Denying connections after so many

We are currently running a Snort box and a Cisco router. We have the Snort box set up where if it sees more than 20 SMTP or SSH connections from a single IP it will SSH to the Cisco and write an access list entry that blocks that IP. 15 minutes later it SSHes back and removes the access list entry. This has cut down on spam and SSH attacks. Can anything like this be accomplished with Mikrotik?

Thanks,
Justin

I believe it can be done from the router as far as detecting the traffic and creating the drop rules…

Any rule that can be created can be reversed…

I am not sure how to handle the timing part..

IE a scheduler job can run at a set interval to remove rules, but I don't know how to look for the “time out” on the rules.. IE creation timestamp…

Butch Evans may be your best bet on this one…

Craig

You can set a firewall rule that counts connections, and when the number is reached it can add that IP to an address list. Another rule would block connections from IPs in the address list. When adding the address record you can specify a timeout.

You do not need a script for this.
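
The two rules described in the reply above, written out as a RouterOS configuration. This is an added example, not part of the original posts; the list name `conn_flood` and the use of `chain=forward` (servers behind the router) are assumptions, while the 20-connection threshold and 15-minute timeout come from the question.

```routeros
# Added example. Assumptions: list name "conn_flood", chain=forward
# (protected mail/SSH hosts sit behind the router; use chain=input
# instead to protect the router's own services).
/ip firewall filter

# Rule 1: drop new SSH/SMTP connections from any source currently on
# the list. It sits first so listed sources are refused before the
# counting rule sees them.
add chain=forward protocol=tcp dst-port=22,25 connection-state=new \
    src-address-list=conn_flood action=drop \
    comment="drop sources on conn_flood"

# Rule 2: when one source address (/32) exceeds 20 connections to
# SSH/SMTP, add it to the list. The entry is dynamic and the router
# removes it by itself after 15 minutes, so no scheduler job or
# cleanup script is needed.
add chain=forward protocol=tcp dst-port=22,25 tcp-flags=syn \
    connection-limit=20,32 action=add-src-to-address-list \
    address-list=conn_flood address-list-timeout=15m \
    comment="list sources over 20 connections"

# Check which sources are currently listed and how long each entry
# has left before it expires.
/ip firewall address-list print where list=conn_flood
```

`connection-limit` counts connections open at the same time, so a threshold tuned for a per-interval count (as an IDS rule might use) may need adjusting. Add known-good relays and management addresses to an accept rule above these two so they cannot be listed.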

I forgot about the timeout…

Good idea..