Bruteforce protection - MikroTik firewall rules

  • Added 16. 11. 2022
  • Here is an example of how to defend against bruteforce attacks on an SSH port. Note that SSH allows 3 login attempts per connection and the address lists are not cleared on a successful login, so it is possible to blacklist yourself accidentally.
    help.mikrotik.com/docs/displa...
  • Science & Technology
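The staged address-list scheme the description refers to, written out as an added example. It follows the pattern in MikroTik's bruteforce-prevention documentation rather than the exact rules shown in the video; the list names, timeouts and the `mgmt_trusted` list are assumptions.

```routeros
# Added example: staged SSH bruteforce protection with address lists.
# Follows MikroTik's documented pattern; list names, timeouts and the
# "mgmt_trusted" list are assumptions, not the video's exact rules.
/ip firewall filter

# Hosts you manage are accepted first, so the stages below cannot lock
# out your own management station (assumed list: mgmt_trusted).
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt_trusted \
    action=accept comment="ssh from trusted management hosts"

# Drop anything already blacklisted.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers"

# Every NEW connection moves the source one stage further. The stage3
# check comes first so one packet cannot fall through all stages at once;
# the 4th new connection within the windows is blacklisted for 10 days.
# With 3 password attempts per connection that is at most 4 x 3 guesses.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="4th new ssh connection -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m

# Populate the trusted list (constructed example address).
/ip firewall address-list
add list=mgmt_trusted address=192.0.2.10 comment="admin workstation (example)"

# The stage lists are not cleared on a successful login, so an operator
# who opens several sessions in quick succession from an untrusted address
# can end up blacklisted; remove the dynamic entry by hand:
# /ip firewall address-list remove [find list=ssh_blacklist address=192.0.2.10]
```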

Comments • 35

  • @laacis91
    @laacis91 1 year ago +2

    Shoutout to Druvis. Keep those videos coming, good stuff! 👍

  • @alimibrahem8120
    @alimibrahem8120 1 year ago +2

    Very thankful, Eng. Druvis, for your explanation, but a question to ask:
    what is the meaning of "not secured" in the third connection rule?

  • @ChrisNicholson
    @ChrisNicholson 1 year ago +2

    I wrote this a few years ago and called it 3 strikes. I used firewall jump. What I fell short on... Having the ability to remove an IP from the address list once you got in.

  • @ipopovv
    @ipopovv 1 year ago +3

    May I buy the training materials only (e.g. that workbook)? Because I am interested in learning, not in certification.

  • @kirksteinklauber260
    @kirksteinklauber260 1 year ago +1

    Any chance to add native support to CrowdSec community IPS? That will be awesome as well

  • @darksecrets874
    @darksecrets874 5 months ago

    For some reason it doesn't work when ssh is enabled from the outside only when it's on the local area network

  • @ForbiddenUser403
    @ForbiddenUser403 1 year ago +12

    What would be really nice is if Winbox connections could be secured with RSA keys just like SSH can be. You're not going to brute force a 4096-bit RSA key... Password authentication is just bad practice. You already have the ability to authenticate connections to your router with RSA keys via SSH; extend that to support logins via Winbox as well.

    • @stevebot
      @stevebot 1 year ago +1

      @Alex N Port is irrelevant, an advanced attacker will eventually discover the SSH server and begin attacking that port. Being that advanced or determined, they most likely will also have multiple IPs available. I believe I have seen that happen: I picked out a pattern of usernames in the attempts that suggested they were the same dictionary, no randomization.

  • @topprofil
    @topprofil 5 months ago

    Can these rules be used for Winbox port by simply adding it to the port list?

  • @inprosis
    @inprosis 9 months ago

    How can I block reggaeton music?

  • @awakeningnow5376
    @awakeningnow5376 21 days ago

    What happens if the attack comes from bot farms? Tens or hundreds of unique IPs each second. Memory overflow?

  • @FinlayDaG33k
    @FinlayDaG33k 1 year ago +1

    I was looking at the intro like: "Why is he holding a probe lens?"... *visible worry*

  • @netbootdisk
    @netbootdisk 1 year ago +4

    This is a bit of a hacky workaround. Surely it'd be better if you just added this sort of functionality natively to RouterOS to begin with?

    • @ON3RVH
      @ON3RVH 1 year ago +1

      Even better would be to block SSH and mgmt from the outside by default.

    • @netbootdisk
      @netbootdisk 1 year ago +2

      @@ON3RVH There should also be built-in bruteforce blocking for VPNs like L2TP/SSTP etc.

    • @RmFrZQ
      @RmFrZQ 1 year ago

      @@netbootdisk I'm pretty sure it could be done using MikroTik's native scripting. Still, it's better to use VPNs that support public key certificates for authentication, e.g. OpenVPN, and forget about all the XXtp ones.

  • @xuxamelo
    @xuxamelo 8 months ago

    post the manual please

  • @FlexibleToast
    @FlexibleToast 1 year ago +1

    You're essentially recreating the wheel that fail2ban already created.

    • @mikrotik
      @mikrotik 1 year ago +1

      You can do one thing in many ways, the result is the same. Btw, fail2ban was only released in 2004, but MikroTik RouterOS has had these capabilities since the late 90s.

  •  1 year ago +1

    Just some camera equipment…?! That's a probe lens which is not cheap! 😬

  • @CamKilton
    @CamKilton 1 year ago

    Allow for online courses rather than the current course structure.

  • @wreckedzilla
    @wreckedzilla 1 year ago

    Dru best!

  • @christiansonnenberg6306
    @christiansonnenberg6306 1 year ago +1

    If you wanted to secure a device behind your Tik and wanted to make sure not to blacklist a legit user, you could monitor whether there was a connection open where more bytes were exchanged than are needed to authenticate yourself!

  • @user-bi7wc9do9p
    @user-bi7wc9do9p 3 months ago

    How to protect Mikrotik from attacks on connections

    • @mikrotik
      @mikrotik 3 months ago +1

      explained in the video

    • @user-bi7wc9do9p
      @user-bi7wc9do9p 3 months ago

      @@mikrotik
      Protection from IP depletion in Mikrotik

  • @RmFrZQ
    @RmFrZQ 1 year ago

    This video is an ad for paid training courses. :(
    I use this technique only to toy with the attackers (human or not) and only "blacklist" them to build lists of rogue IPs.
    Everyone should disable password authentication for SSH and use Public Key authentication instead.

    • @mikrotik
      @mikrotik 1 year ago

      We have a video about that too, you must watch it as a series

    • @RmFrZQ
      @RmFrZQ 1 year ago

      @@mikrotik I probably expected to learn something new in this video. I think it could be better, with more insight and recommendations, and also marked as "Basic" in the title. I hope you will make "advanced" videos about L2 routing protocols, policy-based routing tables, VLANs, advanced scripting, how and when to use advanced tools effectively, etc. About anything that requires setup of 3 or more MikroTik devices.

  • @m4d3ng
    @m4d3ng 1 year ago

    Poor man's fail2ban. Precede your last drop-all rule with a rule to add the src addr to a drop list. Deny that drop list from anything that you must have open, eg your secure VPN port(s).

    • @mikrotik
      @mikrotik 1 year ago

      Fail2Ban was created much later than this method but ok 🙂

  • @ON3RVH
    @ON3RVH 1 year ago +2

    Never, EVER allow SSH or any mgmt or insecure protocol on the outside of your network unless it comes from hosts that YOU manage and know for sure are secure. Otherwise use a mgmt subnet.

    • @mikrotik
      @mikrotik 1 year ago

      That's a given! But sometimes you must open it from a local network; in those situations, better use multiple layers of security (see our other recent videos about that).

    • @ON3RVH
      @ON3RVH 1 year ago +2

      @@mikrotik I don't see any reason why you would have to open it from the internal network unless you trust that network. That is why you have a mgmt network or mgmt hosts.

  • @Anavllama
    @Anavllama 8 months ago +1

    The MT is not an edge router, it cannot handle such attacks. Don't waste your time. This is the job of your ISP and further up the food chain. Such configurations create bloatware in the config, leading to config errors and difficulty troubleshooting. Focus on needed traffic! Drop all else. KISS