Script to add IP's to firewall blocklist (DROP)
Posted: Wed Apr 19, 2006 6:30 pm
by johnsk
Hi all,
does anyone have a script to block (DROP) a certain IP after 3 (or any number) of invalid SSH/FTP attempts? I added some IP's manually to the firewall (IP -> FIREWALL -> Filter rules -> ... -> Action DROP) but sometimes I don't have time to check out the log manually.
I am asking because lately my RB532's are under attack from quite a few IP's trying out combinations of user names/passwords and I don't have time to block every IP manually.
Can someone help?
Thank you in advance
john
Posted: Wed Apr 19, 2006 9:38 pm
by Gotmoh
Isn't it easier to use an address list containing only the valid admin IPs that have rights to access your RouterBoard?
Posted: Wed Apr 19, 2006 9:49 pm
by changeip
Or just use strong passwords and allow them to keep getting dropped on their own. Or just change the SSH port if you are tired of seeing them.
Sam
Posted: Thu Apr 20, 2006 1:17 pm
by maroon
You can, of course, by adding some rules to your input chain
with action tarpit and action add to address list (let's say a kind of IDS)
4 ;;; detect and drop port scan connections
chain=input protocol=tcp psd=21,3s,3,1 action=drop
5 ;;; suppress DoS attack
chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit
6 ;;; detect DoS attack
chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d
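An added example, not part of any post in this thread: a staged address-list rule set that blocks a source after repeated new SSH/FTP connections and reuses the `black_list` name from the rules above. The `admins` and `login_stage1`..`login_stage3` list names, the timeouts, and the 192.0.2.10 address are assumptions chosen for illustration.

```routeros
# Added example. List names, timeouts and the sample address are assumptions.
/ip firewall address-list
add list=admins address=192.0.2.10 comment="constructed sample admin address"

/ip firewall filter
# Known admin addresses skip the counting rules entirely.
add chain=input protocol=tcp dst-port=21,22 src-address-list=admins \
    action=accept comment="admins: always allow SSH/FTP"

# Sources already on black_list never reach the service.
add chain=input protocol=tcp dst-port=21,22 src-address-list=black_list \
    action=drop comment="drop blocked sources"

# Rules are evaluated top to bottom, so the highest stage is checked first.
# 4th new connection inside the window: source is in stage3, block it for a day.
add chain=input protocol=tcp dst-port=21,22 connection-state=new \
    src-address-list=login_stage3 action=add-src-to-address-list \
    address-list=black_list address-list-timeout=1d comment="stage3 -> black_list"

# 3rd new connection: source is in stage2, promote to stage3 for one minute.
add chain=input protocol=tcp dst-port=21,22 connection-state=new \
    src-address-list=login_stage2 action=add-src-to-address-list \
    address-list=login_stage3 address-list-timeout=1m comment="stage2 -> stage3"

# 2nd new connection: source is in stage1, promote to stage2 for one minute.
add chain=input protocol=tcp dst-port=21,22 connection-state=new \
    src-address-list=login_stage1 action=add-src-to-address-list \
    address-list=login_stage2 address-list-timeout=1m comment="stage1 -> stage2"

# 1st new connection from an unknown source: start counting.
add chain=input protocol=tcp dst-port=21,22 connection-state=new \
    action=add-src-to-address-list address-list=login_stage1 \
    address-list-timeout=1m comment="new source -> stage1"
```

These rules count new TCP connections, not failed logins, so they need to sit above any general accept rule in the input chain, and legitimate users who reconnect quickly should be on the `admins` list.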
Re: Script to add IP's to firewall blocklist (DROP)
Posted: Sun Apr 30, 2006 7:10 am
by balimore
Hi all,
does anyone have a script to block (DROP) a certain IP after 3 (or any number) of invalid SSH/FTP attempts? I added some IP's manually to the firewall (IP -> FIREWALL -> Filter rules -> ... -> Action DROP) but sometimes I don't have time to check out the log manually.
I am asking because lately my RB532's are under attack from quite a few IP's trying out combinations of user names/passwords and I don't have time to block every IP manually.
Can someone help?
Thank you in advance
john
-------------------------------------------------------------------------------------
Hello All,
Just manage the submenu [/ip service]; this is a simple solution to protect your router.
Peace all
Balimore DOT com
-------------------------------------------------------------------------------------