 
FaizAwalludin
just joined
Topic Author
Posts: 4
Joined: Thu Aug 04, 2016 5:46 am

how to change firewall rules using script?

Thu Aug 04, 2016 6:00 am

Hello mate, I'm new here..
I'd like to ask if it's possible to change firewall rules using a script.
I'm testing the security of my router, so I'll just get to the point.
I made firewall rules to detect some basic attacks such as SSH brute force, FTP brute force, ICMP flood, etc.
What I'd like to ask is how to change the time interval for blocking the attacker's IP address.
My default interval for blocking the attacker's IP address is 1 minute, but after my script for sending email from the router has run, I'd like to add a feature in my script to change the interval to 7 days, so I don't need to bother changing the interval manually.
Or maybe there's a way to block the attacker's IP address manually that I need to know.

Thanks for any help and I'm sorry for my bad English..
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: how to change firewall rules using script?

Thu Aug 04, 2016 7:30 am

Yes, you can, but I'm not enough of a scripting expert to give much advice beyond doing a lot of reading on the Wiki. I will point you at the page that I started with:
http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router
 
FaizAwalludin
just joined
Topic Author
Posts: 4
Joined: Thu Aug 04, 2016 5:46 am

Re: how to change firewall rules using script?

Fri Aug 05, 2016 6:47 am

> Yes, you can, but I'm not enough of a scripting expert to give much advice beyond doing a lot of reading on the Wiki. I will point you at the page that I started with:
> http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router

Thanks mate for the reply, I really appreciate it.
Well, I'll take a look at it.
I just want to make my router do the banning of the attacker's IP address automatically.
Oh, one more thing: could you tell me the meaning of the firewall action tarpit?
And what is it used for?
I'm interested in using it on my router.
 
BlackVS
Member Candidate
Posts: 174
Joined: Mon Feb 04, 2013 7:00 pm

Re: how to change firewall rules using script?

Fri Aug 05, 2016 7:30 am

You may use the address-list technique for automatic blacklisting of bruteforcers:
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
http://linux-sys-adm.com/how-to-configu ... -mikrotik/
But if your router is under massive attack and it is not a CCR, just blocking ports without using address lists may be the better solution.


Action tarpit

Instead of simply dropping the attacker's packets (with 'action=drop'), the router can capture and hold connections, and with a powerful enough router it can slow the attacker down.
http://wiki.mikrotik.com/wiki/DoS_attack_protection

For anyone unfamiliar with the technique, it replies with SYN/ACK to incoming SYN packets. It also sets the MSS to a very small size. The end result is that incoming connections are held open with virtually no data able to flow.
Main use is to slow down automated scanning (CodeRed, Nimda et al).
http://forum.mikrotik.com/viewtopic.php?t=4848
 
FaizAwalludin
just joined
Topic Author
Posts: 4
Joined: Thu Aug 04, 2016 5:46 am

Re: how to change firewall rules using script?

Sun Aug 07, 2016 6:34 pm

> You may use the address-list technique for automatic blacklisting of bruteforcers:
> http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
> http://linux-sys-adm.com/how-to-configu ... -mikrotik/
> But if your router is under massive attack and it is not a CCR, just blocking ports without using address lists may be the better solution.
>
> Action tarpit
>
> Instead of simply dropping the attacker's packets (with 'action=drop'), the router can capture and hold connections, and with a powerful enough router it can slow the attacker down.
> http://wiki.mikrotik.com/wiki/DoS_attack_protection
>
> For anyone unfamiliar with the technique, it replies with SYN/ACK to incoming SYN packets. It also sets the MSS to a very small size. The end result is that incoming connections are held open with virtually no data able to flow.
> Main use is to slow down automated scanning (CodeRed, Nimda et al).
> http://forum.mikrotik.com/viewtopic.php?t=4848

Thanks for the reply mate, but I've already configured my router with the firewall action tarpit enabled; I'd like to know how to test it.
Could you please tell me?
I'm sorry that I'm such a noob at this.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: how to change firewall rules using script?

Sun Aug 07, 2016 7:30 pm

The easiest way to do this is to use the "comment" on the rules you want to change. So ... for example ... add something like "+timeChange" to the end of each comment.... then you can use a command like

/ip firewall filter set [find comment~"<REGEX>"] address-list-timeout=7d

or you can loop...

/ip firewall filter
:foreach i in=[find comment~"<REGEX>"] do={
    set $i address-list-timeout=7d
}

Regex would be something like ^([^+]*)\\+timeChange\$ .... basically that would match <anything but +>+timeChange....

I actually use comments with keys in them in a bunch of scripts.... dynamic address list (prior to when Mikrotik added it), dynamic ipsec tunnels, etc...

-Eric
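Putting the comment-key approach above together with the original question (switch the block interval from 1 minute to 7 days from within a script), here is an added example in RouterOS scripting language. It is not code from the thread or from MikroTik; the address-list name "blacklist", the tag "+timeChange" and the comment text on the re-added entries are assumptions to be replaced with your own names.

```routeros
# Added example (not from the thread): extend the blocking interval on every
# blacklisting rule tagged "+timeChange", then extend the entries that are
# already on the list so they do not expire after the old 1-minute timeout.
# Assumptions: list name "blacklist", tag key "+timeChange".

:local newTimeout 7d
:local listName "blacklist"

# 1. Rules that add attackers to the list: change the timeout they assign.
#    Only add-*-to-address-list actions carry an address-list-timeout property,
#    so the find is restricted to that action (use add-dst-to-address-list too
#    if your rules are written that way).
/ip firewall filter
:foreach r in=[find action=add-src-to-address-list comment~"^([^+]*)\\+timeChange\$"] do={
    set $r address-list-timeout=$newTimeout
    :log info ("address-list-timeout set to " . $newTimeout . " on rule: " . [get $r comment])
}

# 2. Entries already on the list were created with the old timeout. Rather than
#    editing the dynamic entries, re-add each one statically with the new
#    timeout before the old entry expires (assumption: this matches how you
#    want already-detected attackers handled).
/ip firewall address-list
:foreach e in=[find list=$listName dynamic=yes] do={
    :local addr [get $e address]
    remove $e
    add list=$listName address=$addr timeout=$newTimeout comment="extended by script"
}
```

Save it under /system script and call it with /system script run from the end of the email script, so the interval change happens in the same run that sends the notification. Because the find is restricted by action and by the "+timeChange" tag, rules that merely log or drop are left untouched even if their comments happen to contain the word.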
 
BlackVS
Member Candidate
Posts: 174
Joined: Mon Feb 04, 2013 7:00 pm

Re: how to change firewall rules using script?

Sun Aug 07, 2016 7:38 pm

> Thanks for the reply mate, but I've already configured my router with the firewall action tarpit enabled; I'd like to know how to test it.
> Could you please tell me?
> I'm sorry that I'm such a noob at this.

Sorry, maybe I didn't catch...
What to test? Whether the tarpit rules run? Just check the bytes/packets for these rules. If they are non-zero, then the rules work...
But if they are zero there may be 2 variants: they don't work (something was set up wrong) or nobody is attacking your router ^)
Also check the corresponding address list (like blacklist or blocked-addr); it should grow ^) if somebody attacks you.
Also you can check the LOG for this rule (but it is a bad idea, because during attacks the console will be overloaded by messages. One time I rebooted a CCR1036 due to very intensive logging %)
For 100% checking of rules you can attack your router yourself, for example using KALI, but in many countries KALI is illegal even if just installed on a notebook without real usage...
Or wait for an attack from the external world (it happens very often) and try switching rules on/off and check their influence on the router's resources and the attack intensity.
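The tarpit description earlier in the thread and the counter check described in this post can be put together in a short RouterOS script. This is an added example, not code from the thread or from MikroTik: it creates a tarpit rule for TCP from blacklisted sources (tarpit only makes sense for TCP, since it works by answering SYNs) and then reads the packet and byte counters of every rule tagged "+check", which is exactly the verification described above without attacking anything. The list name "blacklist" and the "+check" tag are assumptions.

```routeros
# Added example (not from the thread): a tarpit rule for blacklisted TCP
# sources plus a counter check that tells you whether it has ever matched.
# Assumptions: address list "blacklist", rule comment tag "+check".

# The tarpit rule. Order matters: it must sit above any generic drop rule
# for the same traffic, otherwise the drop rule wins and tarpit never fires.
/ip firewall filter
add chain=input protocol=tcp src-address-list=blacklist \
    action=tarpit comment="hold blacklisted TCP connections+check"

# Verification, as suggested in the thread: non-zero counters mean the rule
# is matching; zero means either no hits yet or a misconfiguration.
/ip firewall filter
:foreach r in=[find comment~"\\+check\$"] do={
    :local cmt [get $r comment]
    :local pk  [get $r packets]
    :local by  [get $r bytes]
    :if ($pk > 0) do={
        :log info ("rule '" . $cmt . "' matched " . $pk . " packets / " . $by . " bytes")
    } else={
        :log warning ("rule '" . $cmt . "' has zero counters: no hits yet, or misconfigured")
    }
}

# The address list should grow while an attack is under way.
:put ("blacklist entries: " . [:len [/ip firewall address-list find list=blacklist]])
```

Logging one summary line per rule, rather than enabling log=yes on the tarpit rule itself, avoids the message flood this post warns about; schedule the check with /system scheduler if you want a periodic record of whether the rule is being hit.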
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: how to change firewall rules using script?

Sun Aug 07, 2016 7:46 pm

There are mostly DNS amplification attacks, which are done over UDP, so tarpitting would be useless in those cases. Just to note...
 
FaizAwalludin
just joined
Topic Author
Posts: 4
Joined: Thu Aug 04, 2016 5:46 am

Re: how to change firewall rules using script?

Mon Aug 08, 2016 5:43 am

> > Thanks for the reply mate, but I've already configured my router with the firewall action tarpit enabled; I'd like to know how to test it.
> > Could you please tell me?
> > I'm sorry that I'm such a noob at this.
>
> Sorry, maybe I didn't catch...
> What to test? Whether the tarpit rules run? Just check the bytes/packets for these rules. If they are non-zero, then the rules work...
> But if they are zero there may be 2 variants: they don't work (something was set up wrong) or nobody is attacking your router ^)
> Also check the corresponding address list (like blacklist or blocked-addr); it should grow ^) if somebody attacks you.
> Also you can check the LOG for this rule (but it is a bad idea, because during attacks the console will be overloaded by messages. One time I rebooted a CCR1036 due to very intensive logging %)
> For 100% checking of rules you can attack your router yourself, for example using KALI, but in many countries KALI is illegal even if just installed on a notebook without real usage...
> Or wait for an attack from the external world (it happens very often) and try switching rules on/off and check their influence on the router's resources and the attack intensity.

I mean, what kind of attack to use to test whether the tarpit runs.
I've attacked my router but no address-list entry comes up.
I use Kali rolling but I have no idea how to attack the router to find out whether the tarpit runs.

> There are mostly DNS amplification attacks, which are done over UDP, so tarpitting would be useless in those cases. Just to note...

I know mate, but it's not too dangerous here.
I mean, most attackers just attack SSH, FTP or even just flood ICMP packets.
As far as I know, no attacker has attacked my router over UDP.
 
rohitojha
just joined
Posts: 3
Joined: Mon Mar 21, 2016 3:52 pm

Re: how to change firewall rules using script?

Tue Nov 08, 2016 4:37 pm

> Hello mate, I'm new here..
> I'd like to ask if it's possible to change firewall rules using a script.
> I'm testing the security of my router, so I'll just get to the point.
> I made firewall rules to detect some basic attacks such as SSH brute force, FTP brute force, ICMP flood, etc.
> What I'd like to ask is how to change the time interval for blocking the attacker's IP address.
> My default interval for blocking the attacker's IP address is 1 minute, but after my script for sending email from the router has run, I'd like to add a feature in my script to change the interval to 7 days, so I don't need to bother changing the interval manually.
> Or maybe there's a way to block the attacker's IP address manually that I need to know.
>
> Thanks for any help and I'm sorry for my bad English..

Hi Faiz,

Can you share with me the configuration related to securing the network? Even I am getting a lot of brute-force attacks. Every time I see unusual traffic in my network, I run torch on my interface and I see a lot of flooding happening.
Kindly share your configuration with respect to security. Also, is it possible to block ping requests to my RouterBoard from any IP address apart from mine? We are using a MikroTik board for PPPoE customers.

Thanks in advance
