Brute-Force Rules have MAC

We have a bridged network (I know, I know) that I just started managing, with dozens of routers. I have applied the standard SSH/Winbox “Brute-Force” rules to the systems and they are showing me tons of MAC addresses in the logs. My assumption is that the WAN interfaces of many of these routers have the IP DHCP client enabled.
[attachment: mac_drops.jpg]
Would you recommend just dropping, or stopping the DHCP client on the routers? If dropping, what would the rule look like?

Here are the brute-force rules.

#Create SSH Black List
/ip firewall address-list
add list="Black List (SSH)" comment="Black List (SSH)"

#SSH Brute Force Protection Rules
/ip firewall filter
add action=drop chain=input in-interface=ether1 comment="Drop anyone in Black List (SSH)." log=yes log-prefix="BL_Black List (SSH)" src-address-list="Black List (SSH)"
add action=jump chain=input in-interface=ether1 comment="Jump to Black List (SSH) chain." dst-port=22 jump-target="Black List (SSH) Chain" protocol=tcp
add in-interface=ether1 action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=4w2d chain="Black List (SSH) Chain" comment="Transfer repeated attempts from Black List (SSH) Stage 3 to Black List (SSH)." connection-state=new log=yes log-prefix="Add_Black List (SSH)" src-address-list="Black List (SSH) Stage 3"
add in-interface=ether1 action=add-src-to-address-list address-list="Black List (SSH) Stage 3" address-list-timeout=1m chain="Black List (SSH) Chain" comment="Add successive attempts to Black List (SSH) Stage 3." connection-state=new log=yes log-prefix="Add_Black List (SSH) S3" src-address-list="Black List (SSH) Stage 2"
add in-interface=ether1 action=add-src-to-address-list address-list="Black List (SSH) Stage 2" address-list-timeout=1m chain="Black List (SSH) Chain" comment="Add successive attempts to Black List (SSH) Stage 2." connection-state=new log=yes log-prefix="Add_Black List (SSH) S2" src-address-list="Black List (SSH) Stage 1"
add in-interface=ether1 action=add-src-to-address-list address-list="Black List (SSH) Stage 1" address-list-timeout=1m chain="Black List (SSH) Chain" comment="Add initial attempt to Black List (SSH) Stage 1." connection-state=new log=yes log-prefix="Add_Black List (SSH) S1"
add action=return chain="Black List (SSH) Chain" comment="Return From Black List (SSH) chain."

#Create Winbox Black List
/ip firewall address-list
add list="Black List (Winbox)" comment="Black List (Winbox)"

#Winbox Brute Force Protection Rules
/ip firewall filter
add action=drop chain=input in-interface=ether1 comment="Drop anyone in Black List (Winbox)." log=yes log-prefix="BL_Black List (Winbox)" src-address-list="Black List (Winbox)"
add action=jump chain=input in-interface=ether1 comment="Jump to Black List (Winbox) chain." dst-port=8291 jump-target="Black List (Winbox) Chain" protocol=tcp
add in-interface=ether1 action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=4w2d chain="Black List (Winbox) Chain" comment="Transfer repeated attempts from Black List (Winbox) Stage 3 to Black List (Winbox)." connection-state=new log=yes log-prefix="Add_Black List (Winbox)" src-address-list="Black List (Winbox) Stage 3"
add in-interface=ether1 action=add-src-to-address-list address-list="Black List (Winbox) Stage 3" address-list-timeout=1m chain="Black List (Winbox) Chain" comment="Add successive attempts to Black List (Winbox) Stage 3." connection-state=new log=yes log-prefix="Add_Black List (Winbox) S3" src-address-list="Black List (Winbox) Stage 2"
add in-interface=ether1 action=add-src-to-address-list address-list="Black List (Winbox) Stage 2" address-list-timeout=1m chain="Black List (Winbox) Chain" comment="Add successive attempts to Black List (Winbox) Stage 2." connection-state=new log=yes log-prefix="Add_Black List (Winbox) S2" src-address-list="Black List (Winbox) Stage 1"
add in-interface=ether1 action=add-src-to-address-list address-list="Black List (Winbox) Stage 1" address-list-timeout=1m chain="Black List (Winbox) Chain" comment="Add initial attempt to Black List (Winbox) Stage 1." connection-state=new log=yes log-prefix="Add_Black List (Winbox) S1"
add action=return chain="Black List (Winbox) Chain" comment="Return From Black List (Winbox) chain."

The whole thing is that, unlike with /interface list, where you have to add a named item under /interface list first to be able to refer to the list from firewall rules and to add /interface list member items, an address-list name need not be “declared” in advance: the firewall rule adding the first row to the address list is enough.

But if you don’t specify any address item when adding an /ip firewall address-list row, a default value of 0.0.0.0 is used because the data structure doesn’t expect an empty address field. And the DHCP requests come with a source address of 0.0.0.0, whilst your drop rules only match on src-address-list and nothing else. So just remove your “comment-holding” /ip firewall address-list rows and the log lines will disappear.

If you are concerned about the amount of broadcast traffic, then do disable the DHCP clients.
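The diagnosis in the reply above can be checked against the log before touching the firewall. What follows is an added example, not code from this thread or from MikroTik: a Python triage script that parses the firewall log lines the rules above produce (the line format is the one RouterOS 6.x writes for a rule with log=yes, which is an assumption here; the sample lines are constructed, using documentation IP ranges and made-up MAC addresses), separates DHCP Discover/Request broadcasts (0.0.0.0:68 to 255.255.255.255:67) from genuine SSH and Winbox attempts, and lists the MACs of the DHCP clients causing the noise alongside the source IPs actually working their way through the staged blacklist.

```python
"""Triage RouterOS firewall log lines from the "Black List (SSH)" / "Black List
(Winbox)" rules.  Added example; not from the forum thread or from MikroTik.

Assumed log format (RouterOS 6.x, rule with log=yes; the input chain shows
"out:(unknown 0)"):

  <log-prefix> <chain>: in:<if> out:<if>, src-mac <mac>, proto <PROTO>[ (<flags>)],
  <src-ip>:<sport>-><dst-ip>:<dport>, len <n>

Only TCP/UDP lines are parsed; ICMP and non-firewall lines are reported as unparsed.
"""
import re
from collections import Counter, defaultdict
from typing import Optional

LOG_RE = re.compile(
    r"^(?P<prefix>.*?) ?(?P<chain>input|forward|output): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"(?:src-mac (?P<src_mac>[0-9a-fA-F:]{17}), )?"
    r"proto (?P<proto>TCP|UDP)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+), "
    r"len (?P<len>\d+)$"
)

# Constructed sample: two DHCP broadcasts from other routers' WAN DHCP clients that hit
# the SSH drop rule (the first drop rule in the chain), one host being stepped through
# the SSH stages and finally dropped, and one first-stage Winbox attempt.
SAMPLE_LOG = """\
BL_Black List (SSH) input: in:ether1 out:(unknown 0), src-mac 4c:5e:0c:11:22:33, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
BL_Black List (SSH) input: in:ether1 out:(unknown 0), src-mac 4c:5e:0c:44:55:66, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 300
Add_Black List (SSH) S1 input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.45:51234->198.51.100.10:22, len 60
Add_Black List (SSH) S2 input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.45:51240->198.51.100.10:22, len 60
Add_Black List (SSH) S3 input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.45:51251->198.51.100.10:22, len 60
Add_Black List (SSH) input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.45:51263->198.51.100.10:22, len 60
BL_Black List (SSH) input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 203.0.113.45:51270->198.51.100.10:22, len 60
Add_Black List (Winbox) S1 input: in:ether1 out:(unknown 0), src-mac 00:0c:42:aa:bb:cc, proto TCP (SYN), 192.0.2.77:40000->198.51.100.10:8291, len 60
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_log_line(line: str) -> Optional[dict]:
    """Return the fields of one TCP/UDP firewall log line, or None if it does not
    match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "len"):
        entry[key] = int(entry[key])
    return entry


def classify(entry: dict) -> str:
    """Name what the logged packet really is.  A DHCP client with no lease sends its
    Discover/Request from 0.0.0.0:68 to 255.255.255.255:67; on a bridged segment that
    broadcast lands in the input chain of every router, and an address-list entry of
    0.0.0.0 makes the src-address-list drop rule match it."""
    if (entry["proto"] == "UDP" and entry["src"] == "0.0.0.0"
            and entry["sport"] == 68 and entry["dport"] == 67):
        return "dhcp-broadcast"
    if entry["proto"] == "TCP" and entry["dport"] == 22:
        return "ssh"
    if entry["proto"] == "TCP" and entry["dport"] == 8291:
        return "winbox"
    return "other"


def triage(lines) -> dict:
    """Summarise a batch of log lines: hits per category, the MACs of the DHCP clients
    producing the noise, per-source hit counts for real SSH/Winbox attempts, and any
    lines the parser could not handle."""
    counts = Counter()
    dhcp_macs = set()
    attempts = defaultdict(Counter)  # category -> source IP -> hits
    unparsed = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            unparsed.append(line)
            continue
        category = classify(entry)
        counts[category] += 1
        if category == "dhcp-broadcast":
            if entry["src_mac"]:
                dhcp_macs.add(entry["src_mac"].lower())
        elif category in ("ssh", "winbox"):
            attempts[category][entry["src"]] += 1
    return {
        "counts": dict(counts),
        "dhcp_macs": sorted(dhcp_macs),
        "attempts": {k: dict(v) for k, v in attempts.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("hits by category:", result["counts"])
    print("DHCP clients (MAC):", result["dhcp_macs"])
    print("brute-force sources:", result["attempts"])
    print("unparsed lines:", len(result["unparsed"]))
```

Feed it the output of /log print (or a syslog export) from a router showing the drops. If every BL_ line lands in dhcp-broadcast, the entries are the 0.0.0.0 rows matching neighbouring routers' DHCP clients rather than an attacker, and removing the two comment-only address-list rows (or disabling the DHCP clients) is the right fix; BL_ lines counted under ssh or winbox are the staged blacklist doing its job.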