Brute Force Firewall Prevention +New MT

Hi,

I used the firewall scripts on the Wiki to deter brute force.

I would like to implement them in the v3 MT, but they do not work.

Any pointers?

JFER

Hello,

The specific version is v3 beta 10.

My script is flagged invalid:

/ip firewall filter
# Each "add" is one command on one line; quotes must be straight ASCII quotes ("),
# the curly quotes the forum rendered are rejected by the script parser.

# FTP: drop sources already in black_list, then escalate repeated new connections
# through ftp_stage1 -> ftp_stage2 -> ftp_stage3 (1m each) -> black_list (1d)
add chain=input protocol=tcp dst-port=21 src-address-list=black_list action=drop comment="drop ftp brute forcers" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage2 action=add-src-to-address-list address-list=ftp_stage3 address-list-timeout=1m disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage1 action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=1m disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m disabled=no

# Telnet: same staging with its own telnet_stage* lists, sharing black_list
add chain=input protocol=tcp dst-port=23 src-address-list=black_list action=drop comment="drop telnet brute forcers" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage2 action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage1 action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m disabled=no

# SSH: same staging with its own ssh_stage* lists, sharing black_list
add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m disabled=no

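The staged lists in the script only escalate if each new connection arrives before the previous stage entry expires, and the black_list entry then outlives all of the stages. As an added example that is not part of the thread and not MikroTik code, the following Python model replays that rule chain over a constructed sequence of connection attempts. The list names, timeouts and rule order are taken from the script; the evaluation semantics (the first matching rule is the one whose action takes effect) and the sample source address are assumptions.

```python
# Added example (not from the thread): a small model of the staged address-list
# rules, used to check the timing behaviour of the 1m stage timeouts and the
# 1d black_list timeout against a constructed sequence of connection attempts.

STAGE_TIMEOUT = 60          # address-list-timeout=1m, in seconds
BLACKLIST_TIMEOUT = 86400   # address-list-timeout=1d, in seconds


class AddressLists:
    """Dynamic address-list entries keyed by (list name, ip) with an expiry time."""

    def __init__(self):
        self._expiry = {}

    def add(self, list_name, ip, now, timeout):
        # Re-adding an existing entry refreshes its timeout.
        self._expiry[(list_name, ip)] = now + timeout

    def contains(self, list_name, ip, now):
        expiry = self._expiry.get((list_name, ip))
        return expiry is not None and now < expiry


def build_chain(prefix):
    """Rules for one service, in the same order as the posted script.

    Each rule is (src-address-list or None, action, address-list, timeout)."""
    return [
        ("black_list", "drop", None, 0),
        (f"{prefix}_stage3", "add-src-to-address-list", "black_list", BLACKLIST_TIMEOUT),
        (f"{prefix}_stage2", "add-src-to-address-list", f"{prefix}_stage3", STAGE_TIMEOUT),
        (f"{prefix}_stage1", "add-src-to-address-list", f"{prefix}_stage2", STAGE_TIMEOUT),
        (None, "add-src-to-address-list", f"{prefix}_stage1", STAGE_TIMEOUT),
    ]


def new_connection(lists, chain, ip, now):
    """Evaluate one new TCP connection from ip against the chain.

    Assumption (a modelling choice, not taken from the thread): the first
    matching rule is the one whose action takes effect. Because the rules are
    ordered from the highest stage down, the escalation outcome is the same
    either way. Returns "drop" for a blacklisted source, otherwise "pass"
    (the script has no accept rule, so the packet continues down the chain).
    """
    for src_list, action, target, timeout in chain:
        if src_list is not None and not lists.contains(src_list, ip, now):
            continue
        if action == "drop":
            return "drop"
        lists.add(target, ip, now, timeout)
        return "pass"
    return "pass"


def simulate(attempt_times, service="ssh", ip="198.51.100.7"):
    """Replay new connections (seconds since start) from one source address.

    The default ip is a constructed TEST-NET-2 address, not a real host."""
    lists = AddressLists()
    chain = build_chain(service)
    return [new_connection(lists, chain, ip, t) for t in attempt_times]


if __name__ == "__main__":
    # Four new connections within a minute of each other: the fourth puts the
    # source into black_list and the fifth is dropped.
    print(simulate([0, 10, 20, 30, 40]))
    # One connection every 90 s: each stage entry expires before the next
    # attempt, so the source never gets past stage1.
    print(simulate([0, 90, 180, 270, 360]))
```

Two properties of the rules become visible when you run this. First, the counters are driven by new TCP connections, not by failed logins, so any client that opens four connections to the same port within a minute (for example an FTP client that reconnects per file) is blacklisted for a day just like an attacker. Second, a source that spaces its attempts more than a minute apart never escalates, because each stage entry has already expired when the next connection arrives.
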
Which rule is not working for you?
What kind of error do you get?
You may add options one by one and see which causes the issue; probably some option configuration has changed.

Hello,

Thank you for replying.

I do not receive an error; the script is flagged invalid and does not run.

I will play with it to see what exactly fails.

Thank You

JFER

You may try to add the rules one by one to see which rule is invalid.

from console:
/system script print from=

This will print your whole script with the position of the script error marked.

As an alternative to using a script, you could change the ports that ftp, telnet, and ssh use under /ip service.

I always find this as being much easier … I usually change each default port number one up or one down.

Hello,

Excellent, more than one way to skin a cat.

I appreciate all your posts.

JFER