Community discussions

 
User avatar
tplecko
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia
Contact:

Automated blocking of IP addresses

Mon Dec 10, 2007 4:02 pm

In my logs I have lots of entrys like
(50 messages not shown)
dec/10/2007 16:05:09 system,error,critical login failure for user username from 222.112.170.217 via ssh
dec/10/2007 16:05:12 system,error,critical login failure for user username from 222.112.170.217 via ssh
dec/10/2007 16:05:16 system,error,critical login failure for user user from 222.112.170.217 via ssh
dec/10/2007 16:05:19 system,error,critical login failure for user root from 222.112.170.217 via ssh
dec/10/2007 16:05:22 system,error,critical login failure for user admin from 222.112.170.217 via ssh
dec/10/2007 16:05:26 system,error,critical login failure for user test from 222.112.170.217 via ssh
dec/10/2007 16:05:29 system,error,critical login failure for user root from 222.112.170.217 via ssh
dec/10/2007 16:05:32 system,error,critical login failure for user root from 222.112.170.217 via ssh

Is there a way to automaticly block this ip after 3-4 failed logins?



Thanks
It's not funny if i have to explain it to you! (http://wiki.plecko.hr)
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Automated blocking of IP addresses

Tue Dec 11, 2007 3:30 pm

you can use access-list - so when host connects for the first time, he gets in a starting list, if it connects another time, it get further, when it connects 4th or 5th time its ip address is added to block list and he is dropped for some time.
 
User avatar
Dragonmen
Frequent Visitor
Frequent Visitor
Posts: 72
Joined: Thu Jun 16, 2005 6:20 pm
Location: Sabac, Serbia
Contact:

Re: Automated blocking of IP addresses

Wed Dec 12, 2007 9:32 am

My recommendation is to block the ports for router access in the input chain and allow connection to these port only by your ip address (or range) - this will prevent possible router hacking.
The ports are: 21,22,23,80,8291 all tcp.
 
User avatar
tplecko
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia
Contact:

Re: Automated blocking of IP addresses

Wed Dec 12, 2007 10:19 am

Access-lists can only be used with wireless interfaces...

My router has no wireless interfaces.

Public interface, DMZ interface and LAN interface (all wires)

On WAN i have static IP addresses and my log's are full of failed login attempts from the same IP address for hours....

I can't block remote access because i connect to the router the same way.

But regardless of where the attempts are comming from. Is there any way to prevent this?
Is there a way to add users IP to an address-list when he failes to logon? and count souch logins? If number of failed logins is greater than eg. 5 in the last minute, bloch the IP for 45 minutes?

I'm pretty new to scripting and some of the more advanced functions but i understand a good example!

Regards
It's not funny if i have to explain it to you! (http://wiki.plecko.hr)
 
User avatar
Dragonmen
Frequent Visitor
Frequent Visitor
Posts: 72
Joined: Thu Jun 16, 2005 6:20 pm
Location: Sabac, Serbia
Contact:

Re: Automated blocking of IP addresses

Wed Dec 12, 2007 10:37 am

Access-lists can only be used with wireless interfaces...

My router has no wireless interfaces.

Public interface, DMZ interface and LAN interface (all wires)

On WAN i have static IP addresses and my log's are full of failed login attempts from the same IP address for hours....

I can't block remote access because i connect to the router the same way.

But regardless of where the attempts are comming from. Is there any way to prevent this?
Is there a way to add users IP to an address-list when he failes to logon? and count souch logins? If number of failed logins is greater than eg. 5 in the last minute, bloch the IP for 45 minutes?

I'm pretty new to scripting and some of the more advanced functions but i understand a good example!

Regards
/ip firewall filter add chain=input src-address="YOURIPORSUBNET" action=accept
/ip firewall filter add chain=input action=drop

For mutiple input ip/subnets execute first rule as many times as you have ip/subnets that has to communicate with router directly.
Alternatively, you can use this:
/ip firewall filter add chain=input action=drop dst-port=21
/ip firewall filter add chain=input action=drop dst-port=22
/ip firewall filter add chain=input action=drop dst-port=23
/ip firewall filter add chain=input action=drop dst-port=80
/ip firewall filter add chain=input action=drop dst-port=8291
instead of the drop rule above to drop only "auth-type" services.

Putting ip addresses to access-list is still not secure enough (what is somebody guess you user/pass at first time?)
 
User avatar
tplecko
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia
Contact:

Re: Automated blocking of IP addresses

Thu Dec 13, 2007 10:02 am

I think that it is less likely that someone will guess my username and password at first...

And forgive me, i forgot to say that i must be able to access the router over the internet. I am connected thru DSL so i can't create a rule to give me access based on the IP address.

If i was on a static ip, i wouldn't be asking here.
Is there a way to do this?
It's not funny if i have to explain it to you! (http://wiki.plecko.hr)
 
yancho
Member Candidate
Member Candidate
Posts: 205
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Re: Automated blocking of IP addresses

Thu Dec 13, 2007 6:17 pm

 
User avatar
GWISA
Member
Member
Posts: 394
Joined: Tue Jan 31, 2006 2:37 pm
Location: Johannesburg, South Africa

Re: Automated blocking of IP addresses

Fri Dec 14, 2007 12:46 am

The wiki has a great script - you could also just change the ssh port on your router...
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Automated blocking of IP addresses

Mon Dec 17, 2007 5:50 pm

i have pptp server enabled, so i can log in from wherever i need and some sites in whitelist, so i do not have to create pptp tunnel to access from these sites.
 
ArmootSystemInc
just joined
Posts: 1
Joined: Thu Nov 10, 2016 10:49 pm

Re: Automated blocking of IP addresses

Thu Nov 10, 2016 11:00 pm

Hi !!
I,m IT Expert of Armoot System Company from Iran-Tehran .
i want to do it too !! but finally i find out that not possible !! only you can user another port on SSH & Telnet & WinBox & Web Console ... but attackers can find your personal port's with port scanner software example Nmap !! For DSL user's that not have static's IP Address ... i recommend to you that use Squid Proxy server With Linux CentOS if you don't have wireless on your Mikrotik !! :)
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: Automated blocking of IP addresses

Fri Nov 11, 2016 8:29 am

Changing access ports actually is a good practice.
Because these hack attempts are basically conducted automatically on standard ports.
There is no one trying to attack specifically your router by giving it full attention, it is just a script.
So if no open port is found by its internal logic, it will move on. No portscan, no alternate methods.
Usually, you are not special to them. Just an arbitrary system responding to a connect on port 22.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
User avatar
BlackVS
Member Candidate
Member Candidate
Posts: 171
Joined: Mon Feb 04, 2013 7:00 pm
Contact:

Re: Automated blocking of IP addresses

Fri Nov 11, 2016 10:01 am

... turbulence in forum...
see next post %)
Last edited by BlackVS on Fri Nov 11, 2016 10:05 am, edited 1 time in total.
 
User avatar
BlackVS
Member Candidate
Member Candidate
Posts: 171
Joined: Mon Feb 04, 2013 7:00 pm
Contact:

Re: Automated blocking of IP addresses

Fri Nov 11, 2016 10:03 am

Hi !!
I,m IT Expert ... but finally i find out that not possible !!
Very fun... Generally I agree with you - everything can be hacked.
Question only in resources spent (time, money, equipment etc)

But if
0. Use non-standard ports.
1. Use VPN for access. To hack proper vpn much more harder then hack telnet or http protocol.
2. Use HTTPS - even if open port to hack it not so easy. Sure you must use proper certificates not just open port.
3. Use Whitelists
4. Use Port-knocking technique. For paranoiacs - with complex 3-4 stages logic %))
5. Add some intelligence to router by detecting brute-forces. In my block-list I have usually ~5000 blocked ips.
6. The same as previous but use external sources for blacklists. I saw such lists with auto updating scripts here in the forum.
PS.
7 don't use stickers with passwords on you monitor or something like that %)

and if use all 0+1+2+3+4+5+6 then instead to directly hack you router will be much easier hack system administrators with Rubber-hose cryptanalysis ( in Russian as терморектальный криптоанализ ) ...For usual office/home router it is enough 2-3 methods from listed above.

And don't use http, telnet, ssh for accessing your router globally (and sometimes - locally) at all.

Don't use https, WinBox without additional protections from listed above.

Put all Internet globally exposed services each in own DMZ zones. In such case if somebody hack your server it hack only this server without any additional access to router or internal network.

With WinBox straightness - difficult to say due to its proprietary protocol...
Yes, I know people tried reversed engineered it (for creation custom applications), it can be analysed but in 99.99% nobody will do it.

Specially for Expert - give full access to router via WiFis not good idea...

Who is online

Users browsing this forum: No registered users and 12 guests