chemy
just joined
Topic Author
Posts: 11
Joined: Mon Apr 30, 2018 11:16 pm
Location: Chile

Preventing MySQL and MSSQL Bruteforce attacks

Mon Apr 30, 2018 11:50 pm

Hello Everyone,

I am new to working with MikroTik and to this forum. I have a MikroTik administering the network as a firewall, QoS, NAT, DHCP, etc., and I need to prevent brute-force attacks on MySQL and MSSQL servers. I tried something like this:

/ip firewall filter
add chain=forward protocol=tcp dst-port=3306 connection-state=new action=add-dst-to-address-list address-list=MySQL-stage1
add chain=forward protocol=tcp dst-port=3306 connection-state=new src-address-list=MySQL-stage1 action=add-dst-to-address-list address-list=MySQL-stage2
add chain=forward protocol=tcp dst-port=3306 connection-state=new src-address-list=MySQL-stage2 action=add-dst-to-address-list address-list=MySQL-stage3
add chain=forward protocol=tcp dst-port=3306 connection-state=new src-address-list=MySQL-stage3 action=add-dst-to-address-list address-list=MySQL-Blacklist
add chain=forward protocol=tcp dst-port=3306 connection-state=new src-address-list=MySQL-Blacklist action=drop

It works, passing connections through the stages, but even if I enter the correct user and password, my IP gets blacklisted. I think there must be a way to verify an invalid login by adding a characteristic to the rules, but I do not know what it could be.

I have done similar rules for SSH brute-force attacks and RDP attacks, and they work fine.

Thanks for your help.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Preventing MySQL and MSSQL Bruteforce attacks

Tue May 01, 2018 12:51 am

The router is not the right place for this. It would have to inspect connections, understand the protocol and find failed login attempts. You'd need L7 filters, and even if it's possible to find the right patterns (I don't know), it's resource-intensive stuff.

If it seems to work for SSH or RDP, it's only because when you connect and log in, typically the connection stays open for a longer time and you don't reconnect several times. But try to open several connections quickly one after another and you'll be blocked too.

For any SQL, I'd say it's completely unusable. Take e.g. a typical webserver with PHP: unless you use persistent database connections, you'll get new ones all the time. And even with persistent ones, restart the webserver, several PHP CGI processes will start at the same time, connect to the database ... and you're blocked again.
 
chemy
just joined
Topic Author
Posts: 11
Joined: Mon Apr 30, 2018 11:16 pm
Location: Chile

Re: Preventing MySQL and MSSQL Bruteforce attacks

Wed May 02, 2018 6:39 pm

Ooh, I see. So there is no way to prevent this with MikroTik automatically. Maybe I can use schedules and blacklists.

Thanks
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Preventing MySQL and MSSQL Bruteforce attacks

Fri May 04, 2018 2:05 am

Personally, I'd rather have a whitelist of allowed addresses, if possible. If it's open for everyone, I wouldn't fear bruteforcers too much. The network has some minimum latency, so there's a natural limit: you can't try a million passwords every second. So with strong passwords, they could try for a century and wouldn't get in. But if some exploitable vulnerability were discovered in the database, then just one connection could be enough.
 
Sayrax
just joined
Posts: 24
Joined: Mon Jun 26, 2017 4:44 pm
Location: Kharkiv

Re: Preventing MySQL and MSSQL Bruteforce attacks

Fri May 04, 2018 11:06 pm

Hi! I use fail2ban and a script. The script adds addresses to a blocked address list in MikroTik. Why open the database server to the world?
 
chemy
just joined
Topic Author
Posts: 11
Joined: Mon Apr 30, 2018 11:16 pm
Location: Chile

Re: Preventing MySQL and MSSQL Bruteforce attacks

Fri May 04, 2018 11:42 pm

Hi Sayrax,

The database is open to the world for remote access to a company management software. It's a Windows Server; does fail2ban work with Windows?
 
squeeze
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: Preventing MySQL and MSSQL Bruteforce attacks

Sun May 06, 2018 10:45 pm

Not clear why this is necessary.

A professional or security-conscious technical individual would only ever be using either network segments like VLANs (non-Internet) or a single firewall point of entry on a dedicated edge device (Internet). So these types of attacks would be all but impossible against a production server in the first place.

The rest is taken care of by logging and usual security practices.

In your case, you should be using a VPS or VPN, though if you had to, you could use a strong SSH implementation with key-based authentication instead (this latter setup is the only one where fail2ban or similar would make sense).
 
Sayrax
just joined
Posts: 24
Joined: Mon Jun 26, 2017 4:44 pm
Location: Kharkiv

Re: Preventing MySQL and MSSQL Bruteforce attacks

Fri May 18, 2018 10:58 pm

If you really need to expose MySQL directly, I would recommend the use of certificates, and writing a script that will look into the events and, on a large number of authorizations, send the address to the MikroTik block list. Ideally: exclude direct access and use a VPN.

P.S.: If you need hardcore, install Cygwin and try to compile fail2ban. :)
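
The approach suggested in the replies above (a script on the server that looks at login events and sends repeat offenders to a MikroTik address list), as an added example that is not code from any poster in this thread. It counts failed logins rather than new connections, which is the distinction the stage rules in the first post cannot make. Assumptions: the log lines follow the MySQL 5.7 error-log style written with log_error_verbosity=3, the sample lines are constructed, the function names, threshold and window are hypothetical, and delivering the generated lines to the router (SSH or API) is left out.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, in the style of a MySQL 5.7 error log (log_error_verbosity=3).
SAMPLE_LOG = """\
2018-05-04T20:00:00.000000Z 0 [Note] mysqld: ready for connections.
2018-05-04T20:01:02.100000Z 11 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-05-04T20:01:03.100000Z 12 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2018-05-04T20:01:04.100000Z 13 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2018-05-04T20:01:05.100000Z 14 [Note] Access denied for user 'erp'@'198.51.100.20' (using password: YES)
2018-05-04T20:01:06.100000Z 15 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2018-05-04T20:01:07.100000Z 16 [Note] Access denied for user 'test'@'203.0.113.7' (using password: YES)
2018-05-04T20:09:00.100000Z 17 [Note] Access denied for user 'erp'@'198.51.100.20' (using password: YES)
"""

DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z \d+ \[Note\] "
    r"Access denied for user '[^']*'@'(?P<ip>[0-9.]+)'"
)

def offenders(log_text, threshold=5, window=timedelta(minutes=1), allow=()):
    """Source IPs with >= threshold failed logins (not connections) inside one window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = []
    for line in log_text.splitlines():   # lines are assumed to be in time order
        m = DENIED.match(line)
        if not m or m["ip"] in allow:    # allow = addresses that must never be listed
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:        # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged

def routeros_commands(ips, list_name="MySQL-Blacklist", timeout="1d"):
    """RouterOS lines that put each address on the list matched by the drop rule."""
    return [
        f"/ip firewall address-list add list={list_name} "
        f"address={ipaddress.ip_address(ip)} timeout={timeout}"   # raises on non-IP text
        for ip in ips
    ]

if __name__ == "__main__":
    print("\n".join(routeros_commands(offenders(SAMPLE_LOG))))
```

With this in place the router only needs the single drop rule on `src-address-list=MySQL-Blacklist`; the timeout lets entries expire so a mistyped password does not lock an address out permanently.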