I block the attempt to access the winbox via ACL
in ip service, where only the registered IPs can access the winbox.
OK, it works very well; however, I get a lot of attempts, all unsuccessful.
I see these attempts by looking in the “log”;
the record appears in blue, in “topics” of the “warning” type.
I think of it this way:
those who are interested in trying to access the router may also be interested in DDoS attacks.
To avoid this possible interest, I would like to send this attacking IP to blackhole.
I know that to see this log of attempted access via terminal, it is by the command: /log print where topics=warning
In the example below I will demonstrate how the script dynamics would be:
the script runs the command: /log print where topics=warning
this is a real result:
may/28 12:39:14 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:16 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:18 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:20 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:23 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:25 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:27 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:30 warning denied winbox/dude connect from 181.46.136.147
may/28 12:40:26 warning denied winbox/dude connect from 181.46.136.147
may/28 12:40:29 warning denied winbox/dude connect from 181.46.136.147
may/28 12:40:31 warning denied winbox/dude connect from 181.46.136.147
the script then captures the source IP, in this case 181.46.136.147, and sends it to blackhole with this command:
/ip route add dst-address=181.46.136.147 type=blackhole
Only that! But I have never written a script before!!
Does anyone have a script, or can help me build a script for this?
Today in my BGP I follow good DDoS practices: I have FastNetMon with ExaBGP installed in parallel, closing a BGP session,
I also have two BGP sessions with Cymru, from which I get 1400 routes,
and I put my public IPs that I don’t use into the blackhole, avoiding a static loop.
You don’t even need a script for that, just make use of the firewall rules. You can configure a rule so that a certain public IP that “tries” to connect to an IP on your router is automagically added to an ACL, and then you can do with it what you want.
Apart from that, you should not/never make your Mikrotik accessible from the “Internet”!!
I read in your post that you are probably a small ISP running BGP?
Filter source IPs so only selected IPs are able to reach the Winbox/API/Webfig port.
Isn’t it better to change the Winbox port to something random like 56897, use “port knocking” to temporarily allow that single IP that “knocks”,
and simply drop all the other connections?
It’s a layered approach.
Use IKEv2 VPN to access the router to manage it.
Port knocking works but is a temp solution.
Wireguard will be easy and best once it moves from beta to stable release (works fantastically).
Never use default ports or passwords (including winbox port).
Use input chain access rule for the router itself (use firewall address list to delineate IPs allowed).
Use IP services for the same. ( I tend to use subnets in IP services and actual IPs in firewall address list - just personal preference).
MAKE use of MAC WINBOX MAC SERVER - where you state which interface is permitted access.
I usually create a MNGT interface and then only put the vlans or subnets with access in there as well.
It usually mirrors the ip services entries… (but is another layer of control)
@jotne, it would be nice to see your ‘set’ of rule(s) that do this blocking for 24 hours etc.
Here you go. (it may not be perfect, but works for me)
Upper blocking part (not at the top, but high in the filter list)
/ip firewall filter
add action=jump chain=input comment="Drop user that has tried ports that are not open and has been added to block list - Send to TARPIT to prevent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT log-prefix=FI_J_TCP-port-test protocol=tcp src-address-list=FW_Block_unkown_port
add action=tarpit chain=TARPIT limit=10,5:packet log-prefix=FX_T_TCP-port-test protocol=tcp
add action=drop chain=TARPIT log-prefix=FX_D_TCP-port-test protocol=tcp
add action=drop chain=input in-interface=ether1 log-prefix=FI_D_UDP-port-test protocol=udp src-address-list=FW_Block_unkown_port
Bottom part (at the end of the filter list) that adds an IP to the access list if no rule above has been used.
/ip firewall filter
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment="Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=FI_AS_port-test
add action=drop chain=input comment="Drop packets that have not been allowed or dropped before." in-interface=ether1 log=yes log-prefix=FI_D_port-test
Thanks for the answers.
I’m from Brazil, my English is not good!
I think I was not very clear, I will try to explain it better.
I’m not having any problems with attacks!
I did an ACL where only certain IPs can access the winbox, and it works great! These access attempts are unsuccessful; the attacker is unable to achieve anything because of the ACL.
I don’t want to use firewall rules because of Fast Path.
This box is only for BGP, I do not do NAT.
I want to make this script just for the sake of attention, because whoever tries to access the winbox can also try a DDoS attack.
OK, now I understand the use-case better.
In that scenario, it’s indeed better to “scan” the logs and try to extract the IPs of login attempts.
Many scripts exist that are almost what you need, for example this one from Jotne.
Basically you need to adapt it slightly so that the action here is not to add it to an access-list, but to blackhole this /32 host.
You can change the “message” variable to for example “warning denied winbox”
I think this is a very good start to accomplish your goal.
This in itself is not enough, you should implement more of the list in my first post.
Do not use the default port, for a start. Many scan for this port since it has been flawed before.
Port knocking will prevent anyone from seeing the open port before the right combination is knocked.
I do use Splunk to log this rule and can see who tries to attack me.
_time type dir act rule chain in_if out_if src_mac protocol src_ip src_port dest_ip dest_port City Country
2021-05-30 08:49:56 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 192.35.168.70 38286 92.2xx.2xx.9x 502 United States
2021-05-30 08:48:56 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 172.217.20.34 443 92.2xx.2xx.9x 38402 United States
2021-05-30 08:48:39 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 190.190.219.160 49222 92.2xx.2xx.9x 30884 Benavidez Argentina
2021-05-30 08:48:05 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 176.65.3.36 1957 92.2xx.2xx.9x 8088 Gaza Palestine
2021-05-30 08:47:59 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 185.219.52.160 59968 92.2xx.2xx.9x 27017 Warsaw Poland
2021-05-30 08:47:21 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 195.230.103.242 58191 92.2xx.2xx.9x 179 Kharkiv Ukraine
2021-05-30 08:46:33 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 190.220.115.11 43575 92.2xx.2xx.9x 445 Argentina
2021-05-30 08:45:57 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 165.227.36.93 61953 92.2xx.2xx.9x 4080 Toronto Canada
2021-05-30 08:45:40 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 UDP 51.15.144.168 5447 92.2xx.2xx.9x 5060 Paris France
2021-05-30 08:44:53 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 UDP 182.186.255.200 33898 92.2xx.2xx.9x 32480 Faisalabad Pakistan
2021-05-30 08:44:27 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 UDP 51.195.166.22 1900 92.2xx.2xx.9x 5353 France
2021-05-30 08:44:21 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 UDP 89.64.18.233 20700 92.2xx.2xx.9x 12347 Warsaw Poland
2021-05-30 08:43:25 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 UDP 103.79.254.65 61127 92.2xx.2xx.9x 12347 Panjim India
2021-05-30 08:43:02 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 193.163.125.28 51318 92.2xx.2xx.9x 3389 Denmark
2021-05-30 08:42:27 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 UDP 122.3.103.0 1038 92.2xx.2xx.9x 12347 Carcar Philippines
2021-05-30 08:42:20 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 157.245.5.223 443 92.2xx.2xx.9x 27017 New York United States
2021-05-30 08:42:19 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 185.107.71.138 56654 92.2xx.2xx.9x 30965 Netherlands
2021-05-30 08:42:13 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 121.5.160.181 56596 92.2xx.2xx.9x 2375 China
2021-05-30 08:42:00 F I D FI_D_port-test input ether1 (unknown 0) 00:05:00:01:00:01 TCP 185.200.118.37 42605 92.2xx.2xx.9x 1080 London United Kingdom
Country count
United States 31957
China 12909
India 12486
United Kingdom 7286
Netherlands 6569
Brazil 6083
Canada 5967
Philippines 5119
Russia 4177
South Africa 3833
Australia 3711
Germany 2994
Israel 2871
Thanks @jvanhambelgium
I see the topic, it helped me a lot, and the coolest @Jotne is participating here too, so I believe it works! I’ll show you what I did, it was practically what you said!!!
# Script DENIED-WINBOX
# Find all "denied winbox" messages from the last 5 min
:local loglist [:toarray [/log find time>([/system clock get time] - 5m) message~"denied winbox"]]
# for every matching log entry do
:foreach i in=$loglist do={
    # read the message text
    :local logMessage [/log get $i message]
    # take everything up to the first space of the message
    :local ip [:pick $logMessage 0 [:find $logMessage " "]]
    # add it to blackhole
    /ip route add dst-address=$ip type=blackhole comment="ips-malicioso"
    # send a message to the log
    :log info message="script=DENIED-WINBOX_failed src_ip=$ip"
}
But it didn’t go to blackhole!
Any idea?
About Splunk, I found it very interesting, I’ll look into it more; do I install it on a Linux box alongside the MikroTik?
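The same message parsing done off-box, as an added example (not the forum posters' code), so the two extraction strategies in this thread can be compared on the real log format. On a message such as "denied winbox/dude connect from 181.46.136.147", taking the text up to the first space yields "denied" (which is not a valid dst-address), while taking the text after "from " yields the IP. The log lines below are constructed from the sample posted above, and the command generators assume the address-list name "blacklist" and a 7-day timeout, which are choices made here, not settings from the thread.

```python
"""Parse RouterOS 'denied winbox' log lines and build blocking commands.

Models off-box what the on-router scripts in this thread do: find the
source IP of a "denied winbox/dude connect from X" message and emit one
block action per unique IP.
"""
import ipaddress
import re

# Constructed sample in the format RouterOS writes for rejected Winbox/Dude
# connects; the last line is a different warning to show it is ignored.
SAMPLE_LOG = """\
may/28 12:39:14 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:16 warning denied winbox/dude connect from 181.46.136.147
may/28 12:40:31 warning denied winbox/dude connect from 181.46.136.147
may/28 12:41:02 warning denied winbox/dude connect from 203.0.113.7
may/28 12:41:05 warning login failure for user admin from 198.51.100.9 via ssh
"""

# "<mon>/<day> <hh:mm:ss> <topics> <message>", the shape of a /log print line
LINE_RE = re.compile(r"^(?P<time>\S+ \S+) (?P<topic>\S+) (?P<message>.*)$")
# the only message shape we act on; the IP must be the final token
FROM_RE = re.compile(r"denied winbox/dude connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def first_word(message: str) -> str:
    """What ':pick $msg 0 [:find $msg " "]' returns: text up to the first space."""
    return message.split(" ", 1)[0]


def ip_after_from(message: str):
    """What ':pick $msg ([:find $msg "from "]+5) [:len $msg]' returns, validated
    as an IPv4 address. Returns None for messages that are not a denied-winbox one."""
    m = FROM_RE.search(message)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group("ip")))
    except ipaddress.AddressValueError:
        return None


def denied_winbox_ips(log_text: str) -> list:
    """Unique source IPs of 'denied winbox' warnings, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("topic") != "warning":
            continue
        ip = ip_after_from(m.group("message"))
        if ip and ip not in seen:
            seen.append(ip)
    return seen


def address_list_commands(ips, list_name="blacklist", timeout="7d") -> list:
    """RouterOS CLI lines adding each IP to an address list with a timeout
    (the address-list approach, which expires entries on its own)."""
    return [
        f"/ip firewall address-list add address={ip} list={list_name} timeout={timeout}"
        for ip in ips
    ]


def blackhole_route_commands(ips, comment="ips-malicioso") -> list:
    """RouterOS CLI lines adding a /32 blackhole route per IP (the route
    approach; note these entries never expire by themselves)."""
    return [
        f"/ip route add dst-address={ip}/32 type=blackhole comment=\"{comment}\""
        for ip in ips
    ]


if __name__ == "__main__":
    msg = "denied winbox/dude connect from 181.46.136.147"
    print("first word:", first_word(msg), "| after 'from ':", ip_after_from(msg))
    ips = denied_winbox_ips(SAMPLE_LOG)
    print("\n".join(address_list_commands(ips)))
    print("\n".join(blackhole_route_commands(ips)))
```

Running the block prints the two extraction results side by side and then the generated commands, one per unique IP, so the repeated entries for 181.46.136.147 in the sample collapse into a single action and the unrelated ssh warning produces none.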
I suggest using a blacklist and dropping without any kind of response in /firewall raw
instead of adding the IP to the route table.
The list can grow very large and the LIMITED route table can fill up very quickly.
Use this script for the blacklist:
# Revised from Rextended v1.2.rex
#
# Created Jotne 2019 v1.2
#
# This script adds IPs with "denied winbox" to a block list for 7 days
# Schedule the script to run every 5 min
# It should run on all RouterOS versions - Rex tested it on 6.47.9
# Sample log line: may/28 12:39:14 warning denied winbox/dude connect from 181.46.136.147
:local logMessage ""
:local logIp 10.6.6.6
/log
:foreach i in=[find where message~"denied winbox"] do={
    :set logMessage [get $i message]
    :if ($logMessage~"denied winbox") do={
        # the IP is everything after "from " (5 characters) up to the end of the message
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "from " -1]+5) [:len $logMessage]]]
        # add the address only if it is not already in an address list
        :if ([:len [/ip firewall address-list find where address=$logIp]] < 1) do={
            /ip firewall address-list add address=$logIp list=blacklist timeout=7d
            :log info message="add $logIp to list blacklist"
        }
    }
}
If you still want to add routes instead of dropping traffic:
# Revised from Rextended v1.2.rex
#
# Created Jotne 2019 v1.2
#
# This script adds a blackhole route for each "denied winbox"
# Schedule the script to run every 5 min
# It should run on all RouterOS versions - Rex tested it on 6.47.9
# Sample log line: may/28 12:39:14 warning denied winbox/dude connect from 181.46.136.147
:local logMessage ""
:local logIp 10.6.6.6
/log
:foreach i in=[find where message~"denied winbox"] do={
    :set logMessage [get $i message]
    :if ($logMessage~"denied winbox") do={
        # the IP is everything after "from " (5 characters) up to the end of the message
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "from " -1]+5) [:len $logMessage]]]
        # add the /32 blackhole route only if it does not exist yet
        :if ([:len [/ip route find where dst-address=($logIp."/32") and type=blackhole]] < 1) do={
            /ip route add dst-address=$logIp type=blackhole comment="ips-malicioso"
            :log info message="add $logIp to blackhole route"
        }
    }
}