nordex
Frequent Visitor
Topic Author
Posts: 91
Joined: Fri Mar 23, 2007 7:46 pm
Location: Croatia

POP Bruteforce prevention, dst-limit

Wed Jun 11, 2014 7:59 pm

Hi,

I would like to prevent brute-force attacks on a mail server which is behind a MikroTik router/firewall.
I used the FTP brute-force example http://wiki.mikrotik.com/wiki/Bruteforc ... ntion_(FTP
and I changed the chains, ports and content (-ERR [AUTH] Invalid login).

My question is regarding dst-limit. It always triggers that rule, and the rule below it is never triggered (the one which would add the address to the address list).

My setup:
/ip firewall filter
add action=tarpit chain=forward comment="drop pop brute force - block all from list" dst-port=110 \
    protocol=tcp src-address-list=pop_blacklist src-port=""

add chain=forward comment="drop pop brute force - accept 5 failed logins per minute" content=\
    "ERR [AUTH] Invalid login" dst-limit=1/1m,5,src-address/1m protocol=tcp src-port=110

add action=add-dst-to-address-list address-list=pop_blacklist address-list-timeout=10m chain=forward comment=\
    "drop pop brute force - add everything else to address list" content="ERR [AUTH] Invalid login" \
    protocol=tcp src-port=110


What should I change to stop POP brute force?
 
cdiedrich
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: POP Bruteforce prevention, dst-limit

Fri Jun 13, 2014 9:06 am

Remove the src-port and retry.

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
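For the forward-chain POP3 case in the opening post and the reply above, this is the rule set as I would write it. It is an added example, not the original poster's configuration and not the text of the MikroTik wiki page. Assumptions that are not in the thread: the mail server's internal address is 192.0.2.10, the list name stays pop_blacklist, and the server's failure reply contains "-ERR [AUTH]" (Dovecot's wording; check what your server actually sends). The change that matters is the dst-limit classifier: in the forward chain the failure reply travels server to client, so src-address keys every client into the single bucket of the server's address, while dst-address keeps one bucket per client, which is also the address that add-dst-to-address-list records. Two caveats a practitioner will want: the three rules must sit above any general "accept established,related" rule, otherwise the replies are accepted before they reach the content match; and content= only sees plaintext, so sessions on 995 or after STARTTLS on 110 are invisible to it and need the mail server's own login throttling.

```routeros
# Added example: POP3 brute-force throttling for a mail server behind the router.
# Assumed values (not from the thread): server 192.0.2.10, list pop_blacklist,
# failure string "-ERR [AUTH]". Place these rules above any accept-established rule.
/ip firewall filter
# 1. Clients already on the list: hold their new POP3 connections (the wiki uses drop;
#    tarpit, as in the original post, also works for TCP).
add chain=forward protocol=tcp dst-port=110 src-address-list=pop_blacklist \
    action=tarpit comment="pop brute force: block listed clients"
# 2. Count the server's failure replies per CLIENT. In the server->client direction the
#    client is the destination, hence dst-address. Burst of 5, then 1 per minute, per client.
#    src-address here would put every client into the one bucket keyed by 192.0.2.10.
add chain=forward protocol=tcp src-address=192.0.2.10 content="-ERR [AUTH]" \
    dst-limit=1/1m,5,dst-address/1m \
    action=accept comment="pop brute force: allow 5 failed logins per minute"
# 3. Failure replies beyond that allowance: the reply's destination (the client) is listed
#    for 10 minutes and rule 1 takes over for its next connection.
add chain=forward protocol=tcp src-address=192.0.2.10 content="-ERR [AUTH]" \
    action=add-dst-to-address-list address-list=pop_blacklist \
    address-list-timeout=10m comment="pop brute force: blacklist the rest"
```

Check the result with /ip firewall filter print stats after a few deliberately wrong logins from one test client: the accept rule's packet counter should stop at 5 and the next failure should appear in /ip firewall address-list print where list=pop_blacklist.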
 
licht77
just joined
Posts: 9
Joined: Tue Aug 26, 2014 10:46 am

Re: POP Bruteforce prevention, dst-limit

Tue Aug 26, 2014 10:49 am

Hi!

It seems that I got a similar problem when trying to block FTP brute force. I had to alter the rules, as the FTP server is not on the MikroTik itself but in the network behind it, and there is an existing NAT rule. So I changed the chain to forward instead of input/output:
add action=drop chain=forward comment="drop ftp brute forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=forward content="530 Login authentication failed" disabled=no dst-limit=1/1m,5,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=2h chain=forward content="530 Login authentication failed" disabled=no \
    protocol=tcp
The problem is the 2nd rule: it is triggered during a brute-force attempt, but it does not "expire" after 5 trials in order to let the 3rd rule add to the address list.
Any clever hints are highly appreciated :)
 
licht77
just joined
Posts: 9
Joined: Tue Aug 26, 2014 10:46 am

Re: POP Bruteforce prevention, dst-limit

Thu Aug 28, 2014 6:08 pm

OK, I got it solved after upgrading from the old 5.26 to 6.19! In the forum there were several hints that versions below 5.5 had several bugs regarding that functionality!
 
Zwodka
Frequent Visitor
Posts: 74
Joined: Fri Sep 19, 2014 9:41 pm
Location: Hungary

Re: POP Bruteforce prevention, dst-limit

Fri Sep 19, 2014 9:55 pm

Hi All!

I tried to use the brute force prevention for FTP
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention_(FTP

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

but without any success. I use the MikroTik RouterBoard's FTP service.
It puts my IP address into the blacklist at the first incorrect login. FYI: I use TotalCommander for FTP. I never store the name/password in TCM, only x/x (because they are not encrypted). So the first connection is always false/incorrect. As a result my IP address is added to the list. But the first time?
Am I misunderstanding something?
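Before changing the rules above I would instrument them, because dst-limit counts matching packets, not login attempts: if the client retries on its own, or the server's reply matches in more than one packet, a burst of 9 can be used up by what looks like a single login. This is an added example, not part of the post, and it assumes the three wiki rules quoted above are in place on RouterOS 6 (list ftp_blacklist, match string "530 Login incorrect") and that the test is one deliberately failed login from a single client. The log prefixes are my own names.

```routeros
# Added example: instrument the wiki FTP rules to see which rule each "530" reply hits.
# Assumes the accept and add-dst-to-address-list rules from the post exist in chain=output.
# Log the accepted failure replies and the blacklisting events with distinct prefixes.
/ip firewall filter set [find chain=output content="530 Login incorrect" action=accept] \
    log=yes log-prefix="ftpbf-allowed"
/ip firewall filter set [find chain=output content="530 Login incorrect" \
    action=add-dst-to-address-list] log=yes log-prefix="ftpbf-listed"
# Start from a clean slate, then perform exactly ONE failed login from the test client.
/ip firewall filter reset-counters-all
/ip firewall address-list remove [find list=ftp_blacklist]
# After the attempt: packets per rule, who got listed, and the log lines for that login.
# Expected for one failed login: packets=1 on the accept rule, 0 on the listing rule,
# the list empty, one "ftpbf-allowed" log line carrying the client's address.
/ip firewall filter print stats where content="530 Login incorrect"
/ip firewall address-list print where list=ftp_blacklist
/log print where message~"ftpbf"
```

Reading the numbers: several "ftpbf-allowed" lines for one login means the client or server is producing more than one matching packet per attempt, and the burst value has to be sized for that; a "ftpbf-listed" line while the accept rule's counter is still below the burst means the dst-limit matcher itself is not honouring the burst, which is the behaviour the previous poster reported fixing by upgrading RouterOS.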
