Blocking Hackers

I noticed many brute force password attempts on my routers and servers. Also a number of port scans. After adding this to my firewall I noticed they were sweeping my whole network as well.

add chain=forward in-interface=internet protocol=tcp dst-port=21-23 tcp-flags=syn action=log log-prefix="ssh_ftp_sync" comment="" disabled=no

Wondered if there was a way to stop it to an extent, so I created this experimental configuration. Use it at your own risk.

First create a list of trusted IPs. Add IPs you trust here and your own IP pools.

/ip firewall address-list
add list=trusted-ips address=12.0.1.0/23 comment="" disabled=no
add list=trusted-ips address=12.0.0.0/24 comment="" disabled=no
add list=trusted-ips address=20.0.127.0/24 comment="" disabled=no

Now create a list of trap IPs. These are IPs that no one has any business connecting to, but are in your IP pool. Preferably in the lower end of your IP pool. Perhaps assign one or two as an addition to your router.

/ip firewall address-list
add list=trap-ips address=12.0.0.2 comment="" disabled=no

Now we need to create the firewall rules to catch the hack attempts.

/ip firewall filter
add chain=probe protocol=tcp dst-port=20-23 src-address-list=!trusted-ips dst-address-list=trap-ips action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=25 src-address-list=!trusted-ips dst-address-list=trap-ips action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=135-139 src-address-list=!trusted-ips dst-address-list=trap-ips action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=udp dst-port=135-139 src-address-list=!trusted-ips dst-address-list=trap-ips action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=445 src-address-list=!trusted-ips dst-address-list=trap-ips action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=1080 src-address-list=!trusted-ips dst-address-list=trap-ips action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=3128 src-address-list=!trusted-ips dst-address-list=trap-ips action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=8080 src-address-list=!trusted-ips dst-address-list=trap-ips action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe src-address-list=banned-ips action=log log-prefix="banned_ip" comment="" disabled=no
add chain=probe src-address-list=banned-ips action=drop comment="" disabled=no

Now create rules to jump to this new chain.

/ip firewall filter
add chain=forward action=jump jump-target=probe comment="Probe Check" disabled=no
add chain=input action=jump jump-target=probe comment="Probe Check" disabled=no

Think that's it. Please don't try this unless you're familiar with firewall rules. What it does is: any IP that tries to connect to, say, SSH on one of your trap IPs will be added to the banned-ips list for 2 weeks, and all traffic from that IP to your entire network will be dropped. Usually these are open proxies being used by hackers to hack other systems or find more open proxies. Perhaps this is a bad idea but I am going to try it for a while. Anyone else that tries it might tell how it works for them.

Matt
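To make the behaviour of the probe chain above concrete, here is an added Python model of it (not RouterOS code and not part of the original post); the address lists, ports and 2-week timeout come from the rules above, while the scanner and admin addresses are constructed. It also shows where the scheme stops: a trusted source is never listed, and a scanner that never touches a trap IP is never caught.

```python
import ipaddress

# Constructed model of the 'probe' chain (added example, not RouterOS code).
BAN_TIMEOUT = 14 * 24 * 3600  # address-list-timeout=2w, in seconds
PROBE_PORTS = {"tcp": {20, 21, 22, 23, 25, 445, 1080, 3128, 8080} | set(range(135, 140)),
               "udp": set(range(135, 140))}

class ProbeChain:
    def __init__(self, trusted, traps, now=0):
        self.now = now  # simulated clock so the 2-week timeout can be exercised
        # strict=False: RouterOS accepts 12.0.1.0/23 even though host bits are set
        self.lists = {"trusted-ips": {ipaddress.ip_network(n, strict=False): None for n in trusted},
                      "trap-ips": {ipaddress.ip_network(t, strict=False): None for t in traps},
                      "banned-ips": {}}

    def in_list(self, name, ip):
        """Address-list match; entries whose timeout has elapsed are purged."""
        addr = ipaddress.ip_address(ip)
        for net, expiry in list(self.lists[name].items()):
            if expiry is not None and expiry <= self.now:
                del self.lists[name][net]
            elif addr in net:
                return True
        return False

    def probe(self, src, dst, proto, dport):
        """Walk the chain in rule order; returns 'drop' or 'return' to the calling chain."""
        # Rules 1-8: untrusted source touching a trap IP on a watched port gets listed.
        # add-src-to-address-list does not terminate, so evaluation continues below.
        if (not self.in_list("trusted-ips", src) and self.in_list("trap-ips", dst)
                and dport in PROBE_PORTS.get(proto, ())):
            self.lists["banned-ips"][ipaddress.ip_network(src)] = self.now + BAN_TIMEOUT
        # Rules 9-10: anything from a banned source is logged, then dropped.
        if self.in_list("banned-ips", src):
            print(f"banned_ip: {src} -> {dst} {proto}/{dport}")
            return "drop"
        return "return"

def demo():
    fw = ProbeChain(trusted=["12.0.1.0/23", "12.0.0.0/24", "20.0.127.0/24"],
                    traps=["12.0.0.2"])
    r = [fw.probe("203.0.113.9", "12.0.0.2", "tcp", 22),    # scanner hits the trap: banned
         fw.probe("203.0.113.9", "12.0.0.50", "tcp", 80),   # its later traffic anywhere: dropped
         fw.probe("12.0.0.7", "12.0.0.2", "tcp", 22),       # trusted source: never listed
         fw.probe("198.51.100.4", "12.0.0.50", "tcp", 22)]  # SSH to a real host: not caught
    fw.now = BAN_TIMEOUT + 1                                 # two weeks later the ban lapses
    r.append(fw.probe("203.0.113.9", "12.0.0.50", "tcp", 80))
    return r
```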

Cool and thanks for sharing.

Was just playing with something not so elegant, but instead of drop, I did a tarpit in the test. The infected machine hung after a while.

Mike

What do you mean the infected machine hung? Do you mean the machine doing the port scanning or brute forcing?


The best solution I found to dealing with the near-continuous brute forcing we were experiencing was to simply change the port of SSH and web. No brute forces in 3 weeks!

Thx!
I'll test these settings!

These were not “attacks” against the router but a test worm infection scanning in the forward chain. The infected PC locked up after several hours. We’ve since had a PC downstream under NAT somewhere with an SMTP mailer bot of some type. Tarpitting killed that one too.

I thought of tarpitting, but I thought it might be better if the attacker was given no indication that the IP was even in use. Not sure which way is better. I use this to protect my users from the hackers as well as my routers and servers.

I also drop them HCI. What I do is count new connections within a certain amount of time and then drop them for 5 minutes if they try more than 4 times in 2 minutes. That way I can log in from anywhere and still keep a brute force attack from being effective.
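The per-source counter just described, as an added Python model (not the poster's actual rules, which are not shown in the thread): more than 4 new connections from one source within 2 minutes drops that source for 5 minutes, while an occasional admin login from the same time span still passes; the source addresses and timings are constructed.

```python
from collections import defaultdict, deque

WINDOW = 120   # "2 minutes", in seconds
MAX_NEW = 4    # more than 4 new connections inside the window triggers the drop
BLOCK = 300    # "5 minutes", in seconds

class ConnectionLimiter:
    """Constructed model of a per-source new-connection counter with a timed drop."""
    def __init__(self):
        self.attempts = defaultdict(deque)  # src -> timestamps of recent new connections
        self.blocked_until = {}             # src -> time at which the temporary drop lapses

    def new_connection(self, src, now):
        """Return 'drop' while a source is blocked, otherwise 'accept' and record the attempt."""
        if self.blocked_until.get(src, 0) > now:
            return "drop"
        q = self.attempts[src]
        q.append(now)
        while q and q[0] <= now - WINDOW:   # forget attempts older than the window
            q.popleft()
        if len(q) > MAX_NEW:
            self.blocked_until[src] = now + BLOCK
            q.clear()                       # start counting afresh once the block lapses
            return "drop"
        return "accept"

def demo():
    lim = ConnectionLimiter()
    # Constructed traffic: a bot opens a new SSH connection every 10 s,
    # the admin logs in once now and once an hour later.
    bot = [lim.new_connection("203.0.113.9", t) for t in range(0, 60, 10)]
    admin = [lim.new_connection("198.51.100.4", t) for t in (0, 3600)]
    later = lim.new_connection("203.0.113.9", 50 + BLOCK + 1)  # bot returns after the block lapses
    return bot, admin, later
```

The fifth attempt inside the window is the one that trips the counter, so the bot is dropped from its fifth connection onward and only gets a fresh start once the 5-minute block has expired.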

Note that the dictionary attacks on SSH and FTP ports are bots running on compromised machines. The combinations used are dictionary words and names (both usernames and passwords). If you have strong passwords, which you should anyway, it's very unlikely that these attacks will ever get through. If you change the port that SSH listens on, you won't see them in your log if you need global access to the router.


yup…

Simple and secure: manage your router via '/ip service'; you have to set it to the login method you need...!

regards
Hasbullah.com