Cucamonga, CA
Re: Block IP after X login failures
That's find, but make sure that the rule is placed above any accept rule for established connections.