Andy

Administrator
Creative Team
User ID
1
Joined
7 Jan 2019
Messages
943
Reaction score
40
Points
28
To stop SSH, Telnet and FTP attacks on your router, follow the advice below:

This configuration allows only 10 incorrect FTP login answers per minute.

in /ip firewall filter
Code:
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

This will get an SSH brute forcer banned for 10 days after repeated attempts. Change the timeouts as necessary.

in /ip firewall filter
Code:
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

This will get a Telnet brute forcer banned for 10 days after repeated attempts. Change the timeouts as necessary.

in /ip firewall filter
Code:
add chain=input protocol=tcp dst-port=23 src-address-list=telnet_blacklist action=drop \
comment="drop telnet brute forcers" disabled=no

add chain=input protocol=tcp dst-port=23 connection-state=new \
src-address-list=telnet_stage3 action=add-src-to-address-list address-list=telnet_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=23 connection-state=new \
src-address-list=telnet_stage2 action=add-src-to-address-list address-list=telnet_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage1 \
action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=23 connection-state=new action=add-src-to-address-list \
address-list=telnet_stage1 address-list-timeout=1m comment="" disabled=no

If you want to block downstream access as well, you need to block them with the forward chain:
Code:
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute downstream" disabled=no

To view the contents of your Blacklist, go to “/ip firewall address-list” and type “print” to see the contents.

This is the recommended brute-force prevention, officially from the MikroTik Wiki. Although their page was last edited on 7 August 2013 at 09:47, this method is still very much effective at present.
 

Andy

Recently I found my Winbox got brute-forced, so I created this additional rule:

in /ip firewall filter
Code:
add chain=input protocol=tcp dst-port=8291 src-address-list=winbox_blacklist action=drop \
comment="drop winbox brute forcers" disabled=no

add chain=input protocol=tcp dst-port=8291 connection-state=new \
src-address-list=winbox_stage3 action=add-src-to-address-list address-list=winbox_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=8291 connection-state=new \
src-address-list=winbox_stage2 action=add-src-to-address-list address-list=winbox_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=winbox_stage1 \
action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=8291 connection-state=new action=add-src-to-address-list \
address-list=winbox_stage1 address-list-timeout=1m comment="" disabled=no

–––

And for extra security, I secured my WebFig interface as well:

in /ip firewall filter
Code:
add chain=input protocol=tcp dst-port=8080 src-address-list=webfig_blacklist action=drop \
comment="drop webfig brute forcers" disabled=no

add chain=input protocol=tcp dst-port=8080 connection-state=new \
src-address-list=webfig_stage3 action=add-src-to-address-list address-list=webfig_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=8080 connection-state=new \
src-address-list=webfig_stage2 action=add-src-to-address-list address-list=webfig_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=8080 connection-state=new src-address-list=webfig_stage1 \
action=add-src-to-address-list address-list=webfig_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=8080 connection-state=new action=add-src-to-address-list \
address-list=webfig_stage1 address-list-timeout=1m comment="" disabled=no

Now we have all IP service ports secured from brute force attacks :)
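The staged address-list chain used in the first post (SSH, Telnet) and in this one (Winbox, WebFig) is easier to reason about when the rule evaluation is written out. The following model is an added example, not code from the thread or from MikroTik: it replays the five input-chain rules top-down for each connection-state=new packet, with the 1m stage timeouts and 10d blacklist timeout from the posts, and shows that the rules count new TCP connections (not failed logins), that the fourth connection inside the window is what lands the source on the blacklist, and that sources spaced further apart than the stage timeout never get there, which is why the timeouts need tuning. The IP address and attempt times are constructed.

```python
"""Model of the MikroTik staged address-list rule chain (constructed example)."""
from dataclasses import dataclass, field

STAGE_TIMEOUT = 60                   # address-list-timeout=1m on stage1..stage3
BLACKLIST_TIMEOUT = 10 * 24 * 3600   # address-list-timeout=10d on the blacklist


@dataclass
class StagedBlocker:
    """Address lists for one protected port; values are entry expiry times (s)."""
    lists: dict = field(default_factory=lambda: {
        n: {} for n in ("stage1", "stage2", "stage3", "blacklist")})

    def listed(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        return expiry is not None and expiry > now

    def add(self, name, ip, now):
        # add-src-to-address-list creates the entry or refreshes its timeout
        ttl = BLACKLIST_TIMEOUT if name == "blacklist" else STAGE_TIMEOUT
        self.lists[name][ip] = now + ttl

    def new_connection(self, ip, now):
        """Evaluate the input-chain rules top-down for one new connection."""
        if self.listed("blacklist", ip, now):
            return "drop"                        # rule 1: terminating action
        # Rules 2-5 use add-src-to-address-list, which is passthrough: every
        # matching rule fires and the packet continues, so one connection can
        # promote the source by one stage and refresh the lower stages.
        # The stage3 check must come first, otherwise a source just added to
        # stage2 would be promoted again by the same packet.
        for src_list, dst_list in (("stage3", "blacklist"),
                                   ("stage2", "stage3"), ("stage1", "stage2")):
            if self.listed(src_list, ip, now):
                self.add(dst_list, ip, now)
        self.add("stage1", ip, now)              # rule 5: every new connection
        return "passthrough"


def simulate(attempt_times, ip="198.51.100.7"):
    """Return the verdict for each new connection from one source (constructed IP)."""
    blocker = StagedBlocker()
    return [blocker.new_connection(ip, t) for t in attempt_times]


if __name__ == "__main__":
    # Five connections inside one minute: the 4th promotes to the blacklist,
    # the 5th is dropped (the promoting packet itself still passes through).
    print(simulate([0, 10, 20, 30, 40]))
    # One connection every 61 s: each stage entry expires before the next
    # attempt, so the source never advances past stage1.
    print(simulate([0, 61, 122, 183, 244]))
```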
 

Andy

We have expanded this rule to also prevent RDP (Remote Desktop Connection) brute-force attacks. Follow the link below to see the script: