sone
October 1, 2007, 11:06am
1
I'm using this method to block unwanted IPs trying to brute force my MikroTik via FTP:
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
# accept 10 incorrect logins per minute
/ ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
# add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
But when I try it to block unwanted IPs that log in via SSH (port 22) and via Telnet (port 23), it doesn't work.
Can anyone help?
Try leaving the "interface" value blank. The list must be first, and the rule that blocks this list next.
(1st rule)
/ ip firewall filter add chain=input protocol=tcp dst-port=20-23 connection-limit=1,32 action=add-src-to-address-list address-list=blacklist_ssh address-list-timeout=1w comment="ssh_telnet_ftp_limit" disabled=no
(2nd rule)
/ ip firewall filter add chain=input src-address-list=blacklist_ssh action=drop disabled=no
Result:
[admin@MikroLAN_Base] > ip firewall address-list print
Flags: X - disabled, D - dynamic
LIST ADDRESS
0 D blacklist_ssh 205.237.197.197
1 D blacklist_ssh 203.99.57.238
2 D blacklist_ssh 201.20.202.70
3 D blacklist_ssh 200.49.201.26
4 D blacklist_ssh 66.143.175.134
5 D blacklist_ssh 218.22.16.86
6 D blacklist_ssh 190.24.131.35
7 D blacklist_ssh 87.22.67.187
8 D blacklist_ssh 210.210.81.250
9 D blacklist_ssh 200.36.107.165
10 D blacklist_ssh 216.230.147.164
11 D blacklist_ssh 202.143.182.162
12 D blacklist_ssh 83.94.142.40
[admin@MikroLAN_Base] >
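Why the FTP rule set does not carry over, and a version that works for SSH and Telnet. The FTP rules match the literal reply "530 Login incorrect" in the router's outbound packets, which only works because FTP is cleartext; an SSH session is encrypted after the key exchange, so the firewall never sees a failed-login message, and Telnet's failure text is a different string anyway. For those ports the only thing the firewall can count is new TCP connections per source. The configuration below is an added example for this thread, not code posted by anyone in it. It chains short-lived "stage" address lists so that a source gets a fixed number of new connections to ports 21-23 within the stage timeout before its address is blacklisted, which also addresses the later question in the thread about allowing a few attempts before blocking. Assumed names: the lists mgmt_whitelist, mgmt_stage1 to mgmt_stage3 and mgmt_blacklist, and the documentation range 192.0.2.0/24 standing in for the administrator's own network.

```routeros
# Added example, not from the thread. 192.0.2.0/24 is a placeholder for your own
# management network: put it in the whitelist FIRST so that a mistake in the rules
# below cannot lock you out (and apply all of this from safe mode, Ctrl-X in the CLI).
/ip firewall address-list
add list=mgmt_whitelist address=192.0.2.0/24 comment="admin network, never counted or blacklisted"

/ip firewall filter
# 1. administrators are accepted before any counting happens
add chain=input protocol=tcp dst-port=21-23 src-address-list=mgmt_whitelist action=accept comment="mgmt whitelist"
# 2. already-blacklisted sources are dropped before they reach a counting rule
add chain=input protocol=tcp dst-port=21-23 src-address-list=mgmt_blacklist action=drop comment="drop brute-force sources"
# 3. stages are checked from highest to lowest because add-src-to-address-list does not
#    stop rule processing; checking stage1 first would walk one packet through every stage.
#    The 4th new connection inside the window lands the source on the blacklist (that
#    connection is still accepted); the 5th and later hit rule 2 and are dropped for a week.
add chain=input protocol=tcp dst-port=21-23 connection-state=new src-address-list=mgmt_stage3 action=add-src-to-address-list address-list=mgmt_blacklist address-list-timeout=1w comment="4th new connection within a minute: blacklist"
add chain=input protocol=tcp dst-port=21-23 connection-state=new src-address-list=mgmt_stage2 action=add-src-to-address-list address-list=mgmt_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=21-23 connection-state=new src-address-list=mgmt_stage1 action=add-src-to-address-list address-list=mgmt_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=21-23 connection-state=new action=add-src-to-address-list address-list=mgmt_stage1 address-list-timeout=1m
# 4. whatever is left is a source still inside its budget
add chain=input protocol=tcp dst-port=21-23 connection-state=new action=accept comment="mgmt within budget"
```

Check the result the same way as above, with `/ip firewall address-list print where list=mgmt_blacklist`. Sizing: each stage list adds one permitted new connection and the 1m timeouts set the window, so a fourth stage list gives five connections before the blacklist entry; if you would rather have the blacklisting attempt itself dropped, move rule 2 below the blacklist-add rule, which is Viroslash's ordering. Two caveats a practitioner should keep in mind: this counts TCP connections, not password guesses, and one SSH connection can carry several password attempts, so the real budget is larger than the connection count; and an attacker spreading attempts across many source addresses is not slowed at all. `connection-state=new` also requires connection tracking to be enabled.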
sone
October 1, 2007, 4:38pm
3
Viroslash:
Try leaving the "interface" value blank. The list must be first, and the rule that blocks this list next.
(1st rule)
/ ip firewall filter add chain=input protocol=tcp dst-port=20-23 connection-limit=1,32 action=add-src-to-address-list address-list=blacklist_ssh address-list-timeout=1w comment="ssh_telnet_ftp_limit" disabled=no
(2nd rule)
/ ip firewall filter add chain=input src-address-list=blacklist_ssh action=drop disabled=no
How about giving him 5 chances before blacklisting his IP? What should I fill in for the value?
prof
August 18, 2009, 3:50pm
4
I've got a question about your answer. After that, when will the person be able to reconnect with that same IP address?
One week. The duration can be set in address-list-timeout.
fosben
August 25, 2009, 10:59am
6
The easiest fix is to change the service ports to something else; then the scripts the hackers use don't trigger. I've changed the default service port on all my RBs and never have a problem with brute force. I had a lot of brute-force attempts before I did that.
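How to do what fosben describes, together with the restriction that actually stops the guessing. This is an added example, not configuration posted in the thread; port 2222 and 192.0.2.0/24 are placeholders. Moving SSH off port 22 only defeats scanners that try default ports, and once an attacker finds the new port the brute force resumes, so the `address=` restriction on the service (and disabling Telnet and FTP, which carry passwords in cleartext) is the control to rely on. Any firewall rule written for dst-port=22 must be updated to the new port as well.

```routeros
# Added example, not from the thread. 2222 and 192.0.2.0/24 are placeholders.
/ip service
# Telnet and FTP send passwords in cleartext; turn them off unless something really needs them
set telnet disabled=yes
set ftp disabled=yes
# move SSH off the default port (defeats default-port scanners only) and, more
# importantly, only answer SSH from the admin network
set ssh port=2222 address=192.0.2.0/24
# confirm what is still listening, on which port, and from where
print
```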