Hi all,
does anyone have a script to block (DROP) a certain IP after 3 (or any number) of invalid SSH/FTP attempts? I added some IP’s manually to the firewall (IP → FIREWALL → Filter rules → … → Action DROP) but sometimes I don’t have time to check out the log manually.
I am asking because lately my RB532’s are under attack from quite a few IP’s trying out combinations of user names/passwords and I don’t have time to block every IP manually.
Can someone help?
Thank you in advance
john
Isnt easier to use address list contains only valid-admins ip whos have rights to access to your routerboard?
Or just use strong passwords and allow them to keep getting dropped on their own. Or just change the SSH port if you are tired of seeing them.
Sam
u can of course by adding some rules to ur input chain
with action trapit and action addto address list (let’s say kind of IDS)
4 ;;; detect and drop port scan connections
chain=input protocol=tcp psd=21,3s,3,1 action=drop
5 ;;; suppress DoS attack
chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit
6 ;;; detect DoS attack
chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d
Hello All,
Just manage to submenu [/ip service] this’s simple solution for protect your Router.
Peace all
Balimore DOT com