Remote access

Andrius830 · August 5, 2015, 9:09am

Hello all,

I got quite a silly and newbie question, how could i disable remote access from public ip, since i’m having problems as shown:
ssssa.png
is there any way to avoid this?

Thanks in advance

JB172 · August 5, 2015, 10:51am

You can block bruteforce attacts for ssh, telnet and ftp. The following rules makes 3 different black lists. For ssh, ftp and telnet.

/ip firewall filter
add action=drop chain=input comment=“drop ssh brute forcers” dst-port=22 protocol=tcp src-address-list=
ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist chain=input connection-state=new dst-port=
22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input
connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment=“Blocks SSH” dst-port=22 protocol=tcp
add chain=output content=“530 Login incorrect” dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=drop chain=input comment=“drop ftp brute forcers” dst-port=21 protocol=tcp src-address-list=
ftp_blacklist
add action=add-src-to-address-list address-list=ftp_blacklist chain=input connection-state=new dst-port=
21 protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 address-list-timeout=1m chain=input
connection-state=new dst-port=21 protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=1m chain=input
connection-state=new dst-port=21 protocol=tcp src-address-list=ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m chain=input
connection-state=new dst-port=21 protocol=tcp
add action=drop chain=input comment=“drop Telnet brute forcers” dst-port=23 protocol=tcp
src-address-list=Telnet_blacklist
add action=add-src-to-address-list address-list=Telnet_blacklist chain=input connection-state=new
dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input
connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input
connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input
connection-state=new dst-port=23 protocol=tcp