Script to 'tarpit' ip on failed login attempts?

Hello,

Due to many reasons, I cannot harden my RouterOS boxes to the point of only allowing certain IPs to access ssh/winbox, nor will port knocking work for me. Due to this, I often find boards underperforming due to constant login attempts from unauthorized users.

I simply add a firewall rule dropping all traffic from this IP.

Is there a script available that would do this for me automatically based on, let's say, 10 failed login attempts?

Please Help, this is very hindering!

Here is one way of doing it. Very inefficient, but does the job.
Tested on V3.13

# Address-list that the firewall drop rule matches, and how many failures trigger a ban
:global ListName SSHAttack
:global NumFailures 10
:global bad ""

# Collect the source IP from every "login failure for user ... from <ip> via <service>" log entry
:foreach i in=[/log find topics=system,error,critical] do={
  :local message [/log get $i message]
  :local pos1 ([:find $message "from"]+5)
  :local pos2 ([:find $message "via"]-2)
  :local IP [:toip [:pick $message $pos1 $pos2]]
  :if ($bad="") do={
    :set bad $IP
  } else={
    :set bad "$bad,$IP"
  }
}
# Turn the comma-separated string into an array of IPs (one entry per failed attempt)
:set bad [:toarray $bad]

# Count how often each IP appears; add it to the list once it reaches NumFailures
:foreach i in=$bad do={
  :local Count 0
  :foreach j in=$bad do={
    :if ($i = $j) do={
      :set Count ($Count+1)
      :if ($Count >= $NumFailures) do={
        # Only add the address if it is not already on the list
        :if ([:len [/ip firewall address-list find address=$i list=$ListName]]=0) do={
          /ip firewall address-list add address=$i list=$ListName
        }
      }
    }
  }
}

You will of course have to add a firewall rule to drop traffic for SSHAttack in the appropriate spot as well as schedule this script to run however often you want it to.

-Louis
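The firewall rule and scheduler that Louis says still have to be added, as an added example that is not part of his post or of the thread; it assumes the script above has been saved under the hypothetical name sshattack, that ssh is still on port 22, and a 5 minute run interval:

```routeros
# Drop anything already on the SSHAttack list. place-before=0 puts the rule at the
# top of the input chain so it is evaluated before any later accept rule for ssh.
# action=tarpit (which holds the TCP connection open instead of dropping it) is
# the alternative the thread title asks about.
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=SSHAttack \
    action=drop comment="drop hosts collected by the sshattack script" place-before=0

# Run the log-scanning script every 5 minutes (assumed interval) so new
# offenders are added to the list shortly after their failed attempts are logged.
/system scheduler
add name=sshattack-check interval=5m on-event="/system script run sshattack" \
    comment="populate SSHAttack address-list from failed logins"

# To check what has been collected so far:
/ip firewall address-list print where list=SSHAttack
```

Entries added this way are permanent; the address-list add command also accepts a timeout= argument if you prefer bans that expire on their own.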

You could of course just adapt the wiki example for your specific needs;

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP_%26_SSH)

(watch the wrap)

Another simple way that's more efficient is to just use the NTH rule with SYN packets on port 22. Set it very low so that anyone probing that port more than 1-2 times is going to get tarpitted for a while. Your valid ssh connections will get through because you're a human : )

Also - if you really want to make it better then just change your ssh port from 22 to something else.

That did the trick. Unfortunately I have one board that has attempts via FTP. I’ve changed the ftp port as well and the attempts still occur. Any suggestions?

Just go into /ip services and change the port there.