prevention of SSH bruteforcing..

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

This is what I found in the wiki... do you have to do it this way? It seems pretty long for a simple rule.

I cannot seem to find the error message that SSH sends back on authentication failure. Is it not "530 login incorrect"?

I think I remember reading something about the above ruleset, but I cannot seem to find it. I'm just trying to put together a sweet script to share :slight_smile:

You won't return any SSH error message like "login incorrect" by that - you will just plainly drop the connection attempts using the firewall. I think there's a recent forum thread about the same issue that's titled something like "how to stop brute force attacks on your FTP server" or the like...

Best regards,
Christian Meis

This looks exactly like what I wrote about in the "General Networking" forum a while ago (same wording). As cmit wrote, you won't return any SSH error messages because the session is encrypted. The only way is to rely on the number of connection attempts in a certain time period. Since you can have 3 failed login attempts before the SSH session is closed, you will get 9 login attempts within a minute before your IP address gets banned. From my own experience, SSH brute forcers disconnect after every login attempt (their IP address will therefore be banned after the third login attempt).
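To make the escalation in the ruleset above concrete, here is a small simulation added as an illustration; it is not from the thread and not RouterOS code. It walks each new TCP/22 connection through the rules in the order they are listed (drop rule first, then stage3, stage2, stage1, then the catch-all add to ssh_stage1), treating add-src-to-address-list as a passthrough action and assuming that re-adding an address refreshes its timer. The sample source addresses and timings are constructed.

```python
# Timeouts taken from the ruleset on the page, in seconds.
STAGE_TIMEOUT = 60          # address-list-timeout=1m for ssh_stage1/2/3
BLACKLIST_TIMEOUT = 86400   # address-list-timeout=1d for black_list

class AddressLists:
    """Dynamic address lists: list name -> {ip: expiry time in seconds}."""
    def __init__(self):
        self.lists = {n: {} for n in ("ssh_stage1", "ssh_stage2", "ssh_stage3", "black_list")}

    def has(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        return expiry is not None and expiry > now   # expired entries no longer match

    def add(self, name, ip, now, timeout):
        # Assumption: re-adding an address already on the list refreshes its timeout.
        self.lists[name][ip] = now + timeout

def new_ssh_connection(lists, ip, now):
    """Evaluate the input chain for one new TCP/22 connection from ip at time now.
    Rule order mirrors the page: drop if black_listed; otherwise each stage rule
    promotes the source one list up, and the last rule always lists it in ssh_stage1.
    add-src-to-address-list does not terminate processing, so the connection still
    reaches sshd on the packet that promotes the source to black_list."""
    if lists.has("black_list", ip, now):
        return "drop"
    if lists.has("ssh_stage3", ip, now):
        lists.add("black_list", ip, now, BLACKLIST_TIMEOUT)
    if lists.has("ssh_stage2", ip, now):
        lists.add("ssh_stage3", ip, now, STAGE_TIMEOUT)
    if lists.has("ssh_stage1", ip, now):
        lists.add("ssh_stage2", ip, now, STAGE_TIMEOUT)
    lists.add("ssh_stage1", ip, now, STAGE_TIMEOUT)
    return "accept"

def simulate(attempts):
    """attempts: list of (time_seconds, ip) new connections. Returns one verdict each."""
    lists = AddressLists()
    return [new_ssh_connection(lists, ip, t) for t, ip in attempts]

# Constructed samples: a brute forcer reconnecting every 2 s from a TEST-NET-3
# address, and an admin who logs in every 5 minutes from a TEST-NET-1 address.
ATTACKER = [(t, "203.0.113.5") for t in range(0, 20, 2)]
ADMIN = [(t, "192.0.2.10") for t in (0, 300, 600, 900)]

if __name__ == "__main__":
    print("attacker:", simulate(ATTACKER))   # 4 accepts, then dropped for a day
    print("admin:   ", simulate(ADMIN))      # stage entries expire between logins
```

Because the ssh_stage entries expire after a minute, a source that spaces its connections further apart than that never climbs past ssh_stage1, which is why the ruleset measures connections per minute rather than failed logins.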

Oh ok.. awesome. Thanks for the replies... that is exactly what I needed. I knew I read something along those lines.

Greetings!

A couple of questions if I might…

If one places this script on the EDGE router only, will it offer protection to downstream nodes?

Or do you have to add this script to every Mikrotik node?

Also could this be edited for FTP?

Thanks,

j.

search:
http://forum.mikrotik.com//viewtopic.php?f=9&t=16915

Thanks,

Very much appreciated!

j.