ftp regex question with a little NAT, counting and return

esannerud · May 29, 2009, 11:56am

Hello folks

I have several servers and just one public IP address. So I’m NATing everything.

On the log at the ftp server there are a ton of “authenication failure”. I want to block the IP’s to those who are trying to brute force my ftp. And since routeros is reading NAT before Filter Rules I have to somehow find all packets that returns the error message from the ftp server, log the IP address to an address list and then block it for some time.

I’m not the best at explaining things so I hope some of you are following this.

I will try to sum up:

find all outgoing packets that has the message “530 Login incorrect.” (this is what the ftp server returns to the client)
If it has returned this 5 times within short time then
add the address to an Address list that blocks the IP for about 10 days or so

This is what I have in my Regexp now “.Login incorrect.” and it is not working, or I’m not setting the NAT rule correct - or something

Any suggestions?

Regards
Erlend
(Who is banging his head against the keyboard now)

hilton · May 29, 2009, 8:12pm

Have you read this?

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP_%26_SSH)

esannerud · June 2, 2009, 10:23am

Yes, and tried it. It did not work. It was not able to find the outgoing packets with the “530 Login incorrect” content.

I find the packet when I do a packet sniffing. Actually I find three packets. One packet from the interface that the ftp server is on (ether2). Second packet is from the bridge since I have some of the ehter interfaces set in bridge mode. The third packet is from the WAN interface to the offending ip.

It looks like the router does not check the established connections.

Erlend

esannerud · June 2, 2009, 11:57am

And here is the solution:

/ip firewall mangle
add action=add-dst-to-address-list address-list=ftp_Brute address-list-timeout=3h chain=postrouting comment="" \
    content="530 Login incorrect" disabled=no out-interface=ether10 protocol=tcp src-port=21

/ip firewall nat
add action=return chain=dstnat comment="return of ftp brute bot" disabled=no port=21 protocol=tcp \
    src-address-list=ftp_Brute

Erlend