Turning off SSH and FTP on RouterOS?

brianlewis · Wed Mar 12, 2008 3:39 pm

Is there a way to turn off or at least change the ports on RouterOS for SSH and FTP?
My logs fill up constantly since this is an Internet router of attempted hacks on both ports.
The problem is the router has many ip addresses configured on its interfaces, so it would be a page long for me to setup input firewall rules with each destination ip. Sure its easy for someone who has 1 ip address exposed, they set 2 rules, one for port 21, one for port 22 to block on input when destination is the ip exposed, but if you have 10 or 20 or more ip addresses bound to the different interfaces and vlan interfaces it would be alot easier if I could just turn off these services until needed. I use Winbox for most of my configuration needs.

raktim · Wed Mar 12, 2008 3:44 pm

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

brianlewis · Wed Mar 12, 2008 4:37 pm

That looks like a great solution but how do I get to a linux prompt to paste those commands in? All I can get is to the Mikrotik menu.

paisapipe · Wed Mar 12, 2008 6:54 pm

If you are using WinBox, you can go to New Terminal menu, then, in Console you type:
[admin@xxx] >ip firewall filter
press Enter.
finally, copy the commands and paste it on the console

WinBox.jpg

paisapipe · Wed Mar 12, 2008 7:01 pm

A simple solution:
on WinBox, you can go to IP - Services, select the desired services and click on the red X, after this the selected services are disabled.

brianlewis · Wed Mar 12, 2008 7:36 pm

Turned off all services except for Winbox, worked great!! Thank you

janisk · Thu Mar 13, 2008 11:07 am

if you have 100000000 ip addresses on your wan port and you want to block access to your port 21 from wan, but want to allow local users to use them

add firewall rule, that will look like this:

/ip firewall filter add chain=input in-interface="my wan port" protocol=tcp port=21 action=drop

that way ftp service will be available form inside your network but not available from outside.

also i would suggest to create allow-list in address-lists, so you can connect from these hosts in case of emergency. also secure solution would be that you crate tunnel to your router and then connect to router through the tunnel.

wispnet · Sun Mar 08, 2020 2:38 am

To turn off the service:

ip service disable [/ip service find name="ftp"]

wispnet · Sun Mar 08, 2020 2:39 am

To turn off the service:
FTP:

ip service disable [/ip service find name="ftp"]

SSH:

ip service disable [/ip service find name="ssh"]

Turning off SSH and FTP on RouterOS?

Turning off SSH and FTP on RouterOS?

Re: Turning off SSH and FTP on RouterOS?

Re: Turning off SSH and FTP on RouterOS?

Re: Turning off SSH and FTP on RouterOS?

Re: Turning off SSH and FTP on RouterOS?

Re: Turning off SSH and FTP on RouterOS?

Re: Turning off SSH and FTP on RouterOS?

Re: Turning off SSH and FTP on RouterOS?

Re: Turning off SSH and FTP on RouterOS?