wispnewbie
just joined
Topic Author
Posts: 14
Joined: Fri Aug 11, 2006 5:31 pm

block tons of login attempts

Wed Sep 13, 2006 10:42 pm

My routers are getting hammered with a ton of login requests every day. The IP addresses the attempts are coming from change regularly. Is there a way to add an IP address to a blocked IP list after X number of bad login attempts?
 
GotNet
Member
Posts: 436
Joined: Fri May 28, 2004 7:52 pm
Location: Florida

Thu Sep 14, 2006 2:24 am

Think the other way around - who do you want to have access?

Mike
 
wispnewbie
just joined
Topic Author
Posts: 14
Joined: Fri Aug 11, 2006 5:31 pm

obvious

Thu Sep 14, 2006 6:22 am

You know, that seems really obvious now that you mention it. Explicitly accept traffic on the input chain from IP blocks we use when we administrate the routers and drop everything else. This wasn't a scripting application at all. Trust me to complicate things. :-)

Thanks
 
dancuofzhills
newbie
Posts: 49
Joined: Sun Apr 02, 2006 5:13 am

I would like the solution too

Wed Sep 20, 2006 11:30 pm

Lately I also have been thinking about figuring out a way to block an IP address after repeated failed login attempts.
I do not want to use an exclusive access list because I never know where I'm gonna be when I need to log in and get access.
I haven't been able to figure out a way.
 
pedja
Long time Member
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Thu Sep 21, 2006 12:58 am

I use pptp for that. Whenever I can, I connect to MT using pptp and then I have access to everything.
 
ArtIvanov
just joined
Posts: 6
Joined: Sat Jun 03, 2006 11:30 am

Fri Sep 22, 2006 8:16 pm

Change ports for ssh and web. All will be ok.
 
dancuofzhills
newbie
Posts: 49
Joined: Sun Apr 02, 2006 5:13 am

Good idea

Fri Sep 22, 2006 8:48 pm

That is definitely a good preventative measure, thanks!

I would still like a rule to add the offending addresses to a list that i can drop with the firewall, but some ideas take time to become reality.
 
savagedavid
Trainer
Posts: 310
Joined: Thu Aug 25, 2005 12:58 pm
Location: Cape Town, South Africa
Contact:

Mon Sep 25, 2006 8:56 pm

An easy way would be to add the offending address to a dynamic address list and set a timeout value
 
dancuofzhills
newbie
Posts: 49
Joined: Sun Apr 02, 2006 5:13 am

but how...

Tue Sep 26, 2006 12:38 am

That is a good idea, but the problem with setting this up is figuring out how to make a rule somewhere that counts failed logins. If I could figure that out, I would just need to have it set to add the src address to the list.
That is the part I'm not sure how to do..
 
Freman
Frequent Visitor
Posts: 76
Joined: Thu Jul 01, 2004 8:49 am

Tue Sep 26, 2006 2:16 am

There are two ways to do this.

One is to have firewall chains that progressively change the list that an IP address is in - it works reasonably well, but I believe this results in a CF disk write for every change (works out to 3-4 writes per IP) - Unfortunately this one only counts a rapid succession of reconnects on port 22, not specifically login failures

If you're interested, I'll post this solution.

The other way (and for those who use CF cards, this is probably the better way) is to set up a remote syslog, use syslog-ng on the box and a little perl script. syslog-ng can pipe entries that match a pattern to a program/script.

Example syslog configuration
# accept log lines from the routers over UDP and TCP
source s_remote { udp(); tcp(); };
# only the RouterOS login-failure messages
filter f_sshworm { facility(user) and level(notice) and match("login failure for user"); };
# hand each matching line to the script as "<router ip> <message>"
destination d_sshworm {
        program("/sshworm.pl"
        template("$SOURCEIP $MESSAGE\n") );
};
log {
        source(s_remote);
        filter(f_sshworm);
        destination(d_sshworm);
};
now for me /sshworm.pl puts an entry into my scheduler database (I already have a script on another machine that routinely does things on the mikrotiks - like kicking users off, changing their speeds, checking the ip accounting and ip accounting web-access settings (they sometimes disable...))

My scheduler logs in with ssh and adds the ip address to the 'SSHWorms' address list, which has input and forward port 22 reject with tcp-reset (better to reset than just drop, it's the proper way to do it)
#!/usr/bin/perl

use strict;
use warnings;
use Net::IP::Match::Regexp qw( create_iprange_regexp match_ip );

# These addresses have been changed...
my $whitelist = create_iprange_regexp(
        "192.168.47.0/24",
        "172.16.0.0/16",
        "10.254.2.242/32"
);

# Reap the forked children so they don't linger as zombies
$SIG{CHLD} = sub { wait };

# It's a constant pipe open from syslog-ng so we just read indefinitely
while (<>) {
        # Line is "$SOURCEIP $MESSAGE": the first address is the router,
        # the second one (inside the message) is the host that failed to log in
        if (/^((?:\d+\.){3}\d+).*?((?:\d+\.){3}\d+)/) {
                my ($router, $ip) = ($1, $2);
                # Match against our whitelist
                next if (match_ip($ip, $whitelist));
                # Because many requests might come in at once, we want to get back to reading stdin as soon as possible or we'll miss something, so we fork here
                if (fork() == 0) {
                        # Submit to the scheduler
                        exec('/usr/bin/wget', "--post-data=ac=$router&ip=$ip", '-q', '-o/dev/null', '-O/dev/null', 'http://scheduler.host/sshworm.php');
                        exit;
                }
        }
}
You don't need a scheduler, but you might have concurrency issues if you don't use one (You could use lockfiles to get around this)

If anyone wants a full solution, feel free to pm me, I can knock something up - having said that, there's a great deal of information already on this forum
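Freman's syslog-ng approach, combined with savagedavid's dynamic address list with a timeout, worked through as an added example (not code from this thread). It assumes the syslog-ng template is widened to "$UNIXTIME $SOURCEIP $MESSAGE\n" so the script sees a timestamp, that the RouterOS message reads "login failure for user X from A.B.C.D via ssh" (only the prefix appears in the thread), and the list name SSHWorms, the threshold and the window are choices made here; the sample lines are constructed.

```python
import re
import ipaddress
from collections import defaultdict, deque
# Constructed sample input: what syslog-ng would hand the script if the template were
# widened to "$UNIXTIME $SOURCEIP $MESSAGE\n" (timestamps and addresses are made up)
SAMPLE_LINES = [
    "1158900000 10.254.2.242 login failure for user admin from 203.0.113.9 via ssh",
    "1158900005 10.254.2.242 login failure for user root from 203.0.113.9 via ssh",
    "1158900010 10.254.2.242 login failure for user admin from 192.168.47.20 via ssh",
    "1158900020 10.254.2.242 login failure for user test from 203.0.113.9 via ssh",
    "1158900030 10.254.2.242 login failure for user admin from 198.51.100.7 via ssh",
]
# Never ban our own management ranges (same idea as the Perl whitelist above)
WHITELIST = [ipaddress.ip_network(n) for n in ("192.168.47.0/24", "172.16.0.0/16", "10.254.2.242/32")]
# Message layout is assumed from the filter string "login failure for user"
LINE_RE = re.compile(r"^(\d+) (\S+) login failure for user (\S+) from (\S+) via (\S+)$")

def parse_line(line):
    # Returns a dict for a login-failure line, None for anything else (incl. a bad address)
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, router, user, src, via = m.groups()
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return None
    return {"ts": int(ts), "router": router, "user": user, "src": src, "via": via}

def is_whitelisted(ip):
    return any(ipaddress.ip_address(ip) in net for net in WHITELIST)

class FailureCounter:
    # Sliding window: record() is True once a source has >= threshold failures in `window` seconds
    def __init__(self, threshold=3, window=600):
        self.threshold, self.window, self.events = threshold, window, defaultdict(deque)

    def record(self, src, ts):
        q = self.events[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire failures older than the window
            q.popleft()
        return len(q) >= self.threshold

def routeros_block_command(ip, list_name="SSHWorms", timeout="1d"):
    # Dynamic address-list entry with a timeout, so the ban expires by itself
    return f'/ip firewall address-list add list={list_name} address={ip} timeout={timeout} comment="login failures"'

def process(lines, threshold=3, window=600):
    counter, blocked = FailureCounter(threshold, window), []
    for ev in filter(None, map(parse_line, lines)):
        if not is_whitelisted(ev["src"]) and counter.record(ev["src"], ev["ts"]) and ev["src"] not in blocked:
            blocked.append(ev["src"])
    return [routeros_block_command(ip) for ip in blocked]
```

The returned commands are what the scheduler would run over ssh on the router; the firewall rules that reject from the SSHWorms list are the same as in Freman's setup.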
 
GotNet
Member
Posts: 436
Joined: Fri May 28, 2004 7:52 pm
Location: Florida

Re: I would like the solution too

Tue Sep 26, 2006 3:36 am

> lately i also have been thinking about figuring out a way to block an ip address after repeated failed login attempts.
> I do not want to use an exclusive accesslist because i never know where i'm gonna be when i need to login and get access.
> I havent been able to figure out a way.

My log is "clean". I always vpn or vnc or whatever to a machine on the trusted network. Even use PTvnc on my phone (Moto Q) to manage MTs.

Two cents... Mike
