attack

Hello from all.
I am having an attack from some IP address that tries to log in via SSH to my RouterBOARD.
It is pretty intense.
How can I make a rule, if somebody fails to log in, to ban this IP for 1 day?
Thank you!

You can’t really make a rule that will only ban if there is a bad login… but you can ban based on the number of attempts for a new connection within X minutes…

See: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

Thank you!

Yep. The other option (personally I think it is better) is to actually secure port 22 from the internet and use either VPN or port knocking to protect it.

-Eric

You could also set a rule to only allow connections from specific IPs, assuming you don’t need access from everywhere.

Well, this allows blocking TCP connections. However, during each TCP session, tens of login attempts are done. Is there a way to set up the SSH daemon to close the TCP connection after 3 failed login attempts?

You mean the SSH server built into RouterOS? No. If you mean sshd on a Linux box then yes.

You can set up a port knock routine which would open the SSH port only if the port knock is correct.

http://wiki.mikrotik.com/wiki/Port_Knocking