i want to add some preroute drop rule for src address list which contains all public ip collected from my honeypot ssh server.
Is this a good idea or is there a better way to block it?
honeypot ssh is on public ip (where are also the most of servers, same subnet)
Dont waste your time.
An MT router is not designed to stop sophisticated and prolonged attacks. That is the responsibility of your ISP and farther up the food chain.
In most cases, 99% of the traffic out there, it suffices simply to put a drop all rule at the end of the INPUT CHAIN and the FORWARD CHAIN.
If you are a business, a medical related site etc… one would have an edge router and probably paid services for further protection and a business account with an ISP that should provide better 24/7 monitoring/protections etc…
Like so…
NOVICE and RECREATIONAL USER RECOMMENDED CONFIGS.
( Intended for the new user and for the lightly experienced user who has gained enough knowledge and who now require changes to the default config. )
( Use Safe Mode when configuring the MT Device - https://help.mikrotik.com/docs/display/ … t-SafeMode. )
( Do NOT use quickset, and if you do for some reason at start-up, do NOT return to quickset to make changes later. )
( Finding the default configuration - Go to terminal and on the command line enter:
/system default-configuration print file=anynamewilldo - next download the file and you have it!)
(1) NOVICE DEFAULT SETUP
/ip firewall filter
{Input Chain}
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment=“drop all else” *****
{forward chain}
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interface-list=WAN
*********** Caution, only add the drop rule in the input chain, AFTER you have the allow LAN access or you will lock yourself out of the router.