Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Mar 23, 2007 7:46 pm
Location: Croatia

POP Bruteforce prevention, dst-limit

Wed Jun 11, 2014 7:59 pm


I would like to prevent bruteforce attacks on a mail server which is behind a MikroTik router/firewall.
I used the FTP bruteforce example ... ntion_(FTP
and I changed the chains, ports and content (-ERR [AUTH] Invalid login).

My question is regarding dst-limit. It always triggers that rule, and the rule below it is never triggered (the one which would add the address to the address list).

my setup:
/ip firewall filter
add action=tarpit chain=forward comment="drop pop brute force - block all from list" dst-port=110 \
    protocol=tcp src-address-list=pop_blacklist src-port=""

add chain=forward comment="drop pop brute force - accept 5 failed logins per minute" content=\
    "ERR [AUTH] Invalid login" dst-limit=1/1m,5,src-address/1m protocol=tcp src-port=110

add action=add-dst-to-address-list address-list=pop_blacklist address-list-timeout=10m chain=forward comment=\
    "drop pop brute force - add everything else to address list" content="ERR [AUTH] Invalid login" \
    protocol=tcp src-port=110

What should I change to stop POP bruteforce?
Forum Veteran
Posts: 976
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: POP Bruteforce prevention, dst-limit

Fri Jun 13, 2014 9:06 am

Remove the src-port and retry.

Christopher Diedrich
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
just joined
Posts: 9
Joined: Tue Aug 26, 2014 10:46 am

Re: POP Bruteforce prevention, dst-limit

Tue Aug 26, 2014 10:49 am


It seems that I got a similar problem when trying to block FTP bruteforce. I had to alter the rules, as the FTP server is not on the MikroTik itself but in the network behind it and there is an existing NAT rule. So I changed the chain to forward instead of input/output:
add action=drop chain=forward comment="drop ftp brute forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=forward content="530 Login authentication failed" disabled=no dst-limit=1/1m,5,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=2h chain=forward content="530 Login authentication failed" disabled=no \
The problem is the 2nd rule... it is triggered during a bruteforce attempt, but it does not "expire" after 5 trials in order to let the 3rd rule add the address to the list.
Any clever hints are highly appreciated :)
just joined
Posts: 9
Joined: Tue Aug 26, 2014 10:46 am

Re: POP Bruteforce prevention, dst-limit

Thu Aug 28, 2014 6:08 pm

OK, I got it solved after upgrading from the old 5.26 to 6.19! In the forum there were several hints that versions below 5.5 had several bugs regarding that functionality!
Frequent Visitor
Posts: 76
Joined: Fri Sep 19, 2014 9:41 pm
Location: Hungary

Re: POP Bruteforce prevention, dst-limit

Fri Sep 19, 2014 9:55 pm

Hi All!

I tried to use the Brute Force prevention for FTP ... prevention_(FTP

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

but without any success. I use the MikroTik RouterBoard's FTP service.
It takes my IP address into the blacklist at the first incorrect login. FYI: I use TotalCommander for FTP. I never store the name/password in TCM, only x/x (because they are not encrypted). So the first connection is always false/incorrect. As a result my IP address is added to the list. But at the first time?
Do I misunderstand something?
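
Added example (not from this thread and not MikroTik code): a Python model of the dst-limit matcher as RouterOS documents it, rate[/time],burst,mode[/expire], run against constructed server-to-client failure banners for the setups posted above (the POP rules in the forward chain, the FTP rules in the forward chain, and the input/output rules on the RouterBoard's own FTP service). The point it shows is which flow the bucket is charged to: when the content matcher fires on the server's reply, dst-address is the client, while src-address is the server, so every client is charged to one shared bucket. The addresses, timestamps, the token-bucket recharge and the treatment of expire are assumptions of this model, not RouterOS internals, and it does not claim to reproduce the behaviour the posters saw on their RouterOS versions.

```python
"""Model of a RouterOS-style dst-limit matcher (rate[/time],burst,mode[/expire]).

Added example; the bucket mechanics are an assumption modelled on the
documented description (burst tokens per flow, recharged one per time/rate).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FAIL_BANNER = b"-ERR [AUTH] Invalid login"   # content= string from the POP rules above

_UNITS = {"s": 1.0, "m": 60.0, "h": 3600.0, "d": 86400.0}


def parse_time(literal: str) -> float:
    """RouterOS-style time literal to seconds: '1m' -> 60.0, '30s' -> 30.0, '5' -> 5.0."""
    if literal and literal[-1] in _UNITS:
        return float(literal[:-1]) * _UNITS[literal[-1]]
    return float(literal)


@dataclass
class DstLimit:
    rate: int        # packets per `period` seconds, per flow
    period: float    # seconds (documented default 1s when no time is given)
    burst: int       # initial tokens per flow; recharged one every period/rate seconds
    mode: str        # packet field that identifies a flow: 'src-address' or 'dst-address'
    expire: float    # idle flows older than this are forgotten (assumption: they restart at full burst)
    buckets: Dict[str, Tuple[float, float]] = field(default_factory=dict)  # key -> (tokens, last_seen)

    def matches(self, pkt: Dict[str, str], now: float) -> bool:
        key = pkt[self.mode]
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        if now - last > self.expire:
            tokens, last = float(self.burst), now
        tokens = min(float(self.burst), tokens + (now - last) * self.rate / self.period)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def parse_dst_limit(spec: str) -> DstLimit:
    """Parse 'rate[/time],burst,mode[/expire]', e.g. '1/1m,5,src-address/1m'."""
    rate_part, burst_part, mode_part = spec.split(",")
    rate, _, period = rate_part.partition("/")
    mode, _, expire = mode_part.partition("/")
    return DstLimit(rate=int(rate), period=parse_time(period) if period else 1.0,
                    burst=int(burst_part), mode=mode,
                    expire=parse_time(expire) if expire else float("inf"))


Packet = Tuple[float, str, str, bytes]   # (time, src-address, dst-address, payload)


def evaluate(packets: List[Packet], spec: str) -> Dict[str, float]:
    """Run server->client packets through the two content rules: the dst-limit accept
    rule and the add-dst-to-address-list rule behind it. Returns {listed client: time}."""
    limiter = parse_dst_limit(spec)
    listed: Dict[str, float] = {}
    for t, src, dst, payload in packets:
        if FAIL_BANNER not in payload:
            continue                       # content= does not match, neither rule fires
        pkt = {"src-address": src, "dst-address": dst}
        if limiter.matches(pkt, t):
            continue                       # still inside the burst: accepted
        listed.setdefault(dst, t)          # burst exhausted: dst (the client) is listed
    return listed


# Constructed sample traffic: seven failures from one source in 30 s, then a
# single typo and a successful login from a legitimate user.
SERVER, ATTACKER, CLIENT = "10.0.0.5", "198.51.100.7", "192.0.2.10"
SAMPLE: List[Packet] = (
    [(5.0 * i, SERVER, ATTACKER, FAIL_BANNER) for i in range(7)]
    + [(40.0, SERVER, CLIENT, FAIL_BANNER),
       (50.0, SERVER, CLIENT, b"+OK Logged in.")]
)

if __name__ == "__main__":
    # dst-address keys the bucket on the client: only the attacker gets listed.
    print(evaluate(SAMPLE, "1/1m,5,dst-address/1m"))
    # src-address keys the bucket on the server: the legitimate user inherits
    # the attacker's exhausted bucket and is listed at its first typo.
    print(evaluate(SAMPLE, "1/1m,5,src-address/1m"))
```

Under this model a burst of 9 (the value in the input/output variant) leaves the seven-failure sample unlisted entirely, so a client being listed on its very first failure is not something the bucket by itself produces; whatever else was going on in those setups is outside what the model covers.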
