To prevent password bruteforcing your FTP server

Here are a few firewall rules to stop or slow down brute forcers trying to crack passwords on your FTP server. In this example, the FTP server is the MikroTik router itself. To protect an FTP server behind the MikroTik, you have to use the forward chain instead of the input and output chains.

The initial stage (stage 1) adds the IP address to the temporary address list ftp_stage1 (times out after 1 minute). Thereafter, every failed login attempt within one minute triggers the next stage (stage 2 to stage 4) until the last stage (stage 5) is reached, which adds the IP address to ftp_blacklist (times out after 1 week).

You have to change in-interface to something else if ether1 is not the network interface card (NIC) connected to the Internet.


This rule drops all listed brute forcers

/ ip firewall filter 
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="drop ftp brute forcers" disabled=no

This rule adds brute forcers to the blacklist (fourth login attempt within a minute)

/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage4 action=add-dst-to-address-list \
    address-list=ftp_blacklist address-list-timeout=1w comment="auto-firewall ftp - stage 5" disabled=no

Third login attempt (within a minute)

/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage3 action=add-dst-to-address-list \
    address-list=ftp_stage4 address-list-timeout=1m comment="auto-firewall ftp - stage 4" disabled=no

Second login attempt (within a minute)

/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage2 action=add-dst-to-address-list \
    address-list=ftp_stage3 address-list-timeout=1m comment="auto-firewall ftp - stage 3" disabled=no

First login attempt (within a minute)

/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage1 action=add-dst-to-address-list \
    address-list=ftp_stage2 address-list-timeout=1m comment="auto-firewall ftp - stage 2" disabled=no

Initial stage

/ ip firewall filter 
add chain=input in-interface=ether1 protocol=tcp dst-port=21 action=add-src-to-address-list \
    address-list=ftp_stage1 address-list-timeout=1m comment="auto-firewall ftp - stage 1" disabled=no
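As an added illustration (not code from the post above), here is a small Python model that walks one client's failed logins through the six rules in the order they are listed, so you can see how the per-stage one-minute timeouts chain together. The IP addresses and timings are constructed sample data.

```python
# Added model of the five-stage escalation above (not from the post): each
# failed login is one "530 Login incorrect" reply from the router, matched by
# the output-chain rules in the order they are listed.
MINUTE = 60
WEEK = 7 * 24 * 3600

# (list the rule matches on, list it adds the address to, entry timeout)
OUTPUT_RULES = [
    ("ftp_stage4", "ftp_blacklist", WEEK),   # stage 5
    ("ftp_stage3", "ftp_stage4", MINUTE),    # stage 4
    ("ftp_stage2", "ftp_stage3", MINUTE),    # stage 3
    ("ftp_stage1", "ftp_stage2", MINUTE),    # stage 2
]

class AddressLists:
    """Dynamic address-list entries: (list name, ip) -> expiry time."""

    def __init__(self):
        self.entries = {}

    def add(self, name, ip, now, timeout):
        # re-adding an existing dynamic entry restarts its timeout
        self.entries[(name, ip)] = now + timeout

    def contains(self, name, ip, now):
        return self.entries.get((name, ip), -1) > now

def failed_login(lists, ip, now):
    """One failed login from ip at time now: returns 'drop' if the input chain
    already drops the client, else the highest list the address is now on."""
    if lists.contains("ftp_blacklist", ip, now):
        return "drop"  # rule 1: drop listed brute forcers (input chain)
    # stage 1: any TCP/21 packet from the client refreshes ftp_stage1
    lists.add("ftp_stage1", ip, now, MINUTE)
    # output chain: add-dst-to-address-list passes through, so every matching
    # rule fires, but with the highest stage listed first one reply can only
    # promote the address by a single stage
    for match, target, timeout in OUTPUT_RULES:
        if lists.contains(match, ip, now):
            lists.add(target, ip, now, timeout)
    for name in ("ftp_blacklist", "ftp_stage4", "ftp_stage3", "ftp_stage2"):
        if lists.contains(name, ip, now):
            return name
    return "ftp_stage1"

if __name__ == "__main__":
    lists = AddressLists()
    # constructed sample: attempts 50 s apart still escalate (each stage only
    # needs the previous one to be less than a minute old)
    for t in (0, 50, 100, 150, 151):
        print(t, failed_login(lists, "198.51.100.7", t))
```

Note that the window is one minute between consecutive failures, not one minute in total: four failures 50 seconds apart still reach the blacklist, while failures more than a minute apart never get past stage 2.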

You should put it in the wiki.

Maybe, if a native English speaker can correct all my grammar and spelling errors. I would also like some input on whether it is wise to create two new chains and jump the traffic to them (I did that on my own router). I also have a similar solution to protect the SSH server in MikroTik RouterOS from brute-forcing attempts.

Good :slight_smile: BUT there is a much simpler way to do this (only two rules will be used):

/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

/ ip firewall filter
add chain=output action=add-src-to-address-list protocol=tcp content="530 Login incorrect" dst-limit=10/1m,0,dst-address/1m40s address-list=ftp_blacklist

The rule above allows only 10 "login incorrect" answers per minute.

I tried, but the traffic gets blocked after the first login attempt. :frowning:

Nice script.

Sorry, my mistake:

/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

# accept 10 incorrect logins per minute
/ ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

# add to blacklist (same list name the drop rule above matches on)
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

This is working correctly. Tested :slight_smile:
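To show what the accept rule with dst-limit in front of the blacklist rule does, here is an added Python model (not code from the post above) of a per-destination token bucket: replies inside the budget hit the accept rule, the first reply over budget falls through to the blacklist rule, and the client is then dropped for 3 hours. The bucket size of 10 is taken from the post's own "10 incorrect logins per minute" claim and is an assumption, not a statement about RouterOS internals; addresses and timings are constructed.

```python
# Added model of the two-rule variant above (not from the post): an accept
# rule with dst-limit=1/1m,9,dst-address/1m sits in front of the rule that
# adds the destination to the blacklist, so only replies over budget reach it.
MINUTE = 60
BLACKLIST_TIMEOUT = 3 * 3600  # address-list-timeout=3h

class DstLimitFirewall:
    """Per-destination token bucket standing in for RouterOS dst-limit."""

    def __init__(self, rate_per_min=1, burst=9):
        # bucket size is taken from the post's claim of 10 per minute
        # (rate + burst); treat that as an assumption, not a RouterOS fact
        self.capacity = rate_per_min + burst
        self.refill = rate_per_min / MINUTE   # tokens per second
        self.expire = MINUTE                  # the trailing "/1m"
        self.buckets = {}                     # ip -> (tokens, last seen)
        self.blacklist = {}                   # ip -> expiry time

    def _take_token(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.capacity, now))
        if now - last >= self.expire:
            tokens = self.capacity           # idle entry expired: start fresh
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, now)
            return True
        self.buckets[ip] = (tokens, now)
        return False

    def failed_login(self, ip, now):
        """One '530 Login incorrect' reply to ip; returns the rule it hit."""
        if self.blacklist.get(ip, -1) > now:
            return "drop"        # rule 1: src-address-list=ftp_blacklist
        if self._take_token(ip, now):
            return "accept"      # rule 2: still inside the dst-limit budget
        self.blacklist[ip] = now + BLACKLIST_TIMEOUT
        return "blacklist"       # rule 3: add-dst-to-address-list

if __name__ == "__main__":
    fw = DstLimitFirewall()
    # constructed sample: 12 failures in 12 seconds from one client
    for t in range(12):
        print(t, fw.failed_login("198.51.100.7", t))
```

A client that fails once a minute never exhausts the bucket, which is the trade-off of this variant compared to the staged version: it tolerates slow guessing in exchange for two rules instead of six.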

Tested and working.

Another way to protect yourself:
Make an account with ONLY ftp permission.
This should not compromise your server too much.
Also, leave the admin account with no rights at all, and make another with a name of your choice.
This should make it even harder for the attacker to get a valid username/password pair for access to your network.

Yes, you may use this script in your tutorial :slight_smile:

mrz,

I can’t seem to get your script working at all, I’ve very carefully entered it, and verified it in winbox. I can still ssh into the box even after as many as 12 failed attempts. Any insight would be appreciated.

Mac

Nevermind, got it working thanks!

I have just tried to implement this script and it is not working.

I used the script from the wiki which omitted the interface reference.

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP

Below is the script as I am running it.

add action=drop chain=forward comment="Drop FTP Brute Force" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist

add action=accept chain=forward comment="" content="530 1326" disabled=no \
    dst-limit=1/1m,9,dst-address/1m protocol=tcp

add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=forward comment="" content="530 1326" \
    disabled=no protocol=tcp

The Mikrotik is not the FTP server so I have changed the chains from input/output to forward and updated the 530 Incorrect Login to match the response my server gives but it still doesn’t work. I have tried adding the interface as well as using input/output instead of forward but it doesn’t show as seeing any traffic.

Regards,
Joie

Does anyone know how to send the result of this rule by email, some kind of mail report from it? Thanks a lot to anyone who can help me.