Sunday, June 5, 2016

Bruteforce login prevention in Mikrotik

Bruteforce login prevention for FTP, SSh, Telnet and Winbox

Please read the article: https://en.wikipedia.org/wiki/Brute-force_attack


# jun/05/2016 19:06:05 by RouterOS 6.35.2
# wahid.telco@gmail.com
#

#########################################
#Bruteforce login prevention for ftp    #
#########################################
/ip firewall filter

add action=drop chain=input comment=\
    "Bruteforce login prevention(ftp: drop ftp brute forcers)" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=output comment="Bruteforce login prevention(ftp: 530 Login incorrect\
    \_to limit dst address)" content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output comment=\
    "Bruteforce login prevention(ftp: 530 Login incorrect to ftp_blacklist)" \
    content="530 Login incorrect" protocol=tcp


#########################################
#Bruteforce login prevention for ssh    #
#########################################
/ip firewall filter

add action=drop chain=input comment=\
    "Bruteforce login prevention(ssh: drop ssh brute forcers)" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input comment=\
    "Bruteforce login prevention(ssh: stage3 to blacklist)" connection-state=\
    new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1h chain=input comment=\
    "Bruteforce login prevention(ssh: stage2 to stage3)" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(ssh: stage1 to stage2)" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(ssh: stage1)" connection-state=new dst-port=\
    22 protocol=tcp
add action=drop chain=forward comment=\
    "Bruteforce login prevention(ssh: drop ssh brute downstream)" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist


#########################################
#Bruteforce login prevention for Telnet #
#########################################
If you can identify telnet attacker IP then add attacker IP in address list then make a firewall rule to droop from the address list.

/ip firewall address list
add list=telnet_droop_list_static address=ATTACKER IP comment="Add telnet attacker to this list"

/ip firewall filter
add action=drop chain=input comment=\
    "Telnet known attacker droop(from address list: telnet_droop_list_static)" \

    dst-port=23 protocol=tcp src-address-list=telnet_droop_list_static

If you want to use above mention filter rule then above rule must set top of below mentioned rule. If you don't want to use above rule then just skip above rule and copy/paste below rule.


/ip firewall filter

add action=drop chain=input comment=\
    "Bruteforce login prevention(Telnet: droop telnet brute forcers)" \
    dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=4w2d chain=input comment=\
    "Bruteforce login prevention(Telnet: stage3 to telnet_blacklist)" \
    connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage_3
add action=add-src-to-address-list address-list=telnet_stage_3 \
    address-list-timeout=1h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage2 to stage3)" connection-state=\
    new dst-port=23 protocol=tcp src-address-list=telnet_stage_2
add action=add-src-to-address-list address-list=telnet_stage_2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage1 to stage2)" connection-state=\
    new dst-port=23 protocol=tcp src-address-list=telnet_stage_1
add action=add-src-to-address-list address-list=telnet_stage_1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage1)" connection-state=new \
    dst-port=23 protocol=tcp


#########################################
#Bruteforce login prevention for Winbox #
#########################################
/ip firewall filter
add action=drop chain=input comment=\
    "Bruteforce login prevention(Winbox: droop Winbox brute forcers)" \
    dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=15d chain=input comment=\
    "Bruteforce login prevention(Winbox: stage3 to winbox_blacklist)" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    winbox_stage_3
add action=add-src-to-address-list address-list=winbox_stage_3 \
    address-list-timeout=1m chain=input comment=\
    "Bruteforce login prevention(Winbox: stage2 to stage3)" connection-state=\
    new dst-port=8291 protocol=tcp src-address-list=winbox_stage_2
add action=add-src-to-address-list address-list=winbox_stage_2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(Winbox: stage1 to stage2)" connection-state=\
    new dst-port=8291 protocol=tcp src-address-list=winbox_stage_1
add action=add-src-to-address-list address-list=winbox_stage_1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(Winbox: stage1)" connection-state=new \

    dst-port=8291 protocol=tcp

No comments:

Post a Comment