tplecko
Member Candidate
Topic Author
Posts: 122
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia

Automated blocking of IP addresses

Mon Dec 10, 2007 4:02 pm

In my logs I have lots of entries like
(50 messages not shown)
dec/10/2007 16:05:09 system,error,critical login failure for user username from 222.112.170.217 via ssh
dec/10/2007 16:05:12 system,error,critical login failure for user username from 222.112.170.217 via ssh
dec/10/2007 16:05:16 system,error,critical login failure for user user from 222.112.170.217 via ssh
dec/10/2007 16:05:19 system,error,critical login failure for user root from 222.112.170.217 via ssh
dec/10/2007 16:05:22 system,error,critical login failure for user admin from 222.112.170.217 via ssh
dec/10/2007 16:05:26 system,error,critical login failure for user test from 222.112.170.217 via ssh
dec/10/2007 16:05:29 system,error,critical login failure for user root from 222.112.170.217 via ssh
dec/10/2007 16:05:32 system,error,critical login failure for user root from 222.112.170.217 via ssh

Is there a way to automatically block this IP after 3-4 failed logins?



Thanks
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Automated blocking of IP addresses

Tue Dec 11, 2007 3:30 pm

You can use an access-list - so when a host connects for the first time it gets put in a starting list; if it connects another time it gets further; when it connects for the 4th or 5th time its IP address is added to a block list and it is dropped for some time.
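The escalating-list scheme described above, written out as RouterOS firewall rules for SSH on TCP/22. This is an added example, not code from the thread or from MikroTik; the list names (mgmt_whitelist, ssh_stage1..3, ssh_blacklist), the one-minute stage timeouts and the 45-minute block are assumptions, chosen to match the "a few connections within a minute, then block for 45 minutes" numbers discussed in this thread.

```routeros
# Added example (not from the thread): escalating address-lists for SSH.
# List names, timeouts and the whitelist are assumptions.
/ip firewall filter
# 0. never lock out known-good sources (assumed list "mgmt_whitelist")
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt_whitelist action=accept \
    comment="SSH: trusted sources bypass the counters"
# 1. sources that already earned a place on the blacklist are dropped,
#    including their existing sessions (no connection-state match here)
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="SSH: drop blacklisted"
# 2..5. every NEW connection moves the source one stage further.
#    add-src-to-address-list does not terminate rule processing, so the
#    packet keeps falling through the remaining rules; ordering the highest
#    stage first means one connection advances a source by exactly one stage.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 \
    action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=45m \
    comment="SSH: 4th new connection within a minute -> blacklist for 45 minutes"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 \
    action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
    action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
# 6. everything that survived the counters may talk to sshd
add chain=input protocol=tcp dst-port=22 action=accept comment="SSH: allow"
```

The fourth new connection is still accepted (the blacklist add is a passthrough action and the accept rule follows); from the fifth on the source is dropped until the 45-minute entry expires. Note that these rules count TCP connections, not failed authentications: an administrator who opens four SSH sessions within a minute ends up on the blacklist too, which is what the whitelist rule in front of the counters is for. `/ip firewall address-list print where list=ssh_blacklist` shows who has been caught, and removing the entry from that list lifts the block early.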
 
Dragonmen
Frequent Visitor
Posts: 72
Joined: Thu Jun 16, 2005 6:20 pm
Location: Sabac, Serbia

Re: Automated blocking of IP addresses

Wed Dec 12, 2007 9:32 am

My recommendation is to block the ports for router access in the input chain and allow connections to these ports only from your IP address (or range) - this will prevent possible router hacking.
The ports are: 21, 22, 23, 80, 8291, all TCP.
 
tplecko
Member Candidate
Topic Author
Posts: 122
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia

Re: Automated blocking of IP addresses

Wed Dec 12, 2007 10:19 am

Access-lists can only be used with wireless interfaces...

My router has no wireless interfaces.

Public interface, DMZ interface and LAN interface (all wired)

On the WAN I have static IP addresses and my logs are full of failed login attempts from the same IP address for hours....

I can't block remote access because I connect to the router the same way.

But regardless of where the attempts are coming from, is there any way to prevent this?
Is there a way to add a user's IP to an address-list when he fails to log on, and count such logins? If the number of failed logins is greater than e.g. 5 in the last minute, block the IP for 45 minutes?

I'm pretty new to scripting and some of the more advanced functions, but I understand a good example!

Regards
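The log-driven variant asked for here, as an added example that is not from the thread: a RouterOS script that counts "login failure ... via ssh" entries in the router's in-memory log per source address and puts repeat offenders on an address-list with a 45-minute timeout. The script name ssh-bruteforce-watch, the list name ssh_blacklist, the threshold of 5 and the assumption that it runs from /system scheduler once a minute are all choices made for this example, and it uses RouterOS v6 scripting syntax.

```routeros
# Added example, not from the thread. Counts SSH login failures per source
# address in the in-memory log and blacklists sources that reach a threshold.
# Meant to be stored as /system script "ssh-bruteforce-watch" and run from
# /system scheduler every minute; list name, threshold and block time are
# assumptions.
:local threshold 5
:local blockTime 45m
:local listName "ssh_blacklist"
:local counts [:toarray ""]

# a matching log message looks like (taken from the log lines in this thread):
#   login failure for user root from 222.112.170.217 via ssh
:foreach entry in=[/log find where message~"login failure for user .* from .* via ssh"] do={
    :local msg [/log get $entry message]
    # the source address sits between " from " (6 characters) and " via "
    :local ipStart ([:find $msg " from "] + 6)
    :local ipEnd [:find $msg " via "]
    :local ip [:pick $msg $ipStart $ipEnd]
    :if ([:typeof ($counts->$ip)] = "nil") do={
        :set ($counts->$ip) 1
    } else={
        :set ($counts->$ip) (($counts->$ip) + 1)
    }
}

# block every source at or above the threshold that is not listed already;
# the address-list timeout removes the entry again after $blockTime
:foreach ip,n in=$counts do={
    :if ($n >= $threshold) do={
        :if ([:len [/ip firewall address-list find where list=$listName && address=$ip]] = 0) do={
            /ip firewall address-list add list=$listName address=$ip timeout=$blockTime \
                comment="$n ssh login failures"
            :log warning "ssh-bruteforce-watch: blacklisted $ip after $n failed logins"
        }
    }
}
```

The list only does something once a filter rule uses it, e.g. `/ip firewall filter add chain=input src-address-list=ssh_blacklist action=drop` placed above the rule that accepts SSH, and the schedule is `/system scheduler add name=ssh-bruteforce-watch interval=1m on-event=ssh-bruteforce-watch`. Two caveats a practitioner should know: the window is "the log buffer", not "the last minute", because the script cannot cheaply compare log timestamps, so the memory logging size (`/system logging action set memory memory-lines=...`) is the effective window; and because old lines stay in that buffer, a source whose block has expired is re-added on the next run if its failures are still in the buffer, which for a brute-forcer is exactly what you want.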
 
Dragonmen
Frequent Visitor
Posts: 72
Joined: Thu Jun 16, 2005 6:20 pm
Location: Sabac, Serbia

Re: Automated blocking of IP addresses

Wed Dec 12, 2007 10:37 am

/ip firewall filter add chain=input src-address="YOURIPORSUBNET" action=accept
/ip firewall filter add chain=input action=drop

For multiple input IPs/subnets, execute the first rule as many times as you have IPs/subnets that have to communicate with the router directly.
Alternatively, you can use this:
/ip firewall filter add chain=input protocol=tcp dst-port=21 action=drop
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=drop
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop
/ip firewall filter add chain=input protocol=tcp dst-port=80 action=drop
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop
instead of the drop rule above, to drop only the "auth-type" services.

Putting IP addresses in an access-list is still not secure enough (what if somebody guesses your user/pass the first time?)
 
tplecko
Member Candidate
Topic Author
Posts: 122
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia

Re: Automated blocking of IP addresses

Thu Dec 13, 2007 10:02 am

I think that it is less likely that someone will guess my username and password on the first try...

And forgive me, I forgot to say that I must be able to access the router over the Internet. I am connected through DSL, so I can't create a rule to give me access based on IP address.

If I were on a static IP, I wouldn't be asking here.
Is there a way to do this?
 
yancho
Member Candidate
Posts: 207
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Re: Automated blocking of IP addresses

Thu Dec 13, 2007 6:17 pm

 
GWISA
Member
Posts: 389
Joined: Tue Jan 31, 2006 2:37 pm
Location: Johannesburg, South Africa

Re: Automated blocking of IP addresses

Fri Dec 14, 2007 12:46 am

The wiki has a great script - you could also just change the ssh port on your router...
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Automated blocking of IP addresses

Mon Dec 17, 2007 5:50 pm

I have the PPTP server enabled, so I can log in from wherever I need, and some sites in a whitelist, so I do not have to create a PPTP tunnel to access from those sites.
 
ArmootSystemInc
just joined
Posts: 1
Joined: Thu Nov 10, 2016 10:49 pm

Re: Automated blocking of IP addresses

Thu Nov 10, 2016 11:00 pm

Hi !!
I'm an IT expert at Armoot System Company from Tehran, Iran.
I wanted to do it too !! But finally I found out that it is not possible !! You can only use another port for SSH & Telnet & WinBox & the Web Console ... but attackers can find your personal ports with port scanner software, for example Nmap !! For DSL users that don't have static IP addresses ... I recommend that you use a Squid proxy server with Linux CentOS if you don't have wireless on your MikroTik !! :)
 
docmarius
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Automated blocking of IP addresses

Fri Nov 11, 2016 8:29 am

Changing access ports is actually good practice,
because these hack attempts are basically conducted automatically on standard ports.
There is no one trying to attack your router specifically by giving it full attention; it is just a script.
So if no open port is found by its internal logic, it will move on. No port scan, no alternate methods.
Usually you are not special to them, just an arbitrary system responding to a connect on port 22.
 
BlackVS
Member Candidate
Posts: 175
Joined: Mon Feb 04, 2013 7:00 pm

Re: Automated blocking of IP addresses

Fri Nov 11, 2016 10:01 am

... turbulence in the forum...
see next post %)
Last edited by BlackVS on Fri Nov 11, 2016 10:05 am, edited 1 time in total.
 
BlackVS
Member Candidate
Posts: 175
Joined: Mon Feb 04, 2013 7:00 pm

Re: Automated blocking of IP addresses

Fri Nov 11, 2016 10:03 am

Hi !!
I'm an IT expert ... but finally I found out that it is not possible !!
Very fun... Generally I agree with you - everything can be hacked.
The question is only the resources spent (time, money, equipment etc.)

But if you
0. Use non-standard ports.
1. Use a VPN for access. Hacking a proper VPN is much harder than hacking the Telnet or HTTP protocol.
2. Use HTTPS - even with an open port it is not so easy to hack. Sure, you must use proper certificates, not just open the port.
3. Use whitelists.
4. Use the port-knocking technique. For paranoiacs - with complex 3-4 stage logic %))
5. Add some intelligence to the router by detecting brute forces. In my block list I usually have ~5000 blocked IPs.
6. The same as the previous one, but use external sources for blacklists. I saw such lists with auto-updating scripts here on the forum.
PS.
7. Don't use stickers with passwords on your monitor or something like that %)

and if you use all of 0+1+2+3+4+5+6 then instead of directly hacking your router it will be much easier to hack the system administrators with rubber-hose cryptanalysis (in Russian: терморектальный криптоанализ, "thermorectal cryptanalysis")... For a usual office/home router 2-3 methods from the list above are enough.

And don't use HTTP, Telnet or SSH for accessing your router globally (and sometimes locally) at all.

Don't use HTTPS or WinBox without additional protections from those listed above.

Put each globally exposed Internet service in its own DMZ zone. In that case, if somebody hacks your server they hack only that server, without any additional access to the router or the internal network.

As for the strength of WinBox - difficult to say due to its proprietary protocol...
Yes, I know people have tried to reverse engineer it (for creating custom applications); it can be analysed, but in 99.99% of cases nobody will do it.

Especially for the Expert - giving full access to the router via WiFi is not a good idea...
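Item 4 of the list above (a multi-stage port knock in front of the management ports), as an added example that is not from the thread or from MikroTik. The knock ports 1234/2345/3456, the LAN interface name, the list names knock_stage1/knock_stage2/knock_ok and the timeouts are assumptions; the rules also assume SSH and WinBox are still on their default ports 22 and 8291.

```routeros
# Added example (not from the thread): three-stage port knocking in front
# of SSH and WinBox. Knock ports, interface name, list names and timeouts
# are assumptions.
/ip firewall filter
# keep existing sessions working regardless of the knock state
add chain=input connection-state=established,related action=accept
# management from the inside does not need to knock (assumed interface "LAN")
add chain=input in-interface=LAN action=accept
# stage 1: a SYN to the first knock port opens a 10 s window for stage 2
add chain=input protocol=tcp dst-port=1234 \
    action=add-src-to-address-list address-list=knock_stage1 address-list-timeout=10s
# stage 2 only counts if stage 1 was hit within the last 10 s; a knock on
# 2345 from a source that is not in knock_stage1 does nothing
add chain=input protocol=tcp dst-port=2345 src-address-list=knock_stage1 \
    action=add-src-to-address-list address-list=knock_stage2 address-list-timeout=10s
# stage 3 completes the sequence and grants management access for one hour
add chain=input protocol=tcp dst-port=3456 src-address-list=knock_stage2 \
    action=add-src-to-address-list address-list=knock_ok address-list-timeout=1h
# SSH and WinBox only from sources that completed the sequence
add chain=input protocol=tcp dst-port=22,8291 src-address-list=knock_ok action=accept
# everything else aimed at the router is dropped; since add-src-to-address-list
# is a passthrough action the knock SYNs end up here too, so the knock ports
# look just as closed as 22 and 8291 do to a scanner
add chain=input action=drop
```

From a client the sequence is three connection attempts in order, e.g. `nc -z -w1 ROUTER 1234; nc -z -w1 ROUTER 2345; nc -z -w1 ROUTER 3456`, after which SSH on port 22 works for an hour from that source address. The final drop also covers ICMP, DNS to the router and anything else you may rely on, so those need their own accept rules above it. Keep in mind what this does and does not buy: the knock sequence travels in clear text and anyone watching the path can replay it, so it hides the management ports from scanners and scripts rather than authenticating the administrator, which is why it belongs in front of a VPN or key-based SSH rather than instead of them.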
