MikroTik Bruteforce Login Prevention

[Andy]

To stop SSH, Telnet and FTP attacks on your router, follow the following advise:

This configuration allows only 10 FTP login incorrect answers per minute.

in /ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

This will prevent an SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

in /ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

This will prevent a Telnet brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

in /ip firewall filter

add chain=input protocol=tcp dst-port=23 src-address-list=telnet_blacklist action=drop \
comment="drop telnet brute forcers" disabled=no

add chain=input protocol=tcp dst-port=23 connection-state=new \
src-address-list=telnet_stage3 action=add-src-to-address-list address-list=telnet_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=23 connection-state=new \
src-address-list=telnet_stage2 action=add-src-to-address-list address-list=telnet_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=telnet_stage1 \
action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=23 connection-state=new action=add-src-to-address-list \
address-list=telnet_stage1 address-list-timeout=1m comment="" disabled=no

If you want to block downstream access as well, you need to block the with the forward chain:

add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute downstream" disabled=no

To view the contents of your Blacklist, go to “/ip firewall address-list” and type “print” to see the contents.

This is the recommended Bruteforce prevention, officially from the MikroTik Wiki. Despite their page was last edited on 7 August 2013, at 09:47 this method is still pretty much effective until present.

 

[Andy]

Spoiler: Unfinished/Untested

Recently I found my Winbox got brute-forced, so I created this additional rule:

in /ip firewall filter

add chain=input protocol=tcp dst-port=8291 src-address-list=winbox_blacklist action=drop \
comment="drop winbox brute forcers" disabled=no

add chain=input protocol=tcp dst-port=8291 connection-state=new \
src-address-list=winbox_stage3 action=add-src-to-address-list address-list=winbox_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=8291 connection-state=new \
src-address-list=winbox_stage2 action=add-src-to-address-list address-list=winbox_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=winbox_stage1 \
action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=8291 connection-state=new action=add-src-to-address-list \
address-list=winbox_stage1 address-list-timeout=1m comment="" disabled=no

–––

And for extra security, I secured my WebFix interface as well:

in /ip firewall filter

add chain=input protocol=tcp dst-port=8080 src-address-list=webfig_blacklist action=drop \
comment="drop webfig brute forcers" disabled=no

add chain=input protocol=tcp dst-port=8080 connection-state=new \
src-address-list=webfig_stage3 action=add-src-to-address-list address-list=webfig_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=8080 connection-state=new \
src-address-list=webfig_stage2 action=add-src-to-address-list address-list=webfig_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=8080 connection-state=new src-address-list=webfig_stage1 \
action=add-src-to-address-list address-list=webfig_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=8080 connection-state=new action=add-src-to-address-list \
address-list=webfig_stage1 address-list-timeout=1m comment="" disabled=no

Now we have all IP services port secured from brute force attacks

 

[Andy]

We have expanded this rule to also prevent RDP (Remote Desktop Connection) Bruteforce attacks. Follow the link down below to see the script:

MikroTik RDP Bruteforce Login Prevention

This is an expansion from our standard MikroTik SSH, Telnet and FTP Bruteforce Login Prevention. To stop Remote Desktop Connection attacks on your router, follow the following guide: in /ip firewall filter add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_blacklist action=drop...

saputra.org