how to keep people from trying to log in mikrotik via ftp

I get several people a day trying to log into our MikroTiks via FTP and they don't stop for hours at a time. What can be done?

may/04/2007 09:44:07 system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
may/04/2007 09:44:10 system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
may/04/2007 09:44:13 system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
may/04/2007 09:44:16 system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
may/04/2007 09:44:19 system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
may/04/2007 09:44:22 system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
may/04/2007 09:44:25 system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
may/04/2007 09:44:27 system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
Terminal vt102 detected, using multiline input mode
[admin@MikroTik] >
echo: system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
[admin@MikroTik] >
echo: system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
[admin@MikroTik] >
echo: system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
[admin@MikroTik] >
echo: system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
[admin@MikroTik] >
echo: system,error,critical login failure for user Administrator from 66.230.195.16 via ftp
[admin@MikroTik] >
echo: system,error,critical login failure for user Administrator from 66.230.195.16 via ftp

Ever heard about firewall rules?

x.x.x.x/x stands for the addresses from where you want to config your router

/ ip firewall filter
add chain=input src-address=x.x.x.x/x action=accept
add chain=input action=drop comment="Drop anything else"

This works too…

/ ip service set ftp port=21 address=xx.xx.xx.xx/xx disabled=no

Or set disabled=yes for no ftp access - my preference.

Hello, thanks guys, but the problem that I have is that I am using dual WAN, and when I put that rule in with my other filter rules it makes my gateways think that they are down and disables them.


Here is how I have the gateways configured. This load balances and is failover at the same time.


/ ip route
add dst-address=0.0.0.0/0 gateway=67.47.42.49 check-gateway=ping scope=255 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=72.171.250.49 check-gateway=ping scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=72.171.250.49 scope=255 target-scope=10 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=67.47.42.49 distance=1 scope=255 target-scope=10 routing-mark=even comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=72.171.250.49 distance=1 scope=255 target-scope=10 routing-mark=odd comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=67.47.42.49 distance=2 scope=255 target-scope=10 comment="" disabled=no

Accept ICMP before drop rule.

In order for a rule to take effect, it must be the first match in the rules list. If you have a rule to accept all TCP traffic listed above the FTP rule to drop traffic, then the drop will have no effect.

Order your rules to exclude specific items first and accept general items at the bottom.

Don’t over-complicate a simple problem with details - merely apply one or both of what has been suggested:

/ip service set ftp address=<your address here> disabled=no

OR

/ip service set ftp disabled=yes

If you don’t require ftp access

OR

/ ip firewall filter
add chain=input src-address=!<your address here> protocol=tcp dst-port=21 action=drop

Will drop all FTP access to your router except from the (!) addresses.

Accept established, related, UDP, ICMP, source addresses or local network, then drop everything.


Or if you want to stop all FTP connections that come from outside your router, just drop them at the input chain...

/ip firewall filter add chain=input protocol=tcp dst-port=21 action=drop

Ghassan
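Putting the ordering advice from this and the earlier replies into one input chain, as an added example that is not from any poster in this thread. The address-list name mgmt, the management addresses 192.0.2.10/32 and 198.51.100.0/24 and the LAN 10.0.0.0/24 are placeholders; the ICMP accept is what keeps check-gateway=ping working on the dual-WAN routes shown above.

```routeros
# Added example (not from the thread). Placeholder addresses: substitute your own.
/ip firewall address-list
add list=mgmt address=192.0.2.10/32 comment="admin workstation"
add list=mgmt address=198.51.100.0/24 comment="NOC range"

/ip firewall filter
# 1. Replies to connections the router itself opened
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
# 2. ICMP must sit above any drop, otherwise check-gateway=ping gets no
#    replies, both default routes are marked unreachable and failover flaps
add chain=input protocol=icmp action=accept
# 3. Management from trusted addresses and from the LAN
add chain=input src-address-list=mgmt action=accept
add chain=input src-address=10.0.0.0/24 action=accept
# 4. The specific drop: only FTP attempts that rules 1-3 did not accept reach it
add chain=input protocol=tcp dst-port=21 action=drop comment="Drop outside FTP"
# 5. Optional catch-all, last so it cannot shadow the accepts above
add chain=input action=drop comment="Drop anything else"
```

Combine with /ip service set ftp address=... (or disabled=yes) from the earlier replies so the service itself is also restricted, not only the firewall.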


They will stop working when you have a strong router login ID :wink:

regards
Hasbullah.com

Yes, but for mine I only drop TCP 21 which comes from outside and allow only my trusted IPs to connect. :smiley:


Normally we will control our NOC [e.g. update version by FTP] from any IPs and anywhere... and until now it is fine. :wink:
And next time maybe around the world, and how....

regards
Hasbullah.com