kwagga
Frequent Visitor
Topic Author
Posts: 92
Joined: Sun Aug 28, 2011 11:49 pm
Location: Pretoria, South Africa

[Firewall] Drop rule from address-list not working.

Mon Aug 26, 2013 11:15 am

Hi Guys,

I'm trying to drop incoming connections to my router, which are not listed in an address list, but for some reason the below rule isn't working.

What am I missing?

Any help would be greatly appreciated!

Firewall Filter:

0 ;;; Drop SSH connection from Non-RSA IP's
chain=input action=drop protocol=tcp src-address-list=!RSA-IP-BLOCKS src-port=22


Firewall Address Lists:

# LIST ADDRESS
0 RSA-IP-BLOCKS 41.0.0.0/11
1 RSA-IP-BLOCKS 41.48.0.0/13
2 RSA-IP-BLOCKS 41.56.0.0/16
3 RSA-IP-BLOCKS 41.57.0.0/18
4 RSA-IP-BLOCKS 41.57.112.0/22
5 RSA-IP-BLOCKS 41.57.128.0/18
6 RSA-IP-BLOCKS 41.61.0.0/16
7 RSA-IP-BLOCKS 41.63.64.0/18
8 RSA-IP-BLOCKS 41.66.64.0/18
9 RSA-IP-BLOCKS 41.66.128.0/18
10 RSA-IP-BLOCKS 41.71.0.0/17
11 RSA-IP-BLOCKS 41.72.128.0/19
12 RSA-IP-BLOCKS 41.73.32.0/19
13 RSA-IP-BLOCKS 41.74.96.0/20
14 RSA-IP-BLOCKS 41.74.144.0/20
15 RSA-IP-BLOCKS 41.74.176.0/20
16 RSA-IP-BLOCKS 41.74.192.0/20
17 RSA-IP-BLOCKS 41.74.224.0/20
18 RSA-IP-BLOCKS 41.75.96.0/20
19 RSA-IP-BLOCKS 41.75.128.0/20
20 RSA-IP-BLOCKS 41.75.224.0/20
[SNIP]

LOG:
09:59:43 system,error,critical login failure for user someuser from 78.47.79.193 via ssh

78.0.0.0 is definitely not a South African IP range.
 
balanila
just joined
Posts: 16
Joined: Sun Aug 25, 2013 12:45 pm
Location: Moldova, Chishinev

Re: [Firewall] Drop rule from address-list not working.

Mon Aug 26, 2013 11:20 am

maybe dst-port=22 ?
 
kwagga
Frequent Visitor
Topic Author

Re: [Firewall] Drop rule from address-list not working.

Mon Aug 26, 2013 11:42 am

maybe dst-port=22 ?
Strange, I originally used dst-port and it didn't seem to work... but after trying from a different international IP, now it works... Maybe I just wasn't paying attention.

Anyhow, it's working now.


If anyone knows of a better/optimized way to do the above, please let me know!

I originally had SSH blacklist rules (obtained from the MikroTik site) but after the recent spate of SSH attempts on my router from several different IP's, simple SSH blacklisting won't work as well.
 
kwagga
Frequent Visitor
Topic Author

Re: [Firewall] Drop rule from address-list not working.

Mon Aug 26, 2013 12:14 pm

For those who wish to filter SSH (or anything else) connections based on geographic IP addresses...

Here is the command:

/ip firewall filter add chain=input action=drop protocol=tcp src-address-list=!RSA-IP-BLOCKS in-interface=all-ppp dst-port=22

Be sure to name your address lists and WAN interface to something else.

The above rule will filter/drop inbound IP's, that are NOT in the address list.

To obtain the country IP address blocks, just do a Google search, but here is one of the many sites out there: http://ipinfodb.com/ip_country_block.php

To import the lists, there are several scripts on the MikroTik site that can help, otherwise PM me.
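
The difference between the rule as first posted (src-port=22) and the corrected one (dst-port=22), worked through as an added example that is not part of the original posts: a small Python model of the three matchers involved, run against the source address from the log line in the first post. The client port 51514 and the address 41.10.20.30 are constructed, and the model covers only these matchers, not RouterOS itself.

```python
import ipaddress
import re

# A few RSA-IP-BLOCKS entries copied from the thread (the full list is longer).
ADDRESS_LISTS = {
    "RSA-IP-BLOCKS": [ipaddress.ip_network(n) for n in
                      ("41.0.0.0/11", "41.48.0.0/13", "41.56.0.0/16")],
}

# The rule as first posted (src-port) and as corrected (dst-port).
RULE_POSTED = {"protocol": "tcp", "src-address-list": "!RSA-IP-BLOCKS", "src-port": "22"}
RULE_FIXED = {"protocol": "tcp", "src-address-list": "!RSA-IP-BLOCKS", "dst-port": "22"}


def log_source_ip(line):
    """Pull the remote address out of an SSH login-failure log line."""
    m = re.search(r"login failure for user \S+ from (\S+) via ssh", line)
    return m.group(1) if m else None


def rule_matches(rule, pkt):
    """True only if every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "src-address-list":
            negate = want.startswith("!")
            ip = ipaddress.ip_address(pkt["src-address"])
            listed = any(ip in net for net in ADDRESS_LISTS[want.lstrip("!")])
            if listed == negate:  # "!" inverts the list membership test
                return False
        elif str(pkt[key]) != want:  # protocol, src-port, dst-port
            return False
    return True


def ssh_attempt(src, client_port=51514):
    """Constructed inbound SSH packet: the client's source port is ephemeral,
    the router's SSH service is destination port 22."""
    return {"protocol": "tcp", "src-address": src,
            "src-port": client_port, "dst-port": 22}


if __name__ == "__main__":
    line = ("09:59:43 system,error,critical login failure "
            "for user someuser from 78.47.79.193 via ssh")
    pkt = ssh_attempt(log_source_ip(line))
    print("posted rule drops it:", rule_matches(RULE_POSTED, pkt))
    print("fixed rule drops it: ", rule_matches(RULE_FIXED, pkt))
    print("listed source dropped:", rule_matches(RULE_FIXED, ssh_attempt("41.10.20.30")))
```

The posted rule never matches an ordinary inbound SSH connection because 22 is the destination port on the router, while the remote client connects from an arbitrary source port.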
 
AndreasA
just joined
Posts: 1
Joined: Tue Mar 28, 2023 12:19 pm

Re: [Firewall] Drop rule from address-list not working.

Tue Mar 28, 2023 12:21 pm

Another vendor that allows you to get plenty of information about an IP address is ipbase.com. You need an API key but there is a free plan with 150 requests per month.
Last edited by AndreasA on Tue Mar 28, 2023 12:23 pm, edited 1 time in total.
