Community discussions

MikroTik App
 
hytanium
Member Candidate
Member Candidate
Topic Author
Posts: 201
Joined: Thu Jan 18, 2007 9:10 pm

Blocking traffic based on too many attempts

Fri Jan 08, 2010 1:56 pm

I have noticed in my logs continuous connection attempts using pptp to my core network. How would I detect too many failed attempts and then block them??
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 4:39 pm

It is not possible to block specific failed attempts (let say block after 10 unsuccessful PPTP logins).
 
hytanium
Member Candidate
Member Candidate
Topic Author
Posts: 201
Joined: Thu Jan 18, 2007 9:10 pm

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 4:55 pm

Is there not a way to add their IP to a address list based on the type of information in the log??

This is the message I see in our logs:

09:26:42 pptp,ppp,info <pptp-0>: waiting for call...
09:26:42 pptp,ppp,info <pptp-0>: terminating... - cntrl message too big
09:26:42 pptp,ppp,info <pptp-0>: disconnected
09:27:50 pptp,info TCP connection established from 71.195.57.178
09:27:50 pptp,ppp,info <pptp-0>: waiting for call...
09:27:50 pptp,ppp,info <pptp-0>: terminating... - cntrl message too big
09:27:50 pptp,ppp,info <pptp-0>: disconnected
09:28:53 pptp,info TCP connection established from 71.195.57.178
09:28:53 pptp,ppp,info <pptp-0>: waiting for call...
09:28:53 pptp,ppp,info <pptp-0>: terminating... - cntrl message too big
09:28:53 pptp,ppp,info <pptp-0>: disconnected
09:29:59 pptp,info TCP connection established from 71.195.57.178
09:29:59 pptp,ppp,info <pptp-0>: waiting for call...
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 6:01 pm

I set it to allow a certain connection rate from an ip, then move said up to an address list that restricts it further, then to an address list that blocks it for an hour.

Not with pptp, but with SSH connections. Same diff, though. Doesnt know if the attempt failed, but if it was succesful, you arent going to have 10 new connections per minute.
 
hytanium
Member Candidate
Member Candidate
Topic Author
Posts: 201
Joined: Thu Jan 18, 2007 9:10 pm

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 6:15 pm

Would you mind posting the rule for that??
 
XTLMeth
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Mon Sep 07, 2009 7:10 am

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 6:47 pm

add action=accept chain=input comment="SSH to box from everywhere." connection-state=new disabled=no dst-address=216.161.237.201 dst-port=22 in-interface=e1_Wan limit=2/1m,0 protocol=tcp


---->> limit=2/1m

This limits 2 new connection per 60 seconds. Keep scripties from hammering my ssh.
 
hytanium
Member Candidate
Member Candidate
Topic Author
Posts: 201
Joined: Thu Jan 18, 2007 9:10 pm

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 6:57 pm

Sweet! Thanks!
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 7:05 pm

I jump based on dest address to different chains for each server, thats what the www-in is. It is really a forward, but could be an input. I "team" the rules together for each service so all of my severs that use SSH are subject to the same blocking/limiting.

add action=jump chain=forward comment="***Drop Allow2block***" disabled=no in-interface=ether1 jump-target=drop src-address-list=allow2block
add action=jump chain=input comment="" disabled=no in-interface=ether1 jump-target=drop src-address-list=allow2block
add action=jump chain=www-in comment="" connection-state=new disabled=no dst-port=22 jump-target=allow2blocklist protocol=tcp
add action=accept chain=allow2blocklist comment=";;;;;;ALLOW 2 BLOCK" disabled=yes
add action=accept chain=allow2blocklist comment="" disabled=no limit=10/1m,20
add action=add-src-to-address-list address-list=allow2block address-list-timeout=1d chain=allow2blocklist comment="" disabled=no
add action=jump chain=allow2blocklist comment="" disabled=no jump-target=drop
add action=log chain=drop comment="" disabled=no log-prefix=""
add action=drop chain=drop comment="" disabled=no

This allows 10 new connections per minute for SSH, then adds them to a 1 day block-list that blocks ALL services. When someone is SSHing in that many times, they are malicious and I dont care if they can access my systems at all.

Who is online

Users browsing this forum: allen, digin4, maungmaungmyatsan, sindy, troffasky, Znevna and 60 guests