 
sonoracomm
just joined
Topic Author
Posts: 7
Joined: Mon Dec 03, 2012 12:38 am

Botnet - Brute Force Rules Help, Please

Tue Dec 09, 2014 11:07 pm

Hi,

Our primary router is under attack by a botnet. I see this sort of message at the router console:

[admin@my-router] > /
echo: system,error,critical login failure for user ftpuser from 91.135.238.186 via ssh
[admin@my-router] > /
echo: system,error,critical login failure for user admin from 91.135.238.186 via ssh
[admin@my-router] > /
echo: system,error,critical login failure for user D-Link from 91.135.238.186 via ssh

Always in a series of three. Always the same usernames. Always from a new IP address.

My regular SSH brute-force rules don't kick in until four attempts and then only with a temporary ban.

Does anyone know how I could write rules to catch this attack and set a longer (or permanent) ban?

Thanks,

G
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Botnet - Brute Force Rules Help, Please

Wed Dec 10, 2014 8:20 am

It's working correctly. If you would like to stop it immediately, set the tarpit rule on the required tcp ports and drop on udp. But then you will not be able to log in either. So you can implement port knocking. For a longer blocking time of the ip, just raise the address list timeout. Or regularly change dynamic records of the address list to static.

How many records of attack attempts do you see per hour?
 
sonoracomm
just joined
Topic Author
Posts: 7
Joined: Mon Dec 03, 2012 12:38 am

Re: Botnet - Brute Force Rules Help, Please

Wed Dec 10, 2014 6:44 pm

Hi,

I don't understand "It's working correctly." But thank you for your response.

I estimate I'm getting about 200 attempts per hour with 3 attempts per (source, attacker) IP address and the same three usernames being attempted by all attackers.

Overnight, the usernames have changed to 'root', 'guest' and 'admin' but the attack continues.

I decided to modify my existing SSH brute force rules to trigger after only three attempts and to last for 10 days. I'm sure there will be a price to pay...

Any better ideas, anyone?

Thanks in advance,

G
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Botnet - Brute Force Rules Help, Please

Wed Dec 10, 2014 9:26 pm

Skip one aging rule to have only two accepted attempts instead of three. Add rules that drop all udp from listed ip addresses and tarpit all tcp. A few hundred per hour is nothing. Only thousands per second could mean something.

And correctly means as designed.
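The staged address-list approach jarda is adjusting here, written out as an added example (not the OP's rules or anything posted in the thread). It assumes SSH still listens on tcp/22 and uses the list names ssh_stage1, ssh_stage2 and ssh_blacklist, all arbitrary. With two stages instead of three, the third new SSH connection from one source lands in the blacklist for 10 days; blacklisted sources then get tarpit on all TCP and drop on UDP, as suggested above.

```routeros
# Added example, not the poster's configuration. Assumes SSH on tcp/22 and
# the list names ssh_stage1, ssh_stage2, ssh_blacklist (all arbitrary).
/ip firewall filter
# 1. Already-listed sources: tarpit TCP (keeps the attacker's socket busy
#    without a tracked connection on our side), drop everything UDP.
add chain=input src-address-list=ssh_blacklist protocol=tcp \
    action=tarpit comment="tarpit tcp from ssh brute forcers"
add chain=input src-address-list=ssh_blacklist protocol=udp \
    action=drop comment="drop udp from ssh brute forcers"
# 2. Staging, most advanced stage first. A new SSH connection from a source
#    already in stage2 is its third attempt: blacklist it for 10 days.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="3rd attempt -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m \
    comment="2nd attempt -> stage2"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="1st attempt -> stage1"
```

The tarpit/drop rules sit first so every later packet from a listed source is caught regardless of port. The counters fire on new TCP connections, not on failed logins: a bot that tries three usernames inside one SSH session advances only one stage, which is one reason connection-based rules can look like they "don't kick in". Inspect the lists with `/ip firewall address-list print where list=ssh_blacklist`; if tarpit worries you, `action=drop` on the first rule is the conservative substitute.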
 
coylh
Member Candidate
Posts: 159
Joined: Tue Jul 12, 2011 12:11 am

Re: Botnet - Brute Force Rules Help, Please

Thu Dec 11, 2014 6:23 am

Use ssh keys and ignore the login attempts.
 
jp
Long time Member
Posts: 611
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine

Re: Botnet - Brute Force Rules Help, Please

Fri Dec 12, 2014 6:21 pm

Using keys doesn't stop attempts, just stops login error messages.

The ideal thing is not to expose management access to the whole Internet. Block everything with the input chain, then allow it from the netblocks/static IP/vpn IP you want to have such access. All this tarpitting stuff, while it works, is sort of Rube Goldberg-ish.

This is what I do. If it's not in the netblocks address list, it is rejected. The address list has the internal netblock like 192.168.x.x and external netblocks or static IPs which I'd use for management access.
/ip firewall filter
add action=reject chain=input dst-port=21-23,80,8291 protocol=tcp src-address-list=!netblocks
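The same idea as a complete input chain, added here as an example rather than jp's full configuration. The netblocks list is populated with placeholder ranges (192.168.0.0/16 for the LAN, plus two documentation-range addresses standing in for an office IP and a VPN pool), and the reject rule is preceded by the state rules a working input chain needs.

```routeros
# Added example extending the single rule above; not the poster's full config.
# The "netblocks" entries are placeholders for your own trusted ranges.
/ip firewall address-list
add list=netblocks address=192.168.0.0/16 comment="internal LAN"
add list=netblocks address=203.0.113.10/32 comment="office static IP (placeholder)"
add list=netblocks address=198.51.100.0/24 comment="VPN pool (placeholder)"

/ip firewall filter
# Keep replies to the router's own connections flowing, drop junk early.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Management ports only from whitelisted sources; everything else is rejected
# before any brute-force counter would even get a chance to run.
add chain=input protocol=tcp dst-port=21-23,80,8291 \
    src-address-list=netblocks action=accept \
    comment="management from trusted nets"
add chain=input protocol=tcp dst-port=21-23,80,8291 \
    src-address-list=!netblocks action=reject \
    comment="management from anywhere else"
```

Rule order matters: the reject must come before any broader accept in the input chain, and the established/related accept at the top is what keeps your own management session alive if an address-list entry you rely on later expires.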
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Botnet - Brute Force Rules Help, Please

Fri Dec 12, 2014 9:09 pm

Tarpit is more effective than reject as it doesn't need to track the connection and what's better, consumes attacker resources so he cannot try again if he hits his limits.
Of course whitelisting is better than blacklisting, no doubt.
 
CsXen
Frequent Visitor
Posts: 94
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Botnet - Brute Force Rules Help, Please

Sat Dec 13, 2014 3:37 pm

Hi.
Simply move the SSH service to another port (like 122, 2022, 8022... :) ). This will stop most of the botnet robots.

Regards: Xen
 
sonoracomm
just joined
Topic Author
Posts: 7
Joined: Mon Dec 03, 2012 12:38 am

Re: Botnet - Brute Force Rules Help, Please

Tue Dec 16, 2014 10:50 pm

Thanks all for your input.

In our use case, we use our main Mikrotik router as a sort of 'honeypot' and we also block traffic to all downstream routers as well. So, in this case, we'd prefer to 'detect and block' rather than 'avoid'.

I'm a little afraid of using 'tarpit' as I've heard that uses local (my) router resources and that scares me a bit. I guess I need to learn more about 'tarpitting'. This is on a powerful CloudCore router.

In general, we do use alternate ports for SSH and, while that is only obfuscation, it gets rid of most of the automated tools/script kiddies.

Where I struggle most is with botnets...and they are getting smarter all the time.

What I did seemed to work pretty well...I just modified my regular SSH brute force rules so that they blocked after three attempts and blocked for a longer time period (10 days).

Thanks again for all input.

G
 
SystemErrorMessage
Member
Posts: 390
Joined: Sat Dec 22, 2012 9:04 pm

Re: Botnet - Brute Force Rules Help, Please

Wed Dec 17, 2014 1:35 am

If your router is the gateway then simply tarpit/drop all incoming from WAN. If your router is in a core network like mine with double NATs and on multiple VLANs and networks then you should set up port knocking and deny access from all non-authoritative IPs. For example I deny all access to input from my gateway but I also have a 3s rule for outgoing. I don't do any NAT.
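Port knocking on RouterOS, as mentioned by jarda and SystemErrorMessage, written out as an added example (not anyone's posted config). The knock ports 7777 and 3333, the timeouts and the list names are arbitrary; SSH is assumed on tcp/22, and the established/related accept is included because the knock list expires while the session is still open.

```routeros
# Added example of RouterOS port knocking; not the poster's configuration.
# Knock tcp/7777, then tcp/3333 within 15 s, and SSH on 22 opens for 1 minute
# to that source. Ports, timeouts and list names are arbitrary.
/ip firewall filter
add chain=input connection-state=established,related action=accept
# Knock 1: a new connection to the first port lists the source briefly.
add chain=input protocol=tcp dst-port=7777 connection-state=new \
    action=add-src-to-address-list address-list=knock_stage1 \
    address-list-timeout=15s comment="knock 1"
# Knock 2 only counts while knock 1 is still valid. The second port is lower
# than the first, so a plain ascending port sweep never completes the sequence.
add chain=input protocol=tcp dst-port=3333 connection-state=new \
    src-address-list=knock_stage1 action=add-src-to-address-list \
    address-list=knock_open address-list-timeout=1m comment="knock 2"
# SSH is accepted only from sources that completed the sequence; the rest is
# dropped, so no login prompt (and no login-failure log line) is ever reached.
add chain=input protocol=tcp dst-port=22 src-address-list=knock_open \
    action=accept comment="ssh after knock"
add chain=input protocol=tcp dst-port=22 action=drop comment="ssh otherwise"
```

From an admin workstation the knock is two plain connection attempts to the two ports in order (for example `nc -z router 7777` then `nc -z router 3333`) followed by the ssh login within the minute. The sequence is an extra gate in front of authentication, not a replacement for keys or a source whitelist, and the drop rule means knockless attempts are never logged as login failures.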
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Botnet - Brute Force Rules Help, Please

Wed Dec 17, 2014 2:43 pm

Simply said, tarpit makes the attacker believe the connection is open, but the tracking on your side is thrown away. The attacker keeps the connection and your resources are not consumed further. If you drop, he will try again and again.
