rotten777
Frequent Visitor
Topic Author
Posts: 98
Joined: Thu Dec 17, 2009 5:21 am

Blocking countries IP blocks for security

Thu Jun 19, 2014 9:47 pm

So I'm an American who administers many networks which I place routerboards in front of 99% of the time (I despise Cisco) and spend a lot of time reviewing logs and seeing brute force attempts constantly coming from places like China/Ukraine/Colombia/etc.... I am debating adding a filter to drop all traffic from known Chinese IP blocks (none of my customers connect to anything Chinese anyway) and was wondering what you guys/gals think. Has anyone done this already?
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Blocking countries IP blocks for security

Thu Jun 19, 2014 10:14 pm

Personally I think blocking country-wise is not a prevention against these common brute-force attacks. They come from all over the world, yes, also from the USA. Most of the time it's done by other hosts where an attack was successful. It spreads like a worm. Access to management interfaces like SSH or a web interface should always be very limited. You allow designated IP addresses to access such interfaces instead of blocking bad ones. If you have done that, you have got rid of the usual brute-force attacks you always face when you put SSH unlimited on the internet.

Once you have got rid of the noise in the logs you can increase the security even more by monitoring the logs automatically and triggering an alert if you have more than 3 failed logins. Such an alert would mean that the attack is coming from the inside of your network. That would be a serious threat, as it is good evidence that you got hacked.
9-5 Job: Security analyst at a major MSSP.
Free time volunteer: Network admin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
rotten777
Frequent Visitor
Topic Author
Posts: 98
Joined: Thu Dec 17, 2009 5:21 am

Re: Blocking countries IP blocks for security

Thu Jun 19, 2014 10:50 pm

> Personally I think blocking country-wise is not a prevention against these common brute-force attacks. They come from all over the world, yes, also from the USA. Most of the time it's done by other hosts where an attack was successful. It spreads like a worm. Access to management interfaces like SSH or a web interface should always be very limited. You allow designated IP addresses to access such interfaces instead of blocking bad ones. If you have done that, you have got rid of the usual brute-force attacks you always face when you put SSH unlimited on the internet.
>
> Once you have got rid of the noise in the logs you can increase the security even more by monitoring the logs automatically and triggering an alert if you have more than 3 failed logins. Such an alert would mean that the attack is coming from the inside of your network. That would be a serious threat, as it is good evidence that you got hacked.

I have a fail2ban setup already in place but I can't guarantee when I remote in that I'm not off on vacation in some tropical paradise from an unknown IP. I know I won't be in China lol

I just want to drop the amount of traffic used by being a blackhole as far as the Chinese are concerned. If they see port 22 open and hit it once they'll just hit it from another IP on the same subnet later in the day (I see this QUITE often).
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Blocking countries IP blocks for security

Thu Jun 19, 2014 11:35 pm

> I have a fail2ban setup already in place but I can't guarantee when I remote in that I'm not off on vacation in some tropical paradise from an unknown IP. I know I won't be in China lol
>
> I just want to drop the amount of traffic used by being a blackhole as far as the Chinese are concerned. If they see port 22 open and hit it once they'll just hit it from another IP on the same subnet later in the day (I see this QUITE often).

When I'm "on the road" I can either VPN into my network or use one of my jump boxes. Sure, these jump boxes have an open SSH to the world. On these I also use fail2ban.
9-5 Job: Security analyst at a major MSSP.
Free time volunteer: Network admin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
rotten777
Frequent Visitor
Topic Author
Posts: 98
Joined: Thu Dec 17, 2009 5:21 am

Re: Blocking countries IP blocks for security

Fri Jun 20, 2014 12:40 am

> > I have a fail2ban setup already in place but I can't guarantee when I remote in that I'm not off on vacation in some tropical paradise from an unknown IP. I know I won't be in China lol
> >
> > I just want to drop the amount of traffic used by being a blackhole as far as the Chinese are concerned. If they see port 22 open and hit it once they'll just hit it from another IP on the same subnet later in the day (I see this QUITE often).
>
> When I'm "on the road" I can either VPN into my network or use one of my jump boxes. Sure, these jump boxes have an open SSH to the world. On these I also use fail2ban.

You're not also getting tons of hits on your VPN? 1723 and 500 are usually hit for me...
 
Thalid
newbie
Posts: 38
Joined: Sun Mar 31, 2013 11:33 pm

Re: Blocking countries IP blocks for security

Fri Jun 20, 2014 4:32 pm

Blocking whole countries is not a good solution. If you are having problems with brute-force attempts, use the firewall and drop them automatically after xx attempts and for xx time

http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
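Thalid's suggestion above (drop automatically after xx attempts, for xx time), as an added RouterOS example that is not from the thread or the linked wiki page; it follows the staged address-list pattern that wiki page describes, and the list names and timeouts here are assumed values:

```routeros
# Added example, not from the thread or the wiki. Rules are evaluated top to bottom;
# add-src-to-address-list does not terminate processing, so a new SSH connection
# falls through the stage rules and advances one stage per attempt. List names
# (ssh_stage1..3, ssh_blacklist) and timeouts (1m, 10d) are assumed values.
/ip firewall filter
# 1. Sources already on the blacklist are dropped before anything else runs.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop SSH brute forcers"
# 2. A fourth new connection inside the window promotes the source to the blacklist.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="4th attempt: blacklist for 10 days"
# 3. Third new connection: stage2 -> stage3.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
# 4. Second new connection: stage1 -> stage2.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
# 5. First new connection from any source starts the counter.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m
# 6. Whatever is not blacklisted is allowed to reach the SSH service.
add chain=input protocol=tcp dst-port=22 connection-state=new action=accept \
    comment="SSH allowed after staging"
```

The 1m stage timeout means a source that stops after three attempts is forgotten within a minute, while a fourth attempt inside that window earns the 10-day entry; legitimate admins should be whitelisted above rule 1 so they can never reach the stages.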
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Blocking countries IP blocks for security

Fri Jun 20, 2014 7:18 pm

This is actually a very common feature that many top security gateway vendors offer as a simple point & click option. What can make it ineffective is anonymity networks such as Tor, which can route traffic from an undesirable country to a country you wouldn't think twice about blocking. Additionally, while MikroTik devices do have integrated firewalls, their firewalling capabilities seriously pale in comparison to other vendors' offerings.

My personal set up at home involves a Tik router behind a transparent (layer 2 bridge) Snort IPS. I use the Snort box to kill any attempted communications from undesirable sources outside my network, and allow the Tik to handle inter-vlan routing within my home networks. This reduces the strain on the Tik, as their throughput begins to suffer under a modest number of firewall rules (except the 36 core units). My Snort IPS only has a dual core Atom processor w/ 8GB DDR3 RAM, but it's enough to handle wire speed filtering and bridging at the bandwidth my ISP provides.

More important than blocking incoming connections FROM undesirable locations is blocking outgoing connections TO undesirable locations. In the event your network is exposed to malware, you don't want that malware to be able to communicate outside your network. Some malware is known to use specific ports, so it's easy enough to simply block those outbound ports (but I'd rather do it at my Snort box than the Tik), but other malware will tunnel its traffic over commonly allowed ports, such as 80, 443, 21, 8080, 8443, etc. Blocking these is a lot harder, because a blanket "deny" rule on these ports will break most of the Internet for anyone on your network. One of the best ways to manage this is to run your own DNS server internally, log every DNS request, but have your server configured only to forward requests to external DNS servers (such as your provider's). By logging the DNS requests, you can find the most commonly requested Internet blocks and whitelist them. Optionally, you can also implement URL filtering at your internal DNS server so that users cannot even resolve undesirable sites.

There are many other ways to do this same thing...it all depends on how much time and effort you want to invest. It's usually a big investment of time up front, but once you're set up, administrative overhead goes down significantly.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Blocking countries IP blocks for security

Sat Jun 21, 2014 10:28 am

> This is actually a very common feature that many top security gateway vendors offer as a simple point & click option. What can make it ineffective is anonymity networks such as Tor, which can route traffic from an undesirable country to a country you wouldn't think twice about blocking. Additionally, while MikroTik devices do have integrated firewalls, their firewalling capabilities seriously pale in comparison to other vendors' offerings.

"Real" firewalls have a bunch more features than the built-in firewall of RouterOS. But firewalling is not the core business of RouterOS. It's RouterOS and not FirewallOS. So I'm fine with that. If I want more features I use a firewall appliance or something like pfSense ... Even if it is a common feature to block by country, it's not an efficient way. The most secure way is always white-listing instead of black-listing.
> My personal set up at home involves a Tik router behind a transparent (layer 2 bridge) Snort IPS. I use the Snort box to kill any attempted communications from undesirable sources outside my network, and allow the Tik to handle inter-vlan routing within my home networks. This reduces the strain on the Tik, as their throughput begins to suffer under a modest number of firewall rules (except the 36 core units). My Snort IPS only has a dual core Atom processor w/ 8GB DDR3 RAM, but it's enough to handle wire speed filtering and bridging at the bandwidth my ISP provides.

An IPS/IDS system is a different type of security and should always be considered as additional to, not instead of, firewalling.
> More important than blocking incoming connections FROM undesirable locations is blocking outgoing connections TO undesirable locations. In the event your network is exposed to malware, you don't want that malware to be able to communicate outside your network. Some malware is known to use specific ports, so it's easy enough to simply block those outbound ports (but I'd rather do it at my Snort box than the Tik), but other malware will tunnel its traffic over commonly allowed ports, such as 80, 443, 21, 8080, 8443, etc. Blocking these is a lot harder, because a blanket "deny" rule on these ports will break most of the Internet for anyone on your network. One of the best ways to manage this is to run your own DNS server internally, log every DNS request, but have your server configured only to forward requests to external DNS servers (such as your provider's). By logging the DNS requests, you can find the most commonly requested Internet blocks and whitelist them. Optionally, you can also implement URL filtering at your internal DNS server so that users cannot even resolve undesirable sites.
>
> There are many other ways to do this same thing...it all depends on how much time and effort you want to invest. It's usually a big investment of time up front, but once you're set up, administrative overhead goes down significantly.

Malware is something completely different from the brute-force attacks rotten777 is facing. Therefore it needs to be fought differently. As you already pointed out, blocking malware from calling home is difficult. One good way is to use lists (e.g. stuff from abuse.ch) of known C&C servers to block/detect such traffic. Most important is that you want to alert on hits on these lists and not just block. If you have malware calling home you need to remove it from your system even though it's blocked on your firewall/proxy/dns ...
9-5 Job: Security analyst at a major MSSP.
Free time volunteer: Network admin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Blocking countries IP blocks for security

Mon Jun 23, 2014 2:38 pm

> "Real" firewalls have a bunch more features than the built-in firewall of RouterOS. But firewalling is not the core business of RouterOS. It's RouterOS and not FirewallOS. So I'm fine with that. If I want more features I use a firewall appliance or something like pfSense ... Even if it is a common feature to block by country, it's not an efficient way. The most secure way is always white-listing instead of black-listing.

Agreed. I'm just making the point that it's actually a pretty basic feature, and would be relatively easy to implement in ROS if the developers chose to do so.

> An IPS/IDS system is a different type of security and should always be considered as additional to, not instead of, firewalling.

Again, agreed. However, my Snort IPS is both an inline IPS and firewall. The beauty of modern firewalling products is that many of them can be implemented anywhere from layer 2 on up. My description of my home system is simplified. In reality, I have a pretty comprehensive ruleset governing the FORWARD chain which handles all my inbound/outbound filtering, and the IPS is secondary to that. Packets coming in the interfaces hit my firewall rules first, then get passed to the IPS engine. Only packets that get by both are allowed to go in or come out of my networks.

> Malware is something completely different from the brute-force attacks rotten777 is facing. Therefore it needs to be fought differently. As you already pointed out, blocking malware from calling home is difficult. One good way is to use lists (e.g. stuff from abuse.ch) of known C&C servers to block/detect such traffic. Most important is that you want to alert on hits on these lists and not just block. If you have malware calling home you need to remove it from your system even though it's blocked on your firewall/proxy/dns ...

And agreed, once more. Alerting is every bit as important as blocking, especially since nobody has the time to review all the logs in their entirety. I'm not sure why I posted regarding malware instead of brute-force - last week must have been longer than I thought! Some options/best practices rotten777 can look at are not exposing the management interface to the Internet, or using a firewall rule to only accept management connections from a known source. The preferable method is the former, relying on a VPN connection to provide access to the management interface. If the management interface isn't available externally, it eliminates brute-force attempts from external sources. Alternatively, if leaving the management interface available externally, a properly written rule would drop any connection attempt that wasn't coming from him. This would require a static public IP for the location from which he manages everything, but he probably already has that. If not, it shouldn't be too hard to arrange.
Michael Preissner
CISSP, CCSP, CEH, PMP
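The whitelist approach jaykay2342 recommends in the first reply (allow designated IPs to the management interfaces, then alert on repeated login failures) and mpreissner restates in the post above, as an added RouterOS example that is not from any poster in the thread; the addresses, list name and syslog host are assumed values:

```routeros
# Added example, not from the thread. Assumed values: 203.0.113.10 is the
# admin's static public IP, 192.168.88.0/24 the LAN, 192.168.88.250 a syslog host.
/ip firewall address-list
add list=mgmt_allowed address=203.0.113.10 comment="admin static IP"
add list=mgmt_allowed address=192.168.88.0/24 comment="LAN"

/ip firewall filter
# Let replies to connections the router itself opened through first.
add chain=input connection-state=established,related action=accept
# Management ports (ssh, winbox, www, www-ssl, api) only from the whitelist.
add chain=input protocol=tcp dst-port=22,8291,80,443,8728 \
    src-address-list=mgmt_allowed action=accept comment="mgmt from whitelist"
# Every other source aimed at those ports is dropped; log=yes is there to
# verify the rule works and can be switched off once the noise is gone.
add chain=input protocol=tcp dst-port=22,8291,80,443,8728 \
    action=drop log=yes log-prefix="mgmt-drop" \
    comment="drop mgmt from non-whitelisted"

# Services that are not needed at all are disabled rather than filtered.
/ip service
set telnet disabled=yes
set ftp disabled=yes
# Defence in depth: bind the SSH service itself to the same sources.
set ssh address=203.0.113.10/32,192.168.88.0/24

# Login failures are logged under the topics system,error,critical; forward
# them to the syslog host, where a counter can alert after three failures.
/system logging action
set remote remote=192.168.88.250 remote-port=514
/system logging
add topics=system,error action=remote
add topics=critical action=remote
```

Once the filter is in place, any "login failure" line that still reaches the syslog host can only come from a whitelisted source, which is exactly the inside-the-network signal jaykay2342 says is worth alerting on.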
