Community discussions

MUM Europe 2020
 
KbzA
newbie
Topic Author
Posts: 26
Joined: Thu Feb 24, 2011 7:46 pm

Boot attemp login using brute force

Sat Jun 25, 2011 5:45 pm

Hi!

I have a problem....... in my two differents routerboards (mark connection to internet ), attemps login using random user, everyday, differents ip address.
See the pic :
Image

¿How to block this attack?
Thanks!
 
yogii
Member Candidate
Member Candidate
Posts: 148
Joined: Wed Jun 16, 2010 5:38 am
Location: Batam, Indonesia

Re: Boot attemp login using brute force

Sat Jun 25, 2011 6:21 pm

you need to make IP address restriction that will login to your router.

for example,
add the white list IP address to /ip service, fill "available from" with white list IP address.

only white list IP address can get login page. :)
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24368
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Boot attemp login using brute force

Mon Jun 27, 2011 1:00 pm

or set up higher protection for your router

http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
No answer to your question? How to write posts
 
ammar83
just joined
Posts: 19
Joined: Thu Nov 24, 2011 2:00 pm

Re: Boot attemp login using brute force

Thu Nov 24, 2011 2:05 pm

or set up higher protection for your router

http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

Hi normis,

and how to get the address list filled with the IPs of the attacker to name them "ftp_blacklist"

Thanks.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Boot attemp login using brute force

Thu Nov 24, 2011 2:08 pm

you can use firewall to do this.

you can look up several threads about how to solve this problem on the forum.
 
hotspotsolutions
Member Candidate
Member Candidate
Posts: 119
Joined: Thu Dec 16, 2004 1:48 pm

Re: Boot attemp login using brute force

Fri Nov 25, 2011 7:57 am

easiest way I found around this was the change the port number, those automated scanning tools only ever use the default ports, so just change your SSH, telnet ports to something different (say SSH=40022)

you can do this under /ip services
 
ammar83
just joined
Posts: 19
Joined: Thu Nov 24, 2011 2:00 pm

Re: Boot attemp login using brute force

Mon Nov 28, 2011 7:34 am

you can use firewall to do this.

you can look up several threads about how to solve this problem on the forum.
Hi janisk,

What I meant was:
If someone "an IP" make 10 attempts to access the router and none of them was successful, then add his "IP" to address list under ftp_blacklist or ssh_blacklist according to the method that he was using to access the device...
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Boot attemp login using brute force

Mon Nov 28, 2011 10:52 am

exactly, if you set firewall rules in succession that will add ip address into address list with short time-out, like 5 seconds till next new connection to attempt log in, then add it to next address-list then next (as many steps as you like) in the end add to last address list that is either permanent or will hold entries several hours.

logic something like this:

these are note actual commands:

/ip firewall filter action=drop src-list=1d-drop
/ip firewall filter action=add-to-address-list=1d-drop src-list=3rd-step address-list-timeout=1d
/ip firewall filter action=add-to-address-list=3rd-step src-list=2nd-step address-list-timeout=3s
/ip firewall filter action=add-to-address-list=2nd-step src-list=1st-step address-list-timeout=3s
/ip firewall filter action=add-to-address-list=1st-step address-list-timeout=3s


some order like this you add in firewall filter where new connections are handled

when normal customer (you) are logging in, your address will be added to 1st or maximum 2nd step that will time out shortly, of course, if you forget the login credentials and try to do this in very short time, as result you will effectively ban yourself for time set in timeout value of final address-list.

remember it is not based on login was successful or not, it only depends on that for some reason someone keeps on connecting with new connection to you several times in short period of time.
 
User avatar
THG
Member
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: Boot attemp login using brute force

Mon Dec 12, 2011 1:57 pm

You can also use port knocking to get rid of all malicious SSH login attempts. Port knocking is a security tecnique that opens firewalls ports on demand, providing increased security on interfaces exposed to internet and at the same time allowing flexible access for allowed users.

http://wiki.mikrotik.com/wiki/Securing_ ... t_Knocking

Who is online

Users browsing this forum: No registered users and 30 guests