 
hci
Long time Member
Topic Author
Posts: 610
Joined: Fri May 28, 2004 5:10 pm

Blocking Hackers

Wed Sep 20, 2006 7:12 pm

I noticed many brute force password attempts on my routers and servers. Also a number of port scans. After adding this to my firewall I noticed they were sweeping my whole network as well.

add chain=forward in-interface=internet protocol=tcp dst-port=21-23 tcp-flags=syn action=log log-prefix="ssh_ftp_sync" \
comment="" disabled=no

Wondered if there was a way to stop it to an extent, so I created this experimental configuration. Use it at your own risk.

First create a list of trusted IPs. Add IPs you trust here and your own IP pools.

/ ip firewall address-list
add list=trusted-ips address=12.0.1.0/23 comment="" disabled=no
add list=trusted-ips address=12.0.0.0/24 comment="" disabled=no
add list=trusted-ips address=20.0.127.0/24 comment="" disabled=no

Now create a list of trap IPs. These are IPs that no one has any business connecting to but are in your IP pool. Preferably in the lower end of your IP pool. Perhaps assign one or two as an addition to your router.

/ ip firewall address-list
add list=trap-ips address=12.0.0.2 comment="" disabled=no

Now we need to create the firewall rules to catch the hack attempts.

/ ip firewall filter
add chain=probe protocol=tcp dst-port=20-23 src-address-list=!trusted-ips dst-address-list=trap-ips \
action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=25 src-address-list=!trusted-ips dst-address-list=trap-ips \
action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=135-139 src-address-list=!trusted-ips dst-address-list=trap-ips \
action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=udp dst-port=135-139 src-address-list=!trusted-ips dst-address-list=trap-ips \
action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=445 src-address-list=!trusted-ips dst-address-list=trap-ips \
action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=1080 src-address-list=!trusted-ips dst-address-list=trap-ips \
action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=3128 src-address-list=!trusted-ips dst-address-list=trap-ips \
action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe protocol=tcp dst-port=8080 src-address-list=!trusted-ips dst-address-list=trap-ips \
action=add-src-to-address-list address-list=banned-ips address-list-timeout=2w comment="" disabled=no
add chain=probe src-address-list=banned-ips action=log log-prefix="banned_ip" comment="" disabled=no
add chain=probe src-address-list=banned-ips action=drop comment="" disabled=no

Now create rules to jump to this new chain.

/ ip firewall filter
add chain=forward action=jump jump-target=probe comment="Probe Check" disabled=no
add chain=input action=jump jump-target=probe comment="Probe Check" disabled=no

Think that's it. Please don't try this unless you're familiar with firewall rules. What it does is: any IP that tries to connect to, say, SSH on one of your trap IPs will be added to the banned-ips list for 2 weeks, and all traffic from that IP to your entire network will be dropped. Usually these are open proxies being used by hackers to hack other systems or find more open proxies. Perhaps this is a bad idea, but I am going to try it for a while. Anyone else that tries it might tell how it works for them.
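Three companions a defender would normally want next to the probe chain above, written here as an added example rather than taken from the post: a log rule that records the trap hit before the ban is applied, a port-scan-detection rule so sweeps of real hosts (not only the trap address) are caught, and the commands to place the jump rules first and to inspect or undo a ban. Assumptions: the list names trusted-ips, trap-ips and banned-ips and the "Probe Check" comment are those from the post; the psd matcher must be available in your RouterOS version; 198.51.100.7 is a constructed address.

```routeros
# Added example (not hci's rules): extras for the probe chain from the post.
/ip firewall filter

# 1. Log the first SYN to a trap address before the ban rules run, so each
#    banned-ips entry has a matching log line with the source, port and time.
add chain=probe protocol=tcp dst-port=20-23 tcp-flags=syn \
    src-address-list=!trusted-ips dst-address-list=trap-ips \
    action=log log-prefix="trap_hit" comment="audit trail for trap hits"

# 2. Catch scanners that sweep live hosts: psd=WeightThreshold,DelayThreshold,
#    LowPortWeight,HighPortWeight. A source reaching a weight of 21 within 3s
#    (ports below 1024 weigh 3, others 1) is treated as a port scanner.
add chain=probe protocol=tcp psd=21,3s,3,1 src-address-list=!trusted-ips \
    action=add-src-to-address-list address-list=banned-ips \
    address-list-timeout=2w comment="port scan detected"

# 3. "add" appends at the end of the forward and input chains, after any existing
#    accept rules, which would let accepted traffic bypass the probe chain entirely.
#    Move both jump rules to the top of the filter table.
move [find comment="Probe Check"] 0

# Operating the ban list: see who is banned, how often each rule fired,
# and release a false positive (constructed address) without waiting 2 weeks.
/ip firewall address-list print where list=banned-ips
/ip firewall filter print stats where chain=probe
/ip firewall address-list remove [find list=banned-ips address=198.51.100.7]
```

One design caveat: a ban keyed on the source address of a bare TCP SYN can be triggered by a spoofed packet, because nothing in the trap ever completes a handshake. Keep your DNS servers, upstream gateway and monitoring hosts in trusted-ips, and run with a short address-list-timeout until you are confident in what the rules catch.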

Matt
 
GotNet
Member
Posts: 436
Joined: Fri May 28, 2004 7:52 pm
Location: Florida

Wed Sep 20, 2006 11:16 pm

Cool and thanks for sharing.

Was just playing with something not so elegant, but instead of drop, I did a tarpit in the test. The infected machine hung after a while.

Mike
 
jo2jo
Forum Veteran
Posts: 971
Joined: Fri May 26, 2006 1:25 am

Thu Sep 21, 2006 1:43 am

What do you mean the infected machine hung? Do you mean the machine doing the port scanning or brute forcing?


The best solution I found for dealing with the near-continuous brute forcing we were experiencing was to simply change the port of SSH and web. No brute forces in 3 weeks!
 
kapulan
Member Candidate
Posts: 110
Joined: Tue Feb 07, 2006 7:48 pm
Location: Hungary

Thu Sep 21, 2006 2:47 am

Thanks!
I'll test these settings!
 
GotNet
Member
Posts: 436
Joined: Fri May 28, 2004 7:52 pm
Location: Florida

Thu Sep 21, 2006 3:45 am

> What do you mean the infected machine hung? Do you mean the machine doing the port scanning or brute forcing?
>
> The best solution I found for dealing with the near-continuous brute forcing we were experiencing was to simply change the port of SSH and web. No brute forces in 3 weeks!

These were not "attacks" against the router but a test worm infection scanning in the forward chain. The infected PC locked up after several hours. We've since had a PC downstream under NAT somewhere with an SMTP mailer bot of some type. Tarpitting killed that one too.
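The tarpit approach GotNet describes, as an added example and not his configuration: a forward-chain rule set that records any LAN host speaking SMTP directly to the internet, logs it so the infected machine can be located, and then tarpits its connections rather than dropping them. Assumptions: the LAN-side interface is named "lan", 192.168.1.25 is the site's legitimate mail relay (constructed), and the smtp-bots list name is mine.

```routeros
# Added example (not GotNet's rules): tarpit SMTP from infected LAN hosts.
/ip firewall filter

# Any LAN host other than the mail relay that opens an outbound SMTP
# connection is recorded for an hour; the list doubles as a finder for the
# infected machine (/ip firewall address-list print where list=smtp-bots).
add chain=forward in-interface=lan protocol=tcp dst-port=25 \
    src-address=!192.168.1.25 connection-state=new \
    action=add-src-to-address-list address-list=smtp-bots \
    address-list-timeout=1h comment="LAN hosts sending SMTP directly"

# Log one line per new connection from a listed host, not per packet.
add chain=forward in-interface=lan protocol=tcp dst-port=25 \
    src-address-list=smtp-bots connection-state=new \
    action=log log-prefix="smtp_bot"

# Tarpit: the router answers the SYN itself and holds the connection open,
# so the bot's connection slots fill with sessions that never deliver mail.
add chain=forward in-interface=lan protocol=tcp dst-port=25 \
    src-address-list=smtp-bots action=tarpit \
    comment="hold bot connections instead of refusing them"

# The legitimate relay is unaffected because it never enters the list.
add chain=forward in-interface=lan protocol=tcp dst-port=25 \
    src-address=192.168.1.25 action=accept
```

The list-then-tarpit split is deliberate: a single tarpit rule would also work, but the address list gives an hour-long record of which internal host was responsible, which is what you need to clean it up.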
 
hci
Long time Member
Topic Author
Posts: 610
Joined: Fri May 28, 2004 5:10 pm

Thu Sep 21, 2006 4:51 am

I thought of tarpitting, but I thought it might be better if the attacker was given no indication that the IP was even in use. Not sure which way is better. I use this to protect my users from the hackers as well as my routers and servers.
 
Stryker777
Frequent Visitor
Posts: 71
Joined: Fri Jul 07, 2006 11:40 pm

Thu Sep 21, 2006 5:57 am

I also drop them HCI. What I do is count new connections within a certain amount of time and then drop them for 5 minutes if they try more than 4 times in 2 minutes. That way I can log in from anywhere and still keep a brute force attack from being effective.
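One way to build the counter Stryker777 describes (more than 4 new connections in 2 minutes, then drop for 5 minutes) on RouterOS, written as an added example and not his rules: chained address lists, where each new SSH connection moves the source up one stage and the fifth inside the window lands it in a block list. Assumptions: the trusted-ips list is the one from the first post; the ssh-stage1 to ssh-stage4 and ssh-blocked list names are mine; SSH is on port 22.

```routeros
# Added example (not Stryker777's rules): staged rate limit for SSH to the router.
/ip firewall filter

# Trusted sources never enter the counter.
add chain=input protocol=tcp dst-port=22 src-address-list=trusted-ips \
    action=accept comment="trusted SSH sources are not rate-limited"

# Highest stage first. add-src-to-address-list does not stop rule processing,
# so in the opposite order a single SYN would climb every stage in one pass.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh-stage4 action=add-src-to-address-list \
    address-list=ssh-blocked address-list-timeout=5m \
    comment="5th new connection in the window: block for 5 minutes"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh-stage3 action=add-src-to-address-list \
    address-list=ssh-stage4 address-list-timeout=2m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh-stage2 action=add-src-to-address-list \
    address-list=ssh-stage3 address-list-timeout=2m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh-stage1 action=add-src-to-address-list \
    address-list=ssh-stage2 address-list-timeout=2m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh-stage1 \
    address-list-timeout=2m comment="every new SSH connection starts stage 1"

# The drop sits after the counters so the connection that crosses the limit
# is itself dropped, not only the ones after it.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh-blocked \
    action=drop comment="SSH brute-force source"
add chain=input protocol=tcp dst-port=22 action=accept
```

Because every further attempt refreshes the stage entries and re-adds the source to ssh-blocked, the block ends 5 minutes after the attacker stops, not 5 minutes after it began. A legitimate admin who mistypes a password a few times stays under the limit, and a trusted source is exempt entirely.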
 
jarosoup
Long time Member
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Thu Sep 21, 2006 6:43 am

Note that the dictionary attacks on SSH and FTP ports are bots running on compromised machines. The combinations used are dictionary words and names (both usernames and passwords). If you have strong passwords, which you should have anyway, it's very unlikely that these attacks will ever get through. If you change the port that SSH listens on, you won't see them in your log if you need global access to the router.
 
balimore
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Thu Sep 21, 2006 7:06 am

----
Yup.....

The simplest way to secure your router is '/ip service': set up only the login methods you need....!

Regards
Hasbullah.com
----
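Putting jo2jo's port change and balimore's '/ip service' advice together, as an added example and not either poster's configuration: disable the management services you do not use, move SSH off port 22 to cut log noise, and, because a changed port is obscurity rather than a control, restrict each remaining service to trusted source networks at both the service and the firewall. Assumptions: the trusted-ips list and the 12.0.0.0/24 range come from the first post; port 2222 and 203.0.113.0/24 (an out-of-band admin network) are constructed; run /ip service print first, since the service names available vary between RouterOS versions.

```routeros
# Added example (not jo2jo's or balimore's configuration): management service hardening.
/ip service

# See which services this RouterOS version offers before changing them.
print

# Cleartext services that the thread's brute-force bots target: off.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes

# SSH stays on, on a non-default port, and only from trusted networks.
# The address list is the actual control; the port change only quiets the logs.
set ssh port=2222 address=12.0.0.0/24,203.0.113.0/24

# Winbox likewise only from the admin networks.
set winbox address=12.0.0.0/24,203.0.113.0/24

# Second layer in the firewall, so a later /ip service edit cannot silently
# reopen SSH to the world. Uses the trusted-ips list from the first post.
/ip firewall filter
add chain=input protocol=tcp dst-port=2222 src-address-list=!trusted-ips \
    action=drop comment="SSH on its new port still only from trusted sources"
```

Keep one trusted source that reaches the router another way (Winbox from the admin network here) before applying the SSH restriction, so a typo in the address list does not lock you out.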
