Playing defense, need help

In reference to my forum post on here http://forum.mikrotik.com/t/help-securing-router/115718/1
When an IP tries to hit my router’s pptp server and doesn’t authenticate or do anything, is there a script to automatically add it to a block list??
Not familiar with scripts or block lists, but I’m sick of seeing log entries like: 14:46:38 pptp,info TCP connection established from 71.6.146.186
That IP comes back to some hacker something or other on google… how do I add these to a block list automagically??

Thanks guys.

Another option: implement port knocking on your pptp.
For a good example: http://forum.mikrotik.com/t/portknock-scripting/114812/1

There are various ways of handling this, herewith our method:

Drop traffic from blacklisted sources without consuming conntrack table entries:

/ip firewall raw
  add action=accept chain=prerouting comment="Failsafe - allow CDP:" dst-address=255.255.255.255 dst-port=5678 protocol=udp
  add action=accept chain=prerouting comment="Failsafe - allow mactelnet:" dst-address=255.255.255.255 dst-port=20561 protocol=udp src-address=0.0.0.0
  add action=drop chain=prerouting comment="Drop - from 'black_list' address list:" src-address-list=black_list

IPs and subnets to exempt from blacklisting:

/ip firewall address-list
  add address=54.19.34.24/29 comment="Office:" list=management
  add address=192.168.10.0/24 comment="Home:" list=management

Ultimately accept the connection, but add source IP to stage1, if it doesn’t exist in ‘management’ address list. Add to stage2 if it exists in stage1, stage3 if it’s in stage2 or add to ‘black_list’ if it’s in stage3. Four connections within 1 minute will result in the source IP being blacklisted for 24 hours:

/ip firewall filter
  add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=brutecheck comment="Brute Force Protection:" src-address-list=brute_stage3
  add action=add-src-to-address-list address-list=brute_stage3 address-list-timeout=1m chain=brutecheck src-address-list=brute_stage2
  add action=add-src-to-address-list address-list=brute_stage2 address-list-timeout=1m chain=brutecheck src-address-list=brute_stage1
  add action=add-src-to-address-list address-list=brute_stage1 address-list-timeout=1m chain=brutecheck src-address-list=!management
  add action=accept chain=brutecheck

Then simply set the action on any input filter rules to be a jump to ‘brutecheck’, instead of ‘accept’. We do this for tcp/21 (ftp), tcp/22 (ssh), tcp/23 (telnet), tcp/80 (http), tcp/443 (https), tcp/1723 (pptp) and tcp/8291 (winbox). This will blacklist anyone repeatedly attempting connections to any of these ports, and port scanners get listed immediately:

/ip firewall filter
  add action=jump chain=input comment=FTP: connection-state=new dst-port=21 jump-target=brutecheck protocol=tcp
  add action=jump chain=input comment=SSH: connection-state=new dst-port=22 jump-target=brutecheck protocol=tcp
  add action=jump chain=input comment=Telnet: connection-state=new dst-port=23 jump-target=brutecheck protocol=tcp
  add action=jump chain=input comment=HTTP: connection-state=new dst-port=80 jump-target=brutecheck protocol=tcp
  add action=jump chain=input comment=HTTPS: connection-state=new dst-port=443 jump-target=brutecheck protocol=tcp
  add action=jump chain=input comment="PPTP VPN:" connection-state=new dst-port=1723 jump-target=brutecheck protocol=tcp
  add action=jump chain=input comment=Winbox: connection-state=new dst-port=8291 jump-target=brutecheck protocol=tcp

We leave the above honeypot rules active to blacklist connection attempts to lucrative ports even after disabling most of these:

/ip service
  set telnet disabled=yes
  set ftp disabled=yes
  set www disabled=yes
  set ssh port=2222
  set api disabled=yes
  set api-ssl disabled=yes
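As an added illustration (not code from this thread, nor from MikroTik), the Python model below replays log lines in the format quoted in the original question through the staged address-list logic from the reply above, so you can see exactly when a source lands in ‘black_list’ and what happens to its next connection. The sample log is constructed (71.6.146.186 is the address from the question; 192.168.10.7 falls inside the ‘management’ subnet from the reply; 203.0.113.9 is a made-up documentation address), and the timeouts are the 1m and 1d values from the rules. It assumes RouterOS semantics in which add-src-to-address-list is non-terminating (every rule in the chain is evaluated, only the final accept ends it) and re-adding an existing dynamic entry refreshes its timeout.

```python
import ipaddress
import re

STAGE_TIMEOUT = 60          # address-list-timeout=1m on brute_stage1..3
BLACKLIST_TIMEOUT = 86400   # address-list-timeout=1d on black_list

# Constructed sample in the log format quoted in the question (not real traffic).
SAMPLE_LOG = """\
14:46:38 pptp,info TCP connection established from 71.6.146.186
14:46:41 pptp,info TCP connection established from 71.6.146.186
14:46:45 pptp,info TCP connection established from 192.168.10.7
14:46:50 pptp,info TCP connection established from 71.6.146.186
14:46:55 pptp,info TCP connection established from 71.6.146.186
14:47:02 pptp,info TCP connection established from 71.6.146.186
14:48:10 pptp,info TCP connection established from 203.0.113.9
14:50:30 pptp,info TCP connection established from 203.0.113.9
"""

LOG_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d) pptp,info TCP connection established from (\S+)$")


def parse_pptp_line(line):
    """Return (seconds since midnight, source ip) for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, ip = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), ip


class BruteCheck:
    """Model of the raw drop rule plus the 'brutecheck' chain.

    Rules are evaluated in the order they were added (stage3 first, then
    stage2, stage1, !management). Because add-src-to-address-list does not
    terminate, checking the highest stage first is what stops a single
    connection from cascading straight into the blacklist.
    """

    def __init__(self, management):
        self.management = [ipaddress.ip_network(n) for n in management]
        self.lists = {"brute_stage1": {}, "brute_stage2": {},
                      "brute_stage3": {}, "black_list": {}}

    def _in_list(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        if expiry is None:
            return False
        if expiry <= now:           # dynamic entry has timed out
            del self.lists[name][ip]
            return False
        return True

    def _add(self, name, ip, now, timeout):
        self.lists[name][ip] = now + timeout   # re-adding refreshes the timeout

    def _is_management(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.management)

    def new_connection(self, ip, now):
        """Verdict ('drop' or 'accept') for one new connection from ip at time now."""
        # /ip firewall raw: blacklisted sources are dropped before conntrack
        if self._in_list("black_list", ip, now):
            return "drop"
        # chain=brutecheck, in rule order
        if self._in_list("brute_stage3", ip, now):
            self._add("black_list", ip, now, BLACKLIST_TIMEOUT)
        if self._in_list("brute_stage2", ip, now):
            self._add("brute_stage3", ip, now, STAGE_TIMEOUT)
        if self._in_list("brute_stage1", ip, now):
            self._add("brute_stage2", ip, now, STAGE_TIMEOUT)
        if not self._is_management(ip):
            self._add("brute_stage1", ip, now, STAGE_TIMEOUT)
        # The connection that triggers the blacklisting is itself still accepted;
        # the raw drop only bites on the source's next packet.
        return "accept"


def replay(log_text, management=("54.19.34.24/29", "192.168.10.0/24")):
    """Feed parsed log lines through the model; return (verdicts, blacklisted ips)."""
    fw = BruteCheck(management)
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_pptp_line(line)
        if parsed is None:
            continue
        t, ip = parsed
        verdicts.append((ip, t, fw.new_connection(ip, t)))
    return verdicts, sorted(fw.lists["black_list"])


if __name__ == "__main__":
    for ip, t, verdict in replay(SAMPLE_LOG)[0]:
        print(f"{t:6d} {ip:16s} {verdict}")
```

Running it shows 71.6.146.186 accepted on its first four connections inside one minute, dropped on the fifth, the management address never entering stage1, and 203.0.113.9 restarting at stage1 because its earlier entry timed out before the second attempt.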