Block connections from IP address when many attempts made?

Hi all. I’m looking for a way to simulate ‘fail2ban’ on my mikrotik routers.

I see a lot of SSH login attempts made on my border routers.

I’m looking for a way to do the following

if connection count from IP is less than 5 in the last 30 seconds on port 22, allow, else deny.

I have looked at adding addresses to an address list as they connect and then deny the address list but I don't have a way to handle the <5 part.

Any ideas?

Hello,

For this it is better to DENY and then ALLOW all. DENY all the people with many tries and allow the good users.

from: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention (you need to change the timeouts and perhaps make more stages (5))


This will cause an SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.


in /ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="4th new connection while still in stage3: blacklist for 10 days" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="3rd new connection while still in stage2" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="2nd new connection while still in stage1" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="1st new connection: start the counter" disabled=no

Thanks Ibersystems, I just had a brain dead moment. I already have a similar config of stacking address lists up for port knocking.

You know.. it’s Friday! For me too! : D!

TGIF right.

I am testing stacking the port knocking on top of this. Looks pretty good.

Can you tell me what is wrong here? I have been testing and SSH is not allowed at all unless I add the input/accept rule.

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 chain=input action=accept protocol=tcp dst-port=22

2 ;;; default configuration
chain=input action=accept connection-state=established

3 ;;; default configuration
chain=input action=accept connection-state=related

4 chain=input action=accept protocol=udp src-address=64.58.x.x in-interface=ether1-gateway dst-port=161

5 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21

6 chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m

7 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h
content=530 Login incorrect

8 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22

9 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3
address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22

10 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2
address-list=ssh_stage3 address-list-timeout=1m dst-port=22

11 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1
address-list=ssh_stage2 address-list-timeout=1m dst-port=22

12 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m
dst-port=22

13 ;;; Drop Everything Else
chain=input action=drop in-interface=ether1-gateway
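As an added example (not from the thread or the MikroTik wiki), here is the wiki's staged ruleset extended to the "fewer than 5 new connections in 30 seconds" requirement from the first post, together with the accept rule that the printed ruleset above depends on: add-src-to-address-list is a passthrough action and never accepts a packet, so a new SSH connection that is not blacklisted must reach an explicit accept before a final "drop everything else" rule. The interface name and the 10-day ban are assumptions taken from the printed ruleset.

```routeros
/ip firewall filter
# Keep existing sessions and ICMP working, as in the printed ruleset.
add chain=input connection-state=established action=accept comment="accept established"
add chain=input connection-state=related action=accept comment="accept related"
add chain=input protocol=icmp action=accept comment="accept icmp"

# One stage per NEW SSH connection. Rules are evaluated top-down and
# add-src-to-address-list is passthrough, so a single connection advances an
# address by exactly one stage (the highest list it is already in). Every
# stage entry expires after 30s, so an address reaches ssh_stage4 only when
# each of its last four new connections came within 30s of the previous one.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage4 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="5th new ssh connection: blacklist for 10 days (assumed ban length)"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_stage4 address-list-timeout=30s comment="4th attempt"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=30s comment="3rd attempt"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=30s comment="2nd attempt"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=30s comment="1st attempt"

# Placed AFTER the stage rules so the 5th connection itself is refused,
# not only the 6th (the wiki puts this drop first, which lets the
# blacklisting connection through once).
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers"

# The stage rules never accept anything. Without this accept, the final
# drop below refuses every SSH connection, which is what the printed
# ruleset shows when its rule 1 is removed.
add chain=input protocol=tcp dst-port=22 action=accept comment="accept ssh"

add chain=input in-interface=ether1-gateway action=drop \
    comment="Drop Everything Else"
```

Check the escalation with /ip firewall address-list print while opening test connections: an address should appear in ssh_stage1 through ssh_stage4 in turn and land in ssh_blacklist on the fifth new connection.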