I can't use the FTP server on the router from outside after changing the default FTP port

I use the FTP function on the router, but there are brute-force login attempts every day. I changed port 21 to 24 in IP > Services for FTP, and I changed the port in the firewall settings (all firewall settings are below). When I connect from the router's network (192.168.3.) it works, but when I connect from outside it doesn't. In the FileZilla log I see that it is logged in, but there is an error when listing the directory. Where could the problem be?

FileZilla log:

Status:	Connecting to _MyIP_:24...
Status:	Connection established, waiting for welcome message...
Status:	Insecure server, it does not support FTP over TLS.
Status:	Server does not support non-ASCII characters.
Status:	Logged in
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is current directory
Command:	TYPE I
Response:	200 Type set to I
Command:	PASV
Response:	227 Entering Passive Mode (_MyIP_,182,167).
Command:	LIST
Response:	425 Can't build data connection
Error:	Failed to retrieve directory listing

Firewall settings:

# feb/16/2016 21:16:23 by RouterOS 6.33
# software id = 5W1N-SSGX
#
/ip firewall filter
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input comment="Enable FTP access" dst-port=24 protocol=tcp
add action=drop chain=input in-interface=ether1-gateway
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" disabled=yes dst-limit=\
    1/1m,4,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=5m chain=output content="530 Login incorrect" \
    disabled=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=8933 protocol=tcp to-addresses=\
    192.168.3.3 to-ports=8933
add action=dst-nat chain=dstnat dst-port=8934 protocol=tcp to-addresses=\
    192.168.3.11 to-ports=8934
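Added example (not part of the original post) that walks the FileZilla log and the posted input chain together. In passive mode the LIST data transfer is a second, inbound TCP connection to the high port announced in the 227 reply (p1*256 + p2), so on the WAN side it is accepted only if connection tracking has already marked it "related" to the control session (the posted chain accepts established/related, then tcp/24, then drops everything else arriving on ether1-gateway). In RouterOS the FTP connection-tracking helper only inspects control connections on the ports listed under /ip firewall service-port (ftp, port 21 by default), which is the setting to check after moving the service to port 24. The LAN interface name bridge-local and the scenario labels are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def pasv_port(response: str) -> int:
    """Decode the data port announced in an FTP 227 reply.

    The reply carries (h1,h2,h3,h4,p1,p2) and the port is p1*256 + p2.
    FileZilla redacts the address to '_MyIP_' in its log, so only the last
    two comma-separated fields inside the parentheses are used.
    """
    inside = response[response.index("(") + 1 : response.rindex(")")]
    fields = [f.strip() for f in inside.split(",")]
    p1, p2 = int(fields[-2]), int(fields[-1])
    return p1 * 256 + p2


@dataclass
class Packet:
    protocol: str              # "tcp", "udp" or "icmp"
    dst_port: Optional[int]
    conn_state: str            # conntrack verdict: "new", "established", "related", "invalid"
    in_interface: str          # "ether1-gateway" is the WAN side in the posted export


Rule = Tuple[str, Callable[[Packet], bool], str]

# The input-chain rules from the posted export, in their original order
# (the disabled brute-force rules are skipped, as the router skips them).
INPUT_CHAIN: List[Rule] = [
    ("accept icmp",         lambda p: p.protocol == "icmp",                     "accept"),
    ("accept established",  lambda p: p.conn_state == "established",            "accept"),
    ("accept related",      lambda p: p.conn_state == "related",                "accept"),
    ("Enable FTP access",   lambda p: p.protocol == "tcp" and p.dst_port == 24, "accept"),
    ("drop input from WAN", lambda p: p.in_interface == "ether1-gateway",       "drop"),
]


def input_chain_verdict(packet: Packet) -> Tuple[str, str]:
    """Walk the input chain top to bottom; RouterOS accepts when nothing matches."""
    for name, matches, action in INPUT_CHAIN:
        if matches(packet):
            return action, name
    return "accept", "end of chain (default accept)"


def diagnose(pasv_response: str) -> Dict[str, str]:
    """Verdicts for the control connection and for the passive data connection
    in the four situations that matter for the posted setup."""
    data_port = pasv_port(pasv_response)
    wan, lan = "ether1-gateway", "bridge-local"   # LAN interface name is assumed
    cases = {
        "control from WAN (tcp/24, new)":       Packet("tcp", 24, "new", wan),
        "data from WAN, helper not tracking":   Packet("tcp", data_port, "new", wan),
        "data from WAN, helper marked related": Packet("tcp", data_port, "related", wan),
        "data from LAN (new)":                  Packet("tcp", data_port, "new", lan),
    }
    return {label: input_chain_verdict(p)[0] for label, p in cases.items()}


if __name__ == "__main__":
    # Constructed from the FileZilla log line in the post.
    line = "Response:\t227 Entering Passive Mode (_MyIP_,182,167)."
    print("passive data port:", pasv_port(line))
    for label, verdict in diagnose(line).items():
        print(f"{label:40} -> {verdict}")
```

The LAN case is accepted only because the final drop rule is bound to ether1-gateway, which is why the listing works from 192.168.3.x regardless of the helper; from the WAN the data SYN to the high port survives only when it is classified as related.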

You should rethink your approach. Changing the port will not stop brute-forcing. Someone will rescan your external IP and start brute-forcing that new port. You need to set up a firewall rule that blocks traffic from that IP if such a brute-force attempt is made.

Sent from my LG-H960 using Tapatalk

The attempts are from a different IP every time. Another way is the last 3 rules in my firewall settings (they are disabled because they don't work properly). But the easier way is to change the default port. I hope the “hackers” scanned only the default port. OK, if somebody tries to find FTP on my IP he will succeed, but for now I want to prevent random scanning for an open port 21.

That’s just it, they are not simply scanning for port 21…

Really? So… plan “B”!
In the firewall there are rules for brute-force attacks: if some IP sends n wrong passwords, block this IP for 1 day. I added these rules a year ago, but there was some problem; I don't remember what. I disabled them and haven't used FTP since then. I will test again and write what the problem is.

It is working: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
It was a problem with the rule order.
But why is the created address list deleted after rebooting the router?

Well, that is just the way MT works. I have a bunch of such rules for every open port or port scan attempt. One solution would be to change the default FTP port and create port scan detection rules, so the script kiddies can't enumerate your ports and would fly blind.

Set them up like this
http://blog.codexploit.si/2015/01/mikrotik-port-scanning-firewall-rules.html?m=1

And put them above all other rules. That should stop the bad guys from enumerating your ports. You can test them out with nmap or some other port scan software. Just remember to disable the drop rule while testing.

Sent from my LG-H960 using Tapatalk

Thanks CodeXploit!
I added the rules. I tested with Nmap (Zenmap) and they block the IP.
But if I check whether port 21 (or another) is open from a web site (for example http://www.yougetsignal.com/tools/open-ports/), it says “Port 21 is open” and the router didn't catch the IP.

You could set up a port knocking system to protect the FTP service.

It works similarly to the port scan detection.

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=udp dst-port=21 action=add-src-to-address-list address-list=knock1 address-list-timeout=1s
add chain=input protocol=udp dst-port=2121 src-address-list=knock1 action=add-src-to-address-list address-list=knock2 address-list-timeout=1s
add chain=input protocol=udp dst-port=2020 src-address-list=knock2 action=add-src-to-address-list address-list=knock_authorized address-list-timeout=5m
add chain=input protocol=tcp dst-port=21 src-address-list=knock_authorized action=accept

The established,related rule is important because the data channel is a “related” connection to any established ftp sessions. Furthermore, it will allow established ftp sessions to continue even after the knock_authentication times out.

The way this works is the client sends a series of packets that opens the FTP service for a short period for the IP address that originated the correct combination. It doesn’t all have to be UDP like in my example. There are free applications that can send a series of port knock packets.

So once the knock is successful, the client has a 5 minute window where they may connect to the FTP service on the router. Once connected, the established,related rule will let the session continue even after the knock window closes.

Port knocking is a measure to increase security by adding “security in depth” - it’s not the same as “security by obscurity” - and it has the benefit of preventing robots from connecting to the FTP port and attempting to brute force login. You could protect all of your services on the Mikrotik with this method. In fact, I should do this on my home router since it won’t let me in from my hotel IP address right now…
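Added example (not from the post or from MikroTik) that models the knock sequence above as a small stateful filter, so the timing behaviour can be checked before touching the router: each address list entry carries its own expiry, add-src-to-address-list is treated as non-terminating (the knock packet itself falls through to a trailing drop, which the post relies on but does not show and is assumed here), and the established,related rule sits first. The client address 198.51.100.7 and the timelines are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    t: float                    # seconds since the start of the scenario
    src: str
    proto: str                  # "udp" or "tcp"
    dst_port: int
    conn_state: str = "new"     # what connection tracking reports for this packet


class AddressLists:
    """Dynamic address lists with per-entry expiry (address-list-timeout)."""

    def __init__(self) -> None:
        self._expiry: Dict[Tuple[str, str], float] = {}

    def add(self, name: str, ip: str, now: float, timeout: float) -> None:
        self._expiry[(name, ip)] = now + timeout

    def contains(self, name: str, ip: str, now: float) -> bool:
        expiry = self._expiry.get((name, ip))
        return expiry is not None and now < expiry


class KnockFirewall:
    """The five posted input rules plus an assumed trailing drop."""

    # (udp knock port, list it feeds, timeout in seconds, list it requires)
    KNOCK_SEQUENCE = [
        (21,   "knock1",           1.0,   None),
        (2121, "knock2",           1.0,   "knock1"),
        (2020, "knock_authorized", 300.0, "knock2"),
    ]
    SERVICE_PORT = 21

    def __init__(self) -> None:
        self.lists = AddressLists()

    def verdict(self, p: Packet) -> str:
        # rule 1: keeps the FTP data channel and already-open sessions alive
        if p.conn_state in ("established", "related"):
            return "accept"
        # rules 2-4: add-src-to-address-list does not stop rule processing in
        # RouterOS, so the UDP knock packet continues down to the final drop
        if p.proto == "udp":
            for port, target, timeout, required in self.KNOCK_SEQUENCE:
                if p.dst_port == port and (required is None or self.lists.contains(required, p.src, p.t)):
                    self.lists.add(target, p.src, p.t, timeout)
        # rule 5: the service port is open only to sources that completed the sequence
        if (p.proto == "tcp" and p.dst_port == self.SERVICE_PORT
                and self.lists.contains("knock_authorized", p.src, p.t)):
            return "accept"
        return "drop"   # assumed trailing drop rule for everything else from the WAN


def run(packets: List[Packet]) -> List[str]:
    fw = KnockFirewall()
    return [fw.verdict(p) for p in packets]


def scenarios() -> Dict[str, str]:
    """Verdict of the final packet of each constructed timeline."""
    ip = "198.51.100.7"   # constructed client address
    good = [Packet(0.0, ip, "udp", 21), Packet(0.4, ip, "udp", 2121), Packet(0.8, ip, "udp", 2020)]
    slow = [Packet(0.0, ip, "udp", 21), Packet(1.5, ip, "udp", 2121), Packet(1.9, ip, "udp", 2020)]
    wrong = [Packet(0.0, ip, "udp", 2121), Packet(0.3, ip, "udp", 21), Packet(0.6, ip, "udp", 2020)]
    return {
        "correct knock, connect within window": run(good + [Packet(1.2, ip, "tcp", 21)])[-1],
        "second knock too slow (knock1 expired)": run(slow + [Packet(2.0, ip, "tcp", 21)])[-1],
        "knocks in wrong order": run(wrong + [Packet(0.9, ip, "tcp", 21)])[-1],
        "new connection after the 5 min window": run(good + [Packet(400.0, ip, "tcp", 21)])[-1],
        "established session after the window": run(good + [Packet(400.0, ip, "tcp", 21, "established")])[-1],
        "no knock at all": run([Packet(0.0, ip, "tcp", 21)])[-1],
    }


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(f"{label:42} -> {verdict}")
```

The 1 s timeouts on knock1 and knock2 are what make the sequence hard to hit by accident; the "too slow" timeline shows that a knocker must send the three packets back to back, and the last two timelines show the point made above about established sessions outliving the 5 minute window.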

Thanks for your reply.
There is a problem with the code:

add chain=input protocol=udp dst-port=21 action=add-src-to-address-list address-list="knock1" timeout=1s comment="002.add-src-to-address-list 21"
expected end of command (line 1 column 95)

Is timeout address-list-timeout?

Yep. That’s what I meant.

I added the rules, but scanning from the web site doesn’t block. :confused:

And another note: I am looking for an Android audio player that can play files from an FTP server. I am testing Neutron (Eval), and when I start playing, the router blocks the Android device's IP.

Well, that is OK. The port is open, so… that is why I said to use a port above 50000; there are rarely any script kiddies that scan ports that high. The favorite range is 1 - 1024, the most commonly used ports, and some other specific ports like 3389 etc. And all of them use tools like nmap. But if they want to manually enumerate 65k ports via a website… then let them have their fun. These rules are not bulletproof, but they will stop 98% of the people who scan IP ranges and common ports, so you will not pop up for detailed scanning.

Does it put the Android IP on a port scanning list ? What rule blocks it ?

This one:

 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=ftp_blacklist address-list-timeout=0s log=no log-prefix=""

I have written a Python program to scan all audio files on the FTP server. The rule blocks it as well.

But I have a problem when I change the port. I started this topic about the problem with the port.

And a note from the last few days: there is no brute-force attack, there is only one attempt from an IP :confused:
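Added example (constructed here, not from the thread or from MikroTik) that models the psd=21,3s,3,1 matcher in the rule quoted above as a weight tally: a new connection attempt to a destination port the source has not used recently adds 3 for ports below 1024 and 1 for higher ports, a pause longer than 3 s between a source's packets restarts its tally, and the rule matches once the tally reaches 21. This is a simplified reading of the matcher's documented parameters, so treat the exact counts as illustrative. The timelines below are constructed: a quick low-port scan, a passive-mode FTP client that opens many distinct high data ports while walking a directory tree (one mechanism consistent with the player and the Python scanner being blacklisted), a single port-21 check from a website, and a probe that pauses 5 s between ports.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SourceRecord:
    last_seen: float
    weight: int = 0
    ports: Set[int] = field(default_factory=set)


class PortScanDetector:
    """Simplified model of psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.

    Only new connection attempts are fed in (a SYN per destination port); the
    real kernel matcher has further details that are not modelled here.
    """

    def __init__(self, weight_threshold: int = 21, delay_threshold: float = 3.0,
                 low_port_weight: int = 3, high_port_weight: int = 1) -> None:
        self.weight_threshold = weight_threshold
        self.delay_threshold = delay_threshold
        self.low_port_weight = low_port_weight
        self.high_port_weight = high_port_weight
        self.records: Dict[str, SourceRecord] = {}

    def observe(self, src: str, t: float, dst_port: int) -> bool:
        """Record one connection attempt; return True when the rule would match."""
        rec = self.records.get(src)
        if rec is None or t - rec.last_seen > self.delay_threshold:
            rec = SourceRecord(last_seen=t)          # tally restarts after a long pause
            self.records[src] = rec
        rec.last_seen = t
        if dst_port not in rec.ports:                # repeats of the same port add nothing
            rec.ports.add(dst_port)
            rec.weight += self.low_port_weight if dst_port < 1024 else self.high_port_weight
        return rec.weight >= self.weight_threshold


Attempt = Tuple[float, str, int]   # (time in seconds, source address, destination port)


def first_trigger(attempts: List[Attempt]) -> Optional[int]:
    """Destination port on which the psd match first fires, or None if it never does."""
    psd = PortScanDetector()
    for t, src, port in attempts:
        if psd.observe(src, t, port):
            return port
    return None


def scenarios() -> Dict[str, Optional[int]]:
    scanner, client, checker = "203.0.113.9", "198.51.100.7", "192.0.2.33"   # constructed
    quick_scan = [(round(i * 0.1, 1), scanner, 21 + i) for i in range(10)]
    # control connection on the moved FTP port, then one passive data port per LIST
    ftp_walk = [(0.0, client, 24)] + [(round(0.5 * i, 1), client, 40000 + i) for i in range(1, 25)]
    website_check = [(0.0, checker, 21)]
    slow_probe = [(float(i * 5), scanner, 21 + i) for i in range(10)]
    return {
        "10 low ports in 1 s": first_trigger(quick_scan),        # 7 x 3 = 21 at the 7th port
        "passive FTP directory walk": first_trigger(ftp_walk),   # 3 + 18 x 1 = 21 at the 18th data port
        "single port-21 check from a website": first_trigger(website_check),
        "one port every 5 s": first_trigger(slow_probe),         # tally restarts each time
    }


if __name__ == "__main__":
    for label, port in scenarios().items():
        print(f"{label:38} -> {'no match' if port is None else f'match at port {port}'}")
```

The single-port website check never reaches the threshold, which is the behaviour reported above, while a legitimate client that fans out over many passive data ports in quick succession does. A connection-state=new condition on the psd rule, or a higher threshold, are the usual knobs if that false positive matters more than catching fast scans.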

Usually, when I don't know what's blocking specific traffic, I reset all counters to 0, start the program/service and look at the block rules to see if one of them is incrementing.