Prevent PPPoE from doing brute force
Posted: Mon Mar 19, 2018 8:26 pm
Hello everyone,
I tried to find out more about it but couldn't find much information. I have a CCR1036-8G-2S+ that I use for my PPPoE clients. Everything works fine, but I'm having some security issues with some of my clients lately. I think that a couple of my PPPoE clients are infected and are now part of some botnet. Their IP addresses keep doing SSH brute-force logins against random IPs 24 hours a day. I have already informed those clients, but I was wondering if there is a firewall rule I could implement that wouldn't compromise normal traffic but would stop my clients from brute-forcing other MikroTik routers around the globe.
Thanks in advance and sorry for my english.
PS: Here are my configs:
I tried to find out more about it but couldn't find much information. I have a CCR1036-8G-2S+ that I use for my PPPoE clients. Everything works fine, but I'm having some security issues with some of my clients lately. I think that a couple of my PPPoE clients are infected and are now part of some botnet. Their IP addresses keep doing SSH brute-force logins against random IPs 24 hours a day. I have already informed those clients, but I was wondering if there is a firewall rule I could implement that wouldn't compromise normal traffic but would stop my clients from brute-forcing other MikroTik routers around the globe.
Thanks in advance and sorry for my english.
PS: Here are my configs:
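# mar/19/2018 15:17:45 by RouterOS 6.39.1
# software id = M9EZ-CWEV
#
# Partial export (/ip firewall only): address-list, filter and nat sections.
# Every X.X.X.X below is a redaction carried over from the original post, not a
# real address; continuation lines ending in "\" are part of the preceding rule.
/ip firewall address-list
# Resolvers considered trusted by the two "DNS ataque" forward rules further
# down (both of those rules are currently disabled).
add address=8.8.8.8 comment=Google list=DNS_Confiavel
add address=8.8.4.4 comment=Google list=DNS_Confiavel
add address=179.103.31.7 comment="NIP BR" list=DNS_Confiavel
add address=200.205.125.57 comment=Telefonica list=DNS_Confiavel
add address=200.205.125.58 comment=Telefonica disabled=yes list=DNS_Confiavel
add address=189.38.95.95 comment="IPV6 Internet Ltda." disabled=yes list=\
DNS_Confiavel
add address=X.X.X.X/20 comment="IPV6 Internet Ltda." disabled=yes list=\
DNS_Confiavel
add address=192.168.1.2 comment=pedreira disabled=yes list=DNS_Confiavel
# NOTE(review): filter rules below reference the lists Redes_Infortel and
# BloqAtaque, but no static entries for either appear in this export. An
# empty or missing list makes src-address-list=!Redes_Infortel match every
# source. The rules using them are currently disabled; the entries may be
# dynamic or added elsewhere — confirm before enabling those rules.
/ip firewall filter
# --- Outbound SSH brute-force containment for PPPoE clients (added) ---
# Constructed rules, placed first in the forward chain so they run before the
# per-subnet accept rules below. They examine only NEW TCP/22 connections that
# arrive on a PPP-type interface (PPPoE sessions); every other flow is left
# untouched. A client that opens more than three new SSH connections within
# one minute is put on ssh_bf_out for one day, and only its further TCP/22
# traffic is dropped. add-src-to-address-list does not terminate evaluation,
# so a flow that is merely being counted still reaches the later accept rules.
# Thresholds and timeouts are starting points to tune for your subscribers.
# Offending clients are visible with:
#   /ip firewall address-list print where list=ssh_bf_out
add action=drop chain=forward comment="SSH brute force saida - drop listados" \
dst-port=22 in-interface=all-ppp protocol=tcp src-address-list=ssh_bf_out
add action=add-src-to-address-list address-list=ssh_bf_out \
address-list-timeout=1d chain=forward comment="SSH brute force saida - etapa 3" \
connection-state=new dst-port=22 in-interface=all-ppp protocol=tcp \
src-address-list=ssh_bf_stage3
add action=add-src-to-address-list address-list=ssh_bf_stage3 \
address-list-timeout=1m chain=forward comment="SSH brute force saida - etapa 2" \
connection-state=new dst-port=22 in-interface=all-ppp protocol=tcp \
src-address-list=ssh_bf_stage2
add action=add-src-to-address-list address-list=ssh_bf_stage2 \
address-list-timeout=1m chain=forward comment="SSH brute force saida - etapa 1" \
connection-state=new dst-port=22 in-interface=all-ppp protocol=tcp \
src-address-list=ssh_bf_stage1
add action=add-src-to-address-list address-list=ssh_bf_stage1 \
address-list-timeout=1m chain=forward comment="SSH brute force saida - etapa 0" \
connection-state=new dst-port=22 in-interface=all-ppp protocol=tcp
# --- Original rules (unchanged) ---
# Unconditional forward accepts for the CMTS (cable) subnets, matched by
# source or by destination. Anything accepted here never reaches the rules
# further down.
add action=accept chain=forward comment="NAT ARRIS C3" disabled=yes \
src-address=10.35.0.0/23
add action=accept chain=forward disabled=yes dst-address=10.35.0.0/23
add action=accept chain=forward comment="NAT BSR 1000" src-address=\
10.37.0.0/23
add action=accept chain=forward dst-address=10.37.0.0/23
add action=accept chain=forward comment="NAT UBR2 CARAGUA" src-address=\
10.40.0.0/16
add action=accept chain=forward dst-address=10.40.0.0/16
add action=accept chain=forward comment="NAT UBR1 CARAGUA" src-address=\
10.41.0.0/23
add action=accept chain=forward dst-address=10.41.0.0/23
add action=accept chain=forward comment="NAT UBR3 CARAGUA" src-address=\
10.44.0.0/16
add action=accept chain=forward dst-address=10.44.0.0/16
# A redacted /30 is accepted in both directions on forward and on input.
add action=accept chain=forward comment=";;;;" src-address=X.X.X.X/30
add action=accept chain=input src-address=X.X.X.X/30
add action=accept chain=forward dst-address=X.X.X.X/30
add action=accept chain=input dst-address=X.X.X.X/30
# Stateful accepts: input gets established and related, forward only
# established (no "related" accept on forward in this export).
add action=accept chain=input comment=\
"Libera Pacotes Relacionados e Estabelecidos" connection-state=\
established
add action=accept chain=input connection-state=related
add action=accept chain=forward comment=\
"Libera Pacotes Relacionados e Estabelecidos no Forward" \
connection-state=established
# "seguranca" chain: the jump and the drop of invalid connections are both
# disabled, so invalid packets are not dropped anywhere in this export.
add action=jump chain=input comment=seguranca disabled=yes jump-target=\
seguranca
add action=drop chain=seguranca connection-state=invalid disabled=yes
# "virus" chain (NetBIOS/SMB ports 135-139) — jumps and members all disabled.
add action=jump chain=input comment="############################## PROTECAO C\
ONTRA VIRUS E PORTAS COMUNS ################################" disabled=\
yes jump-target=virus
add action=jump chain=forward disabled=yes jump-target=virus
add action=drop chain=input disabled=yes protocol=udp
add action=drop chain=virus disabled=yes protocol=tcp src-port=135-139
add action=drop chain=virus disabled=yes protocol=udp src-port=135-139
add action=drop chain=virus disabled=yes dst-port=135-139 protocol=tcp
add action=drop chain=virus disabled=yes dst-port=135-139 protocol=udp
# Per-host TCP drops (disabled). The first three match only when source and
# destination are the same address.
add action=drop chain=forward disabled=yes dst-address=236.220.127.189 \
protocol=tcp src-address=236.220.127.189
add action=drop chain=forward disabled=yes dst-address=128.30.52.37 protocol=\
tcp src-address=128.30.52.37
add action=drop chain=forward disabled=yes dst-address=64.78.30.206 protocol=\
tcp src-address=64.78.30.206
add action=drop chain=forward disabled=yes dst-address=X.X.X.X \
protocol=tcp src-address=X.X.X.X
add action=drop chain=forward disabled=yes dst-address=X.X.X.X \
protocol=tcp
add action=drop chain=forward disabled=yes dst-address=X.X.X.X protocol=\
tcp
# Port 25 egress block (CGI.br resolution) — disabled.
add action=drop chain=forward comment="Resolu\E7\E3o CGI.br/RES/2009/002/P" \
disabled=yes dst-port=25 protocol=udp
add action=drop chain=forward comment="Resolu\E7\E3o CGI.br/RES/2009/002/P" \
disabled=yes dst-port=25 protocol=tcp
add action=drop chain=input comment="DNS - Bloqueio Inputs Externos" \
disabled=yes dst-port=53 protocol=udp src-address-list=!Redes_Infortel
# NOTE(review): the comment talks about DHCP / UDP 67, but the rule actually
# ACCEPTS TCP dst-port=22 on forward from any interface to any interface.
# It is disabled; verify the intent before ever enabling it, since it would
# bypass the SSH containment rules placed above.
add action=accept chain=forward comment=\
"Bloqueio de Ataque UDP(67) - Porta de DHCP" disabled=yes dst-port=22 \
in-interface-list=all out-interface-list=all protocol=tcp
add action=drop chain=forward comment="Bloqueia DDOS - Rede: 190.115.16.0/20" \
disabled=yes src-address=190.115.16.0/20 src-address-list=!Redes_Infortel
add action=accept chain=input comment="DNS - Libera Inputs Internos" \
disabled=yes dst-port=53 protocol=udp src-address-list=Redes_Infortel
add action=drop chain=forward comment="Bloqueia DDOS - Rede: 82.98.128.0/18" \
disabled=yes src-address=82.98.128.0/18 src-address-list=!Redes_Infortel
add action=drop chain=input comment="Bloqueia Input - China Telecom" \
disabled=yes src-address-list=BloqAtaque
# Open-resolver abuse rules: drop UDP/53 unless the destination (first rule)
# or the source (second rule) is in DNS_Confiavel — both disabled.
add action=drop chain=forward comment="DNS ataque" disabled=yes \
dst-address-list=!DNS_Confiavel dst-port=53 protocol=udp
add action=drop chain=forward comment="DNS ataque" disabled=yes dst-port=53 \
protocol=udp src-address-list=!DNS_Confiavel
# Only enabled drop in the chain: SSDP with BOTH src-port and dst-port 1900.
add action=drop chain=forward comment=DDoS dst-port=1900 protocol=udp \
src-port=1900
# NOTE(review): no final drop is visible on the input chain in this export;
# access to the router itself relies on whatever precedes these rules — confirm.
/ip firewall nat
add action=src-nat chain=srcnat comment="CMTS NAT UBR 3 CARAGUA" src-address=\
10.44.0.0/16 to-addresses=X.X.X.X
add action=src-nat chain=srcnat comment="REGRA - CMTS" src-address=\
172.18.1.0/28 to-addresses=X.X.X.X
add action=src-nat chain=srcnat comment="CMTS ARRIS C3" disabled=yes \
src-address=10.35.0.0/23 to-addresses=X.X.X.X
add action=src-nat chain=srcnat comment="CMTS NAT UBR2 CARAGUA" src-address=\
10.40.0.0/16 to-addresses=X.X.X.X
# NOTE(review): this NAT rule covers 10.41.0.0/16, while the forward accept
# rules for "NAT UBR1 CARAGUA" use 10.41.0.0/23 — confirm which prefix is
# intended so the filter and NAT scopes agree.
add action=src-nat chain=srcnat comment="CMTS NAT UBR1 CARAGUA" src-address=\
10.41.0.0/16 to-addresses=X.X.X.X
add action=src-nat chain=srcnat comment="CMTS UBR 2 UBATUBA" disabled=yes \
src-address=10.38.0.0/21 to-addresses=X.X.X.X
add action=masquerade chain=srcnat comment="REGRA - CLIENTE" disabled=yes \
out-interface="bridge1 ASSINANTES HFC" src-address=192.168.0.0/24 \
to-addresses=X.X.X.X
# Port forwards. If the redacted dst-address values are public, VNC and the
# "DIGITAL SQL" forward on TCP/1433 are reachable from any source; consider
# restricting them with src-address / src-address-list and watching them for
# login attempts, since these services are common brute-force targets.
add action=dst-nat chain=dstnat comment=VNC dst-address=X.X.X.X dst-port=\
49768 protocol=tcp to-addresses=X.X.X.X to-ports=49768
add action=dst-nat chain=dstnat comment=VNC dst-address=X.X.X.X dst-port=\
49771 protocol=tcp to-addresses=X.X.X.X to-ports=49771
add action=dst-nat chain=dstnat comment=VNC dst-address=X.X.X.X dst-port=\
49790 protocol=tcp to-addresses=X.X.X.X to-ports=49790
add action=dst-nat chain=dstnat comment=DIGITAL dst-address=X.X.X.X \
dst-port=49770 protocol=tcp to-addresses=X.X.X.X to-ports=49770
add action=dst-nat chain=dstnat comment=DIGITAL dst-address=X.X.X.X \
dst-port=6060 protocol=tcp to-addresses=172.18.1.5 to-ports=6060
add action=dst-nat chain=dstnat comment="DIGITAL SQL" dst-address=X.X.X.X \
dst-port=1433 protocol=tcp to-addresses=X.X.X.X to-ports=1433
add action=masquerade chain=srcnat comment="CONDOMINIO COSTA NOVA" \
src-address=X.X.X.X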