To prevent password bruteforcing your FTP server
Posted: Wed Jul 04, 2007 6:33 pm
by Borage
Here are a few firewall rules to stop/slow down brute forcers from cracking passwords to your FTP server. In this example, the FTP server is the MikroTik router. To protect an FTP server behind MikroTik, you have to use the forward chain instead of the input & output chains.
The initial stage (stage 1) adds the IP address to the temporary address list ftp_stage1 (times out after 1 minute). Thereafter, every login attempt within one minute triggers the next stage (stage 2 - stage 4) until it reaches the last stage (stage 5), which adds the IP address to ftp_blacklist (times out after 1 week).
You have to change in-interface to something else if ether1 is not the network interface card (NIC) connected to the Internet.
This rule drops all listed brute forcers
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers" disabled=no
This rule adds brute forcers to the blacklist (fourth login attempt within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage4 action=add-dst-to-address-list \
address-list=ftp_blacklist address-list-timeout=1w comment="auto-firewall ftp - stage 5" disabled=no
Third login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage3 action=add-dst-to-address-list \
address-list=ftp_stage4 address-list-timeout=1m comment="auto-firewall ftp - stage 4" disabled=no
Second login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage2 action=add-dst-to-address-list \
address-list=ftp_stage3 address-list-timeout=1m comment="auto-firewall ftp - stage 3" disabled=no
First login attempt (within a minute)
/ ip firewall filter
add chain=output content="530 Login incorrect" dst-address-list=ftp_stage1 action=add-dst-to-address-list \
address-list=ftp_stage2 address-list-timeout=1m comment="auto-firewall ftp - stage 2" disabled=no
Initial stage
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 action=add-src-to-address-list \
address-list=ftp_stage1 address-list-timeout=1m comment="auto-firewall ftp - stage 1" disabled=no
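The staged lists above can be modelled in a few lines of Python to check their timing before the rules go onto a router. This is an added example, not code from the post or from MikroTik; the attacker address, the time values and the class and function names are made up for illustration. It assumes that the add-src/dst-to-address-list actions do not stop rule processing (the packet continues to the next rule), which is why the post lists the stage 5 rule first and the stage 2 rule last; the reversed order is run as well to show what that assumption implies.

```python
"""Model of the staged ftp_stage1..ftp_blacklist rules from the post above.
Added example, not from the post or from MikroTik. Assumes add-*-to-address-list
does not terminate rule processing, so the order of the stage rules matters."""
from collections import defaultdict

MINUTE, WEEK = 60, 7 * 24 * 3600          # address-list-timeout=1m / 1w, in seconds
ATTACKER = "203.0.113.7"                  # made-up source address (RFC 5737 test range)

# Output-chain rules in the order the post lists them:
# (list the 530 reply's dst-address must be on, list it is then added to, timeout).
POSTED_ORDER = [
    ("ftp_stage4", "ftp_blacklist", WEEK),    # stage 5: fourth failure within a minute
    ("ftp_stage3", "ftp_stage4", MINUTE),     # stage 4
    ("ftp_stage2", "ftp_stage3", MINUTE),     # stage 3
    ("ftp_stage1", "ftp_stage2", MINUTE),     # stage 2
]


class FtpStageGuard:
    def __init__(self, rules=POSTED_ORDER):
        self.rules = rules
        self.lists = defaultdict(dict)        # list name -> {address: expiry time}

    def _listed(self, name, addr, now):
        return self.lists[name].get(addr, -1) > now

    def _add(self, name, addr, now, ttl):
        self.lists[name][addr] = now + ttl    # re-adding an address refreshes its timeout

    def inbound_to_port_21(self, src, now):
        """Input chain: the drop rule for ftp_blacklist, then the stage-1 rule
        that lists every source talking to port 21 for one minute."""
        if self._listed("ftp_blacklist", src, now):
            return "drop"
        self._add("ftp_stage1", src, now, MINUTE)
        return "accept"

    def reply_530(self, dst, now):
        """Output chain: the router answers '530 Login incorrect' to dst.
        Every rule whose list holds dst fires, in order, and processing
        continues past each add-dst-to-address-list (the assumption above).
        Returns True if dst ended up on ftp_blacklist."""
        for match_list, target_list, ttl in self.rules:
            if self._listed(match_list, dst, now):
                self._add(target_list, dst, now, ttl)
        return self._listed("ftp_blacklist", dst, now)


def attempts_until_blacklisted(times, rules=POSTED_ORDER, attacker=ATTACKER):
    """Each entry in `times` (seconds) is one connection plus one failed login.
    Returns the 1-based attempt that put the attacker on ftp_blacklist, or None."""
    guard = FtpStageGuard(rules)
    for n, t in enumerate(times, 1):
        if guard.inbound_to_port_21(attacker, t) == "accept" and guard.reply_530(attacker, t):
            return n
    return None


if __name__ == "__main__":
    fast = [0, 20, 40, 60]                 # four failures inside one minute
    slow = [0, 70, 140, 210, 280]          # one failure every 70 s: the stage lists keep expiring
    print("posted order, fast  :", attempts_until_blacklisted(fast))   # 4
    print("posted order, slow  :", attempts_until_blacklisted(slow))   # None
    print("reversed order, fast:", attempts_until_blacklisted(fast, rules=list(reversed(POSTED_ORDER))))  # 1
    g = FtpStageGuard()
    for t in fast:
        g.inbound_to_port_21(ATTACKER, t)
        g.reply_530(ATTACKER, t)
    print("a day later         :", g.inbound_to_port_21(ATTACKER, 60 + 86400))    # drop
    print("after one week      :", g.inbound_to_port_21(ATTACKER, 60 + WEEK + 1))  # accept
```

The slow schedule never reaches the blacklist because each stage entry lives only one minute, so an attacker who paces attempts at just over a minute apart stays at stage 2 indefinitely; the one-week blacklist only ever catches fast bursts. The reversed-order run shows why the post puts the stage 5 rule first: with the low stages first, a single 530 reply would walk the address through every list in one pass.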
Re: To prevent password bruteforcing your FTP server
Posted: Wed Jul 04, 2007 10:55 pm
by skillful
You should put it in the wiki.
Re: To prevent password bruteforcing your FTP server
Posted: Thu Jul 05, 2007 3:07 am
by Borage
Maybe, if a native English speaker can correct all my grammar and spelling errors. I would also like some input on whether it is wise to create two new chains and jump the traffic to them (I did that on my own router). I also have a similar solution to protect the SSH server in MikroTik RouterOS from brute-forcing attempts.
Re: To prevent password bruteforcing your FTP server
Posted: Wed Jul 11, 2007 8:41 am
by mrz
Good.
BUT there is a much simpler way to do this (only two rules will be used):
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
/ ip firewall filter
add chain=output action=add-src-to-address-list protocol=tcp content="530 Login incorrect" dst-limit=10/1m,0,dst-address/1m40s address-list=blacklist
The rule above allows only 10 incorrect login answers per minute.
Re: To prevent password bruteforcing your FTP server
Posted: Wed Jul 11, 2007 9:39 am
by Borage
I tried, but the traffic gets blocked after the first login attempt.
Re: To prevent password bruteforcing your FTP server
Posted: Thu Jul 12, 2007 3:18 am
by epproach_lyle
Nice script.
Re: To prevent password bruteforcing your FTP server
Posted: Mon Jul 23, 2007 4:08 pm
by mrz
I tried, but the traffic gets blocked after the first login attempt.
Sorry, my mistake:
/ ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
# accept 10 incorrect logins per minute
/ ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
#add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=blacklist address-list-timeout=3h
This is working correctly. Tested.
Re: To prevent password bruteforcing your FTP server
Posted: Fri Aug 17, 2007 11:53 am
by jorj
Tested and working.
Another way to protect yourself:
Make an account with ONLY ftp permission.
This should not compromise your server too much.
Also, leave the admin account with no rights at all, and make another with a name of your choice.
This should make it even harder for the attacker to get a valid username/password pair for access to your network.
Re: To prevent password bruteforcing your FTP server
Posted: Fri Aug 24, 2007 8:42 am
by mrz
Hi, I'm asking permission to use your script, to be included in a tutorial that I'm about to make...
Yes, you may use this script in your tutorial
Re: To prevent password bruteforcing your FTP server
Posted: Fri Apr 11, 2008 2:50 am
by Mactrekr
mrz,
I can't seem to get your script working at all. I've very carefully entered it and verified it in WinBox. I can still SSH into the box even after as many as 12 failed attempts. Any insight would be appreciated.
Mac
Re: To prevent password bruteforcing your FTP server
Posted: Fri Apr 11, 2008 7:47 am
by Mactrekr
Nevermind, got it working thanks!
Re: To prevent password bruteforcing your FTP server
Posted: Wed Jul 15, 2015 8:08 pm
by joie
I have just tried to implement this script and it is not working.
I used the script from the wiki which omitted the interface reference.
http://wiki.mikrotik.com/wiki/Bruteforc ... ion_%28FTP
Below is the script as I am running it.
add action=drop chain=forward comment="Drop FTP Brute Force" disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=forward comment="" content="530 1326" disabled=no \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=forward comment="" content="530 1326" \
disabled=no protocol=tcp
The MikroTik is not the FTP server, so I have changed the chains from input/output to forward and updated the "530 Login incorrect" to match the response my server gives, but it still doesn't work. I have tried adding the interface as well as using input/output instead of forward, but it doesn't show as seeing any traffic.
Regards,
Joie
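Both mrz's "Tested" and joie's "not working" come down to the same two checks: does the router actually see a reply containing the exact `content=` string, and do connections stop getting answered after the allowed number of failures? The probe below makes that observable. It is an added example, not code from the thread, from MikroTik or from any FTP server; the user name, password, port, limit and the class and function names are made up. It fails logins on purpose with `ftplib` and records, per attempt, either the server's refusal line (the text the `content=` match must contain) or why no reply came back. A small stand-in server is included so it runs offline; against a real setup, run it from outside the router (the rules match `in-interface=ether1`, so attempts from the LAN never hit them) and point it at the FTP host. Note also that `content=` matches the raw packet payload, so a reply inside an FTPS/TLS session is invisible to it and none of these rules can fire.

```python
"""Probe that fails FTP logins on purpose and records what each attempt saw,
plus an offline stand-in for 'router rules + FTP server' so it runs without hardware.
Added example, not from the thread. Against a real target: run it from outside the
router and point it at the FTP host."""
import ftplib
import socket
import socketserver
import threading

BLOCKED = {"closed", "refused", "timeout"}   # outcomes with no FTP reply at all


def attempt_login(host, port, user="probe", password="wrong-on-purpose", timeout=5):
    """One deliberate bad login. Returns the server's refusal line (the exact
    text a content= match must contain) or a tag saying why no reply came."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        return "LOGGED IN"                       # the 'wrong' password was accepted
    except ftplib.error_perm as e:               # 5xx reply, e.g. "530 Login incorrect."
        return str(e)
    except (EOFError, ConnectionResetError):
        return "closed"                          # connection dropped before or while replying
    except ConnectionRefusedError:
        return "refused"                         # TCP RST: reject rule or no listener
    except (socket.timeout, TimeoutError):
        return "timeout"                         # what a silent drop rule looks like
    except OSError as e:
        return f"error: {e}"
    finally:
        ftp.close()


def probe(host, port, attempts, **kw):
    """Back-to-back bad logins; returns one observation string per attempt."""
    return [attempt_login(host, port, **kw) for _ in range(attempts)]


def first_blocked(observations):
    """1-based index of the first attempt that got no FTP reply, or None."""
    for n, obs in enumerate(observations, 1):
        if obs in BLOCKED:
            return n
    return None


class FakeFtpHandler(socketserver.StreamRequestHandler):
    """Stand-in for the real target (made up for this example): answers 530 to
    every PASS and, once a client address has collected `limit` failures, closes
    new connections without a banner, which is how a drop rule looks from outside."""
    def handle(self):
        srv, ip = self.server, self.client_address[0]
        with srv.lock:
            if srv.limit is not None and srv.failures.get(ip, 0) >= srv.limit:
                return
        self.wfile.write(b"220 fake ftp\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.split()[0].upper() if line.split() else b""
            if cmd == b"USER":
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == b"PASS":
                with srv.lock:
                    srv.failures[ip] = srv.failures.get(ip, 0) + 1
                self.wfile.write(srv.reply_530 + b"\r\n")
            elif cmd == b"QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_fake_server(reply_530=b"530 Login incorrect.", limit=None):
    """Starts the stand-in on 127.0.0.1 and returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeFtpHandler)
    srv.daemon_threads = True
    srv.reply_530, srv.limit, srv.failures, srv.lock = reply_530, limit, {}, threading.Lock()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # Stand-in configured like joie's server (replies "530 1326") behind a rule that
    # blacklists after three failures; five probes should show 3 x 530, then drops.
    srv, port = start_fake_server(b"530 1326", limit=3)
    seen = probe("127.0.0.1", port, 5)
    for n, obs in enumerate(seen, 1):
        print(f"attempt {n}: {obs}")
    print("first blocked attempt:", first_blocked(seen))
    srv.shutdown()
    srv.server_close()
```

Run against a real router, the first attempts print the server's own 530 line verbatim; if that line is not what the `content=` parameter says, the add-to-address-list rule can never match, which is the first thing to compare when the counters stay at zero. Once the rule fires, later attempts come back as `timeout` (drop) or `refused` (reject), and the attempt number where that starts is the effective limit.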
Re: To prevent password bruteforcing your FTP server
Posted: Mon Oct 26, 2015 1:10 pm
by mamadmade
Does anyone know how to have the result of these rules sent by email, some kind of mail report from it? Thanks a lot to anyone who can help me.