AfricanTech
Honorary Master
So, fibre got switched on yesterday, and aside from the fact that my 40/10 line appears to be configured as a 20/1 line (not according to the Call Centre, so they're sending someone out to have a look), I've also had occasion to dip into the log.
All of a sardine, I've noticed that there is a long list of critical login failures for non-existent user names on ftp port 21, ssh port 22 and telnet port 23 - obviously attempts to log in to my router, since the IP addresses are from all over the place (Brazil, S Korea, Netherlands, etc).
As a quick fix I've disabled ftp, ssh and telnet via Winbox. Is it better to do that, or to use firewall rules such as in the examples below? I only ever access the Mikrotik locally, so do I need to go to the trouble of setting up the firewall rules, or is it better to just leave those services disabled?
Allows only 10 incorrect FTP login answers per minute:
Code:
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h
and this one bans an SSH brute forcer for 10 days after repeated attempts. Change the timeouts as necessary.
Code:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
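The staged ssh_stage1/ssh_stage2/ssh_stage3 rules above, modelled in Python as an added example (this is not code from the original post or from RouterOS). It replays a constructed list of new TCP/22 connections through the input chain, shows that four connections each within a minute of the previous one land a source in ssh_blacklist while a slower scanner never gets past ssh_stage1, and shows why the rules are listed with the stage3 check first: with the order reversed, one packet walks up every stage in a single pass. The model assumes that add-src-to-address-list is a non-terminating action (the packet goes on to the next rule), that re-adding an address refreshes its timeout, and that a list change is visible to the rules that follow it in the same pass; the IP addresses are documentation ranges chosen for the example.

```python
"""Simulation of the staged ssh_stage1/2/3 brute-force rules.

Constructed example, not code from the original post or from RouterOS.
Assumptions built into the model (stated, not verified against a live router):
  * add-src-to-address-list does not terminate rule processing;
  * re-adding an existing list entry refreshes its timeout;
  * a list change is visible to the rules that follow in the same pass.
"""

from dataclasses import dataclass, field

STAGE_TIMEOUT = 60                 # address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 86400     # address-list-timeout=10d


@dataclass
class AddressLists:
    """address-list name -> {ip: expiry time in seconds}."""
    lists: dict = field(default_factory=dict)

    def contains(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        # Re-adding an address refreshes its expiry (assumption, see module doc).
        self.lists.setdefault(name, {})[ip] = now + timeout


# The four add-src-to-address-list rules from the post, in the posted order:
# (list the packet must already be in, list it gets added to, timeout).
# None as the match list is the catch-all "any new connection" rule.
POSTED_ORDER = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    (None, "ssh_stage1", STAGE_TIMEOUT),
]
# The same rules with the catch-all first and the stages ascending: a tempting
# but wrong ordering, kept here only to show the difference.
ASCENDING_ORDER = list(reversed(POSTED_ORDER))


def simulate(connections, rules=POSTED_ORDER):
    """Run new-connection events (time_s, src_ip) through the input chain.

    Returns {ip: time_s at which it was added to ssh_blacklist}.
    The first rule in the post (drop if src is in ssh_blacklist) is modelled
    by skipping already-blacklisted sources before the staging rules run.
    """
    lists = AddressLists()
    banned_at = {}
    for now, ip in sorted(connections):
        if lists.contains("ssh_blacklist", ip, now):
            continue  # dropped by the blacklist rule; no further rules run
        for match_list, target, timeout in rules:
            if match_list is None or lists.contains(match_list, ip, now):
                lists.add(target, ip, now, timeout)
                if target == "ssh_blacklist" and ip not in banned_at:
                    banned_at[ip] = now
    return banned_at


# Constructed connection log (seconds since start, source IP), documentation
# address ranges only. These are not real log lines.
SAMPLE_CONNECTIONS = [
    (0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
    (30, "198.51.100.7"), (40, "198.51.100.7"),     # fast brute forcer
    (0, "203.0.113.9"), (90, "203.0.113.9"),
    (180, "203.0.113.9"), (270, "203.0.113.9"),     # slow scanner, >1m apart
    (5, "192.0.2.5"), (12, "192.0.2.5"),            # admin, two logins
]


def slow_scanner_only():
    """Four connections each more than a minute apart: never promoted."""
    return simulate([c for c in SAMPLE_CONNECTIONS if c[1] == "203.0.113.9"])


def wrong_order_first_packet():
    """With the catch-all first, a single packet reaches ssh_blacklist."""
    return simulate([(0, "198.51.100.7")], ASCENDING_ORDER)


if __name__ == "__main__":
    print("posted order:", simulate(SAMPLE_CONNECTIONS))
    print("slow scanner:", slow_scanner_only())
    print("ascending order, one packet:", wrong_order_first_packet())
```

The fast source is blacklisted on its fourth connection (t=30) and its fifth attempt is dropped by the first rule; the slow scanner re-enters ssh_stage1 each time because the previous entry has already expired. The FTP rules in the post work differently: the dst-limit rule on the output chain lets through 9 burst plus 1 per minute of "530 Login incorrect" replies per destination, and anything beyond that falls through to the add-dst-to-address-list rule, after which the input rule drops that source on port 21 for 3 hours.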