POP Bruteforce prevention, dst-limit

Hi,

I would like to prevent bruteforce attacks on a mail server which is behind a MikroTik router/firewall.
I used FTP bruteforce example http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP
and I changed chains, ports, content (-ERR [AUTH] Invalid login ).

My question is regarding dst-limit. It always triggers that rule, and the rule below it (the one which adds the address to the address list) is never triggered.

my setup:

/ip firewall filter
add action=tarpit chain=forward comment="drop pop brute force - block all from list" dst-port=110 \
    protocol=tcp src-address-list=pop_blacklist src-port=""

add chain=forward comment="drop pop brute force - accept 5 failed logins per minute" content=\
    "ERR [AUTH] Invalid login" dst-limit=1/1m,5,src-address/1m protocol=tcp src-port=110

add action=add-dst-to-address-list address-list=pop_blacklist address-list-timeout=10m chain=forward comment=\
    "drop pop brute force - add everything else to address list" content="ERR [AUTH] Invalid login" \
    protocol=tcp src-port=110

What should I change to stop POP bruteforce?

remove the src-port and retry.

-Chris

Hi!

It seems that I got a similar problem when trying to block ftp bruteforce. I had to alter the rules as the ftp server is not on the mikrotik itself but in the network behind, and there is a nat rule existing. So I changed the chain to forward instead of input/output:

add action=drop chain=forward comment="drop ftp brute forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=forward content="530 Login authentication failed" disabled=no dst-limit=1/1m,5,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=2h chain=forward content="530 Login authentication failed" disabled=no \
    protocol=tcp

The problem is the 2nd rule... it is triggered during a bruteforce attempt but it does not "expire" after 5 trials in order to let the 3rd rule add the address to the list.
Any clever hints are highly appreciated

OK, I got it solved after upgrading from old 5.26 to 6.19! In the forum there were several hints that versions below 5.5 had several bugs regarding that functionality!

Hi All!

I tried to use the Brute Force prevention for FTP
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
    address-list=ftp_blacklist address-list-timeout=3h

but without any success. I use the MikroTik RouterBoard's FTP service.
It takes my IP address into the BlackList at the first incorrect login. FYI: I use TotalCommander for the FTP. I never store the name/pswd in the TCM, only x/x (because they are not encrypted). So the first connection is always false/incorrect. As a result my IP address is added to the list. But the first time?
Do I misunderstand something?
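Added example (not posted by anyone in this thread and not MikroTik code): a Python model of the three-rule pattern the posts above use, with dst-limit modelled as a per-key token bucket, so a run of failed logins can be replayed to see which rule each server reply hits and when the client lands on the address list. It follows the documented meaning of dst-limit=count/time,burst,mode/expire (burst packets match at once, then count per time, entry forgotten after expire), not RouterOS internals. The addresses, timings, packet model and the Rule/Firewall/simulate helpers are all constructed for this example; it goes one step beyond the posts by letting you switch the mode to see which packet address the bucket is keyed on.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Actions that let the packet continue down the chain (RouterOS passthrough actions).
PASSTHROUGH = {"add-dst-to-address-list", "add-src-to-address-list", "log"}


@dataclass
class Packet:            # constructed packet model: just what the rules look at
    src: str
    dst: str
    dst_port: int
    content: str = ""


class DstLimit:
    """Per-key token bucket approximating dst-limit=count/time,burst,mode/expire:
    the first 'burst' packets for a key match immediately, afterwards 'count'
    packets per 'time' seconds match; a key idle longer than 'expire' seconds is
    forgotten and starts again with a full burst.  (Model for this example only.)"""

    def __init__(self, count: int, time_s: int, burst: int, mode: str, expire_s: int):
        self.rate, self.burst, self.mode, self.expire = count / time_s, burst, mode, expire_s
        self.buckets = {}  # key -> [tokens, last_seen]

    def key(self, pkt: Packet):
        # mode decides which address of *this packet* the counter is kept for
        return {"src-address": pkt.src, "dst-address": pkt.dst,
                "src-and-dst-addresses": (pkt.src, pkt.dst)}[self.mode]

    def matches(self, pkt: Packet, now: float) -> bool:
        k, b = self.key(pkt), self.buckets.get(self.key(pkt))
        if b is None or now - b[1] > self.expire:
            b = [float(self.burst), now]                               # fresh entry, full burst
        else:
            b[0] = min(self.burst, b[0] + (now - b[1]) * self.rate)  # refill at count/time
            b[1] = now
        self.buckets[k] = b
        if b[0] >= 1:
            b[0] -= 1
            return True
        return False


@dataclass
class Rule:
    action: str
    content: Optional[str] = None
    dst_port: Optional[int] = None
    src_address_list: Optional[str] = None
    dst_limit: Optional[DstLimit] = None
    address_list: Optional[str] = None


class Firewall:
    def __init__(self, rules):
        self.rules, self.lists = rules, defaultdict(set)

    def process(self, pkt: Packet, now: float):
        """Walk the chain top to bottom and return the actions taken, in order."""
        taken = []
        for r in self.rules:
            if r.dst_port is not None and pkt.dst_port != r.dst_port:
                continue
            if r.content is not None and r.content not in pkt.content:
                continue
            if r.src_address_list is not None and pkt.src not in self.lists[r.src_address_list]:
                continue
            if r.dst_limit is not None and not r.dst_limit.matches(pkt, now):
                continue                      # bucket empty: fall through to the next rule
            taken.append(r.action)
            if r.action == "add-dst-to-address-list":
                self.lists[r.address_list].add(pkt.dst)
            if r.action not in PASSTHROUGH:
                return taken
        taken.append("accept")                # implicit accept at the end of the chain
        return taken


def build_pop_firewall(mode: str = "dst-address") -> Firewall:
    # The thread's three-rule pattern: tolerate 5 failures per minute, then list the client.
    err = "-ERR [AUTH] Invalid login"
    return Firewall([
        Rule(action="tarpit", dst_port=110, src_address_list="pop_blacklist"),
        Rule(action="accept", content=err, dst_limit=DstLimit(1, 60, 5, mode, 60)),
        Rule(action="add-dst-to-address-list", content=err, address_list="pop_blacklist"),
    ])


def simulate(attempts, mode: str = "dst-address", server: str = "192.0.2.10"):
    """attempts: list of (seconds, client_ip) failed logins.  For each one the client's
    request to port 110 is evaluated, then the server's -ERR reply to the client.
    Returns one decision per attempt: 'accept', 'blacklisted' or 'tarpit'."""
    fw, out = build_pop_firewall(mode), []
    for t, client in attempts:
        if fw.process(Packet(client, server, 110, "USER x"), t) == ["tarpit"]:
            out.append("tarpit")
            continue
        reply = fw.process(Packet(server, client, 50000, "-ERR [AUTH] Invalid login"), t)
        out.append("blacklisted" if "add-dst-to-address-list" in reply else "accept")
    return out


if __name__ == "__main__":
    one = [(t, "198.51.100.7") for t in (0, 2, 4, 6, 8, 10, 12)]
    print(simulate(one))                      # 5 x accept, blacklisted, tarpit
    two = one[:5] + [(10, "203.0.113.9")]
    print(simulate(two, mode="src-address"))  # second client listed at its first failure
```

Two things the replay makes visible: with the bucket keyed on the reply's dst-address (the client), the sixth failure inside a minute is the first one the accept rule no longer matches, so only then does the add-to-list rule see the reply; and the mode is applied to the packet the rule actually matches, so on a server-to-client reply src-address names the server, and every client then draws from one shared bucket. Checking which address the key resolves to in the direction the rule matches is a quick sanity test before blaming the counter itself.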