
 
Rubi02
just joined
Topic Author
Posts: 5
Joined: Sat Mar 12, 2016 12:09 pm

Ftp Bruteforce Protection

Tue Jul 31, 2018 8:58 am

Hello,

I have a question about a firewall rule. In the MikroTik Wiki there is a manual for FTP brute-force login prevention: https://wiki.mikrotik.com/wiki/Brutefor ... prevention
This manual is for the input chain, but I want to secure an FTP server behind the MikroTik with this rule. That's why I changed all the rules to forward, but it doesn't work. Here is my config.
add chain=forward protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=forward action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=forward action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h
 
Jotne
Forum Guru
Posts: 1309
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Ftp Bruteforce Protection

Tue Jul 31, 2018 11:19 am

I was not able to make this work as well, so I used this variation.
/ ip firewall filter
add chain=forward protocol=tcp dst-port=21 src-address-list=black_list_ftp action=drop \
comment="Drop FTP brute forcers" disabled=no log=yes log-prefix="FW_Block_Bruteforce_FTP"
add chain=forward protocol=tcp dst-port=21 connection-state=new \
src-address-list=ftp_stage2 action=add-src-to-address-list address-list=black_list_ftp address-list-timeout=1d \
comment="" disabled=no
add chain=forward protocol=tcp dst-port=21 connection-state=new \
src-address-list=ftp_stage1 action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=5m \
comment="" disabled=no
add chain=forward protocol=tcp dst-port=21 connection-state=new \
action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=5m comment="" \
disabled=no
Here is how it works:
When someone tries to FTP to you, the bottom rule hits.
It will add the IP to a temporary access-list ftp_stage1 and it stays there for 5 min.

2nd attempt
If the user tries again, the second rule from the bottom will run, since the IP is in access-list ftp_stage1.
This will then add the user to access-list ftp_stage2 and it stays there for 5 min.

3rd attempt
If the user tries again, the third rule from the bottom will run, since the IP is in access-list ftp_stage2.
This will then add the user to access-list black_list_ftp and it stays there for 1 day.

4th attempt
The top rule will hit since the IP is in access-list black_list_ftp, and the user will not be able to log in.

This is a simple way to do it. It works.
You can add more steps, change timers.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
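
The staged escalation described in the reply above, modelled in Python as an added example (not code from the thread or from MikroTik): it replays constructed connection times through the four rules in their listed order. It assumes that re-adding a listed address restarts its timeout and models only new connections to port 21; the class and function names are made up for this illustration.

```python
# Model of the four forward-chain rules above, evaluated top to bottom for
# each NEW TCP connection to port 21. Times are in seconds.
STAGE_TTL = 5 * 60          # ftp_stage1 / ftp_stage2: address-list-timeout=5m
BLACKLIST_TTL = 24 * 3600   # black_list_ftp: address-list-timeout=1d


class Firewall:
    def __init__(self):
        # list name -> {source address: expiry time}
        self.lists = {"ftp_stage1": {}, "ftp_stage2": {}, "black_list_ftp": {}}

    def _member(self, name, src, now):
        return self.lists[name].get(src, 0) > now

    def _add(self, name, src, now, ttl):
        # Assumption: re-adding an existing entry restarts its timeout.
        self.lists[name][src] = now + ttl

    def new_connection(self, src, now):
        """Return 'drop' or 'pass' for a new connection from src at time now."""
        if self._member("black_list_ftp", src, now):      # rule 1: action=drop
            return "drop"
        # Rules 2-4 use add-src-to-address-list, which does not stop rule
        # processing, so the packet is tested against all three in order.
        # Highest stage first: one connection advances exactly one stage.
        if self._member("ftp_stage2", src, now):          # rule 2
            self._add("black_list_ftp", src, now, BLACKLIST_TTL)
        if self._member("ftp_stage1", src, now):          # rule 3
            self._add("ftp_stage2", src, now, STAGE_TTL)
        self._add("ftp_stage1", src, now, STAGE_TTL)      # rule 4
        return "pass"


def replay(events):
    """events: iterable of (time, src). Returns the verdict for each one."""
    fw = Firewall()
    return [fw.new_connection(src, t) for t, src in events]


# Constructed sample traffic (documentation addresses, not real hosts).
BURST = [(t, "203.0.113.7") for t in (0, 10, 20, 30)]
SPACED = [(t, "198.51.100.4") for t in (0, 400, 800, 1200)]

if __name__ == "__main__":
    print("burst :", replay(BURST))    # fourth connection is dropped
    print("spaced:", replay(SPACED))   # gaps over 5 min never escalate
```

The rules count new connections to port 21, not failed logins, so any client that opens three connections inside the five-minute windows ends up on black_list_ftp as well.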
 
