frednks
newbie
Topic Author
Posts: 26
Joined: Sun Jul 30, 2017 3:12 am
Location: Brasil

Help! Create script for possible future security Ddos

Sat May 29, 2021 9:32 am

I block attempts to access winbox via ACL
in IP services, where only the registered IPs can access winbox.
OK, it works very well; however, I get a lot of attempts, but all unsuccessful.

I see these attempts by looking in the "log":
the record appears in blue, in "topics" of the "warning" type.

I think of it this way:
those who are interested in trying to access the router may also be interested in DDoS attacks.

To avoid this possible interest, I would like to send this attacking IP to blackhole.

I know that to see this log of attempted access via the terminal, the command is: /log print where topics=warning

In the example below I will demonstrate how the script dynamics would be:

The script runs the command: /log print where topics=warning
This is a real result:
may/28 12:39:14 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:16 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:18 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:20 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:23 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:25 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:27 warning denied winbox/dude connect from 181.46.136.147
may/28 12:39:30 warning denied winbox/dude connect from 181.46.136.147
may/28 12:40:26 warning denied winbox/dude connect from 181.46.136.147
may/28 12:40:29 warning denied winbox/dude connect from 181.46.136.147
may/28 12:40:31 warning denied winbox/dude connect from 181.46.136.147

The script then captures the source IP, in this case 181.46.136.147, and sends it to blackhole with this command:
/ip route add dst-address=181.46.136.147 type=blackhole

Only that! But I have never done a script before!!
Does anyone have a script, or can someone help me build a script for this?

Today in my BGP I do good DDoS practices: I have FastNetMon with ExaBGP installed in parallel, closing a BGP session.
I also have two BGP sessions with Cymru; I get 1400 routes
and put my public IPs that I don't use in the blackhole, avoiding a static loop.

But more security is never too much!!
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Help! Create script for possible future security Ddos

Sat May 29, 2021 9:44 am

You don't even need a script for that, just make use of the firewall rules. You can configure a rule so that a certain public IP that "tries" to connect to an IP on your router is automagically added to an ACL, and then you can do with it what you want.

Apart from that, you should not/never make your MikroTik accessible from the "Internet"!!
I read in your post that you are probably a small ISP running BGP?

1) Filter source IPs so only selected IPs will be able to interface with the Winbox/API/Webfig port
2) Use VPN to manage your systems remotely
3) Keep it completely out-of-band
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help! Create script for possible future security Ddos

Sat May 29, 2021 10:17 am

Isn't it better to change the winbox port to a random one like 56897, and use "port knocking" to temporarily allow that single IP that "knocks",
and simply drop all the other connections?

These rules cannot permit any type of DDoS attack.
viewtopic.php?f=13&t=175129&p=856824&hi ... st#p856824
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Help! Create script for possible future security Ddos

Sat May 29, 2021 11:00 am

This is something I have posted several times. If you need to access Winbox remotely, use a VPN.
If a VPN is not an option:

1. Use another port than the default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use an access list to prevent any random internet host from accessing your router.
5. Log everything. (See my signature for an example.)
6. Upgrade firmware to the latest stable release.
7. ++++

I also block for 24 hours all IPs that try to access a port that is not open. So any port scanner is blocked after the first wrong port.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help! Create script for possible future security Ddos

Sat May 29, 2021 7:36 pm

It's a layered approach.
Use an IKEv2 VPN to access the router to manage it.
Port knocking works but is a temporary solution.
Wireguard will be easy and best once it moves from beta to stable release (works fantastically).

Never use default ports or passwords (including the winbox port).
Use an input chain access rule for the router itself (use a firewall address list to delineate the IPs allowed).
Use IP services for the same. (I tend to use subnets in IP services and actual IPs in the firewall address list - just personal preference.)
MAKE use of MAC WINBOX MAC SERVER, where you state which interface is permitted access.
I usually create a MNGT interface and then only put the vlans or subnets with access in there as well.
It usually mirrors the IP services entries...... (but is another layer of control).

@jotne, it would be nice to see your 'set' of rule(s) that do this blocking for 24 hours etc.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Help! Create script for possible future security Ddos

Sat May 29, 2021 8:23 pm

"@jotne, it would be nice to see your 'set' of rule(s) that do this blocking for 24 hours etc."
Here you go. (It may not be perfect, but it works for me.)

Upper blocking part (not at the top, but high in the filter list):
/ip firewall filter
add action=jump chain=input comment="Drop user that has tried ports that are not open and has bin added to block list- Send to TARPIT to prewent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT log-prefix=FI_J_TCP-port-test protocol=tcp src-address-list=FW_Block_unkown_port
add action=tarpit chain=TARPIT limit=10,5:packet log-prefix=FX_T_TCP-port-test protocol=tcp
add action=drop chain=TARPIT log-prefix=FX_D_TCP-port-test protocol=tcp
add action=drop chain=input in-interface=ether1 log-prefix=FI_D_UDP-port-test protocol=udp src-address-list=FW_Block_unkown_port


Bottom part (at the end of the filter list) that adds an IP to the address list if no rule above has matched:
/ip firewall filter
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment="Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=FI_AS_port-test
add action=drop chain=input comment="Drop packets that has not been allowed or droped before." in-interface=ether1 log=yes log-prefix=FI_D_port-test
 
frednks
newbie
Topic Author
Posts: 26
Joined: Sun Jul 30, 2017 3:12 am
Location: Brasil

Re: Help! Create script for possible future security Ddos

Sun May 30, 2021 7:06 am

Thanks for the answers.
I'm from Brazil, my English is not good!
I think I was not very clear, I will try to explain it better.

I'm not having any problems with attacks!
I did an ACL where only certain IPs can access winbox, and it works great! These access attempts are unsuccessful; the attacker is unable to achieve anything because of the ACL.

I don't want to use firewall rules because of Fast Path.
This box is only for BGP; I do not do NAT.

I want to make this script just for the sake of attention, because whoever tries to access winbox may also try a DDoS attack.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Help! Create script for possible future security Ddos

Sun May 30, 2021 9:35 am

OK, now I understand the use-case better.
In that scenario, it's indeed better to "scan" the logs and try to extract the IPs from login attempts.
Many scripts exist that are *almost* what you need, for example this one from Jotne:

viewtopic.php?t=148397

Basically you need to adapt it slightly so that the action is not to add the IP to an access-list, but to blackhole this /32 host.
You can change the "message" variable to, for example, "warning denied winbox".

I think this is a very good start to accomplish your goal.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Help! Create script for possible future security Ddos

Sun May 30, 2021 9:50 am

"I did an ACL where only certain IPs can access the winbox, and it works great!"
This in itself is not enough; you should implement more of the list in my first post.
Do not use the default port, for the first. Many scan for this port since it has been flawed before.
Port knocking will prevent anyone from seeing the open port before the right combination is knocked.

I do use Splunk to log this rule and can see who tries to attack me.
Top scanned ports last 30 days
dest_port	protocol	count
30884	UDP	24764
12347	UDP	17051
30965	UDP	14757
32480	UDP	10261
57302	UDP	8296
30884	TCP	6687
1	UDP	5742
12347	TCP	5646
30965	TCP	5182
23	TCP	3904
29320	UDP	3528
32480	TCP	2853
Top country scanning me last 30 days:
Country	count
United States	31957
China	12909
India	12486
United Kingdom	7286
Netherlands	6569
Brazil	6083
Canada	5967
Philippines	5119
Russia	4177
South Africa	3833
Australia	3711
Germany	2994
Israel	2871
 
frednks
newbie
Topic Author
Posts: 26
Joined: Sun Jul 30, 2017 3:12 am
Location: Brasil

Re: Help! Create script for possible future security Ddos

Tue Jun 01, 2021 2:35 am

Thanks @jvanhambelgium
I saw the topic, it helped me a lot, and the coolest thing is that @Jotne is participating here too, so I believe it works! I'll show you what I did; it was practically what you said!!!
# Script DENIED-WINBOX
# Find all "denied winbox" log entries from the last 5 min
:local loglist [:toarray [/log find  time>([/system clock get time] - 5m) message~"denied winbox"]]

# for all error do
:foreach i in=$loglist do={

# find message
	:local logMessage [/log get $i message]
# find ip
	:local ip [:pick $logMessage 0 [:find $logMessage " "]]

# Add ip to blackhole
	/ip route add dst-address=$ip type=blackhole comment="ips-malicioso"
# Send a message to the log	
	:log info message="script=DENIED-WINBOX_failed src_ip=$ip"
	}
But it didn't go to blackhole!
Any idea?

About Splunk, I found it very interesting, I'll look into it; do I install it on a Linux machine in parallel to the MikroTik?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help! Create script for possible future security Ddos

Tue Jun 01, 2021 2:39 am

again with ([/system clock get time] - 5m) ???

00:01:00 - 5m = -23:56:00

Read this:
viewtopic.php?f=9&t=148397&p=857899&hil ... me#p857899

I suggest using a blacklist and dropping without any kind of response in /firewall raw
instead of adding the IP to the route table.
The list can grow very large, and the LIMITED routing table can fill up very quickly.

And use this script for the blacklist:
# Revised from Rextended v1.2.rex
#
# Created Jotne 2019 v1.2
#
# This script adds IPs with "denied winbox" to a block list for 7 days
# Schedule the script to run every 5 min
# It should run on all RouterOS versions - Rex tested it on 6.47.9

# may/28 12:39:14 warning denied winbox/dude connect from 181.46.136.147

:local logMessage ""
:local logIp 10.6.6.6

/log

:foreach i in=[find where message~"denied winbox"] do={

    :set logMessage [get $i message]

    :if ($logMessage~"denied winbox") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "from " -1]+5) [:len $logMessage]]]
        :if ([:len [/ip fire addr find where address=$logIp]] < 1) do={
            /ip fire addr add address=$logIp list=blacklist timeout=7d
            :log info message="add $logIp to list blacklist"
        }
    }

}



If you still want to add routes instead of dropping traffic:
# Revised from Rextended v1.2.rex
#
# Created Jotne 2019 v1.2
#
# This script adds a blackhole route for each "denied winbox"
# Schedule the script to run every 5 min
# It should run on all RouterOS versions - Rex tested it on 6.47.9

# may/28 12:39:14 warning denied winbox/dude connect from 181.46.136.147

:local logMessage ""
:local logIp 10.6.6.6

/log

:foreach i in=[find where message~"denied winbox"] do={

    :set logMessage [get $i message]

    :if ($logMessage~"denied winbox") do={
        :set logIp [:toip [:pick $logMessage ([:find $logMessage "from " -1]+5) [:len $logMessage]]]
        :if ([:len [/ip route find where dst-address=($logIp."/32") and type=blackhole]] < 1) do={
            /ip route add dst-address=$logIp type=blackhole comment="ips-malicioso"
            :log info message="add $logIp to blackhole route"
        }
    }

}
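Added example (not code from the thread or from MikroTik): a stand-alone Python model of the log-scanning logic in frednks's script and rextended's revision, run offline against constructed log lines. It contrasts the time-of-day comparison frednks used with a full date+time window, extracts the address after "from " as rextended's script does, and emits the address-list commands; the year is assumed to be the current one, since the router log omits it.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in the router's log format as quoted in the thread; two straddle midnight.
SAMPLE_LOG = """\
may/28 12:39:14 warning denied winbox/dude connect from 198.51.100.77
may/28 23:58:10 warning denied winbox/dude connect from 181.46.136.147
may/29 00:01:05 warning denied winbox/dude connect from 181.46.136.147
may/29 00:01:40 warning denied winbox/dude connect from 203.0.113.9
may/29 00:02:00 info user admin logged in from 192.0.2.10 via winbox
"""
MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
LINE_RE = re.compile(r"^([a-z]{3})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (\S+) (.*)$")

def parse_line(line, year):
    """(timestamp, topic, message) for one line, or None if it does not match.
    The router log carries no year, so the caller supplies one (assumed: the current year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, topic, msg = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss)), topic, msg

def denied_ips(log_text, now, window=timedelta(minutes=5), time_of_day_only=False):
    """Deduplicated source IPs of 'denied winbox' entries within `window` of `now`.
    time_of_day_only=True models frednks's `time > ([/system clock get time] - 5m)`: just
    after midnight the bound goes negative (rextended's 00:01:00 - 5m) and everything matches."""
    secs = lambda t: t.hour * 3600 + t.minute * 60 + t.second
    hits = set()
    for line in log_text.splitlines():
        parsed = parse_line(line, now.year)
        if not parsed or "denied winbox" not in parsed[2]:
            continue
        ts, msg = parsed[0], parsed[2]
        recent = (secs(ts) > secs(now) - window.total_seconds() if time_of_day_only
                  else now - window <= ts <= now)
        if recent:  # the address is whatever follows "from " (the offset rextended's :pick uses)
            hits.add(ipaddress.ip_address(msg.split("from ", 1)[1].split()[0]))
    return sorted(hits)

def address_list_commands(ips, existing=(), list_name="blacklist", timeout="7d"):
    """One address-list command per address not already listed (rextended's `find where address=` guard)."""
    existing = {ipaddress.ip_address(x) for x in existing}
    return [f"/ip firewall address-list add address={ip} list={list_name} timeout={timeout}"
            for ip in ips if ip not in existing]

def demo(now=datetime(2021, 5, 29, 0, 2, 30)):
    """Run both comparisons against the sample at 00:02:30, right after the midnight wrap."""
    return denied_ips(SAMPLE_LOG, now), denied_ips(SAMPLE_LOG, now, time_of_day_only=True)
```

With the sample, the time-of-day comparison also pulls in the previous day's noon entry, while the date+time window keeps only the two hosts seen in the last five minutes.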
 
frednks
newbie
Topic Author
Posts: 26
Joined: Sun Jul 30, 2017 3:12 am
Location: Brasil

Re: Help! Create script for possible future security Ddos

Thu Jun 03, 2021 3:21 am

@rextended Thanks for the collaboration.
I will test it here and let you know.
