Borage
Member Candidate
Topic Author
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

To prevent password bruteforcing your FTP server

Wed Jul 04, 2007 6:33 pm

Here are a few firewall rules to stop/slow down brute forcers from cracking passwords to your FTP server. In this example, the FTP server is the MikroTik router. To protect an FTP server behind MikroTik, you have to use the forward chain instead of the input & output chains.

The initial stage (stage 1) adds the IP address to the temporary address list ftp_stage1 (times out after 1 minute). Thereafter, every login attempt within one minute triggers the next stage (stage 2 - stage 4) until it reaches the last stage (stage 5), which adds the IP address to ftp_blacklist (times out after 1 week).

You have to change in-interface to something else if ether1 is not the network interface card (NIC) connected to the Internet.


This rule drops all listed brute forcers
/ ip firewall filter 
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="drop ftp brute forcers" disabled=no
This rule adds brute forcers to the blacklist (fourth login attempt within a minute)
/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage4 action=add-dst-to-address-list \
    address-list=ftp_blacklist address-list-timeout=1w comment="auto-firewall ftp - stage 5" disabled=no
Third login attempt (within a minute)
/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage3 action=add-dst-to-address-list \
    address-list=ftp_stage4 address-list-timeout=1m comment="auto-firewall ftp - stage 4" disabled=no
Second login attempt (within a minute)
/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage2 action=add-dst-to-address-list \
    address-list=ftp_stage3 address-list-timeout=1m comment="auto-firewall ftp - stage 3" disabled=no
First login attempt (within a minute)
/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage1 action=add-dst-to-address-list \
    address-list=ftp_stage2 address-list-timeout=1m comment="auto-firewall ftp - stage 2" disabled=no
Initial stage
/ ip firewall filter 
add chain=input in-interface=ether1 protocol=tcp dst-port=21 action=add-src-to-address-list \
    address-list=ftp_stage1 address-list-timeout=1m comment="auto-firewall ftp - stage 1" disabled=no
Last edited by Borage on Thu Jul 12, 2007 3:47 am, edited 2 times in total.
 
skillful
Trainer
Posts: 557
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: To prevent password bruteforcing your FTP server

Wed Jul 04, 2007 10:55 pm

You should put it in the wiki.
 
Borage
Member Candidate
Topic Author
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Re: To prevent password bruteforcing your FTP server

Thu Jul 05, 2007 3:07 am

Maybe, if a native English speaker can correct all my grammar and spelling errors. I also would like some input if it is wise to create two new chains and jump target the traffic (I did that on my own router). I also have a similar solution to protect the SSH server in MikroTik RouterOS from bruteforcing attempts.
 
mrz
MikroTik Support
Posts: 6147
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: To prevent password bruteforcing your FTP server

Wed Jul 11, 2007 8:41 am

good :) BUT there is a much simpler way to do this (only two rules will be used):
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

/ ip firewall filter
add chain=output action=add-src-to-address-list protocol=tcp content="530 Login incorrect" dst-limit=10/1m,0,dst-address/1m40s address-list=blacklist

The rule above allows only 10 "login incorrect" answers per minute
 
Borage
Member Candidate
Topic Author
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Re: To prevent password bruteforcing your FTP server

Wed Jul 11, 2007 9:39 am

I tried, but the traffic gets blocked after the first login attempt. :(
 
epproach_lyle
Frequent Visitor
Posts: 51
Joined: Tue Jul 10, 2007 1:13 am
Location: North Carolina, USA

Re: To prevent password bruteforcing your FTP server

Thu Jul 12, 2007 3:18 am

nice script..
 
mrz
MikroTik Support
Posts: 6147
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: To prevent password bruteforcing your FTP server

Mon Jul 23, 2007 4:08 pm

I tried, but the traffic gets blocked after the first login attempt. :(
sorry, my mistake:
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

# accept 10 incorrect logins per minute
/ ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

# add to blacklist (same list name the drop rule above matches on)
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
This is working correctly. Tested :)
Last edited by mrz on Wed Sep 12, 2007 1:52 pm, edited 2 times in total.
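The following Python simulation is an added illustration, not code from this thread, from MikroTik or from RouterOS. It models both approaches discussed so far: Borage's staged address lists from the first post and mrz's dst-limit rule above. It assumes that re-adding an address to a list refreshes its expiry, approximates dst-limit=rate,burst as a per-address token bucket holding burst+1 tokens (the model that reproduces the "10 incorrect logins per minute" mrz describes; real RouterOS accounting may differ slightly), and uses a constructed client address 203.0.113.7 with constructed attempt timings. Rules are evaluated sequentially and an add-to-address-list match does not stop evaluation, which is what makes the order of Borage's rules matter.

```python
"""Constructed simulation (not RouterOS code) of the two address-list
strategies in this thread: Borage's staged lists and mrz's dst-limit rule.
Times are seconds; one simulated client IP keeps failing FTP logins."""
from dataclasses import dataclass, field

MIN, HOUR, WEEK = 60, 3600, 7 * 24 * 3600


@dataclass
class AddressList:
    """Dynamic address list: an entry expires `timeout` seconds after it was
    last added (assumption: re-adding an address refreshes the expiry)."""
    timeout: float
    entries: dict = field(default_factory=dict)  # ip -> expiry timestamp

    def add(self, ip, now):
        self.entries[ip] = now + self.timeout

    def contains(self, ip, now):
        exp = self.entries.get(ip)
        return exp is not None and now < exp


def staged_policy(reverse_order=True):
    """Borage's chain: each rule is (list matched on, list added to). The
    rules run sequentially and a match does NOT stop evaluation, so the
    order decides whether one reply can cascade through every stage."""
    lists = {
        "stage1": AddressList(1 * MIN), "stage2": AddressList(1 * MIN),
        "stage3": AddressList(1 * MIN), "stage4": AddressList(1 * MIN),
        "blacklist": AddressList(WEEK),
    }
    rules = [("stage4", "blacklist"), ("stage3", "stage4"),
             ("stage2", "stage3"), ("stage1", "stage2")]  # as posted: stage 5 first
    if not reverse_order:
        rules = rules[::-1]  # the naive ordering, stage 2 first
    return lists, rules


def staged_failed_login(lists, rules, ip, now):
    """One failed login: the input-chain rule lists the client in stage1,
    then the '530 Login incorrect' reply walks the output-chain rules.
    Returns True once the client is on the blacklist."""
    lists["stage1"].add(ip, now)
    for match, target in rules:
        if lists[match].contains(ip, now):
            lists[target].add(ip, now)
    return lists["blacklist"].contains(ip, now)


@dataclass
class DstLimit:
    """Approximation of dst-limit=rate,burst,dst-address as a token bucket per
    destination address holding burst+1 tokens, refilled at `rate` per second."""
    rate: float  # tokens per second, e.g. 1/60 for 1/1m
    burst: int
    buckets: dict = field(default_factory=dict)  # ip -> [tokens, last_seen]

    def allows(self, ip, now):
        tokens, last = self.buckets.get(ip, [self.burst + 1, now])
        tokens = min(self.burst + 1, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[ip] = [tokens - 1, now]
            return True  # the 'accept' rule matches, reply passes
        self.buckets[ip] = [tokens, now]
        return False  # falls through to the blacklist rule


def dstlimit_policy():
    """mrz's pair: accept up to 1/1m with burst 9, then blacklist for 3h."""
    return DstLimit(rate=1 / MIN, burst=9), AddressList(3 * HOUR)


def dstlimit_failed_login(limiter, blacklist, ip, now):
    if not limiter.allows(ip, now):
        blacklist.add(ip, now)
    return blacklist.contains(ip, now)


def first_blacklisted_attempt(policy, attempt_times, ip="203.0.113.7"):
    """1-based index of the failed login that blacklists `ip` (constructed
    address), or None if the sequence never does. `policy` = (state, step)."""
    state, step = policy
    for n, t in enumerate(attempt_times, 1):
        if step(*state, ip, t):
            return n
    return None


def staged(reverse_order=True):
    lists, rules = staged_policy(reverse_order)
    return ((lists, rules), staged_failed_login)


def dstlimit():
    limiter, blacklist = dstlimit_policy()
    return ((limiter, blacklist), dstlimit_failed_login)


if __name__ == "__main__":
    fast = [i * 2.0 for i in range(20)]   # constructed: 20 failures, 2 s apart
    slow = [i * 90.0 for i in range(20)]  # constructed: 20 failures, 90 s apart
    print("staged, posted order, fast:", first_blacklisted_attempt(staged(), fast))
    print("staged, naive order, fast :", first_blacklisted_attempt(staged(False), fast))
    print("staged, posted order, slow:", first_blacklisted_attempt(staged(), slow))
    print("dst-limit, fast           :", first_blacklisted_attempt(dstlimit(), fast))
    print("dst-limit, slow           :", first_blacklisted_attempt(dstlimit(), slow))
```

Run stand-alone, the staged chain in the posted order blacklists on the fourth failure within a minute, as Borage states, while the naive order (stage 2 rule first) blacklists on the very first "530" reply because each rule's addition immediately satisfies the next rule's match. The dst-limit pair accepts ten failures and blacklists the eleventh; in both models a client that spaces failures 90 seconds apart is never blacklisted, which is the intended tolerance for a legitimate user mistyping a password.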
 
jorj
Member
Posts: 398
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: To prevent password bruteforcing your FTP server

Fri Aug 17, 2007 11:53 am

Tested and working.

Another way to protect yourself:
Make an account with ONLY ftp permission.
This should not compromise your server too much.
Also, leave the admin account with no rights at all, and make another with a name of your choice.
This should make it even harder for the attacker to get a valid username/password pair for access to your network.
 
[a]
Trainer
Posts: 21
Joined: Wed Aug 31, 2005 3:19 pm
Location: Jakarta, Indonesia

Re: To prevent password bruteforcing your FTP server

Thu Aug 23, 2007 5:12 pm

to mrz,

Hi, I'm asking permission to use your script, to be included in a tutorial that I'm about to make... it's in Bahasa Indonesia...

Thank you for your great script...
 
mrz
MikroTik Support
Posts: 6147
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: To prevent password bruteforcing your FTP server

Fri Aug 24, 2007 8:42 am

Hi, I'm asking permission to use your script, to be included in a tutorial that I'm about to make...
Yes, you may use this script in your tutorial :)
 
Mactrekr
Frequent Visitor
Posts: 52
Joined: Wed Dec 28, 2005 3:32 am
Location: SE Arizona

Re: To prevent password bruteforcing your FTP server

Fri Apr 11, 2008 2:50 am

mrz,

I can't seem to get your script working at all, I've very carefully entered it, and verified it in winbox. I can still ssh into the box even after as many as 12 failed attempts. Any insight would be appreciated.

Mac
 
Mactrekr
Frequent Visitor
Posts: 52
Joined: Wed Dec 28, 2005 3:32 am
Location: SE Arizona

Re: To prevent password bruteforcing your FTP server

Fri Apr 11, 2008 7:47 am

Never mind, got it working, thanks!
 
joie
newbie
Posts: 46
Joined: Tue May 22, 2007 10:49 pm

Re: To prevent password bruteforcing your FTP server

Wed Jul 15, 2015 8:08 pm

I have just tried to implement this script and it is not working.

I used the script from the wiki which omitted the interface reference.

http://wiki.mikrotik.com/wiki/Bruteforc ... ion_%28FTP

Below is the script as I am running it.
add action=drop chain=forward comment="Drop FTP Brute Force" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist

add action=accept chain=forward comment="" content="530 1326" disabled=no \
    dst-limit=1/1m,9,dst-address/1m protocol=tcp

add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=forward comment="" content="530 1326" \
    disabled=no protocol=tcp
The MikroTik is not the FTP server, so I have changed the chains from input/output to forward and updated the "530 Incorrect Login" to match the response my server gives, but it still doesn't work. I have tried adding the interface, as well as using input/output instead of forward, but it doesn't show as seeing any traffic.

Regards,
Joie
 
mamadmade
just joined
Posts: 3
Joined: Mon Oct 26, 2015 9:49 am

Re: To prevent password bruteforcing your FTP server

Mon Oct 26, 2015 1:10 pm

[quoting Borage's rules from the first post above]

Does anyone know how to send this rule's result by email? Some kind of mail report from it. Thanks a lot to anyone who can help me.
