Problem in smartphone, iPad etc.

hello guys

I need your opinion and comments regarding this problem. I have the script from http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention in my mikbox, and I notice that some smartphones, iPads and iPhones always get banned in the address-list, so I remove them manually from the address-list. Has somebody experienced this kind of problem?

thanks

That doesn’t make any sense. Normal smartphones don’t initiate FTP and SSH connections. Show your firewall rule set.

Also, unless you have to be allowing the world access via FTP/SSH it is far more secure to just limit the networks that can hit the router for administrative purposes - especially when you consider VPNs. That then makes protection against brute force exploits more or less pointless.

Hello fewi, thanks for your reply. Here's my simple router config:

[myron@Kamote] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; not allowed
chain=forward action=drop in-interface=hotspot vlan out-interface=office vlan

2 chain=forward action=drop in-interface=hotspot vlan out-interface=opera vlan

3 ;;; worms
chain=forward action=drop protocol=tcp dst-port=135-139,445,539,5554,1068,9996,4444,43,17300,6969

4 chain=forward action=drop protocol=tcp dst-port=1030,1080,1214,1363,1368,1373,1377,1433-1434,2745

5 chain=forward action=drop protocol=udp
dst-port=135-139,445,69,53,2283,2535,3127-3128,3410,5554,8866,9898,1900

6 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners
address-list-timeout=2w

7 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

8 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners
address-list-timeout=2w

9 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners
address-list-timeout=2w

10 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

11 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
address-list=port scanners address-list-timeout=2w

12 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

13 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

14 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21

15 chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m

16 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h
content=530 Login incorrect

17 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22

18 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3
address-list=ssh_blacklist address-list-timeout=52w2d dst-port=22

19 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2
address-list=ssh_stage3 address-list-timeout=1m dst-port=22

20 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1
address-list=ssh_stage2 address-list-timeout=1m dst-port=22

21 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1
address-list-timeout=1m dst-port=22

22 ;;; hotspot no rules
chain=forward action=accept in-interface=hotspot vlan

23 chain=forward action=accept in-interface=hotspot vlan

24 chain=forward action=accept out-interface=hotspot vlan

25 chain=forward action=accept out-interface=hotspot vlan

26 X ;;; rdp
chain=forward action=accept protocol=tcp dst-port=3389

27 ;;; brother printer port
chain=forward action=accept protocol=tcp dst-port=54921

28 ;;; ICMP
chain=forward action=accept protocol=icmp

29 ;;; mail, pop3
chain=forward action=accept protocol=tcp dst-port=25,26,143,110,465,995,2525,587,993

30 ;;; HTTP
chain=forward action=accept protocol=tcp dst-port=80,81

31 ;;; HTTPS
chain=forward action=accept protocol=tcp dst-port=443

32 ;;; MSN
chain=forward action=accept protocol=tcp dst-port=1863,6891-6900,7001

33 chain=forward action=accept protocol=udp dst-port=6901

34 ;;; ventrillo and mumble
chain=forward action=accept protocol=tcp dst-port=4346,64738

35 ;;; vonage
chain=forward action=accept protocol=udp dst-port=10000-20000

36 chain=forward action=accept protocol=udp dst-port=5050,5060-5063

37 chain=forward action=accept protocol=udp dst-port=123

38 chain=forward action=accept protocol=udp dst-port=80

39 X ;;; SSH
chain=forward action=accept protocol=tcp dst-port=22,23

40 ;;; eve-online
chain=forward action=accept protocol=tcp dst-port=26000,6112

41 ;;; winbox
chain=forward action=accept protocol=tcp dst-port=8291

42 ;;; cctv port
chain=forward action=accept protocol=tcp src-port=8000-8001

43 ;;; mirc
chain=forward action=accept protocol=tcp dst-port=6665-7000

44 ;;; streaming server
chain=forward action=accept protocol=tcp dst-port=8000

45 ;;; instant messenger
chain=forward action=accept protocol=tcp dst-port=5050,5100

46 ;;; INCOMING Manila VPN
chain=forward action=accept protocol=tcp src-port=1723

47 ;;; nano allow
chain=forward action=accept protocol=tcp src-port=1234,12345

48 ;;; ubi to outside
chain=forward action=accept protocol=tcp dst-port=12345

49 ;;; teamspeak
chain=forward action=accept protocol=udp dst-port=9987

50 ;;; google talk
chain=forward action=accept protocol=tcp dst-port=5222,5223

51 ;;; pptp
chain=forward action=accept protocol=gre

52 ;;; zynga poker
chain=forward action=accept protocol=tcp dst-port=9339

53 ;;; china stock exchange
chain=forward action=accept protocol=tcp dst-port=7708-7709

54 ;;; FTP
chain=forward action=accept protocol=tcp dst-port=20,21

55 X chain=forward action=accept connection-state=established

56 X chain=forward action=accept connection-state=related

57 ;;; fuego smtp/webmail
chain=forward action=accept protocol=tcp dst-port=2095

58 ;;; mikrotik remote support
chain=forward action=accept protocol=tcp dst-port=1122

59 ;;; cctv port dst
chain=forward action=accept protocol=tcp dst-port=63600-63400

60 ;;; dns
chain=forward action=accept protocol=tcp dst-port=53

61 chain=forward action=accept protocol=udp dst-port=53

62 ;;; taiwan webmail
chain=forward action=accept protocol=tcp dst-port=3000

63 ;;; torrent
chain=forward action=drop protocol=tcp src-port=50000-65500 dst-port=10000-65500
time=8h-17h59m,sun,mon,tue,wed,thu,fri,sat

64 chain=forward action=drop protocol=udp src-port=50000-65500 dst-port=10000-65500
time=7h-17h59m,sun,mon,tue,wed,thu,fri,sat

65 chain=forward action=drop protocol=tcp src-port=10000-65500 dst-port=10000-65500
time=7h-17h59m,sun,mon,tue,wed,thu,fri,sat

66 chain=forward action=drop protocol=udp src-port=10000-65500 dst-port=10000-65500
time=7h-17h59m,sun,mon,tue,wed,thu,fri,sat

67 ;;; snmp
chain=forward action=drop protocol=udp dst-port=161

68 ;;; 8080 exploit
chain=input action=drop protocol=tcp in-interface=WAN dst-port=8080

69 ;;; P2P block
chain=forward action=drop p2p=all-p2p

70 ;;; default drop
chain=forward action=drop out-interface=WAN


[myron@Kamote] /ip firewall address-list> print
Flags: X - disabled, D - dynamic

LIST ADDRESS

0 D port scanners 41.132.189.251
1 D port scanners 168.167.155.11
2 D port scanners 192.168.3.63


[myron@Kamote] /ip dhcp-server lease> print
Flags: X - disabled, R - radius, D - dynamic, B - blocked
36 D 192.168.3.63 A4:D1:D2:25:B0:BB iPad

In the DHCP lease at line 36 that IP belongs to the iPad; now take a look in the address-list, the IP is .63. Actually, in the last 4 days I also removed 3 iPad IPs and 2 iPhone IPs from the address list.

So according to that, the address list the phones are put on has nothing to do with brute forcing whatsoever. Those address lists have different names. They are put on your list because of the extremely low limits you're setting when looking for port scanners.

On a Hotspot, where all traffic is redirected to the router itself, your limits are WAY too low for psd (port scan detection) in the input chain. Bump those limits up and the issue goes away.
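To make fewi's point concrete, here is an added example (not code from the thread, from MikroTik, or from the wiki script) that models how the psd matcher in rule 6 scores a host. Per the RouterOS firewall documentation the four psd values are, in order, WeightThreshold, DelayThreshold, LowPortWeight and HighPortWeight: packets from one source to different destination ports, each arriving within DelayThreshold of the previous one, accumulate weight (LowPortWeight for privileged ports <= 1024, HighPortWeight for the rest), and the match fires once the total reaches WeightThreshold. The exact internal bookkeeping is not documented, so the per-source sequence logic below is a simplifying assumption. The traffic samples are constructed: a tablet waking up on a hotspot where every connection is redirected to the router, and a host sweeping 60 low ports. The IP 198.51.100.7 is a documentation-range placeholder.

```python
"""Simplified model of RouterOS' psd=W,D,L,H port-scan matcher.

Illustration only: not RouterOS code. The exact way RouterOS groups packets
into a sequence is an assumption; the parameter meanings follow the docs.
"""
from collections import defaultdict
from dataclasses import dataclass


def parse_duration(text: str) -> float:
    """Parse a RouterOS-style duration such as '3s', '500ms' or '1m' into seconds."""
    units = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}
    for suffix in ("ms", "s", "m", "h"):  # 'ms' must be checked before 's'
        if text.endswith(suffix):
            return float(text[: -len(suffix)]) * units[suffix]
    return float(text)


@dataclass(frozen=True)
class PsdParams:
    weight_threshold: int    # field 1: total weight that counts as a scan sequence
    delay_threshold: float   # field 2: max gap in seconds between packets of one sequence
    low_port_weight: int     # field 3: weight of a privileged destination port (<= 1024)
    high_port_weight: int    # field 4: weight of a non-privileged destination port

    @classmethod
    def parse(cls, text: str) -> "PsdParams":
        """Parse the psd=W,D,L,H syntax, e.g. '21,3s,3,1' from rule 6."""
        w, d, lo, hi = text.split(",")
        return cls(int(w), parse_duration(d), int(lo), int(hi))

    def port_weight(self, port: int) -> int:
        return self.low_port_weight if port <= 1024 else self.high_port_weight


def detect_scanners(packets, params: PsdParams) -> dict:
    """Return {src_ip: time_flagged} for sources whose new-port weight hit the threshold.

    packets: iterable of (timestamp_seconds, src_ip, dst_port) in time order.
    Assumed model: per source, packets closer than delay_threshold form one
    sequence; each *new* destination port in the sequence adds its weight; a
    gap longer than delay_threshold starts a fresh, empty sequence.
    """
    flagged = {}
    state = defaultdict(lambda: {"last": None, "ports": set(), "weight": 0})
    for ts, src, port in packets:
        if src in flagged:
            continue
        s = state[src]
        if s["last"] is not None and ts - s["last"] > params.delay_threshold:
            s["ports"].clear()
            s["weight"] = 0
        s["last"] = ts
        if port not in s["ports"]:
            s["ports"].add(port)
            s["weight"] += params.port_weight(port)
            if s["weight"] >= params.weight_threshold:
                flagged[src] = ts
    return flagged


def ipad_wakeup(src="192.168.3.63", t0=0.0):
    """Constructed sample: a tablet waking on a hotspot where DNS, captive-portal
    HTTP/HTTPS, NTP, mail and push-notification connections all hit the router."""
    ports = [53, 80, 443, 123, 993, 587, 5223, 2195, 4502, 1900]
    return [(t0 + 0.2 * i, src, p) for i, p in enumerate(ports)]


def sequential_probe(src="198.51.100.7", t0=0.0, n_ports=60):
    """Constructed sample: one host touching 60 privileged ports in quick succession."""
    return [(t0 + 0.05 * i, src, p) for i, p in enumerate(range(1, n_ports + 1))]


def compare(psd_text: str) -> dict:
    """Run both constructed samples through the model for one psd= setting."""
    params = PsdParams.parse(psd_text)
    traffic = sorted(ipad_wakeup() + sequential_probe(), key=lambda p: p[0])
    return detect_scanners(traffic, params)


if __name__ == "__main__":
    for text in ("21,3s,3,1", "45,3s,3,1"):
        print(f"psd={text}: flagged {compare(text)}")
```

With the thread's default psd=21,3s,3,1 the tablet's four privileged ports alone contribute 12 weight, so a handful of background connections within three seconds of each other pushes it past 21 and onto the port scanners list, exactly what the address-list output above shows for 192.168.3.63. Raising WeightThreshold (45 is just a value chosen for the comparison, not a recommendation) leaves the tablet alone while the 60-port sweep is still caught. The model also makes visible why hotspot clients are affected at all: rule 6 has no in-interface restriction, unlike rule 68, so it scores LAN clients as well as WAN sources.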

The default is psd=21,3s,3,1; which one do I increase, fewi?

weeewww thanks fewi