Sometimes I can see someone trying to enter my router using SSH:
13:04:03 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:03 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:03 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:04 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:04 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:11 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:12 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:12 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:12 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:12 system,error,critical login failure for user root from 218.2.0.126 via ssh
13:04:12 system,error,critical login failure for user root from 218.2.0.126 via ssh
I asked here before and someone gave me this set of firewall rules:
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
I want to see if I understand it correctly, because something doesn't add up:
If someone tries to connect using TCP on port 22 (SSH) and fails,
it adds his IP to ssh_stage1 and does not allow this IP to try again for 1 min.
After 1 min, if the IP is trying again it adds him to ssh_stage2 for 1 min, and then to ssh_stage3.
If the IP is still trying after 3 min, it adds his IP to ssh_blacklist and blocks him for 10 days.
Am I understanding it right?
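As an added illustration (not part of the post, and not from whoever wrote the rule set), here is a small Python model of how those five rules behave when evaluated top to bottom. It assumes RouterOS behaviour that is easy to overlook: the rules count new TCP connections to port 22 (connection-state=new), not failed logins; add-src-to-address-list does not stop rule processing, which is why the stages are listed from stage3 down to stage1; and re-adding an entry restarts its timeout. The connection timings are constructed.

```python
from datetime import datetime, timedelta

# Timeouts taken from the rule set in the post: 1m per stage, 1w3d (10 days) for the blacklist
STAGE_TIMEOUT = timedelta(minutes=1)
BLACKLIST_TIMEOUT = timedelta(weeks=1, days=3)
LISTS = ("ssh_stage1", "ssh_stage2", "ssh_stage3", "ssh_blacklist")


class SshStageFilter:
    """Models the five input-chain rules above, evaluated in order for each new connection."""

    def __init__(self):
        # address-list name -> {ip: expiry}; an address is a member until its expiry passes
        self.lists = {name: {} for name in LISTS}

    def _listed(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        return expiry is not None and now < expiry

    def _add(self, name, ip, now, timeout):
        # address-list-timeout: re-adding an existing entry restarts its timer (assumption)
        self.lists[name][ip] = now + timeout

    def new_connection(self, ip, now):
        """Verdict ('drop' or 'pass') for one connection-state=new TCP packet to dst-port 22."""
        # rule 1: drop anything already on ssh_blacklist (terminating action)
        if self._listed("ssh_blacklist", ip, now):
            return "drop"
        # rules 2-5: add-src-to-address-list does not stop processing (assumption), so they are
        # ordered stage3 -> stage2 -> stage1 so that a single packet climbs at most one stage
        if self._listed("ssh_stage3", ip, now):
            self._add("ssh_blacklist", ip, now, BLACKLIST_TIMEOUT)
        if self._listed("ssh_stage2", ip, now):
            self._add("ssh_stage3", ip, now, STAGE_TIMEOUT)
        if self._listed("ssh_stage1", ip, now):
            self._add("ssh_stage2", ip, now, STAGE_TIMEOUT)
        self._add("ssh_stage1", ip, now, STAGE_TIMEOUT)
        # none of these rules accepts or drops; the packet goes on to whatever rules follow
        return "pass"


def simulate(ip, offsets_seconds, start=datetime(2024, 1, 1, 13, 4, 3)):
    """Feed new SSH connections from ip at the given second offsets; one verdict per connection."""
    fw = SshStageFilter()
    return [fw.new_connection(ip, start + timedelta(seconds=s)) for s in offsets_seconds]


if __name__ == "__main__":
    # constructed scenarios using the source address seen in the log above
    print(simulate("218.2.0.126", [0, 5, 10, 15, 20]))      # fast: the 5th connection is dropped
    print(simulate("218.2.0.126", [0, 90, 180, 270, 360]))  # slow: stage1 expires, never blacklisted
```

The second scenario is the caveat worth knowing: a source that waits more than a minute between connections never climbs past ssh_stage1, so the rule set only stops fast brute forcing, not slow guessing.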