bach1
just joined
Topic Author
Posts: 9
Joined: Tue Jan 16, 2018 9:19 pm

How Autoblock IP address

Fri Mar 02, 2018 1:57 pm

Hello, I need a tutorial on how to do IP address blocking on the MikroTik, so that after 5 unsuccessful attempts to log in to the MikroTik an address gets put on a list of forbidden addresses, and then these addresses are rejected.
Last edited by bach1 on Fri Mar 02, 2018 3:11 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: How Autoblock IP address

Fri Mar 02, 2018 2:04 pm

I think you first need a tutorial on how to post understandable questions.
See signature.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How Autoblock IP address

Fri Mar 02, 2018 4:28 pm

That is not exactly a fair response (unless of course this is a homework assignment and the OP is asking someone to do his/her work for him/her).
The issue I have is what LOGIN, to a server behind the mikrotik, or the mikrotik itself??

If it's to the MikroTik, why are people trying to log in to it in the first place, and secondly why is the interface accessible to a whole bunch of people?
 
Petri
Frequent Visitor
Posts: 97
Joined: Mon Dec 05, 2016 1:55 pm
Location: Helsinki, Finland

Re: How Autoblock IP address

Fri Mar 02, 2018 4:45 pm

I think the OP is asking for a log analyzer like Fail2Ban, SSHGuard or BlackListd for MikroTiks. No, you can't set it up on the router. If you really want, you can redirect the log to a Linux box and run the log analyzer there. Then you could define an action to add the offending IP to an address list on the router and use it in a firewall rule. Quite a hassle.

Typically you would use static firewall rules or VLANs to restrict administration to a small number of trusted IP addresses like @anav suggested.
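The log-analyzer approach described in this post, sketched as an added example that is not part of the original thread: it counts RouterOS "login failure" messages per source on the box that receives the router's syslog and builds the address-list command for offenders. The timestamp/host prefix of each line, the 10-minute window, the allowlisted address and the list name `blacklist` are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Greedy ".*" binds to the last "from ... via ...", so username text cannot supply the address.
FAILURE = re.compile(r"login failure for user .* from (\S+) via \S+$")
MAX_FAILURES = 5                  # threshold asked for in the original question
WINDOW = timedelta(minutes=10)    # assumed counting window
ALLOWLIST = {"192.0.2.10"}        # assumed management host that must never be listed

def parse(line):
    """Return (timestamp, source IP) for a failed-login line, otherwise None."""
    m = FAILURE.search(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group(1)))    # reject anything that is not an IP
        ts = datetime.strptime(line[:19], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, ip

def offenders(lines):
    """Return sources that reach MAX_FAILURES failed logins inside WINDOW, in order."""
    recent, found = defaultdict(deque), []
    for ts, ip in filter(None, map(parse, lines)):
        if ip in ALLOWLIST or ip in found:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:     # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            found.append(ip)
    return found

def routeros_command(ip, timeout="1w"):
    return f"/ip firewall address-list add list=blacklist address={ip} timeout={timeout}"

_L = "{} router system,error,critical {}".format    # assumed line prefix; sample is constructed
SAMPLE_LOG = (
    [_L(f"2018-03-02T14:0{i}:00", "login failure for user admin from 203.0.113.7 via ssh") for i in range(5)]
    + [_L(f"2018-03-02T1{i}:30:00", "login failure for user root from 198.51.100.4 via telnet") for i in range(5)]
    + [_L(f"2018-03-02T16:0{i}:00", "login failure for user admin from 192.0.2.10 via winbox") for i in range(5)]
    + [_L("2018-03-02T17:00:00", "user admin logged in from 192.0.2.10 via winbox")]
)

if __name__ == "__main__":
    print("\n".join(routeros_command(ip) for ip in offenders(SAMPLE_LOG)))
```

How the command reaches the router (SSH or the API, with a dedicated low-privilege account) is left out here; the firewall rule that drops `src-address-list=blacklist` stays on the router.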
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: How Autoblock IP address

Fri Mar 02, 2018 5:14 pm

That is not exactly a fair response (unless of course this is a homework assignment and the OP is asking someone to do his/her work for him/her).
The user has edited the question after I made that reply; I did not quote it, so you cannot see the gibberish that was there before.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How Autoblock IP address

Fri Mar 02, 2018 6:12 pm

My apologies pe1chl, if I had been on these forums longer I would have known better. :-)
For example, I don't know if Forum GURU is a self-made title or one that is bestowed upon a member for expertise or other purposes...
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: How Autoblock IP address

Fri Mar 02, 2018 9:30 pm

As Companion posts, that is how I used to accomplish the same thing. It began to become unwieldy when I wanted other rules to apply the same blacklist rules, so I reorganized it as a sort of subroutine.

/ip firewall filter
# Entry point: send new port 22 connections from non-whitelisted sources to the blacklist chain
add action=jump chain=input comment="Blacklist IP trying to hit 22" connection-state=new dst-port=22 in-interface=ether1 jump-target=blacklist protocol=tcp src-address-list=!whitelist.mgmt

# "Subroutine": already blacklisted sources are refreshed and dropped; others move up one stage per new connection
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1w chain=blacklist comment="Refresh blacklist timer" connection-state="" src-address-list=blacklist
add action=drop chain=blacklist comment="Drop blacklisted sources" connection-state="" src-address-list=blacklist
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1w chain=blacklist comment="Blacklist processing" src-address-list=pre-blacklist4
add action=add-src-to-address-list address-list=pre-blacklist4 address-list-timeout=1m chain=blacklist src-address-list=pre-blacklist3
add action=add-src-to-address-list address-list=pre-blacklist3 address-list-timeout=1m chain=blacklist src-address-list=pre-blacklist2
add action=add-src-to-address-list address-list=pre-blacklist2 address-list-timeout=1m chain=blacklist src-address-list=pre-blacklist1
add action=add-src-to-address-list address-list=pre-blacklist1 address-list-timeout=1m chain=blacklist log=yes log-prefix="pre-bl1: "
add action=return chain=blacklist

The input chain rule "calls" the blacklist subroutine on any new connection to port 22 in this case.

What I like about this method is I can apply it to forward rules as well, such as if I want to rate limit the number of new connections to an RDP server, web server, mail server, or anything else, without duplicating the series of blacklist rules each time.

Adjust the timers as desired.
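A small model of the blacklist chain above, as an added example that is not part of the original post: it walks the rules in their posted order to show how the 1m and 1w timers decide which new connections get dropped. Note that the chain counts new connections to the port, not failed logins. The model assumes that re-adding an address to a list resets its timeout (what the "Refresh blacklist timer" rule relies on); the source address and timings are constructed.

```python
STAGE_TTL = 60                    # address-list-timeout=1m on pre-blacklist1..4
BLACKLIST_TTL = 7 * 24 * 3600     # address-list-timeout=1w on blacklist
STAGES = ["pre-blacklist1", "pre-blacklist2", "pre-blacklist3", "pre-blacklist4"]

class BlacklistChain:
    """Address lists modelled as {list name: {source: expiry time in seconds}}."""

    def __init__(self):
        self.lists = {name: {} for name in STAGES + ["blacklist"]}

    def listed(self, name, src, now):
        return self.lists[name].get(src, 0) > now

    def _add(self, name, src, now, ttl):
        self.lists[name][src] = now + ttl    # assumption: re-adding resets the timeout

    def new_connection(self, src, now):
        """Walk the chain top to bottom for one new connection; return its verdict."""
        if self.listed("blacklist", src, now):
            self._add("blacklist", src, now, BLACKLIST_TTL)   # "Refresh blacklist timer"
            return "drop"                                     # "Drop blacklisted sources"
        # Promotion rules sit highest stage first and add-src-to-address-list does
        # not end rule processing, so one connection moves a source up one stage.
        promotions = list(zip(STAGES, STAGES[1:] + ["blacklist"]))
        for stage, target in reversed(promotions):
            if self.listed(stage, src, now):
                ttl = BLACKLIST_TTL if target == "blacklist" else STAGE_TTL
                self._add(target, src, now, ttl)
        self._add(STAGES[0], src, now, STAGE_TTL)   # final add rule matches every packet
        return "return"                             # action=return: back to the caller

def verdicts(times, src="203.0.113.7"):
    """Verdict for each new connection from `src` arriving at the given times (s)."""
    chain = BlacklistChain()
    return [chain.new_connection(src, t) for t in times]

if __name__ == "__main__":
    for label, times in [("every 10 s", range(0, 60, 10)), ("every 61 s", range(0, 366, 61))]:
        print(label, verdicts(times))
```

With these timers the source is added to the blacklist on its fifth new connection and the sixth is the first one dropped, while a source that stays more than a minute apart never leaves the first stage; lengthening the stage timeouts widens that window.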
 
haik01
Member
Posts: 404
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: How Autoblock IP address

Sun Mar 04, 2018 12:45 am

Are you talking about the login attempts from the local LAN, or from the internet? If it is the first one, very easy. You know what IP that person has (example: 192.168.88.14). You can even maybe know what computer name it is.

Go to manager and complain. Let him sort it out.


If it is the internet thing: Forget it. The list can be SOOOOO long... since the "hackers" use rotating (dynamic) IP addresses. Millions and millions of IPs will be there. How fast was the Mikrotik you are using?

If you are "attacked" then talk to the ISP. If you see from time to time failed login attempts... those are just automatic portscans and automated logins... Not something to worry about if the password is strong. Not like "summer 478", but "Hj7%#nF548)_ ".
