grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Adapt FTP brute force banning rules for L2TP/IPSEC

Thu Dec 16, 2021 12:16 pm

I have seen on another post that someone was able to adapt the rules from https://wiki.mikrotik.com/wiki/Brutefor ... prevention

So far I have:
add chain=input protocol=udp dst-port=500 src-address-list=vpn_blacklist action=drop \
comment="drop ipsec brute forcers"

But I am stuck with adapting the next part
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

How do I know what the tcp output is for a failed IPSEC connection? I can see the failed connection in the log - it says "parsing packet failed, possible cause: wrong password"
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: Adapt FTP brute force banning rules for L2TP/IPSEC  [SOLVED]

Thu Dec 16, 2021 3:52 pm

OK, managed to solve this by adapting the second rule set in the MikroTik Wiki.

On each IPSEC connection 2 packets are seen on port 500, so I've made use of the nth matcher to take this into account.
Also removed connection-state=new, as this prevented seeing any packets after the first attempt.

These rules go before anything else on the input chain.

/ip firewall filter
add action=drop chain=input comment="drop VPN brute forcers" dst-port=500 \
    protocol=udp src-address-list=VPN_blacklist
add action=add-src-to-address-list address-list=VPN_blacklist \
    address-list-timeout=4w2d chain=input connection-state="" dst-port=500 \
    nth=2,2 protocol=udp src-address-list=VPN_stage3
add action=add-src-to-address-list address-list=VPN_stage3 \
    address-list-timeout=1m chain=input connection-state="" dst-port=500 nth=\
    2,2 protocol=udp src-address-list=VPN_stage2
add action=add-src-to-address-list address-list=VPN_stage2 \
    address-list-timeout=1m chain=input connection-state="" dst-port=500 nth=\
    2,2 protocol=udp src-address-list=VPN_stage1
add action=add-src-to-address-list address-list=VPN_stage1 \
    address-list-timeout=1m chain=input connection-state="" dst-port=500 nth=\
    2,2 protocol=udp
 
inteq
Member
Posts: 429
Joined: Wed Feb 25, 2015 8:15 pm
Location: Romania

Re: Adapt FTP brute force banning rules for L2TP/IPSEC

Fri Dec 17, 2021 8:22 pm

The problem is if a user reconnects/disconnects too fast, it will end up in the blacklist also.
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: Adapt FTP brute force banning rules for L2TP/IPSEC

Fri Dec 17, 2021 9:01 pm

That is true.
Maybe there is a way to detect only unsuccessful logins? Would be glad to hear of any alternative solutions.
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Adapt FTP brute force banning rules for L2TP/IPSEC

Fri Dec 17, 2021 11:02 pm

Remember UDP is connectionless, the source address can be spoofed. Using this, anyone with knowledge of your blacklist can now force you to blacklist arbitrary IP addresses. If your legit VPN endpoint IPs are discovered your anti-brute-force is now a DoS vector.
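As an added example (not from this thread and not MikroTik code), the following Python model replays the five rules from the solved post against constructed packet sequences. It shows three things: a brute forcer reaching VPN_blacklist after four two-packet attempts, a legitimate client that reconnects four times inside a minute being blacklisted exactly the same way (inteq's objection), and an attacker forging a victim's source address to get that victim dropped (R1CH's objection). Assumptions, labelled in the code: each IKE attempt appears as two UDP/500 packets as the solved post states, nth=2,2 counters are kept per rule, add-src-to-address-list is passthrough, and re-adding a dynamic entry refreshes its timeout. Addresses and timings are constructed sample input.

```python
"""Model of the staged RouterOS address-list rules from the solved post.

Added example, not from the original thread or from MikroTik. Packet
sequences and addresses below are constructed sample input.
"""
from dataclasses import dataclass

UDP_IKE_PORT = 500
STAGE_TIMEOUT = 60              # address-list-timeout=1m
BLACKLIST_TIMEOUT = 30 * 86400  # address-list-timeout=4w2d

# (src-address-list to match, address-list to add to, timeout), in the order
# the rules appear on the page; None matches any source (the stage1 rule).
ADD_RULES = [
    ("VPN_stage3", "VPN_blacklist", BLACKLIST_TIMEOUT),
    ("VPN_stage2", "VPN_stage3", STAGE_TIMEOUT),
    ("VPN_stage1", "VPN_stage2", STAGE_TIMEOUT),
    (None, "VPN_stage1", STAGE_TIMEOUT),
]


@dataclass(frozen=True)
class Packet:
    t: float            # seconds since start of the simulation
    src: str            # source address as seen by the router (may be forged)
    proto: str = "udp"
    dport: int = UDP_IKE_PORT


class Firewall:
    """Input chain containing only the thread's rules; all else is accepted."""

    def __init__(self):
        self.lists = {name: {} for _, name, _ in ADD_RULES}        # list -> {addr: expiry}
        self.nth_counter = {name: 0 for _, name, _ in ADD_RULES}  # one counter per rule

    def listed(self, name, addr, now):
        expiry = self.lists[name].get(addr)
        return expiry is not None and expiry > now

    def _add(self, name, addr, now, timeout):
        # Assumption: re-adding a dynamic entry refreshes its timeout.
        self.lists[name][addr] = now + timeout

    def _nth_2_2(self, rule):
        # Assumption: nth=2,2 is a per-rule counter cycling 1,2 that matches on 2.
        self.nth_counter[rule] = self.nth_counter[rule] % 2 + 1
        return self.nth_counter[rule] == 2

    def handle(self, p):
        if not (p.proto == "udp" and p.dport == UDP_IKE_PORT):
            return "accept"
        if self.listed("VPN_blacklist", p.src, p.t):
            return "drop"                      # rule 1: drop VPN brute forcers
        for match_list, target, timeout in ADD_RULES:
            if match_list is not None and not self.listed(match_list, p.src, p.t):
                continue                       # counter only advances when the rule is reached
            if self._nth_2_2(target):
                self._add(target, p.src, p.t, timeout)
        return "accept"                        # add-src-to-address-list is passthrough


def ike_attempts(src, count, gap, start=0.0):
    """count IKE attempts from src; each shows up as 2 UDP/500 packets (per the thread)."""
    pkts = []
    for i in range(count):
        t = start + i * gap
        pkts += [Packet(t, src), Packet(t + 0.5, src)]
    return pkts


def run(packets):
    fw = Firewall()
    verdicts = [fw.handle(p) for p in sorted(packets, key=lambda p: p.t)]
    return fw, verdicts


def scenarios():
    attacker, client, victim = "203.0.113.7", "198.51.100.20", "192.0.2.44"  # constructed
    out = {}
    # (a) brute forcer: 4 attempts one second apart -> blacklisted, next packet dropped
    fw, verdicts = run(ike_attempts(attacker, count=4, gap=1))
    out["bruteforcer_blacklisted"] = fw.listed("VPN_blacklist", attacker, now=4)
    out["bruteforcer_packets_dropped"] = verdicts.count("drop")   # the staging itself drops nothing
    out["bruteforcer_next_packet"] = fw.handle(Packet(4, attacker))
    # (b) legitimate client reconnecting every 15 s: indistinguishable from (a)
    fw, _ = run(ike_attempts(client, count=4, gap=15))
    out["fast_reconnect_blacklisted"] = fw.listed("VPN_blacklist", client, now=46)
    # (c) same client reconnecting every 2 min: the 1m stage entries expire first
    fw, _ = run(ike_attempts(client, count=4, gap=120))
    out["slow_reconnect_blacklisted"] = fw.listed("VPN_blacklist", client, now=361)
    out["slow_reconnect_reached_stage2"] = fw.listed("VPN_stage2", client, now=361)
    # (d) spoofing: attacker sends 8 UDP/500 packets with src forged to the victim's address;
    #     the router has no way to tell, so the victim's own packet is then dropped
    fw, _ = run(ike_attempts(victim, count=4, gap=1))
    out["victim_real_packet"] = fw.handle(Packet(300, victim))
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

The model deliberately keeps the nth counter per rule rather than per source, which is also why interleaved packets from several clients can shift which packet of a given client triggers a stage. Nothing in the rules distinguishes a failed authentication from a successful one, a retry, or a forged source, which is the gap the later replies point at.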
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: Adapt FTP brute force banning rules for L2TP/IPSEC

Mon Dec 20, 2021 11:50 am

Thanks. Seems I need a way to actually detect failed logins. I will keep searching.