Uqbar
Member Candidate
Topic Author
Posts: 140
Joined: Tue May 05, 2015 11:56 am

SSH bruteforce mitigation

Wed Nov 04, 2015 12:09 pm

I am experiencing a rather annoying brute force attack on my WAN over the SSH TCP port.
To try to mitigate such a problem I've read this wiki page, second chapter about SSH.
It's not clear to me how those rules can discern between the various SSH handshake stages, especially with the order that's being shown there.
Could anyone provide me with some hint?
TIA.
 
lenart
Frequent Visitor
Posts: 64
Joined: Sat Jun 28, 2014 10:56 am

Re: SSH bruteforce mitigation

Wed Nov 04, 2015 12:18 pm

These rules give any user 3 minutes to properly authenticate. After that, the IP address that is used will not be able to get a connection to the SSH service for 10 days.

While any computer can still try to connect to port 22 on your Mikrotik, the fact that you drop packets will take away the incentive to do so.
 
Uqbar
Member Candidate
Topic Author
Posts: 140
Joined: Tue May 05, 2015 11:56 am

Re: SSH bruteforce mitigation

Wed Nov 04, 2015 12:21 pm

> These rules give any user 3 minutes to properly authenticate. After that, the IP address that is used will not be able to get a connection to the SSH service for 10 days.
>
> While any computer can still try to connect to port 22 on your Mikrotik, the fact that you drop packets will take away the incentive to do so.

So, if I understood correctly, those rules create three cascaded timeouts. If you fail, you go into the blacklist for 10 days (BTW, 10d is not accepted as input in webfig).
Why not simply create a single 3 minute waiting list?
 
lenart
Frequent Visitor
Posts: 64
Joined: Sat Jun 28, 2014 10:56 am

Re: SSH bruteforce mitigation

Wed Nov 04, 2015 12:31 pm

Sorry, I didn't explain the rules correctly. The ruleset presented gives you 3 attempts in 3 minutes before you are blocked for 10 days.

If you create one rule that times out in 3 minutes, you get 1 attempt every 3 minutes. That way, you'll block yourself for 10 days if you accidentally mistype your password and fail to wait 3 minutes before trying again.

The logic is as follows:
You connect to your SSH server. This triggers your firewall to add the IP to [ssh_stage1]. If you mistype your password and try again within 1 minute, your next connection matches the rule above the final rule and you are added to [ssh_stage2]. This continues until you match the first rule in the list.
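The staged ruleset the thread refers to, written out and commented as an added example (it is not posted by either participant; the rules follow the wiki's set as I remember it, and the `admin_allow` whitelist rule at the top is my own addition, with the list name being a placeholder):

```routeros
/ip firewall filter
# Rules are evaluated top-down. add-src-to-address-list is a passthrough
# action (the packet continues to the next rule), so the stages are listed
# from highest to lowest: one new connection advances an address by exactly
# one stage. Listed the other way round, a single connection would cascade
# straight from stage1 to the blacklist.
# The firewall only counts new TCP connections to port 22; it cannot see
# whether a login succeeded, so exempt known management hosts first.
# These rules must sit above any broader accept rule in chain=input, or
# SSH traffic never reaches them and no address-list is ever created.

# (my addition, not in the wiki set) trusted admin hosts are never staged
add chain=input protocol=tcp dst-port=22 src-address-list=admin_allow \
    action=accept comment="ssh: trusted admins"

# 1. already blacklisted: drop before any staging rule can refresh a timer
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="ssh: drop brute forcers"

# 2. fourth new connection inside the 1-minute windows: blacklist 10 days
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="ssh: stage3 -> blacklist"

# 3. third connection within 1 minute of the second
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m \
    comment="ssh: stage2 -> stage3"

# 4. second connection within 1 minute of the first
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m \
    comment="ssh: stage1 -> stage2"

# 5. any new SSH connection: start (or refresh) the 1-minute stage1 timer
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="ssh: new -> stage1"
```

Check progress with `/ip firewall address-list print` after a few test connections from a non-whitelisted host; if the stage lists stay empty, an earlier rule in chain=input is matching the traffic first.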
 
Uqbar
Member Candidate
Topic Author
Posts: 140
Joined: Tue May 05, 2015 11:56 am

Re: SSH bruteforce mitigation

Wed Nov 04, 2015 12:46 pm

Anyway, with those rules in place I don't see any address list being created.
Should I create them manually?
 
lenart
Frequent Visitor
Posts: 64
Joined: Sat Jun 28, 2014 10:56 am

Re: SSH bruteforce mitigation

Wed Nov 04, 2015 12:54 pm

You do not have to create the address-lists, they are created automatically by the rule. If no address-lists are being created, check in WinBox whether any traffic is hitting the last rule. If no traffic is making it to the last rule, you should figure out which rule is matching the traffic and either move the rules to a position above that rule or change/delete that rule.