• Health tips to prevent the spread of COVID-19:
    • Wash your hands frequently;
    • Maintain 2 meters social distancing;
    • Minimise outdoor activities.
    Stay safe in your bubble!

MikroTik RDP Bruteforce Login Prevention

Andy

Administrator
User ID
1
Joined
7 Jan 2019
Messages
212
Reaction score
8
Points
18
This is an expansion from our standard MikroTik SSH, Telnet and FTP Bruteforce Login Prevention.

To stop Remote Desktop Connection attacks on your router, follow the following guide:

in /ip firewall filter
Code:
add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_blacklist action=drop \
comment="drop rdp brute forcers" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage9 action=add-src-to-address-list address-list=rdp_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage8 action=add-src-to-address-list address-list=rdp_stage9 \
address-list-timeout=3m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage7 action=add-src-to-address-list address-list=rdp_stage8 \
address-list-timeout=3m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage6 action=add-src-to-address-list address-list=rdp_stage7 \
address-list-timeout=3m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage5 action=add-src-to-address-list address-list=rdp_stage6 \
address-list-timeout=3m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage4 action=add-src-to-address-list address-list=rdp_stage5 \
address-list-timeout=3m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage3 action=add-src-to-address-list address-list=rdp_stage4 \
address-list-timeout=3m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage2 action=add-src-to-address-list address-list=rdp_stage3 \
address-list-timeout=3m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage1 action=add-src-to-address-list address-list=rdp_stage2 \
address-list-timeout=3m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new action=add-src-to-address-list \
address-list=rdp_stage1 address-list-timeout=3m comment="" disabled=no
The mechanism is:
For each incoming attempt, it adds the IP address to a list. The first time it gets added to stage1, then if the IP is still in stage1 (after a minute) and another attempt made, it gets added to stage2, and so on, after it does this seven more times it is added to the rdp_blacklist list where it gets blocked for 10 days.

In simple language:
Every new incoming connection to the specified RDP port monitored for 3 minutes, and if the user fails ten times, then their IP address will be blocked for ten days.

If you want it to be more or less aggressive you can change the list timeouts, or even add more lists if you so desire.

You can add these additional rules above of the firewall rules above to allow specific IP ranges to exempt from this brute force check:
Code:
add chain=forward protocol=tcp dst-port=3389 src-address=10.0.0.0/24 action=accept
add chain=forward protocol=tcp dst-port=3389 src-address=192.168.1.123/32 action=accept
add chain=forward protocol=tcp dst-port=3389 action=drop
Just add as many of the src-address lines you need ahead of the final drop line. If you have a LOT of ranges, you can create an address-list and reference that using this:
Code:
add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_whitelist action=accept
add chain=forward protocol=tcp dst-port=3389 action=drop
And then add your addresses to the rdp_whitelist.

To add to the rdp_whitelist use the following command:
Code:
/ip firewall address-list add list=rdp_whitelist address=10.0.0.0/24
Tested and it's working perfectly fine on our CCR1009-7G-1C-1S+ (tile), RouterOS v6.44.6 (long term) 👍
 
 Short URL:
Top