Bruteforce protection script

Hello!
I have used for years the brute force protection that was indicated on the MT website; it seems to work.
These are the “old” rules:
https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention



Now I have found this new set of rules:
https://help.mikrotik.com/docs/display/ROS/Bruteforce+prevention

I tried them on my router, but it doesn’t work, since I can do a lot of failed attempts in a row, then I get disconnected, but I connect back again and I do more…

Is there a final script that really works?
I have replaced the “old” rules on the IPv6 input chain because I got blocked almost immediately, even if I do a successful login.
I want to apply them in the IPv6 input chain as well.
I am using ROS 7.11.2.

The best protection is not to leave the service ports open to the world…
Have you ever heard of (not outdated) VPNs?

No, I’m using WireGuard

Hello,
sorry man, but your answer seems a bit aggressive...
Of course I know about VPNs, I own an ISP, I know, thanks. We use outdated VPNs to access our network (L2TP+IPsec). :slight_smile:

Since I have put a specific question, can you please stick to the question?
I left SSH open to the world for the whole morning with the "new" scripts; the result is 0 users in the blacklist but a lot of failed login attempts.
I will set up the old one again, try again, and post the results.

Thank you

Ok… the title is
Bruteforce protection script
so…
This is the best RouterOS services (only) protection script.
There can’t be a better one. It is immune to any attack on such services, and does not require any firewall rule.
Remove the ***** on the script… [For other users: the script punishes meaningless copying and pasting… Be careful what you do…]

/ip ser*vice disable [find]

Sometimes it is better not to answer a question if you know from the start that you aren’t going to help.
Suggesting that I shut down a service is not the answer. For sure it is a way to secure the router, without doubt!


I need to have SSH open, for a handful of reasons. The “old” script works flawlessly in the IPv4 world, but the very same “old” script doesn’t work in IPv6, since I get blacklisted immediately, even if I cannot complete the login/password process!
Did anyone run some tests too?
Thank you


PS: until I find a solution, I have used this easy workaround:

/ipv6 firewall raw
add action=passthrough chain=prerouting
add action=drop chain=prerouting comment="Protezione servizi su router IPv6" dst-address-type=local dst-port=22,53,80,8291 protocol=tcp
add action=drop chain=prerouting comment="Protezione servizi su router IPv6" dst-address-type=local dst-port=53 protocol=tcp

I cannot disable SSH completely because we use it for our IPv4 management.