Borage
Member Candidate
Topic Author
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

To prevent password bruteforcing your FTP server

Wed Jul 04, 2007 6:33 pm

Here are a few firewall rules to stop or slow down brute forcers cracking passwords on your FTP server. In this example, the FTP server is the MikroTik router itself. To protect an FTP server behind MikroTik, you have to use the forward chain instead of the input & output chains.

The initial stage (stage 1) adds the IP address to the temporary address list ftp_stage1 (times out after 1 minute). Thereafter, every login attempt within one minute triggers the next stage (stage 2 to stage 4) until the last stage (stage 5) is reached, which adds the IP address to ftp_blacklist (times out after 1 week).

You have to change in-interface to something else if ether1 is not the network interface card (NIC) connected to the Internet.


This rule drops all listed brute forcers
/ ip firewall filter 
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="drop ftp brute forcers" disabled=no
This rule adds brute forcers to the blacklist (fourth login attempt within a minute)
/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage4 action=add-dst-to-address-list \
    address-list=ftp_blacklist address-list-timeout=1w comment="auto-firewall ftp - stage 5" disabled=no
Third login attempt (within a minute)
/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage3 action=add-dst-to-address-list \
    address-list=ftp_stage4 address-list-timeout=1m comment="auto-firewall ftp - stage 4" disabled=no
Second login attempt (within a minute)
/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage2 action=add-dst-to-address-list \
    address-list=ftp_stage3 address-list-timeout=1m comment="auto-firewall ftp - stage 3" disabled=no
First login attempt (within a minute)
/ ip firewall filter 
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage1 action=add-dst-to-address-list \
    address-list=ftp_stage2 address-list-timeout=1m comment="auto-firewall ftp - stage 2" disabled=no
Initial stage
/ ip firewall filter 
add chain=input in-interface=ether1 protocol=tcp dst-port=21 action=add-src-to-address-list \
    address-list=ftp_stage1 address-list-timeout=1m comment="auto-firewall ftp - stage 1" disabled=no
Last edited by Borage on Thu Jul 12, 2007 3:47 am, edited 2 times in total.
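The staging logic above, as an added example that is not part of the original post: a small Python model of the firewall semantics the five rules depend on (address-list entries with a timeout, and add-*-to-address-list being a non-terminating action, so the packet continues down the chain), replayed over a constructed sequence of FTP login failures. It shows that a client failing four times within a minute is blacklisted and dropped on the fifth attempt, that a client pacing its failures more than a minute apart never advances past stage 2, and why the post lists the output rules stage 5 first: with the stages listed lowest first, a single "530" reply cascades an address from ftp_stage1 straight into ftp_blacklist. The rule engine, the addresses 203.0.113.1 and 198.51.100.7, and the timings are constructed for the illustration; RouterOS's own matching is only approximated.

```python
"""Model of the staged address-list rules (added illustration, not RouterOS code).

Assumed semantics: address-list entries expire after their timeout and re-adding
an address resets it; add-src/add-dst-to-address-list are non-terminating, so the
packet keeps traversing the chain; one failed login is a client packet to port 21
on the input chain followed by the server's "530 Login incorrect" reply on the
output chain. Addresses and timestamps are constructed.
"""
from dataclasses import dataclass

MINUTE, WEEK = 60, 7 * 24 * 3600
ROUTER, CLIENT = "203.0.113.1", "198.51.100.7"   # constructed addresses
FAIL = "530 Login incorrect"


class AddressLists:
    """name -> {address: expiry}; an entry only counts while unexpired."""

    def __init__(self):
        self.lists = {}

    def add(self, name, addr, now, timeout):
        self.lists.setdefault(name, {})[addr] = now + timeout

    def contains(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now


@dataclass
class Rule:
    chain: str
    action: str               # "drop", "add-src" or "add-dst" (to address list)
    address_list: str = None  # target list of an add-* action
    timeout: float = 0        # address-list-timeout of an add-* action
    src_list: str = None      # src-address-list matcher
    dst_list: str = None      # dst-address-list matcher
    content: str = None       # content matcher (substring of the payload)
    dst_port: int = None      # dst-port matcher


def run_chain(rules, lists, pkt, now):
    """Walk the rules of pkt['chain'] in order; return 'drop' or 'accept'."""
    for r in rules:
        if r.chain != pkt["chain"]:
            continue
        if r.dst_port is not None and pkt.get("dst_port") != r.dst_port:
            continue
        if r.src_list and not lists.contains(r.src_list, pkt["src"], now):
            continue
        if r.dst_list and not lists.contains(r.dst_list, pkt["dst"], now):
            continue
        if r.content and r.content not in pkt.get("payload", ""):
            continue
        if r.action == "drop":
            return "drop"                                  # terminating
        target = pkt["src"] if r.action == "add-src" else pkt["dst"]
        lists.add(r.address_list, target, now, r.timeout)  # non-terminating
    return "accept"                                        # end of chain


def borage_rules():
    """The post's five rules in the order the post lists them: stage 5 first."""
    return [
        Rule("input", "drop", src_list="ftp_blacklist", dst_port=21),
        Rule("output", "add-dst", "ftp_blacklist", WEEK, dst_list="ftp_stage4", content=FAIL),
        Rule("output", "add-dst", "ftp_stage4", MINUTE, dst_list="ftp_stage3", content=FAIL),
        Rule("output", "add-dst", "ftp_stage3", MINUTE, dst_list="ftp_stage2", content=FAIL),
        Rule("output", "add-dst", "ftp_stage2", MINUTE, dst_list="ftp_stage1", content=FAIL),
        Rule("input", "add-src", "ftp_stage1", MINUTE, dst_port=21),
    ]


def misordered_rules():
    """Same rules, but the output-chain stages listed lowest stage first."""
    rules = borage_rules()
    return [rules[0]] + rules[1:5][::-1] + [rules[5]]


def failed_login(rules, lists, t):
    """One failed login at time t; returns the verdict on the client's packet."""
    client_pkt = {"chain": "input", "src": CLIENT, "dst": ROUTER, "dst_port": 21}
    verdict = run_chain(rules, lists, client_pkt, t)
    if verdict == "accept":  # the server only answers if the packet got through
        reply = {"chain": "output", "src": ROUTER, "dst": CLIENT, "payload": FAIL + "\r\n"}
        run_chain(rules, lists, reply, t)
    return verdict


def first_dropped_attempt(rules, times):
    """Replay failed logins at the given times (seconds); return the 1-based
    number of the first attempt that is dropped, or None if none is."""
    lists = AddressLists()
    for n, t in enumerate(times, 1):
        if failed_login(rules, lists, t) == "drop":
            return n
    return None


if __name__ == "__main__":
    fast = [0, 10, 20, 30, 40]       # five failures inside one minute
    slow = [0, 70, 140, 210, 280]    # one failure every 70 seconds
    print(first_dropped_attempt(borage_rules(), fast))       # 5
    print(first_dropped_attempt(borage_rules(), slow))       # None
    print(first_dropped_attempt(misordered_rules(), fast))   # 2
```

Run it directly to print the three results. The slow case is the practical caveat of the one-minute stage timeout: anyone pacing attempts slower than that is never listed, so the rules slow a brute forcer down rather than stop one.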
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: To prevent password bruteforcing your FTP server

Wed Jul 04, 2007 10:55 pm

You should put it in the wiki.
 
Borage
Member Candidate
Topic Author
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Re: To prevent password bruteforcing your FTP server

Thu Jul 05, 2007 3:07 am

Maybe, if a native English speaker can correct all my grammar and spelling errors. I would also like some input on whether it is wise to create two new chains and jump the traffic to them (I did that on my own router). I also have a similar solution to protect the SSH server in MikroTik RouterOS from bruteforcing attempts.
 
mrz
MikroTik Support
Posts: 7198
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: To prevent password bruteforcing your FTP server

Wed Jul 11, 2007 8:41 am

good :) BUT there is a much simpler way to do this (only two rules will be used):
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

/ ip firewall filter
add chain=output action=add-src-to-address-list protocol=tcp content="530 Login incorrect" dst-limit=10/1m,0,dst-address/1m40s address-list=blacklist

The rule above allows only 10 "login incorrect" answers per minute
 
Borage
Member Candidate
Topic Author
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Re: To prevent password bruteforcing your FTP server

Wed Jul 11, 2007 9:39 am

I tried, but the traffic gets blocked after the first login attempt. :(
 
epproach_lyle
Frequent Visitor
Posts: 51
Joined: Tue Jul 10, 2007 1:13 am
Location: North Carolina, USA

Re: To prevent password bruteforcing your FTP server

Thu Jul 12, 2007 3:18 am

nice script..
 
mrz
MikroTik Support
Posts: 7198
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: To prevent password bruteforcing your FTP server

Mon Jul 23, 2007 4:08 pm

I tried, but the traffic gets blocked after the first login attempt. :(
sorry my mistake:
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

# accept 10 incorrect logins per minute
/ ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

#add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=blacklist address-list-timeout=3h
This is working correctly. Tested :)
Last edited by mrz on Wed Sep 12, 2007 1:52 pm, edited 2 times in total.
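mrz's two-rule version, as an added illustration that is not RouterOS code and not from the post: a Python model of the dst-limit matcher as a per-destination-address token bucket, followed by the accept/blacklist pair and the input-chain drop that consumes the list. The bucket size, refill and idle expiry are assumptions chosen to match the comment "accept 10 incorrect logins per minute": ten tokens (burst 9 plus the one the rate allows), refilled at one per minute, and discarded after a minute without traffic, which is what the trailing /1m in the rule means. The client address 198.51.100.7 and the timestamps are constructed.

```python
"""Model of the dst-limit + blacklist pair (added illustration, not RouterOS code).

Assumed semantics: dst-limit=1/1m,9,dst-address/1m is a token bucket per
destination address holding burst + 1 = 10 tokens (so ten "530" replies a minute
pass, as the post's comment says), refilled at one token per minute and forgotten
after a minute without traffic; accept is terminating, so only replies the
limiter refuses reach the add-dst-to-address-list rule. Timestamps and the client
address are constructed.
"""

RATE_PER_SEC = 1 / 60          # rate 1/1m
BURST = 9
CAPACITY = BURST + 1           # assumption: burst plus the one packet the rate allows
FLOW_EXPIRE = 60               # trailing /1m: idle flow state is dropped
BLACKLIST_TIMEOUT = 3 * 3600   # address-list-timeout=3h
CLIENT = "198.51.100.7"        # constructed attacker address


class DstLimit:
    """Per-destination token bucket approximating the dst-limit matcher."""

    def __init__(self):
        self.flows = {}        # dst -> (tokens, last_seen)

    def matches(self, dst, now):
        tokens, last = self.flows.get(dst, (CAPACITY, now))
        if now - last >= FLOW_EXPIRE:
            tokens = CAPACITY  # flow forgotten while idle: fresh bucket
        else:
            tokens = min(CAPACITY, tokens + (now - last) * RATE_PER_SEC)
        matched = tokens >= 1
        self.flows[dst] = (tokens - 1 if matched else tokens, now)
        return matched


class FtpGuard:
    """The output-chain pair plus the input-chain drop that consumes the list."""

    def __init__(self):
        self.limiter = DstLimit()
        self.blacklist = {}    # addr -> expiry

    def on_failed_reply(self, dst, now):
        """One '530 Login incorrect' reply towards dst; returns the rule that handled it."""
        if self.limiter.matches(dst, now):
            return "accept"    # terminating: the blacklist rule never sees it
        self.blacklist[dst] = now + BLACKLIST_TIMEOUT
        return "blacklist"

    def is_blocked(self, src, now):
        """What the input-chain drop rule decides for a packet from src."""
        return self.blacklist.get(src, 0) > now


def replay(times):
    """Feed one failed login per timestamp; return the verdict for each."""
    guard = FtpGuard()
    verdicts = []
    for t in times:
        if guard.is_blocked(CLIENT, t):
            verdicts.append("drop")
        else:
            verdicts.append(guard.on_failed_reply(CLIENT, t))
    return verdicts


if __name__ == "__main__":
    print(replay(list(range(12))))              # 10 x accept, blacklist, drop
    print(replay([61 * i for i in range(15)]))  # 15 x accept: paced below the limit
```

Because accept is a terminating action, the blacklist rule only ever sees the reply the limiter refused, which is why the two output rules must stay in that order. The second scenario is the idle-expiry caveat: a client that retries once every 61 seconds gets a fresh bucket each time and is never listed.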
 
jorj
Member
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: To prevent password bruteforcing your FTP server

Fri Aug 17, 2007 11:53 am

Tested and working.

Another way to protect yourself:
Make an account with ONLY ftp permission.
This should not compromise your server too much.
Also, leave the admin account with no rights at all, and make another with a name of your choice.
This should make it even harder for the attacker to get a valid username/password pair for access to your network.
 
mrz
MikroTik Support
Posts: 7198
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: To prevent password bruteforcing your FTP server

Fri Aug 24, 2007 8:42 am

hi, I'm asking permission to use your script to be included in a tutorial that I'm about to make...
Yes, you may use this script in your tutorial :)
 
Mactrekr
Frequent Visitor
Posts: 52
Joined: Wed Dec 28, 2005 3:32 am
Location: SE Arizona

Re: To prevent password bruteforcing your FTP server

Fri Apr 11, 2008 2:50 am

mrz,

I can't seem to get your script working at all; I've very carefully entered it and verified it in Winbox. I can still SSH into the box even after as many as 12 failed attempts. Any insight would be appreciated.

Mac
 
Mactrekr
Frequent Visitor
Posts: 52
Joined: Wed Dec 28, 2005 3:32 am
Location: SE Arizona

Re: To prevent password bruteforcing your FTP server

Fri Apr 11, 2008 7:47 am

Nevermind, got it working thanks!
 
joie
newbie
Posts: 49
Joined: Tue May 22, 2007 10:49 pm

Re: To prevent password bruteforcing your FTP server

Wed Jul 15, 2015 8:08 pm

I have just tried to implement this script and it is not working.

I used the script from the wiki, which omitted the interface reference.

http://wiki.mikrotik.com/wiki/Bruteforc ... ion_%28FTP

Below is the script as I am running it.
add action=drop chain=forward comment="Drop FTP Brute Force" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist

add action=accept chain=forward comment="" content="530 1326" disabled=no \
    dst-limit=1/1m,9,dst-address/1m protocol=tcp

add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=forward comment="" content="530 1326" \
    disabled=no protocol=tcp
The MikroTik is not the FTP server, so I have changed the chains from input/output to forward and updated the "530 Login incorrect" string to match the response my server gives, but it still doesn't work. I have tried adding the interface as well as using input/output instead of forward, but it doesn't show as seeing any traffic.

Regards,
Joie
 
mamadmade
just joined
Posts: 3
Joined: Mon Oct 26, 2015 9:49 am

Re: To prevent password bruteforcing your FTP server

Mon Oct 26, 2015 1:10 pm

Does anyone know how to have the result of this rule sent by email? Some kind of mail report from it. Thanks a lot to anyone who can help me.