49er
Member
Topic Author
Posts: 401
Joined: Tue Sep 27, 2011 7:55 am

Brute Force SSH blacklist

Fri Dec 21, 2018 8:24 am

Hi.
I have a brute-force blacklist on my device, but I want to exclude one IP address. Is that possible?
I'd like to exclude one (or more) IP addresses from being put on the blacklist address-list.

/ip firewall filter
# Drop anything already on the blacklist (evaluated first).
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

# A new connection from a source already at stage 3 gets blacklisted for 10 days.
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

# Stage 2 -> stage 3 (stages are checked highest-first so one packet cannot cascade).
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

# Stage 1 -> stage 2.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

# Any first new SSH connection puts the source at stage 1 for 1 minute.
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
 
mkx
Forum Guru
Posts: 3179
Joined: Thu Mar 03, 2016 10:23 pm

Re: Brute Force SSH blacklist

Fri Dec 21, 2018 8:36 am

It would be easier if you constructed a whitelist and accepted connections from whitelisted source addresses before you deal with brute forcers.
BR,
Metod
 
49er
Member
Topic Author
Posts: 401
Joined: Tue Sep 27, 2011 7:55 am

Re: Brute Force SSH blacklist

Fri Dec 21, 2018 12:06 pm

I know, but I want to be able to access it from anywhere, and that is not possible if you use a whitelist.
 
mkx
Forum Guru
Posts: 3179
Joined: Thu Mar 03, 2016 10:23 pm

Re: Brute Force SSH blacklist

Fri Dec 21, 2018 1:20 pm

I know, but I want to be able to access it from anywhere, and that is not possible if you use a whitelist.
You wrote in the OP that you wanted to "exclude 1 IP address" from the blacklist. Can you make up your mind?

Actually, you can connect from anywhere ... as long as the IP address used is not blacklisted already.
BR,
Metod
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Brute Force SSH blacklist

Fri Dec 21, 2018 1:29 pm

I know, but I want to be able to access it from anywhere, and that is not possible if you use a whitelist.
Actually, Port Knocking allows for this.
https://wiki.mikrotik.com/wiki/Port_Knocking

But the short answer is to add an accept for a source IP before your brute-force rules. Or edit the brute-force rules to include !Source IP.
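A worked version of both suggestions above, added here as an example and not taken from the thread: an accept rule for a trusted source placed above the OP's blacklist and staging rules, plus the negated list match on the stage-1 rule so that source never enters the staging chain. The list name ssh_whitelist and the address 192.0.2.10 are placeholders; only the stage-1 rule is repeated, the others stay as in the OP.

```routeros
# Added example (not from the thread). 192.0.2.10 is a placeholder address.
/ip firewall address-list
add list=ssh_whitelist address=192.0.2.10 comment="trusted admin source (placeholder)"

# If the trusted source was already caught, remove it from the blacklist and stages,
# otherwise the existing drop rule keeps matching it until the 10d timeout expires.
/ip firewall address-list
remove [find list=ssh_blacklist address=192.0.2.10]
remove [find list=ssh_stage1 address=192.0.2.10]
remove [find list=ssh_stage2 address=192.0.2.10]
remove [find list=ssh_stage3 address=192.0.2.10]

/ip firewall filter
# Option A: accept the trusted source first. place-before=0 puts this rule at the
# top of the filter table, ahead of the "drop ssh brute forcers" rule, so a
# whitelisted host is neither dropped nor added to any stage list.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_whitelist \
    action=accept comment="allow trusted ssh sources" place-before=0

# Option B: negate the whitelist on the stage-1 rule ("!Source IP" in the post).
# Since every source enters the chain via stage 1, a host that never reaches
# stage 1 can never be promoted to stage 2, 3 or the blacklist.
# Replace the OP's last rule with this one (same position, extra negated match).
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=!ssh_whitelist action=add-src-to-address-list \
    address-list=ssh_stage1 address-list-timeout=1m \
    comment="ssh stage1 (skips whitelisted sources)" disabled=no
```

Option A alone is sufficient because accept terminates evaluation for that packet; Option B additionally protects against the whitelist rule being moved below the staging rules later.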
 
Jotne
Forum Guru
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Brute Force SSH blacklist

Fri Dec 21, 2018 3:01 pm

For SSH I do the following.

1. Port Knocking
2. Use another port than 22
3. If someone tries a non-open port on my system, they get blocked on all ports for 24 hours.

PS: I do not have SSH to my router, but to a server. From that I can SSH to the router.
The server is logged in many ways, so I see what's going on.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 