
❗️This is the original version of the ISPforum.cz internet forum up to February 2020, with no option to register new users. The active version of the forum can be found at https://telekomunikace.cz
Attempted attack on a MikroTik, how to block the attacker's IP
- Posts: 316
- Registered: 18 years ago

- Posts: 142
- Registered: 18 years ago
Here is a very nicely working rule for blocking password guessers over FTP (it denies access to all IP addresses that try to log in more than 4 times within a minute)
start
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 action=add-src-to-address-list \
address-list=ftp_stage1 address-list-timeout=1m comment="auto-firewall ftp - stage 1" disabled=no
first login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage1 action=add-dst-to-address-list \
address-list=ftp_stage2 address-list-timeout=1m comment="auto-firewall ftp - stage 2" disabled=no
second login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage2 action=add-dst-to-address-list \
address-list=ftp_stage3 address-list-timeout=1m comment="auto-firewall ftp - stage 3" disabled=no
third login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage3 action=add-dst-to-address-list \
address-list=ftp_stage4 address-list-timeout=1m comment="auto-firewall ftp - stage 4" disabled=no
this rule puts the attacker's IP into the blacklist (an attacker who tried to log in 4 times within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage4 action=add-dst-to-address-list \
address-list=ftp_blacklist address-list-timeout=1w comment="auto-firewall ftp - stage 5" disabled=no
this rule denies access to all IPs that the previous mechanism wrote into the blacklist
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers" disabled=no
allow SSH access in IP services only for a specific IP address or a group; that will block the attempts over SSH
- Posts: 588
- Registered: 19 years ago
- Location: Lanžhot
radocicala writes:
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 action=add-src-to-address-list \
address-list=ftp_stage1 address-list-timeout=1m comment="auto-firewall ftp - stage 1" disabled=no
first login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage1 action=add-dst-to-address-list \
address-list=ftp_stage2 address-list-timeout=1m comment="auto-firewall ftp - stage 2" disabled=no
second login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage2 action=add-dst-to-address-list \
address-list=ftp_stage3 address-list-timeout=1m comment="auto-firewall ftp - stage 3" disabled=no
third login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage3 action=add-dst-to-address-list \
address-list=ftp_stage4 address-list-timeout=1m comment="auto-firewall ftp - stage 4" disabled=no
this rule puts the attacker's IP into the blacklist (an attacker who tried to log in 4 times within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage4 action=add-dst-to-address-list \
address-list=ftp_blacklist address-list-timeout=1w comment="auto-firewall ftp - stage 5" disabled=no
this rule denies access to all IPs that the previous mechanism wrote into the blacklist
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers" disabled=no
Nice, but isn't it simply easier to turn off FTP and use SCP (SFTP)?
- Posts: 232
- Registered: 18 years ago
radocicala writes:
Here is a very nicely working rule for blocking password guessers over FTP (it denies access to all IP addresses that try to log in more than 4 times within a minute)
start
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 action=add-src-to-address-list \
address-list=ftp_stage1 address-list-timeout=1m comment="auto-firewall ftp - stage 1" disabled=no
first login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage1 action=add-dst-to-address-list \
address-list=ftp_stage2 address-list-timeout=1m comment="auto-firewall ftp - stage 2" disabled=no
second login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage2 action=add-dst-to-address-list \
address-list=ftp_stage3 address-list-timeout=1m comment="auto-firewall ftp - stage 3" disabled=no
third login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage3 action=add-dst-to-address-list \
address-list=ftp_stage4 address-list-timeout=1m comment="auto-firewall ftp - stage 4" disabled=no
this rule puts the attacker's IP into the blacklist (an attacker who tried to log in 4 times within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage4 action=add-dst-to-address-list \
address-list=ftp_blacklist address-list-timeout=1w comment="auto-firewall ftp - stage 5" disabled=no
this rule denies access to all IPs that the previous mechanism wrote into the blacklist
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers" disabled=no
allow SSH access in IP services only for a specific IP address or a group; that will block the attempts over SSH
Hi,
I have one question about this setup - I tried to apply it and the problem is that the MT does not progress from stage 1 to stage 5, but writes all 5 stages into the address list at once - so after 1 failed attempt it blocks.. Can anyone advise what is wrong with it?
ThX
Jan Ptáček
Wouldn't it be enough to order it the other way round? From the blacklist down to Stage1. This way all the conditions get satisfied one after another straight away and it's an instant blacklist.
Jan Holub writes: Wouldn't it be enough to order it the other way round? From the blacklist down to Stage1. This way all the conditions get satisfied one after another straight away and it's an instant blacklist.
Well, I'll try it and write back - thanks for the tip, that didn't occur to me at all... exactly, all the groups were filling at the same time, including the blacklist, so it wasn't working
Jan Ptáček
So no other regrouping of the rules helped either... I think the problem is in the content field, which according to the MT manual should be this:
content (text) - the text packets should contain in order to match the rule
But I have no idea what is written in the packet that comes back with the error message ......
Jan Ptáček
I set it up as a test and it works when it's put in reverse order. Four attempts and that's it.
This is how I had it:
179 ;;; auto-firewall ftp - stage 5
chain=output content=530 Login incorrect dst-address-list=ftp_stage4 action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=1w
180 ;;; auto-firewall ftp - stage 4
chain=output content=530 Login incorrect dst-address-list=ftp_stage3 action=add-dst-to-address-list address-list=ftp_stage4 address-list-timeout=1m
181 ;;; auto-firewall ftp - stage 3
chain=output content=530 Login incorrect dst-address-list=ftp_stage2 action=add-dst-to-address-list address-list=ftp_stage3 address-list-timeout=1m
182 ;;; auto-firewall ftp - stage 2
chain=output content=530 Login incorrect dst-address-list=ftp_stage1 action=add-dst-to-address-list address-list=ftp_stage2 address-list-timeout=1m
183 ;;; auto-firewall ftp - stage 1
chain=input in-interface=ether1 protocol=tcp dst-port=21 action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m
184 ;;; drop ftp brute forcers
chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
Jan Holub writes: I set it up as a test and it works when it's put in reverse order. Four attempts and that's it.
This is how I had it:
179 ;;; auto-firewall ftp - stage 5
chain=output content=530 Login incorrect dst-address-list=ftp_stage4 action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=1w
180 ;;; auto-firewall ftp - stage 4
chain=output content=530 Login incorrect dst-address-list=ftp_stage3 action=add-dst-to-address-list address-list=ftp_stage4 address-list-timeout=1m
181 ;;; auto-firewall ftp - stage 3
chain=output content=530 Login incorrect dst-address-list=ftp_stage2 action=add-dst-to-address-list address-list=ftp_stage3 address-list-timeout=1m
182 ;;; auto-firewall ftp - stage 2
chain=output content=530 Login incorrect dst-address-list=ftp_stage1 action=add-dst-to-address-list address-list=ftp_stage2 address-list-timeout=1m
183 ;;; auto-firewall ftp - stage 1
chain=input in-interface=ether1 protocol=tcp dst-port=21 action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m
184 ;;; drop ftp brute forcers
chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
Well, it wasn't working for me probably because I converted it to SSH (port 22)... Does anyone know what to put into content so that I can protect SSH access in exactly the same way? thank you
Jan Ptáček
Well, it wasn't working for me probably because I converted it to SSH (port 22)... Does anyone know what to put into content so that I can protect SSH access in exactly the same way? thank you
On SSH it can't be done, because it's encrypted and so the MT can't read any content.
Jan Holub writes: Well, it wasn't working for me probably because I converted it to SSH (port 22)... Does anyone know what to put into content so that I can protect SSH access in exactly the same way? thank you
On SSH it can't be done, because it's encrypted and so the MT can't read any content.
HMM, that didn't occur to me

thanks
Jan Ptáček
net.work writes: Jan Holub writes: Well, it wasn't working for me probably because I converted it to SSH (port 22)... Does anyone know what to put into content so that I can protect SSH access in exactly the same way? thank you
On SSH it can't be done, because it's encrypted and so the MT can't read any content.
HMM, that didn't occur to me. And so how do I protect ssh in some similar way, à la 5 attempts and done?
thanks
Fairly simply
/ ip firewall filter
add chain=input action=accept connection-state=new dst-port=22 protocol=tcp src-address-list=sshaccept comment="" disabled=no
add chain=input action=drop connection-state=new dst-port=22 protocol=tcp src-address-list=sshdrop comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp src-address-list=stage4 address-list=sshdrop address-list-timeout=0s comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp src-address-list=stage3 address-list=stage4 address-list-timeout=20s comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp src-address-list=stage2 address-list=stage3 address-list-timeout=20s comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp src-address-list=stage1 address-list=stage2 address-list-timeout=20s comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp address-list=stage1 address-list-timeout=20s comment="" disabled=no
The minimum time is 20s, the maximum 80s, and then they're out of luck.
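The ordering problem Jan Ptáček hit with the FTP rules, Jan Holub's reverse-order fix, and iTomB's SSH variant above all come down to one property: in RouterOS, add-src-to-address-list and add-dst-to-address-list do not terminate rule evaluation, so a rule lower in the chain can match on a list entry that a rule higher in the same chain added a moment earlier for the very same packet. The following Python model is an added example written for this thread, not code from the forum or from MikroTik. It models a single input chain like iTomB's SSH config (whitelist accept, drop for the ban list, five staging rules with a 20s timeout) and counts new connections from one constructed address, 198.51.100.7; the list names stage1..stage4, banned and allow are the example's own.

```python
"""
Model of RouterOS-style staged address-list rules, to show why rule order matters.
Added example, not code from the thread. It models only what the thread relies on:
 - rules are evaluated top to bottom;
 - add-src-to-address-list is non-terminating (the packet continues down the chain),
   while accept and drop terminate;
 - address-list entries expire after their timeout (0 = permanent, like
   address-list-timeout=0s in the SSH config).
List names (stage1..stage4, banned, allow) and the IP 198.51.100.7 are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                      # "add-to-list", "accept" or "drop"
    src_list: Optional[str] = None   # match only if the source IP is currently in this list
    add_list: Optional[str] = None   # list the source IP is added to (add-to-list only)
    timeout: float = 0.0             # entry lifetime in seconds; 0 means permanent


class Chain:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}              # list name -> {ip: expiry timestamp}

    def add_static(self, name, ip):
        """Permanent entry, like a manually added address-list row (e.g. a management host)."""
        self.lists.setdefault(name, {})[ip] = float("inf")

    def in_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def evaluate(self, ip, now):
        """Run one new-connection packet from `ip` at time `now` through the chain."""
        for rule in self.rules:
            if rule.src_list is not None and not self.in_list(rule.src_list, ip, now):
                continue
            if rule.action == "add-to-list":
                expiry = float("inf") if rule.timeout == 0 else now + rule.timeout
                self.lists.setdefault(rule.add_list, {})[ip] = expiry
                continue                 # non-terminating: keep going down the chain
            return rule.action           # accept / drop end evaluation
        return "accept"                  # end of chain reached without a verdict


def staged_chain(reverse_order, stage_timeout=20.0):
    """Whitelist accept, drop for the ban list, then four stages feeding a permanent ban."""
    stages = [
        Rule("add-to-list", None,     "stage1", stage_timeout),
        Rule("add-to-list", "stage1", "stage2", stage_timeout),
        Rule("add-to-list", "stage2", "stage3", stage_timeout),
        Rule("add-to-list", "stage3", "stage4", stage_timeout),
        Rule("add-to-list", "stage4", "banned", 0),
    ]
    if reverse_order:
        stages.reverse()   # stage4->banned first ... ->stage1 last (the fix from the thread)
    return Chain([Rule("accept", "allow"), Rule("drop", "banned")] + stages)


def attempts_until_drop(reverse_order, interval=1.0, whitelisted=False, max_attempts=20):
    """Number of the first connection attempt that gets dropped, or None if never dropped."""
    chain = staged_chain(reverse_order)
    ip = "198.51.100.7"   # constructed attacker address
    if whitelisted:
        chain.add_static("allow", ip)
    for n in range(1, max_attempts + 1):
        if chain.evaluate(ip, now=n * interval) == "drop":
            return n
    return None


if __name__ == "__main__":
    # stage1..banned order: one attempt fills every list, the second is dropped
    print("stage1 -> banned order:", attempts_until_drop(reverse_order=False))
    # banned..stage1 order: each attempt advances one stage, the sixth is dropped
    print("banned -> stage1 order:", attempts_until_drop(reverse_order=True))
    # attempts spaced wider than the 20s stage timeout never reach the ban list
    print("attempts 25s apart    :", attempts_until_drop(True, interval=25.0))
    # a host in the whitelist is accepted before any staging rule runs
    print("whitelisted host      :", attempts_until_drop(True, whitelisted=True))
```

The model reproduces the symptom from the thread (with the stages in ascending order, a single attempt lands in every list including the ban list) and the fix (with the ban rule first and stage1 last, one attempt advances one stage). Two points follow for anyone deploying the SSH variant: the firewall only sees new TCP connections, not login outcomes, so a legitimate admin who reconnects several times in quick succession is counted just like an attacker, which is what the sshaccept whitelist in iTomB's rules is for; and the per-stage timeout is a sliding window, so attempts spaced wider than it never accumulate.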
Hey, thanks a lot, it works great.
Petr Šlinz
I like UBNT!
iTomB writes: Fairly simply
/ ip firewall filter
add chain=input action=accept connection-state=new dst-port=22 protocol=tcp src-address-list=sshaccept comment="" disabled=no
add chain=input action=drop connection-state=new dst-port=22 protocol=tcp src-address-list=sshdrop comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp src-address-list=stage4 address-list=sshdrop address-list-timeout=0s comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp src-address-list=stage3 address-list=stage4 address-list-timeout=20s comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp src-address-list=stage2 address-list=stage3 address-list-timeout=20s comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp src-address-list=stage1 address-list=stage2 address-list-timeout=20s comment="" disabled=no
add chain=input action=add-src-to-address-list connection-state=new dst-port=22 protocol=tcp address-list=stage1 address-list-timeout=20s comment="" disabled=no
The minimum time is 20s, the maximum 80s, and then they're out of luck.
Amazing

Jan Ptáček