cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Help with firewall

Thu May 28, 2020 7:57 pm

Hi,

I have a few problems with VPN brute force. I have added the IPs to the firewall ("/ip firewall filter add chain=input src-address=141.98.81.0/24 action=drop") and other IPs as well (I also tried this command on individual IPs, but I still get this in the logs):

18:34:47 pptp,info TCP connection established from 141.98.81.42
18:34:51 pptp,ppp,error <60>: user admin authentication failed
18:34:51 pptp,info TCP connection established from 141.98.81.207
18:34:51 pptp,ppp,error <61>: user vpn authentication failed
18:34:51 pptp,info TCP connection established from 141.98.81.208
18:34:52 pptp,ppp,error <62>: user test authentication failed
18:34:52 pptp,info TCP connection established from 141.98.81.209
18:34:52 pptp,ppp,error <63>: user user authentication failed
18:34:53 pptp,info TCP connection established from 141.98.81.210
18:34:54 pptp,ppp,error <64>: user 1 authentication failed
18:34:54 pptp,info TCP connection established from 141.98.81.6
18:34:54 pptp,ppp,error <65>: user test authentication failed
18:34:54 pptp,info TCP connection established from 141.98.81.42
18:34:55 pptp,ppp,error <66>: user 123 authentication failed
18:34:55 pptp,info TCP connection established from 141.98.81.207
18:34:55 pptp,ppp,error <67>: user vpn authentication failed
18:34:55 pptp,info TCP connection established from 141.98.81.208
18:34:57 pptp,ppp,error <68>: user vpn authentication failed
18:34:57 pptp,info TCP connection established from 141.98.81.209
18:34:57 pptp,ppp,error <69>: user 0 authentication failed
18:34:57 pptp,info TCP connection established from 141.98.81.210
18:34:58 pptp,ppp,error <70>: user 11 authentication failed
18:34:58 pptp,info TCP connection established from 141.98.81.6
19:44:21 pptp,info TCP connection established from 92.63.194.35
19:44:21 pptp,ppp,error <72>: user Admin authentication failed
19:44:21 pptp,info TCP connection established from 92.63.194.40
19:44:21 pptp,ppp,error <73>: user test1 authentication failed
19:44:22 pptp,info TCP connection established from 92.63.194.41
19:44:22 pptp,ppp,error <74>: user test authentication failed

Why is it not dropping the current IPs until the timeout... why are they still able to try to connect?

Regards
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Help with firewall

Sat May 30, 2020 10:51 pm

If you do use PPTP, you should change to L2TP/IPsec.
If you do not use PPTP, you should disable it.

Post your config here:
/export hide-sensitive
Cut and paste it in a post and wrap it in a code block. Select your code and click the </> button.
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Help with firewall

Sun May 31, 2020 7:17 pm

cezars wrote:
I have a few problems with VPN brute force. I have added the IPs to the firewall ("/ip firewall filter add chain=input src-address=141.98.81.0/24 action=drop") and other IPs as well (I also tried this command on individual IPs, but I still get this in the logs):

18:34:47 pptp,info TCP connection established from 141.98.81.42
18:34:51 pptp,ppp,error <60>: user admin authentication failed
18:34:51 pptp,info TCP connection established from 141.98.81.207
18:34:51 pptp,ppp,error <61>: user vpn authentication failed
...
Why is it not dropping the current IPs until the timeout... why are they still able to try to connect?

Which MikroTik device do you have?
Depending on the device, it could have "Hardware Offloading" active. Then most packets will not reach the CPU software firewall, but only the ACL hardware firewall. You would need to do "redirect-to-cpu" in the ACL firewall. FYI: the "/ip firewall filter" is a CPU software firewall.
We can tell more only if you post your device model or your config as suggested by @Jotne.
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: Help with firewall

Sun May 31, 2020 7:53 pm

Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Help with firewall

Sun May 31, 2020 8:07 pm

Where is your config?
And why two threads?
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: Help with firewall

Sun May 31, 2020 11:57 pm

The second one is about port knocking, and all the info is there. Also, here is the cfg...
# jun/01/2020 00:04:46 by RouterOS 6.44
# software id = xxxx-xxxx
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A77088E7795
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] comment="xxxxxx TV BOX" speed=100Mbps
set [ find default-name=ether5 ] comment=xxxxxx speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxxx
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=romania disabled=no distance=indoors frequency=auto \
    frequency-mode=regulatory-domain mode=ap-bridge ssid=xxxx \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=romania disabled=no distance=indoors frequency=\
    auto frequency-mode=regulatory-domain mode=ap-bridge ssid=xxxx \
    wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan2 name=wlan3 \
    security-profile=profile ssid="xxxxx"
add disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan1 name=wlan4 \
    security-profile=profile ssid="xxxx"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.88.241 client-id=1:0:xx:xx:xx:xx:xx comment=\
    "DVR 192.168.88.241" mac-address=xx:xx:xx:xx:xx:xx server=defconf
add address=192.168.88.229 client-id=1:xx:xx:xx:xx:xx:xx comment="Rxxx" \
    mac-address=xx:xx:xx:xx:xx:xx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge)
add action=accept chain=input comment=":FTP WAN IMPUT:" dst-port=21 \
    in-interface=wlan1 protocol=tcp
add action=drop chain=forward comment="Block acces to internet DVR" \
    src-address=192.168.88.241
add action=drop chain=input src-address=139.162.102.46
add action=drop chain=input src-address=216.218.206.74
add action=drop chain=input src-address=141.98.80.115
add action=drop chain=input src-address=216.218.206.98
add action=drop chain=input src-address=46.161.27.42
add action=drop chain=input src-address=216.218.206.114
add action=drop chain=input src-address=184.154.74.66
add action=drop chain=input src-address=216.218.206.78
add action=drop chain=input src-address=185.232.67.13
add action=drop chain=input src-address=198.108.67.48
add action=drop chain=input src-address=216.218.206.102
add action=drop chain=input src-address=216.218.206.126
add action=drop chain=input src-address=107.170.197.213
add action=drop chain=input src-address=80.82.77.240
add action=drop chain=input src-address=216.218.206.70
add action=drop chain=input src-address=115.236.61.202
add action=drop chain=input src-address=122.224.158.196
add action=drop chain=input src-address=184.154.47.2
add action=drop chain=input src-address=46.161.27.122
add action=drop chain=input src-address=141.98.80.128
add action=drop chain=input src-address=107.179.9.154
add action=drop chain=input src-address=179.43.143.149
add action=drop chain=input src-address=122.224.158.197
add action=drop chain=input src-address=115.236.61.205
add action=drop chain=input src-address=92.63.194.27
add action=drop chain=input src-address=92.63.194.91
add action=drop chain=input src-address=92.63.194.92
add action=drop chain=input src-address=92.63.194.93
add action=drop chain=input src-address=92.63.194.94
add action=drop chain=input src-address=92.63.194.95
add action=drop chain=input src-address=92.63.194.47
add action=drop chain=input src-address=45.83.91.106
add action=drop chain=input src-address=45.79.144.96
add action=drop chain=input src-address=139.162.102.46
add action=drop chain=input src-address=92.63.194.0/24
add action=drop chain=input src-address=212.164.39.143
add action=drop chain=input src-address=60.190.226.187
add action=drop chain=input comment="Drop SSH 22" dst-port=22 in-interface=\
    bridge log=yes log-prefix=SSHdrop protocol=tcp
add action=drop chain=input src-address=141.98.81.0/24
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input src-address=162.243.141.140
add action=add-src-to-address-list address-list=port:xxxx address-list-timeout=\
    1m chain=input dst-port=xxxx protocol=tcp
add action=add-src-to-address-list address-list=secure address-list-timeout=1m \
    chain=input dst-port=yyyy protocol=tcp src-address-list=port:xxxx
add action=accept chain=input src-address-list=secure
add action=drop chain=input
add action=drop chain=input src-address=223.71.167.165
add action=drop chain=input src-address=141.98.81.0/24
add action=drop chain=input src-address=162.243.142.143
add action=drop chain=input src-address=81.196.30.80
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip firewall service-port
set ftp ports=xxxx
/ip service
set telnet address=192.168.88.0/24 disabled=yes
set ftp address=192.168.88.0/24 disabled=yes port=xxxxx
set www address=192.168.88.0/24 disabled=yes port=xxxxx
set ssh address=192.168.88.0/24 port=xxxxx
set www-ssl address=192.168.88.0/24
set api address=192.168.88.0/24 disabled=yes
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24 disabled=yes
/ip smb
set allow-guests=no
/ip smb shares
add directory=/disk1 name=disk1
/ip smb users
add name=xxxxx read-only=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Bucharest
/system watchdog
set watchdog-timer=no
/tool e-mail
set address=74.125.141.108 from=xxxxxxxxx@gmail.com port=587 start-tls=yes user=\
    xxxxxxxx@gmail.com
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Help with firewall

Mon Jun 01, 2020 12:28 am

It seems that you are running some old software (6.44) and the older setup with a master port and the IP bound to that port (ether2).

If you do have many VPN services up and running (PPTP, L2TP, SSTP), turn off all you do not need. One should do for all types (not PPTP, since it has no security).

I see various rules dropping port 22, but no NAT. Do you have SSH open to the MikroTik from the outside?
If not, there is no need for firewall rules regarding port 22.
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with firewall

Mon Jun 01, 2020 12:37 am

No, I think the OP wants to be hacked; he should find older firmware and just use Winbox open to the internet.

Seriously, I concur with Jotne: PPTP is no easier to implement than more secure protocols.
Also, the extra load and config mess caused by all these blocking/trapping-type rules is simply not worth the trouble.
One can't put a value on peace of mind.
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: Help with firewall

Mon Jun 01, 2020 12:44 am

anav wrote: [reply of Mon Jun 01, 2020 12:37 am, quoted in full above]

Sorry to disturb you with my problems. If you want to help you are welcome, but don't come here to be rude. Not every person is a "god" on RouterOS software; learn some manners. Don't make fun of people who come to ask for help on an official forum.

Since I'm not a god like you on MikroTik OS and this is a help forum (all this I got from a different forum), I came here for help since it is a MikroTik forum. I don't need your insolence.


And thanks for the help, Jotne. My SSH, FTP... ports are changed and also accept connections only from LAN. The only problem that I have is with PPTP/VPN, and I really need it, but I see daily brute force even if I put the IP on drop. I did not know that I don't need to add a rule if I changed the FTP/SSH port. Thanks again.
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help with firewall

Mon Jun 01, 2020 3:52 am

Don't worry about @anav, he's the unofficial rude element of this forum. :) Not even that rude, just more direct, and not exactly a fan of the modern "correctness" wave, I guess. I'm not the one to complain about that. He sometimes focuses on the wrong details and then misses important ones. He also likes to hijack threads. But otherwise he's ok and helpful when he wants to be.

By wrong details I mean e.g. insisting on upgrading to the latest version. Sure, it's a good idea, but it's not like every slightly older version is automatically full of security holes.

About missing important details, the obvious problem here: the order of rules is important. They are processed from top to bottom, the first matching one is used and that's where it stops. So if you first allow access to the PPTP port and then try to block some sources after that, it's useless.

Other things he was hinting at: attempts to block stuff. You're detecting port scanners and adding them to a list, only to not use it at all. And why even care about port scanners? They don't hurt you. Similar with brute forcers. There's practically zero chance that you need FTP open to the internet, so why bother with that? There may be some reason for SSH, except in your case, if pppoe-out1 is your WAN interface, then everything after:
add action=drop chain=input in-interface=pppoe-out1
is pretty much useless, because no connection from the internet will ever get to that.

Another thing: instead of blocking different addresses using individual rules, it's more efficient to use only one rule and an address list.

And regarding your main problem, you could adapt the SSH blocking rules for PPTP, just change the port. But you need to understand that they only count connections, both successful and unsuccessful. So if legitimate users reconnect too quickly, they can be blocked too. The other method would be parsing logs and looking for failed attempts there, but it would be ugly and much more difficult.
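Putting Sob's three points together (rule order, one address list instead of one drop rule per address, and the SSH stage rules adapted to tcp/1723), this is what the input chain could look like. It is an added example, not configuration from the thread or from MikroTik; it assumes RouterOS 6.x syntax, the WAN and LAN interface lists already present in the posted config, and hypothetical list names blocklist, pptp_stage1..3 and pptp_blacklist.

```routeros
# Added example, not from the thread. RouterOS 6.x syntax; the list names
# blocklist, pptp_stage1..3 and pptp_blacklist are hypothetical.
# Rules are matched top to bottom and the first match wins, so every drop
# that should beat "allow pptp" has to sit above it.

/ip firewall address-list
add list=blocklist address=141.98.81.0/24 comment="pptp brute force (manual)"
add list=blocklist address=92.63.194.0/24 comment="pptp brute force (manual)"

/ip firewall filter
# 1. state rules first. GRE for PPTP arrives as "related" via the pptp
#    service-port helper, so it is covered here too. A blocked source never
#    reaches established state because its SYN is dropped further down.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"

# 2. one rule for every manually blocked source, instead of one rule per IP
add chain=input action=drop src-address-list=blocklist \
    comment="drop manually blocklisted sources"

# 3. staged counter, same pattern as the ssh_stage rules in the posted
#    config but on tcp/1723: four NEW connections from one source, each
#    within a minute of the previous, land it in pptp_blacklist for 10 days
add chain=input action=drop protocol=tcp dst-port=1723 \
    src-address-list=pptp_blacklist comment="drop pptp brute forcers"
add chain=input action=add-src-to-address-list address-list=pptp_blacklist \
    address-list-timeout=1w3d protocol=tcp dst-port=1723 \
    connection-state=new src-address-list=pptp_stage3 in-interface-list=WAN
add chain=input action=add-src-to-address-list address-list=pptp_stage3 \
    address-list-timeout=1m protocol=tcp dst-port=1723 \
    connection-state=new src-address-list=pptp_stage2 in-interface-list=WAN
add chain=input action=add-src-to-address-list address-list=pptp_stage2 \
    address-list-timeout=1m protocol=tcp dst-port=1723 \
    connection-state=new src-address-list=pptp_stage1 in-interface-list=WAN
add chain=input action=add-src-to-address-list address-list=pptp_stage1 \
    address-list-timeout=1m protocol=tcp dst-port=1723 \
    connection-state=new in-interface-list=WAN

# 4. only now the accepts for the VPN services that are actually in use
add chain=input action=accept protocol=tcp dst-port=1723 \
    in-interface-list=WAN comment="allow pptp"
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="allow ike / ipsec nat-t"
add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="allow l2tp only inside ipsec"
add chain=input action=accept protocol=icmp comment="allow icmp"

# 5. LAN is trusted for management; everything else on input is dropped.
#    Anything placed after this final drop is dead, which is Sob's point
#    about the "drop in-interface=pppoe-out1" rule in the posted config.
add chain=input action=accept in-interface-list=LAN comment="allow LAN"
add chain=input action=drop comment="drop everything else"
```

Check the result with /ip firewall filter print: a rule created with add goes to the end of the chain, so on a live box an extra drop is inserted above the existing accept with place-before=[find comment="allow pptp"] rather than appended. Once the drops sit above the accept, the "TCP connection established from" lines for blocklisted sources stop appearing in the log, because the handshake never completes. The stage counter carries Sob's caveat: it counts every new connection, good or bad, so a legitimate client that reconnects four times in a minute ends up in pptp_blacklist. Raise the stage timeouts or put an accept for known client addresses above the counter if that happens. Progress of an attacker through the stages can be watched with /ip firewall address-list print where list~"pptp".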
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with firewall

Mon Jun 01, 2020 4:40 am

My attempt was not intentionally rude, and was in fact aimed at making life using the MT a lot easier in the long run.
The more I use MT products, the more I am attracted to "less is more" and efficient use of available config setups.
When I see many rules that are not for practical purposes (mangle rules, queuing rules, etc.) way beyond my usage, I don't say boo. When I see many 'extra' protection rules, I just don't see the point for a home router, especially when they interfere with the proper functioning of what should otherwise be a small, simple config, but even worse on a legitimately complex config, then I speak up.
I have read many posts of people complaining about MT security when the vast majority (if not all) were improperly or unsafely configured devices.
I am simply suggesting: keep the rules simple and use a secure protocol.

Normally I would ask why you are asking this question in a forum designated for Scripts ;-P
In any case, I will be off the forum for a while, clearly pissing too many sensitive people off lately.
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: Help with firewall

Mon Jun 01, 2020 10:55 am

Sob wrote: [reply of Mon Jun 01, 2020 3:52 am, quoted in full above]

Thank you. I also used FTP in the past (to sync my mobile phone files with an external storage attached to the MikroTik router). I get it, keep it simple. The "extra security" for a simple router was for that external storage sync with my mobile. I will update to the latest stable OS and I will try to adapt the same rule as for SSH, or that port knock example offered in the other thread. (My ISP provides a domain name that always redirects to my router even if I have a dynamic IP.) Many thanks again.
Last edited by cezars on Mon Jun 01, 2020 11:49 am, edited 1 time in total.
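The "other method" Sob mentioned, parsing the log for failed attempts rather than counting connections, can be done on the router itself and only blocks peers that actually failed authentication. This is an added example, not a script from the thread or from MikroTik. It assumes RouterOS 6.x scripting, that /log find returns entries in log order, the two pptp message formats visible in the OP's log, and a hypothetical list name pptp_blacklist that a drop rule placed above "allow pptp" references; pairing each failure with the most recent "TCP connection established from" line is an assumption that holds for the posted log but can misattribute when several connections interleave.

```routeros
# Added example, not from the thread. RouterOS 6.x script: walk the
# in-memory log, pair every pptp "authentication failed" line with the
# "TCP connection established from <ip>" line that preceded it, and put
# that peer into an address list. The list name, the 1-day timeout and the
# 1:1 pairing of the two log lines are assumptions; the "<60>:" interface
# id in the failure line does not identify the peer, so the pairing is a
# heuristic that can misattribute when connections interleave.
:local blacklist "pptp_blacklist"
:local lastAddr ""

:foreach i in=[/log find topics~"pptp"] do={
    :local msg [/log get $i message]

    # remember the peer of the most recent accepted TCP connection
    :if ($msg ~ "^TCP connection established from ") do={
        :set lastAddr [:pick $msg ([:find $msg "from "] + 5) [:len $msg]]
    }

    # a failure logged right after it is charged to that peer
    :if (($msg ~ "authentication failed") && ([:len $lastAddr] > 0)) do={
        :if ([:len [/ip firewall address-list find list=$blacklist address=$lastAddr]] = 0) do={
            /ip firewall address-list add list=$blacklist address=$lastAddr timeout=1d comment="pptp auth failure (script)"
            :log warning ("pptp brute force: blocked " . $lastAddr)
        }
        # one failure per connection: forget the address until the next one
        :set lastAddr ""
    }
}
```

Store it under /system script and run it from /system scheduler every minute; it is idempotent because it checks the list before adding. The log buffer is small (1000 lines in memory by default) and attackers rotate through a /24 as the posted log shows, so the address-list drop rule is still what does the blocking, and the manual blocklist of whole ranges remains useful. An address whose entry has expired is re-added on the next run for as long as its failure line is still in the buffer, which is harmless.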
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: Help with firewall

Mon Jun 01, 2020 11:23 am

anav wrote: [reply of Mon Jun 01, 2020 4:40 am, quoted in full above]

Your "attempt" was to show that you are a "god" on RouterOS... never mind that. If something is beyond my understanding I never say "boo" as you insinuate, I request help, as I did. You forget one thing: this is a forum to help people, not to insult people who don't have any idea how to fix a problem. This is my first time with RouterOS/MikroTik, and probably for a lot of people it will be the last time they get a MikroTik router if they find this kind of support on an official forum. It's not about being sensitive, it's about a firm that respects its customers... it's about respect. Many customers, when they come to the official forum of a product to ask for help and find a person like you who simply makes fun of their customers... do you think they will ever buy a product from MikroTik??? I'm sorry that I posted on the wrong forum, but I think this was not a reason to make fun of a customer. Regards, a MikroTik customer.
