jordan8080
just joined
Topic Author
Posts: 7
Joined: Tue May 07, 2019 5:31 am

Best way to prevent attack from external

Thu May 21, 2020 7:22 am

Hi,

We have an issue with someone trying to access our MK via winbox from different IPs.

Currently we are blocking it via filter rules and just keep adding the IPs.

Is there a better way to block it, or can we only keep adding the IPs?

Thanks a lot in advance.
 
jvanhambelgium
Member Candidate
Posts: 197
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Best way to prevent attack from external

Thu May 21, 2020 8:30 am

Not really a problem to keep adding to the list, but obviously this takes some time (administration) and is always reactive!
You should review your management strategy.

- Allow Winbox only from inside?
- If over the Internet, does your remote location/office not have a STATIC IP that you can build your filter around? (and drop every other Winbox attempt)
- Changing the default Winbox port probably also reduces "attempts" A LOT
- Configure some type of VPN setup for performing (remote) administration
- Configure some "port-knocking" approach so your Winbox port only "opens" after a specific sequence of packets has arrived earlier.
 
jordan8080
just joined
Topic Author
Posts: 7
Joined: Tue May 07, 2019 5:31 am

Re: Best way to prevent attack from external

Thu May 21, 2020 10:18 am

Yup, will try to only allow from the inside and limit the public IP access.

If it's still the same... maybe will change the default port as you mentioned.

Thanks a lot for your advice. Appreciate it.
 
anav
Forum Guru
Posts: 4159
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best way to prevent attack from external

Thu May 21, 2020 1:51 pm

If you want config advice wrt security, post your config:
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
rdebeer
just joined
Posts: 7
Joined: Tue Mar 15, 2011 10:58 pm

Re: Best way to prevent attack from external

Thu May 21, 2020 3:21 pm

Hi there, in my opinion there are many ways to skin this cat. I found this solution some years ago; this should help with your task of manually adding IPs.
Add a bunch of filter rules using this as an example, just change lte1 to your interface name. Take note: the order of these rules is important. The bottom-most rule allows the input; each rule up the chain adds the source IP address to a list that expires in time; if there are too many attempts on the winbox port from the same IP, the address is added to a list that doesn't expire, and the top-most rule drops incoming requests from that source IP. The lists are cleared upon reboot; you can modify this to make it permanent should you wish. Add these and watch your Address List grow over the course of a day or 2.

# drag these rules right to the top, or make sure there's no rule that takes preference over these

/ip firewall filter
add action=drop chain=input comment="drop winbox brute forcers" \
    connection-state=new dst-port=8291 in-interface=lte1 protocol=tcp \
    src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=none-dynamic chain=input comment="winbox repeat offender: blacklist" \
    connection-state=new dst-port=8291 in-interface=lte1 protocol=tcp \
    src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
    address-list-timeout=10s chain=input comment="winbox last attempt" \
    connection-state=new dst-port=8291 in-interface=lte1 protocol=tcp \
    src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=20s chain=input comment="winbox 2nd attempt" \
    connection-state=new dst-port=8291 in-interface=lte1 protocol=tcp \
    src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=30s chain=input comment="winbox initial 1st attempt" \
    connection-state=new dst-port=8291 in-interface=lte1 protocol=tcp
add action=accept chain=input comment="allow winbox after staging" dst-port=8291 \
    in-interface=lte1 protocol=tcp
Last edited by rdebeer on Sat May 23, 2020 1:26 am, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 6494
Joined: Mon Jun 08, 2015 12:09 pm

Re: Best way to prevent attack from external

Fri May 22, 2020 2:24 pm

This kind of solution is a bit risky.
Lately I have been seeing several incoming port scans where the source address was spoofed to be e.g. 8.8.8.8 or 1.1.1.1 or 1.0.0.1 etc.
These scans apparently assume that you have some mechanism like that, and then those addresses get added to your blacklist, which in some cases may affect your device's capability to use DNS or whatever the spoofed source address was.

When you do something like that, always make sure that your "drop" rules are below the "accept established/related" rule that is normally at the top of the firewall table.
Also, never put those drop rules in the "raw" table.
Then you can at least still do outbound connections to those addresses even when they are in the blacklist for incoming connections.

And of course, in this particular example, do not use interface names in firewall rules. Use the predefined "LAN" and "WAN" interface lists, and put the relevant internet interface in the proper list (e.g. put lte1 in the WAN list).
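To see how rdebeer's staged lists behave over a sequence of connection attempts, and why pe1chl's rule placement matters, here is an added Python model that is not RouterOS code and not from either poster. It assumes RouterOS semantics where add-src-to-address-list is non-terminating and re-adding an address refreshes its dynamic timeout, and it puts the accept established/related rule above the drop rule; the source addresses are constructed samples.

```python
"""Model of the staged winbox address-list rules posted above, with pe1chl's
'accept established/related' rule above the drop rule. Constructed simulation,
not RouterOS code; assumes add-src-to-address-list is non-terminating and that
re-adding an address refreshes its dynamic timeout."""
from typing import Dict, List, Optional, Tuple

# One row per add-src-to-address-list rule, top to bottom:
# (list the source must already be on or None, list to add to, timeout in s or None)
STAGES = [
    ("winbox_stage3", "winbox_blacklist", None),  # none-dynamic: no timeout
    ("winbox_stage2", "winbox_stage3", 10),
    ("winbox_stage1", "winbox_stage2", 20),
    (None, "winbox_stage1", 30),
]

class Firewall:
    def __init__(self) -> None:
        # (list name, source ip) -> expiry time; None marks an entry without timeout
        self.lists: Dict[Tuple[str, str], Optional[float]] = {}

    def on_list(self, name: str, ip: str, now: float) -> bool:
        """True if ip is on the list and its dynamic timeout has not run out."""
        if (name, ip) not in self.lists:
            return False
        expiry = self.lists[(name, ip)]
        if expiry is not None and expiry <= now:
            del self.lists[(name, ip)]  # timed-out dynamic entry disappears
            return False
        return True

    def input_packet(self, ip: str, now: float, established: bool = False) -> str:
        """Verdict for one inbound tcp/8291 packet, walking the input chain top down."""
        if established:
            return "accept"  # replies to our own outbound traffic never reach the drop
        if self.on_list("winbox_blacklist", ip, now):
            return "drop"
        for required, target, timeout in STAGES:  # non-terminating: every match fires
            if required is None or self.on_list(required, ip, now):
                self.lists[(target, ip)] = None if timeout is None else now + timeout
        return "accept"  # bottom rule accepts the new winbox connection

def simulate(events: List[Tuple[float, str, bool]]) -> Tuple[Firewall, List[str]]:
    """Feed time-ordered (time, source ip, established) events; return state and verdicts."""
    fw = Firewall()
    return fw, [fw.input_packet(ip, t, est) for t, ip, est in events]

if __name__ == "__main__":
    # Constructed sample: one source probing every 2 s; the 4th probe blacklists it, the 5th is dropped.
    fw, verdicts = simulate([(t, "203.0.113.7", False) for t in (0, 2, 4, 6, 8)])
    print(verdicts, fw.on_list("winbox_blacklist", "203.0.113.7", 8))
```

Running the same model with a source spoofed to 8.8.8.8 shows pe1chl's point: four quick probes blacklist that address for new inbound connections, while an established reply from the real 8.8.8.8 is still accepted because it never reaches the drop rule.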
 
mozerd
Member
Posts: 367
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Best way to prevent attack from external

Fri May 22, 2020 3:01 pm

ALL of my MikroTik Router clients use MOAB to prevent External Attacks just like the one you describe.

If your MikroTik Router model qualifies for the MOAB service --- I provide a 10 day Free Trial of MOAB so that you can see for yourself.
If you are interested see my sig below:
 
pe1chl
Forum Guru
Posts: 6494
Joined: Mon Jun 08, 2015 12:09 pm

Re: Best way to prevent attack from external

Fri May 22, 2020 3:10 pm

Of course the solutions that @jvanhambelgium presented are much better than such a generic blacklist, which will only help against mass port scanning and not cater for a targeted attack on his router.
 
rdebeer
just joined
Posts: 7
Joined: Tue Mar 15, 2011 10:58 pm

Re: Best way to prevent attack from external

Sat May 23, 2020 1:37 am

For what it's worth, the rules I posted previously were incomplete; I have added what was missing.
@jvanhambelgium's suggestion is def the best; it should be standard practice when initially configuring.
 
Jotne
Forum Guru
Posts: 1557
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Best way to prevent attack from external

Sat May 23, 2020 8:07 am

Do you need to administrate the router from the outside?

If yes, VPN is the way to go for router admin from the outside.

If VPN is not possible to use, then to access the router:

1. Use another port than the default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use an access list to prevent any random Internet host from accessing your router.
5. Log everything. (See my signature for an example.)
6. If possible, set up the remote router to connect using VPN to an admin site.
7. ++++
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk