Community discussions

 
User avatar
dunga
Member Candidate
Member Candidate
Topic Author
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

How to block ip address in MT

Tue May 19, 2009 1:11 pm

Hello friends,
I know this topic must have been answered several times, but i could not get the area it was answered. I have a problem with my MT router, if I log in thru winbox, i will see some login attempts from a particular ip address trying to login to my router with diffrent names. I want to block this ip address from making any attempt thru ssh, ftp and others.

How do i go about it by blocking this ip address and others that may try the login attempt on my MT. I want to know how t block it thru winbox and thru terminal.

Thanks your help will be appreciated.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: How to block ip address in MT

Tue May 19, 2009 1:13 pm

to block an IP address from accessing your Router:
/ip firewall filter add chain=input src-address=1.1.1.1 action=drop
but you could change the SSH port in "/ip services" and that guy will no longer know where to connect
No answer to your question? How to write posts
 
dawam
Trainer
Trainer
Posts: 136
Joined: Wed May 31, 2006 1:40 pm
Location: Malaysia

Re: How to block ip address in MT

Fri May 22, 2009 10:43 pm

I want to block this ip address from making any attempt thru ssh, ftp and others.

How do i go about it by blocking this ip address and others that may try the login attempt on my MT. I want to know how t block it thru winbox and thru terminal.
if you don't know the ip address try this
http://wiki.mikrotik.com/wiki/Bruteforc ... P_%26_SSH)

or like Normis said
you could change the SSH port in "/ip services" and that guy will no longer know where to connect
----------------------------------------------------------------
Everything looks complicated to begin with, but it's surprisingly simple when you understand it.
 
sabet
just joined
Posts: 2
Joined: Tue Jun 02, 2015 2:59 pm

Re: How to block ip address in MT

Tue Jun 02, 2015 3:12 pm

how to block a set of aperiodic different IP address ???

this soloution is complex:

/ip firewall filter add chain=input src-address=1.1.1.1 action=drop
/ip firewall filter add chain=input src-address=2.2.2.2 action=drop
/ip firewall filter add chain=input src-address=192.168.1.1 action=drop
/ip firewall filter add chain=input src-address=10.10.10.1 action=drop
/ip firewall filter add chain=input src-address=172.16.1.1 action=drop


How do I blocking this set of ip addresses???
Can I make a list of ip addresses and block those list???
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to block ip address in MT

Wed Jun 03, 2015 4:47 pm

How do I blocking this set of ip addresses???
Can I make a list of ip addresses and block those list???
Use IP address list.
Create a list, e.g. 'blacklist' and put as few or as many IP addresses and CIDR blocks in the list as you need to block.
e.g.
/ip firewall address-list
add list=blacklist address=1.1.1.1
add list=blacklist address=2.2.2.2
add list=blacklist address=3.3.0.0/16
...
Then you can use this list in any rule in any chain of any table of the firewall.
It's especially helpful because without the address list, if you have nat rules and filter rules and masquerade rules all having to do with the same set of addresses, if you add or remove any addresses from the set, then you'd have to go update all of your chains. If all of the chains refer to the same address list, changing the address list immediately affects all of the rules which refer to it.

You match an address list in your rules by using the criteria: src-address-list=blacklist or dst-address-list=blacklist
In Winbox / Webfig, the address list matchers are in the 'advanced' tab.

So for instance, to accomplish what the original poster asked, you would add the offending IP address to the blacklist and have a rule in the input chain:
/ip firewall filter add chain=input src-address-list=blacklist action=drop

I rarely use the output chain in Mikrotiks, but this is one place I will do it:
/ip firewall filter add chain=output dst-address-list=blacklist action=drop

However, this firewall 'mode' is not the best for a secure filter. It allows everything except specific exceptions. (blocked hosts) which you must manually detect and react to. (You can make firewall rules that automatically detect port scans and brute force attempts on telnet / ssh and add the sources to blacklists but that's beyond the scope of this post)

It's better to make your Mikrotik drop all input traffic on the WAN interface that it didn't request (e.g. ping replies, dns replies, http replies, etc). Suppose ether1 is the WAN interface:
/ip firewall filter add chain=input in-interface=ether1 connection-state=!established,related action=drop
One rule blocks the Internet from being able to initiate any interaction with your mikrotik at all. No blacklist is required.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
sabet
just joined
Posts: 2
Joined: Tue Jun 02, 2015 2:59 pm

Re: How to block ip address in MT

Sat Jun 06, 2015 3:25 pm

Thank you so much ZeroByte.

The answer was accurate and complete.

:) :) :)
 
FedericoOlivieri
just joined
Posts: 9
Joined: Sat Jan 16, 2016 7:07 pm

Re: How to block ip address in MT

Sun Jan 17, 2016 1:34 am

Hi guys,
I have a problem and maybe you can help me:

I have a MK that is doing PPPoE server. It releases an IP address NAT 10.76.14.0/24.
The same router receives via OSPF 10.77.0.0/29

I created a firewall rule to drop traffic from 10.76.14.0 to 10.76.14.0 and seems not working:

The first rule of the ACL

add action=drop chain=forward dst-address=10.77.0.0/26 src-address=10.76.14.0/24

I tried different options (chain=input) and I tired to specifies the input interface but I can still ping the 10.77.0.1 (i.e).
The only way to drop the traffic is with this rule

add action=drop chain=input disabled=yes dst-address=10.77.0.2 protocol=icmp \
src-address=10.76.14.13

Any suggestion why my first rule doesn't work?
Thanks
 
telnetpr
newbie
Posts: 29
Joined: Fri Dec 18, 2015 9:02 pm

Re: How to block ip address in MT

Fri Jan 29, 2016 5:47 pm

Did you've tried enabling the rule? i mean disabled=no

add action=drop chain=input disabled=yes dst-address=10.77.0.2 protocol=icmp \
src-address=10.76.14.13

Hi guys,
I have a problem and maybe you can help me:

I have a MK that is doing PPPoE server. It releases an IP address NAT 10.76.14.0/24.
The same router receives via OSPF 10.77.0.0/29

I created a firewall rule to drop traffic from 10.76.14.0 to 10.76.14.0 and seems not working:

The first rule of the ACL

add action=drop chain=forward dst-address=10.77.0.0/26 src-address=10.76.14.0/24

I tried different options (chain=input) and I tired to specifies the input interface but I can still ping the 10.77.0.1 (i.e).
The only way to drop the traffic is with this rule

add action=drop chain=input disabled=yes dst-address=10.77.0.2 protocol=icmp \
src-address=10.76.14.13

Any suggestion why my first rule doesn't work?
Thanks
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to block ip address in MT

Fri Jan 29, 2016 6:11 pm

I have a MK that is doing PPPoE server. It releases an IP address NAT 10.76.14.0/24.
The same router receives via OSPF 10.77.0.0/29

I created a firewall rule to drop traffic from 10.76.14.0 to 10.76.14.0 and seems not working:
If NAT is involved, then your filter rules need to use the actual IP of the two hosts in question, because forward filter happens after DSTnat (so the "inside" IP will be the destination, not the original destination IP) but it happens before SRCnat so the original source IP should be used.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
hnoor0044
just joined
Posts: 1
Joined: Fri Mar 04, 2016 7:38 am

Re: How to block ip address in MT

Fri Mar 04, 2016 7:50 am

thinks for information
 
zamani
just joined
Posts: 10
Joined: Mon May 27, 2013 3:49 am

Re: How to block ip address in MT

Sat May 28, 2016 5:51 am

Hi guys

It's a newbie question

My ISP provide 2 series of public ip addresses

151.242.x.x

151.241.x.x

I don't have static ip address.

The problem is one series of public IPs have better ping to europe (151.242.x.x) than the other . and ping is crucial for me

I want to know is there any way to reject one series of public ip addresses from my isp ?

or any rule to accept just one series?

I use PPPOE with active add default route option.

Thanks
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How to block ip address in MT

Sun May 29, 2016 7:36 pm

I want to know is there any way to reject one series of public ip addresses from my isp ?

or any rule to accept just one series?

I use PPPOE with active add default route option.

Thanks
This is totally different. It requires a script to do what you want, and it's quite likely that the ISP will just assign whatever IP they like. You should complain to the ISP about the latency issue with one range (they may have a different BGP policy for each subnet)

Anyway, you need to start a new thread in scripting forum if you want to try it. Before you do, you need to manually attempt getting new addresses to see if it's even possible. If so, then post for scripting help.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
cogeanumarius
just joined
Posts: 6
Joined: Tue Nov 25, 2014 5:16 pm

Re: How to block ip address in MT

Thu Nov 10, 2016 9:26 pm

Hi there dear community,
I have a similar problem to those described above, but I do not want to monitor all the unauthorized users and to block them individually or to create
a list with all the IP addresses, I would like to know if something like this exisits fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page), should be easy to be built, right?
Looks this guy here is talking about some vulnerability on MK OS: http://krebsonsecurity.com/2015/06/croo ... ore-31364/

Huge thanks in advance
 
joeddymel
just joined
Posts: 4
Joined: Mon Apr 30, 2012 10:59 am

Re: How to block ip address in MT

Fri Apr 28, 2017 7:01 pm

Guys please Help, May Mikrotik router automatically generate an IP: 192.168.1.1 in address list and my internet automatically disconnected. Thank you in advance.
 
joeddymel
just joined
Posts: 4
Joined: Mon Apr 30, 2012 10:59 am

Re: How to block ip address in MT

Sun Apr 30, 2017 6:06 pm

Follow up to my post earlier.
Have you ever encounter a duplicate wan IP address (Sample 192.168.1.100) automatic create to my ether1 to my mikrotik router with out adding it, and my internet automatically disconnected. How to resolve this kind of issue int Mikrotik Router. Thank you so much in advance.
 
Sob
Forum Guru
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to block ip address in MT

Sun Apr 30, 2017 6:32 pm

1) Posting your problem to old thread is usually bad idea.
2) Posting your problem to completely unrelated thread is always very bad idea.
3) RouterOS does not just invent IP address. But you might get one from DHCP if you have client on interface.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
joeddymel
just joined
Posts: 4
Joined: Mon Apr 30, 2012 10:59 am

Re: How to block ip address in MT

Tue May 02, 2017 1:10 pm

Hi Sob, I apologies it will not happen again thank so much you for your prompt reply. By the way here is the image of the ip that automatically adding to my router. i have already check all my Ap and all of them are set to disable the DHCP.
Issue33.jpg
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to block ip address in MT

Tue May 02, 2017 3:40 pm

It has "D" flag, which means dynamic. Go to IP->DHCP Client and I'm sure you'll find a client on ether1_Wan_KC... interface, and that's where it comes from.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
joeddymel
just joined
Posts: 4
Joined: Mon Apr 30, 2012 10:59 am

Re: How to block ip address in MT

Wed May 03, 2017 4:53 am

I really appreciate your help Sob,

Cheers.
 
nishadul
Member Candidate
Member Candidate
Posts: 153
Joined: Thu Dec 13, 2012 12:04 pm
Location: Bangladesh

Re: How to block ip address in MT

Wed May 03, 2017 7:52 am

How do I blocking this set of ip addresses???
Can I make a list of ip addresses and block those list???
Use IP address list.
Create a list, e.g. 'blacklist' and put as few or as many IP addresses and CIDR blocks in the list as you need to block.
e.g.
/ip firewall address-list
add list=blacklist address=1.1.1.1
add list=blacklist address=2.2.2.2
add list=blacklist address=3.3.0.0/16
...
Then you can use this list in any rule in any chain of any table of the firewall.
It's especially helpful because without the address list, if you have nat rules and filter rules and masquerade rules all having to do with the same set of addresses, if you add or remove any addresses from the set, then you'd have to go update all of your chains. If all of the chains refer to the same address list, changing the address list immediately affects all of the rules which refer to it.

You match an address list in your rules by using the criteria: src-address-list=blacklist or dst-address-list=blacklist
In Winbox / Webfig, the address list matchers are in the 'advanced' tab.

So for instance, to accomplish what the original poster asked, you would add the offending IP address to the blacklist and have a rule in the input chain:
/ip firewall filter add chain=input src-address-list=blacklist action=drop

I rarely use the output chain in Mikrotiks, but this is one place I will do it:
/ip firewall filter add chain=output dst-address-list=blacklist action=drop

However, this firewall 'mode' is not the best for a secure filter. It allows everything except specific exceptions. (blocked hosts) which you must manually detect and react to. (You can make firewall rules that automatically detect port scans and brute force attempts on telnet / ssh and add the sources to blacklists but that's beyond the scope of this post)

It's better to make your Mikrotik drop all input traffic on the WAN interface that it didn't request (e.g. ping replies, dns replies, http replies, etc). Suppose ether1 is the WAN interface:
/ip firewall filter add chain=input in-interface=ether1 connection-state=!established,related action=drop
One rule blocks the Internet from being able to initiate any interaction with your mikrotik at all. No blacklist is required.
Thank you sir

Who is online

Users browsing this forum: No registered users and 9 guests