Adapt FTP brute force banning rules for LT2P/IPSEC

Posted: Thu Dec 16, 2021 12:16 pm
by grumpazoid
I have seen on another post that someone was able to adapt the rules from https://wiki.mikrotik.com/wiki/Brutefor ... prevention

So far I have:
add chain=input protocol=tcp dst-port=500 src-address-list=vpn_blacklist action=drop \
comment="drop ipsec brute forcers"

But I am stuck with adapting the next part
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

How do I know what the tcp output is for a failed IPSEC connection? I can see the failed connection in the log - it says "parsing packet failed, possible cause: wrong password"

Re: Adapt FTP brute force banning rules for LT2P/IPSEC  [SOLVED]

Posted: Thu Dec 16, 2021 3:52 pm
by grumpazoid
OK, managed to solve this by adapting the second rule set in the Mikrotik Wiki.

On each IPSEC connection 2 packets are seen on port 500 so I've made use of the Nth rule to take this into account.
Also removed connection-state=new as this prevented seeing any packets after the first attempt.

These rules go before anything else on the input chain.

/ip firewall filter
add action=drop chain=input comment="drop VPN brute forcers" dst-port=500 \
    protocol=udp src-address-list=VPN_blacklist
add action=add-src-to-address-list address-list=VPN_blacklist \
    address-list-timeout=4w2d chain=input connection-state="" dst-port=500 \
    nth=2,2 protocol=udp src-address-list=VPN_stage3
add action=add-src-to-address-list address-list=VPN_stage3 \
    address-list-timeout=1m chain=input connection-state="" dst-port=500 nth=\
    2,2 protocol=udp src-address-list=VPN_stage2
add action=add-src-to-address-list address-list=VPN_stage2 \
    address-list-timeout=1m chain=input connection-state="" dst-port=500 nth=\
    2,2 protocol=udp src-address-list=VPN_stage1
add action=add-src-to-address-list address-list=VPN_stage1 \
    address-list-timeout=1m chain=input connection-state="" dst-port=500 nth=\
    2,2 protocol=udp
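To see what the staged lists above actually count, here is an added Python model of that chain (my own example, not MikroTik's code or the poster's). It reflects three properties of the rules as written: the nth counter is kept per rule, not per source address; add-src-to-address-list is a passthrough action, so the later rules still run for the same packet; and every rule matches any UDP/500 input packet, so four two-packet attempts inside the one-minute windows put a source on VPN_blacklist whether or not any password was wrong. The client addresses and packet timing are constructed, and the model assumes that re-adding an existing dynamic entry refreshes its timeout.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    src_list: str         # src-address-list to match; "" means any source
    add_to: str           # address-list the source is added to
    timeout: int          # address-list-timeout in seconds
    nth: int = 2          # nth=2,2: fire on every 2nd packet this rule sees
    seen: int = 0         # the nth counter is per rule, shared by all sources

class Firewall:
    def __init__(self):
        self.lists = {}  # list name -> {src_ip: expiry time}
        # The post's chain in firewall order; the blacklist drop is checked first.
        self.rules = [
            Rule("VPN_stage3", "VPN_blacklist", 30 * 86400),  # 4w2d
            Rule("VPN_stage2", "VPN_stage3", 60),
            Rule("VPN_stage1", "VPN_stage2", 60),
            Rule("", "VPN_stage1", 60),
        ]

    def in_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def packet(self, ip, now):
        """Run one UDP/500 input packet through the chain and return the verdict."""
        if self.in_list("VPN_blacklist", ip, now):
            return "drop"
        for rule in self.rules:  # add-src-to-address-list is passthrough
            if rule.src_list and not self.in_list(rule.src_list, ip, now):
                continue
            rule.seen += 1
            if rule.seen % rule.nth == 0:
                # Assumption: re-adding an existing entry refreshes its timeout.
                self.lists.setdefault(rule.add_to, {})[ip] = now + rule.timeout
        return "accept"

def attempts(ip, count, gap):
    """Constructed traffic: one client, `count` IKE attempts of two packets, `gap` s apart."""
    return [(i * gap + j, ip) for i in range(count) for j in (0, 1)]

def simulate(packets):
    """packets: list of (time_seconds, src_ip); returns verdicts and the firewall state."""
    fw = Firewall()
    return [fw.packet(ip, t) for t, ip in packets], fw

if __name__ == "__main__":
    for gap in (10, 70):  # 198.51.100.7 is a constructed client address
        verdicts, _ = simulate(attempts("198.51.100.7", 5, gap))
        print(f"attempts {gap}s apart:", verdicts.count("drop"), "packets dropped")
```

Running it shows the same client blacklisted after its fourth attempt when reconnecting every 10 s and never blacklisted when reconnecting every 70 s; with two sources sending one packet each, the shared nth counter puts only the second source into VPN_stage1.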

Re: Adapt FTP brute force banning rules for LT2P/IPSEC

Posted: Fri Dec 17, 2021 8:22 pm
by inteq
The problem is if a user reconnects/disconnects too fast, it will end up in the blacklist also.

Re: Adapt FTP brute force banning rules for LT2P/IPSEC

Posted: Fri Dec 17, 2021 9:01 pm
by grumpazoid
That is true.
Maybe there is a way to detect only unsuccessful logins? Would be glad to hear of any alternative solutions.

Re: Adapt FTP brute force banning rules for LT2P/IPSEC

Posted: Fri Dec 17, 2021 11:02 pm
by R1CH
Remember UDP is connectionless, the source address can be spoofed. Using this, anyone with knowledge of your blacklist can now force you to blacklist arbitrary IP addresses. If your legit VPN endpoint IPs are discovered your anti-brute-force is now a DoS vector.

Re: Adapt FTP brute force banning rules for LT2P/IPSEC

Posted: Mon Dec 20, 2021 11:50 am
by grumpazoid
Thanks. Seems I need a way to actually detect failed logins. I will keep searching.