Bruteforce protection - MikroTik firewall rules

33,008 views

MikroTik

1 day ago

Comments: 38
@ChrisNicholson 2 years ago
I wrote this a few years ago and called it 3 strikes. I used firewall jump. What I fell short on... Having the ability to remove an IP from the address list once you got in.
@ipopovv 2 years ago
May I buy the training materials only (e.g. that workbook)? Because I am interested in learning, not in certification.
@laacis91 2 years ago
Shoutout to Druvis. Keep those videos coming, good stuff! 👍
@alimibrahem8120 2 years ago
Very thankful, Eng. Druvis, for your explanation, but a question to ask: what is the meaning of "not secured" in the third connection rule?
@ForbiddenUser403 2 years ago
What would be really nice is if Winbox connections could be secured with RSA keys just like SSH can be. You're not going to brute force a 4096-bit RSA key... Password authentication is just bad practice. You already have the ability to authenticate connections to your router with RSA keys via SSH; extend that to support Winbox logins as well.
@alexn4976 2 years ago
Opening port 22 on WAN is a bad practice, do not do that. Even with RSA SSH, an attacker can DoS your router just by overloading the CPU. So RSA will not help you.
@stevebot 2 years ago
@@alexn4976 Port is irrelevant; an advanced attacker will eventually discover the SSH server and begin attacking that port. Being that advanced or determined, they most likely will also have multiple IPs available. I believe I have seen that happen: I picked out a pattern of usernames in the attempts that suggested they were the same dictionary, no randomization.
@alexn4976 2 years ago
@@stevebot Do not open SSH on WAN, use VPN. Or if you still have to, you can protect the router with PSD.
@kirksteinklauber260 1 year ago
Any chance to add native support for the CrowdSec community IPS? That would be awesome as well.
@netbootdisk 2 years ago
This is a bit of a hacky workaround. Surely it'd be better if you just added this sort of functionality natively to RouterOS to begin with?
@ON3RVH 2 years ago
Even better would be to block SSH and mgmt from the outside by default.
@netbootdisk 2 years ago
@@ON3RVH There should also be built-in brute-force blocking for VPNs like L2TP/SSTP etc.
@RmFrZQ 2 years ago
@@netbootdisk I'm pretty sure it could be done using MikroTik's native scripting. Still, it's better to use VPNs that support public key certificates for authentication, e.g. OpenVPN, and forget about all the XXtp ones.
@darksecrets874 11 months ago
For some reason it doesn't work when SSH is enabled from the outside, only when it's on the local area network.
@FinlayDaG33k 2 years ago
I was looking at the intro like: "Why is he holding a probe lens?"... *visible worry*
@topprofil 11 months ago
Can these rules be used for Winbox port by simply adding it to the port list?
@aperson1181 3 days ago
How do you bring up the terminal to enter the code?
@awakeningnow5376 6 months ago
What happens if the attack comes from bot farms? Tens or hundreds of unique IPs each second. Memory overflow?
@FlexibleToast 2 years ago
You're essentially recreating the wheel that fail2ban already created.
@mikrotik 2 years ago
You can do one thing in many ways; the result is the same. Btw, fail2ban was only released in 2004, but MikroTik RouterOS has had these capabilities since the late 90s.
2 years ago
Just some camera equipment…?! That's a probe lens which is not cheap! 😬
@CamKilton 1 year ago
Allow for online courses rather than the current course structure.
@inprosis 1 year ago
How can I block reggaeton music?
@alialyemeni2024 8 months ago
How to protect MikroTik from attacks on connections?
@mikrotik 8 months ago
Explained in the video.
@alialyemeni2024 8 months ago
@@mikrotik Protection from IP depletion in MikroTik
@christiansonnenberg6306 2 years ago
If you wanted to secure a device behind your Tik and wanted to make sure not to blacklist a legit user, you could monitor whether there was an open connection where more than the bytes needed to authenticate yourself were exchanged!
@xuxamelo 1 year ago
Post the manual, please.
@ON3RVH 2 years ago
Never, EVER allow SSH or any mgmt or insecure protocol on the outside of your network unless it comes from hosts that YOU manage and know for sure are secure. Otherwise use a mgmt subnet.
@mikrotik 2 years ago
That's a given! But sometimes you must open it from a local network; in those situations, better use multiple layers of security (see our other recent videos about that).
@ON3RVH 2 years ago
@@mikrotik I don't see any reason why you would have to open it to the internal network unless you trust that network. That is why you have a mgmt network or mgmt hosts.
@RmFrZQ 2 years ago
This video is an ad for paid training courses. :( I use this technique only to toy with the attackers (human or not) and only "blacklist" them to build lists of rogue IPs. Everyone should disable password authentication for SSH and use Public Key authentication instead.
@mikrotik 2 years ago
We have a video about that too; you must watch it as a series.
@RmFrZQ 2 years ago
@@mikrotik I probably expected to learn something new in this video. I think it could be better, with more insight and recommendations, and also marked as "Basic" in the title. I hope you will make "advanced" videos about L2 routing protocols, policy-based routing tables, VLANs, advanced scripting, how and when to use advanced tools effectively, etc. About anything that requires a setup of 3 or more MikroTik devices.
@wreckedzilla 2 years ago
Dru best!
@m4d3ng 2 years ago
Poor man's fail2ban. Precede your last drop-all rule with a rule to add the src addr to a drop list. Deny that drop list from anything that you must have open, e.g. your secure VPN port(s).
@mikrotik 2 years ago
Fail2Ban was created much later than this method but ok 🙂
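The drop-list approach m4d3ng describes, staged the way ChrisNicholson's "3 strikes" version was, together with the piece ChrisNicholson said was missing (releasing an address from the list once you are in), as an added RouterOS example. It is not from the video and not any commenter's configuration; the list names (ssh_stage1 to ssh_stage3, ssh_blacklist, mgmt_allowed), the one-minute stage windows, the ten-day ban and the sample address are assumptions chosen for illustration.

```routeros
# Added example, not from the video. Three-strikes SSH brute-force protection
# built from firewall address lists. The firewall cannot see whether a login
# succeeded, so it counts NEW TCP connections to port 22 per source address:
# each connection moves the source one stage further, and the fourth one
# inside the stage windows puts it on ssh_blacklist, which the drop rule blocks.
# Rules match top to bottom: the bypass and the drop rule come first, the
# stage1 rule last. The whole group must sit ABOVE your final drop-all input rule.
/ip firewall filter

# Hosts you manage skip the counter entirely, so an admin reconnecting a few
# times in a minute cannot lock themselves out (mgmt_allowed is an assumed list).
add chain=input src-address-list=mgmt_allowed action=accept \
    comment="trusted management hosts bypass the brute-force counter"

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop sources already caught by the counter"

add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="4th new connection within the window: blacklist for 10 days"

add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m \
    comment="3rd new connection"

add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m \
    comment="2nd new connection"

add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="1st new connection: start counting"

# Who has been caught, and how to release a legitimate address once you are in
# (203.0.113.7 is a constructed documentation address, not a real offender).
/ip firewall address-list print where list=ssh_blacklist
/ip firewall address-list remove [find list=ssh_blacklist address=203.0.113.7]
```

Two properties worth knowing before relying on this. The counter keys on new TCP connections, not on failed logins, which is exactly the false-positive christiansonnenberg6306 raises; the bypass list is what keeps your own hosts out of the counter, and shortening the stage timeouts narrows the window further. And every entry is per source address with a bounded lifetime, so the lists stay small against one or a few sources, while the bot-farm case awakeningnow5376 asks about gets one fresh counter per IP: this rule set stops per-source guessing, it is not a defence against a distributed flood, which is where the other comments' advice (management only over VPN or from a management subnet, key-based authentication) applies.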
@Anavllama 1 year ago
The MT is not an edge router; it cannot handle such attacks. Don't waste your time. This is the job of your ISP and further up the food chain. Such configurations create bloatware in the config, leading to config errors and difficulty troubleshooting. Focus on needed traffic! Drop all else. KISS