Firewall Rule for Remote Connection (ts)

Good afternoon everyone, how are you?

I am having problems with intrusion attempts on my clients' servers via remote connection (TS).

Is there a way to create some rule in the firewall so that, when someone tries to enter through the remote connection, the IP is banned for a certain time after the person types the password 3 times? I work with an RB750Gr3.

Thanks in advance

Are you able to know which WAN IPs are going to require access to your servers?
Other than that I am not sure how the router will know anything about password attempts.
Perhaps if there is no established connection after x amount of time, then something can be done.
It's an interesting question.

For ssh connections I’m doing this once per hour:

:do {
    # walk every log entry recording a failed ssh login, e.g.
    # "login failure for user admin from 192.0.2.10 via ssh"
    :foreach mess in=[/log find where message~"failure.*via ssh" ] do={
      :local tim [/log get $mess time];
      :local line [/log get $mess message];
      :local fr [:find $line "from "];
      # source address sits between "from " and " via"
      :local addr [:pick $line  ($fr+5) [:find $line " via"]];
      # user name sits between "for user " and the space before "from"
      :local usr [:pick $line ([:find $line "for "]+9) ($fr-1)];
      # not already blacklisted
      :if (([:len [/ip firewall address-list find where list=blacklist and address~"$addr"]])=0) do={
          # if number of attempts > NNN blacklist
          :if ([:len [/log find where message~"$addr"]]>3) do={
            /ip firewall address-list add list=blacklist address=$addr timeout=1w comment="fail2ban"
            /log info "$addr added to blacklist because of repeated ssh login attempts as $usr";
            }
          }
      }
} on-error={ /log info "fail2ban failed"}

It can be run more frequently. Not sure if for other services it would work, as I don’t use winbox, etc.

While the code looks nice, it only works for detecting attempts to connect to services run on the router itself. OP wants to protect against intrusions through terminal services (TS) … which are run by LAN (DMZ) hosts. And for that even @anav’s suggestion won’t work, as from the router’s point of view connections are established before the TS server requests identification of the client. And when authentication fails, the client will likely properly close the TCP connection. The only indication that something went wrong (i.e. incorrect credentials) would be a short-lived (and low-traffic) TCP connection targeting port 3389.

First of all, thank you all.

Let's change the question; maybe it's easier to understand.

Let's imagine that if any external IP tries to connect via TS on a certain port, the rule starts counting; if after the third time it is unable to connect, the IP will be added to a blacklist and thus banned for some time. Is there any possibility of creating some rule for this, or one that follows the same logic?
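The counting described in the reformulated question can be done with staged address lists in the forward chain, the same pattern MikroTik documents for SSH on the input chain. The rules below are an added example written for this thread, not configuration posted by anyone in it. They assume the WAN interface is a member of the interface list named WAN, that the TS server is reached through a dst-nat rule so the forwarded traffic has dst-port 3389, and a constructed trusted address 203.0.113.10 for the ts-allowed list. As noted above, the router sees TCP connections, not passwords: a source is banned on its third new connection to the TS port within a one-minute window, whether or not the logins failed, so the allow list is there for known admin addresses.

```routeros
# Added example (not from this thread). Assumes: WAN interface in interface
# list "WAN"; TS server reached via dst-nat on tcp/3389; trusted admin WAN
# address 203.0.113.10 is a constructed placeholder.

/ip firewall address-list
add list=ts-allowed address=203.0.113.10 comment="constructed example: trusted admin WAN IP, never counted"

/ip firewall filter
# 1. Already-banned sources are dropped first, before any accept for dst-nat traffic.
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 \
    src-address-list=ts-blacklist action=drop comment="TS: drop banned sources"

# 2. Known admin addresses skip the counting entirely.
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 connection-state=new \
    src-address-list=ts-allowed action=accept comment="TS: trusted sources"

# 3. Third new connection within the window (source already in stage2): ban for 1 day.
#    add-src-to-address-list does not stop rule processing, so rule 4 below drops this packet too.
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 connection-state=new \
    src-address-list=ts-stage2 action=add-src-to-address-list address-list=ts-blacklist \
    address-list-timeout=1d comment="TS: 3rd attempt in 1m -> blacklist"
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 connection-state=new \
    src-address-list=ts-blacklist action=drop comment="TS: drop the attempt that triggered the ban"

# 5. Second new connection (source in stage1): promote to stage2 for 1 minute.
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 connection-state=new \
    src-address-list=ts-stage1 action=add-src-to-address-list address-list=ts-stage2 \
    address-list-timeout=1m comment="TS: 2nd attempt"

# 6. Any new connection: record the source in stage1 for 1 minute.
add chain=forward in-interface-list=WAN protocol=tcp dst-port=3389 connection-state=new \
    action=add-src-to-address-list address-list=ts-stage1 \
    address-list-timeout=1m comment="TS: 1st attempt"

# Inspect what has been counted and banned:
# /ip firewall address-list print where list~"ts-"
```

The rules must sit above any general accept for forwarded dst-nat traffic, otherwise the counting rules are never reached. The one-minute stage timeouts decide how close together attempts have to be to count; the 1d blacklist timeout is the ban period the question asks for and can be set to whatever suits the client. Because every new TCP connection is counted, a legitimate user whose client reconnects repeatedly will also land in the blacklist, which is why trusted addresses go in ts-allowed and why the ban is time-limited rather than permanent.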