David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

How to dynamically block unwanted IPs?

Wed Jun 08, 2022 11:00 am

Hello,
I have an OpenVPN server on my MikroTik router.
I'm able to connect to it, and everything is working.
When I connect to the server it's from an unknown/dynamic IP (using an Android device on a cellular network).
Today I saw there are many IPs that are trying to connect (which are not my attempts),
for example:
162.142.125.129
167.94.138.117
167.248.133.63
How can I block them?
I can't do "port-knocking" because I'm using the standard OpenVPN app.
Is there something I can do?

Thanks,
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: How to dynamically block unwanted IPs?

Wed Jun 08, 2022 11:25 am

Two approaches I can think of: whitelisting or blacklisting.
I used to have a blacklist and added IP blocks by hand, based on logging. I stopped with that as the list got very long. But it might suit you. I know there are also geo lists available.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: How to dynamically block unwanted IPs?

Wed Jun 08, 2022 11:56 am

This is what I thought to do also, but as you said it would have to be maintained manually.
Is there any way to know if the user put in the wrong password 3 times from the same IP, and then block it for 1 hour (example of thinking)?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to dynamically block unwanted IPs?

Wed Jun 08, 2022 1:24 pm

I can't do "port-knocking" because I'm using the standard OpenVPN app.
Is there something I can do?
So? Just install a "port-knock" app on your Android device.
This has nothing to do with the VPN app.
The only thing: you first need to execute the port-knock app, then launch the OpenVPN app.
I use an Android app called "Port Knocker" where you can set up the sequence that needs to be knocked.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: How to dynamically block unwanted IPs?

Wed Jun 08, 2022 1:32 pm

This may just be a port tester.

You can block IPs trying to get in if there are x failed attempts (solution found in this forum). I use it.
You can block all IPs trying to use a port that is not open on your router, for example for 24 hours. This stops port scanners as soon as they hit the first blocked port. I use this solution as well (solution found in this forum).
 
boldsuck
Frequent Visitor
Posts: 60
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: How to dynamically block unwanted IPs?

Wed Jun 22, 2022 1:10 pm

This is what I thought to do also, but as you said it would have to be maintained manually.
Is there any way to know if the user put in the wrong password 3 times from the same IP, and then block it for 1 hour (example of thinking)?
You could use a 3-stage address list. Works in all chains: input, nat, raw... Example for SSH:
/ip firewall filter
add action=drop chain=input comment="Drop SSH brute forcers from WAN <- Src. Address List: ssh_blacklist" dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="Address-list SSH 4th attempt: add ssh_stage3 -> ssh_blacklist" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m chain=input comment="Address-list SSH 3rd attempt: add ssh_stage2 -> ssh_stage3" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input comment="Address-list SSH 2nd attempt: add ssh_stage1 -> ssh_stage2" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="Address-list SSH first attempt: -> add ssh_stage1" connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: How to dynamically block unwanted IPs?

Sun Jul 03, 2022 3:40 pm

I didn't know there is an Android app for this... thanks!

But now that I'm thinking about it, I have another problem:
my MikroTik is behind another router that is the main gateway.
In the "main router" I have only port forwarded the VPN port TCP 1194, so the port knocking will not be effective unless I open another port and forward it to the MikroTik, no?

This is what I see in the log; it seems that some succeed in connecting to my network, no?
15:20:28 ovpn,info TCP connection established from 167.94.138.47 
15:20:28 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=7843a8f18b30eeb3 pid=0 DATA len=0 
15:20:28 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=3d56fddc9a0938f pid=0 DATA len=0 
15:20:28 ovpn,debug,packet sent P_ACK kid=0 sid=7843a8f18b30eeb3 [0 sid=3d56fddc9a0938f] DATA len=0 
15:20:28 ovpn,debug <167.94.138.47>: disconnected <peer disconnected> 
15:20:28 ovpn,info TCP connection established from 167.94.138.47 
15:20:28 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=15f09831dff6ddb4 pid=0 DATA len=0 
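The staged address lists in boldsuck's SSH rules and the ovpn log in this post, tied together in one added Python simulation that is not from the thread and not RouterOS code: it parses "TCP connection established" lines into (time, source IP) events and runs them through a model of the five rules in their listed order, so you can see when a source lands on the blacklist and when it does not. The log lines are constructed in the shape of the ones quoted above (167.94.138.47 reconnecting within seconds, plus a made-up 203.0.113.9 that connects twice, 15 minutes apart); the model assumes that add-src-to-address-list does not stop rule processing and that re-adding a listed address refreshes its timeout. The point it makes is that these rules count new TCP connections, not failed passwords: a source that reconnects four times within a minute is blacklisted on its fourth connection and dropped on the fifth, while a source that connects once every 15 minutes never gets past stage 1 because the 1m stage-1 entry has already expired.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the shape of the "ovpn,info" lines quoted in the
# thread; 203.0.113.9 (documentation range) is made up for this example.
SAMPLE_LOG = """\
15:20:28 ovpn,info TCP connection established from 167.94.138.47
15:20:28 ovpn,debug <167.94.138.47>: disconnected <peer disconnected>
15:20:28 ovpn,info TCP connection established from 167.94.138.47
15:20:29 ovpn,debug <167.94.138.47>: disconnected <peer disconnected>
15:20:30 ovpn,info TCP connection established from 167.94.138.47
15:20:31 ovpn,info TCP connection established from 167.94.138.47
15:20:32 ovpn,info TCP connection established from 167.94.138.47
15:25:00 ovpn,info TCP connection established from 203.0.113.9
15:40:00 ovpn,info TCP connection established from 203.0.113.9
"""

ESTABLISHED = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ovpn,info TCP connection established from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Address list -> address-list-timeout, as in the SSH rules above (1w3d = 10 days).
STAGES = [
    ("ssh_stage1", timedelta(minutes=1)),
    ("ssh_stage2", timedelta(minutes=10)),
    ("ssh_stage3", timedelta(minutes=10)),
    ("ssh_blacklist", timedelta(weeks=1, days=3)),
]


def parse_new_connections(log_text, day=datetime(2022, 7, 3)):
    """Return [(datetime, ip)] for every 'TCP connection established' line.
    The router log carries only a time of day, so one fixed date is assumed."""
    events = []
    for line in log_text.splitlines():
        m = ESTABLISHED.match(line)
        if m:
            t = datetime.strptime(m.group("time"), "%H:%M:%S").time()
            events.append((datetime.combine(day.date(), t), m.group("ip")))
    return events


class StagedAddressLists:
    """The five rules, evaluated top to bottom for each new connection.
    Assumed RouterOS behaviour: add-src-to-address-list does not stop rule
    processing, and re-adding a listed address refreshes its timeout."""

    def __init__(self, stages=STAGES):
        self.names = [name for name, _ in stages]
        self.timeouts = dict(stages)
        self.lists = {name: {} for name in self.names}   # name -> {ip: expiry}

    def listed(self, name, ip, now):
        """True if ip is on the list and its dynamic entry has not expired."""
        expiry = self.lists[name].get(ip)
        if expiry is not None and expiry > now:
            return True
        self.lists[name].pop(ip, None)   # missing or timed out
        return False

    def _add(self, name, ip, now):
        self.lists[name][ip] = now + self.timeouts[name]

    def new_connection(self, now, ip):
        """Apply the rules to one new connection; return 'drop' or 'accept'."""
        # Rule 1: drop sources already on the blacklist.
        if self.listed(self.names[-1], ip, now):
            return "drop"
        # Rules 2-4: stage3 -> blacklist, stage2 -> stage3, stage1 -> stage2.
        # Highest stage first, so a source rises at most one rung per connection.
        for lower, higher in reversed(list(zip(self.names, self.names[1:]))):
            if self.listed(lower, ip, now):
                self._add(higher, ip, now)
        # Rule 5: every new connection lands in (or refreshes) stage 1.
        self._add(self.names[0], ip, now)
        return "accept"


def simulate(log_text):
    """Run the log's connections through the rules; return
    ({ip: [verdict per connection]}, [blacklisted ips])."""
    fw = StagedAddressLists()
    verdicts = {}
    for when, ip in parse_new_connections(log_text):
        verdicts.setdefault(ip, []).append(fw.new_connection(when, ip))
    return verdicts, sorted(fw.lists["ssh_blacklist"])


if __name__ == "__main__":
    result, blacklisted = simulate(SAMPLE_LOG)
    for ip, outcomes in result.items():
        print(ip, outcomes)
    print("blacklisted:", blacklisted)
```

To adapt the model to the OpenVPN case in this thread, only the timeouts in STAGES need changing; the rule order is what matters, since listing the promotion rules highest stage first is what keeps a single connection from climbing straight to the blacklist.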
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: How to dynamically block unwanted IPs?

Sun Jul 03, 2022 4:51 pm

You need to open all the ports you want to use for port knocking on the front router to reach your MikroTik router.
