Hi,
Have some issue with someone trying to access our MK via winbox from different IP.
Currently we are blocking it via filter rules and just keep adding the IP.
Is there a better way to blocked it or we only can simply just keep adding the IP?
Thanks a lot in advance.
Not really a problem to keep adding to the list but obviously this takes some time (administration) and is always reactive!
You should review your management strategy.
Yup, will try to only allow from the inside and limit the public IP access.
If still same…maybe will change the default port as you mention.
Thanks a lot for your advise. Appreciate it.
If you want config advice wrt security
post config
/export hide-sensitive file=anynameyouwish
hi there, in my opinion, theres many ways to skin this cat . I found this solution some years ago, this should help with your task of manually adding ips.
Add a bunch of filter rules using this as example, just change lte1 to your interface name. Take note the order of these rules are important, the most bottom allows the input, each rule up in the chain will add source ip address to a list that will expire in time, if too many attempts for winbox port from the same ip, the address will be added to a list that doesnt expire, the most top rule will drop incoming requests for that source ip. The lists will be cleared upon reboot, you can modify to make it permanent should you wish. Add these and whatch your Address List grow over a course of a day or 2
#drag these rules right to the top or make sure theres no rule that will take preference over these
/ip firewall filter
add action=drop chain=input comment=“drop winbox brute forcers”
connection-state=new dst-port=8291 in-interface=lte1 protocol=tcp
src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist
address-list-timeout=none-dynamic chain=input connection-state=new
dst-port=8291 in-interface-list=WAN protocol=tcp src-address-list=
winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3
address-list-timeout=10s chain=input comment=“winbox last attempt”
connection-state=new dst-port=8291 in-interface=lte1 protocol=tcp
src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2
address-list-timeout=20s chain=input comment=“winbox 2nd attempt”
connection-state=new dst-port=8291 in-interface=lte1 protocol=tcp
src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1
address-list-timeout=30s chain=input comment=“winbox initial 1st attempt”
connection-state=new dst-port=8291 in-interface=lte1 protocol=tcp
add action=accept chain=input dst-port=8291 in-interface=lte1 protocol=tcp
This kind of solution is a bit risky.
Lately I have been seeing several incoming port scans where the source address was spoofed to be e.g. 8.8.8.8 or 1.1.1.1 or 1.0.0.1 etc.
These scans apparently assume that you would have some mechanism like that and then those addresses will get added to your blacklist, which in some cases may affect your devices capability to use DNS or whatever source address was spoofed.
When you do something like that, always make sure that your “drop” rules are below the “accept established/related” rule that is normally at the top of the firewall table.
Also, never put those drop rules in the “raw” table.
Then you at least can still do outbound connects to those addresses even when they are in the blacklist for incoming connects.
And of course, in this particular example, do not use interface names in firewall rules. Use the predefined “LAN” and “WAN” interface lists, and put the relevant internet interface in the proper list. (e.g. put lte1 in the WAN list).
ALL of my MikroTik Router clients use MOAB to prevent External Attacks just like the one you describe.
If your MikroTik Router model qualifies for the MOAB service — I provide a 10 day Free Trial of MOAB so that you can see for yourself.
If you are interested see my sig below:
Of course the solutions that @jvanhambelgium presented are much better than such a generic blacklist, that will only help against mass portscanning and not cater for some targeted attack on his router.
for what its worth the rules were incomplete that i posted previously, have added what was missing
@jvanhambelgium suggestion is def the best, it should be standard practice when initially configuring
Do you need to administrate the router from the outside?
If yes, VPN is the way to go for Router admin from the outside.
If VPN is not possible to use, then to access the route: