KbzA
newbie
Topic Author
Posts: 27
Joined: Thu Feb 24, 2011 7:46 pm

Boot attempt login using brute force

Sat Jun 25, 2011 5:45 pm

Hi!

I have a problem... on my two different RouterBOARDs (mark connection to internet) there are login attempts using random users, every day, from different IP addresses.
See the pic:
[Image]

How to block this attack?
Thanks!
 
yogii
Member Candidate
Posts: 148
Joined: Wed Jun 16, 2010 5:38 am
Location: Batam, Indonesia

Re: Boot attempt login using brute force

Sat Jun 25, 2011 6:21 pm

You need to restrict the IP addresses that can log in to your router.

For example, add the whitelisted IP addresses to /ip service: fill "available from" with the whitelisted IP addresses.

Only whitelisted IP addresses can get the login page. :)
 
normis
MikroTik Support
Posts: 26975
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Boot attempt login using brute force

Mon Jun 27, 2011 1:00 pm

or set up higher protection for your router

http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
 
ammar83
just joined
Posts: 22
Joined: Thu Nov 24, 2011 2:00 pm

Re: Boot attempt login using brute force

Thu Nov 24, 2011 2:05 pm

> or set up higher protection for your router
>
> http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

Hi normis,

And how do I get the address list filled with the IPs of the attacker, to name them "ftp_blacklist"?

Thanks.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Boot attempt login using brute force

Thu Nov 24, 2011 2:08 pm

you can use firewall to do this.

you can look up several threads about how to solve this problem on the forum.
 
hotspotsolutions
Member Candidate
Posts: 119
Joined: Thu Dec 16, 2004 1:48 pm

Re: Boot attempt login using brute force

Fri Nov 25, 2011 7:57 am

The easiest way I found around this was to change the port number. Those automated scanning tools only ever use the default ports, so just change your SSH and telnet ports to something different (say SSH=40022).

you can do this under /ip services
 
ammar83
just joined
Posts: 22
Joined: Thu Nov 24, 2011 2:00 pm

Re: Boot attempt login using brute force

Mon Nov 28, 2011 7:34 am

> you can use firewall to do this.
>
> you can look up several threads about how to solve this problem on the forum.

Hi janisk,

What I meant was:
If someone "an IP" makes 10 attempts to access the router and none of them was successful, then add his "IP" to the address list under ftp_blacklist or ssh_blacklist according to the method that he was using to access the device...
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Boot attempt login using brute force

Mon Nov 28, 2011 10:52 am

exactly, if you set firewall rules in succession that will add ip address into address list with short time-out, like 5 seconds till next new connection to attempt log in, then add it to next address-list then next (as many steps as you like) in the end add to last address list that is either permanent or will hold entries several hours.

logic something like this:

these are not actual commands:

/ip firewall filter action=drop src-list=1d-drop
/ip firewall filter action=add-to-address-list=1d-drop src-list=3rd-step address-list-timeout=1d
/ip firewall filter action=add-to-address-list=3rd-step src-list=2nd-step address-list-timeout=3s
/ip firewall filter action=add-to-address-list=2nd-step src-list=1st-step address-list-timeout=3s
/ip firewall filter action=add-to-address-list=1st-step address-list-timeout=3s


some order like this you add in firewall filter where new connections are handled

when normal customer (you) are logging in, your address will be added to 1st or maximum 2nd step that will time out shortly, of course, if you forget the login credentials and try to do this in very short time, as result you will effectively ban yourself for time set in timeout value of final address-list.

remember it is not based on login was successful or not, it only depends on that for some reason someone keeps on connecting with new connection to you several times in short period of time.
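
The staged address-list logic sketched in the post above, written out as RouterOS filter rules. This is an added example, not part of the original post or MikroTik's own configuration; it assumes the protected service is SSH on TCP port 22 handled in the input chain, and reuses the list names and timeouts from the sketch.

```routeros
# Added example (not from the thread).
# Assumptions: SSH listens on tcp/22 and is filtered in the input chain.
# List names and timeouts are the ones used in the sketch above.
/ip firewall filter
# 1. Sources on the final list lose all access to SSH.
add chain=input protocol=tcp dst-port=22 src-address-list=1d-drop action=drop comment="drop SSH brute forcers"
# 2. A new connection from a source still on 3rd-step: ban it for one day.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=3rd-step action=add-to-address-list address-list=1d-drop address-list-timeout=1d
# 3. A new connection from a source still on 2nd-step: move it to 3rd-step.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=2nd-step action=add-to-address-list address-list=3rd-step address-list-timeout=3s
# 4. A new connection from a source still on 1st-step: move it to 2nd-step.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=1st-step action=add-to-address-list address-list=2nd-step address-list-timeout=3s
# 5. Any new connection: record the source on 1st-step for a few seconds.
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-to-address-list address-list=1st-step address-list-timeout=3s
```

Place these rules above any rule that accepts SSH in the input chain, and keep the order shown: each stage is tested before the rule that fills it, so one new connection moves a source forward by only one stage.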
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: Boot attempt login using brute force

Mon Dec 12, 2011 1:57 pm

You can also use port knocking to get rid of all malicious SSH login attempts. Port knocking is a security technique that opens firewall ports on demand, providing increased security on interfaces exposed to the internet and at the same time allowing flexible access for allowed users.

http://wiki.mikrotik.com/wiki/Securing_ ... t_Knocking