 
Crow2k
just joined
Topic Author
Posts: 1
Joined: Thu May 23, 2019 9:46 am

Ban IP's / Drop connections of RDP Brute forcers

Thu May 23, 2019 10:01 am

Hi There,
I am fairly new to MikroTik routers and am currently only using the web GUI. In the last day or so I noticed that a hostile party is trying to brute force my 3 servers with RDP attempts (TCP connections); each is on a different port, 33891, 33892 and 33893 respectively. I was hoping someone might help me create some firewall filter rules to blacklist an IP that forces more than 5 failed connections/login attempts per minute and then enforce rules to ban that IP from connecting for 30 days once it is on the list.

I cannot run with an allowed IP address configuration because I have users connecting in from dynamic IPs.
 
karlisi
Member Candidate
Posts: 247
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Ban IP's / Drop connections of RDP Brute forcers

Thu May 23, 2019 4:42 pm

---
Karlis
 
anav
Forum Guru
Posts: 2936
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Ban IP's / Drop connections of RDP Brute forcers

Thu May 23, 2019 5:41 pm

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain.
As the rhyme goes. I would like to slap the peepee of the person that wrote the wikee. Slow day. ;-)

Highly recommend you read through this thread for some sage advice!
viewtopic.php?f=2&t=139793&p=689467&hil ... ts#p689467
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
karlisi
Member Candidate
Posts: 247
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Ban IP's / Drop connections of RDP Brute forcers

Fri May 24, 2019 10:04 am

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain.
In simple English: why is the drop in the input chain, not in raw? Perhaps the linked wiki is intended to show the principle, not a working configuration. You never know what other firewall rules are there, and testing blacklisting in raw can break something.
---
Karlis
 
ingdaka
Member Candidate
Posts: 146
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Ban IP's / Drop connections of RDP Brute forcers

Sun May 26, 2019 10:23 pm

/ip firewall filter
# Drop anything already on the blacklist (entries expire after 10 days).
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

# 4th new connection from a source already at stage3: blacklist it for 10 days.
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

# 3rd new connection within a minute: promote stage2 -> stage3.
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

# 2nd new connection within a minute: promote stage1 -> stage2.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

# Every new connection: put the source on stage1 for one minute.
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

Just replace port 22 with the port you want to drop!
Ilir Daka
Electronic & Network Engineer
E-mail: ilirdaka@live.com
Mob: +355692982151
WhatsApp: +355692982151
Mikrotik Official Consultant
CCNA | Fortinet NSE3 | MTCRE | MTCSE
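The same staging idea adapted to the original question, as an added example that is not ingdaka's rule set above and not MikroTik's wiki configuration. It assumes, hypothetically, that the public ports 33891-33893 are dst-nat'ed to port 3389 on three internal servers (so traffic to them traverses the forward chain, where dst-port is the translated 3389), that the internet-facing interfaces are in an interface list named "WAN", and that 203.0.113.10 is a constructed placeholder for a known-good source. The ladder is extended to five stages so that the sixth new connection, each arriving within a minute of the previous one, bans the source for 30 days:

```routeros
# Added example, not the original post's rules. All names, ports and the
# whitelist address below are assumptions for illustration.

/ip firewall address-list
add list=rdp_whitelist address=203.0.113.10 comment="never stage or ban (constructed placeholder)"

/ip firewall filter
# Only NEW, dst-nat'ed TCP connections from the WAN toward the RDP port are
# sent to the staging chain; everything else in forward is left untouched.
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    connection-state=new protocol=tcp dst-port=3389 \
    action=jump jump-target=rdp-bf comment="RDP brute-force staging"

# Known-good sources leave the chain before any counting happens.
add chain=rdp-bf src-address-list=rdp_whitelist action=return comment="skip whitelist"

# Already banned: drop the new connection (entry expires after 30 days).
add chain=rdp-bf src-address-list=rdp_blacklist action=drop comment="drop RDP brute forcers"

# Promotion ladder, highest stage first. A source on stage5 has opened five
# new connections, each within 1 minute of the previous one; the sixth puts
# it on the blacklist for 30 days.
add chain=rdp-bf src-address-list=rdp_stage5 action=add-src-to-address-list \
    address-list=rdp_blacklist address-list-timeout=30d comment="6th connection -> blacklist 30d"
add chain=rdp-bf src-address-list=rdp_stage4 action=add-src-to-address-list \
    address-list=rdp_stage5 address-list-timeout=1m comment="5th -> stage5"
add chain=rdp-bf src-address-list=rdp_stage3 action=add-src-to-address-list \
    address-list=rdp_stage4 address-list-timeout=1m comment="4th -> stage4"
add chain=rdp-bf src-address-list=rdp_stage2 action=add-src-to-address-list \
    address-list=rdp_stage3 address-list-timeout=1m comment="3rd -> stage3"
add chain=rdp-bf src-address-list=rdp_stage1 action=add-src-to-address-list \
    address-list=rdp_stage2 address-list-timeout=1m comment="2nd -> stage2"
add chain=rdp-bf action=add-src-to-address-list \
    address-list=rdp_stage1 address-list-timeout=1m comment="1st -> stage1"

# Watch the ladder fill and empty while testing:
# /ip firewall address-list print where list~"rdp_"
```

Two caveats a practitioner should keep in mind. First, the router only sees TCP connection attempts, not RDP authentication results, so a legitimate user who reconnects six times in quick succession is treated exactly like a brute forcer; the whitelist return rule at the top of the chain is the escape hatch for sources you trust, and the 30-day blacklist entry can be removed by hand from the address list. Second, the drop rule sits behind a `connection-state=new` jump, so it only blocks new sessions; a connection that was already established when the source was banned keeps running until it closes, and the rules do not accept anything themselves, so your existing forward rules still decide what reaches the servers. The rules live in the filter table rather than raw, in line with the discussion earlier in this thread.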
 
Steveocee
Forum Guru
Posts: 1091
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Ban IP's / Drop connections of RDP Brute forcers

Sat Jun 01, 2019 8:38 am

Exposing anything to that vast outside world will always incur hackers trying to be.......hackers. Usually, but as you've already cut off, allowing only a set IP list is the answer. How about a VPN server? Then you don't have to expose any of your local devices directly to the internet.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
CZFan
Forum Guru
Posts: 1361
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Ban IP's / Drop connections of RDP Brute forcers

Sun Jun 02, 2019 12:51 am

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain.
As the rhyme goes. I would like to slap the peepee of the person that wrote the wikee. Slow day. ;-)

Highly recommend you read through this thread for some sage advice!
viewtopic.php?f=2&t=139793&p=689467&hil ... ts#p689467

That wiki article is from 2013, many many moons before RAW was available in ROS.
MTCNA, MTCTCE, MTCRE & MTCINE
