MIKROTIK.
Brute-Force.

12.V.2022 

Program na testovanie hrubej sily. Pôvodný zdroj. Stiahnutá web stránka.

Program brutus-aet2-darknet stiahni tu. Program sa neinštaluje. Heslo na rozpakovanie „darknet123“.

 

18.V.2022 – odskúšané, funguje.

Bruteforce login prevention

https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

Jump to navigation Jump to search

To stop SSH/FTP attacks on your router, follow this advice.

This configuration allows only 10 FTP login incorrect answers per minute

Stiahni vo formáte TXT , ODT, RAR, PDF.

 
ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="1_FTP* drop ftp brute forcers"
ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m comment="2_FTP* drop ftp brute forcers"
ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp content= "530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h comment="3_FTP* drop ftp brute forcers"


This will prevent a SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

Stiahni vo formáte TXT , ODT, RAR, PDF.

 
ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="1_SSH* drop ssh brute forcers" disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="2_SSH* drop ssh brute forcers " disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="3_SSH* drop ssh brute forcers" disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="4_SSH* drop ssh brute forcers " disabled=no
ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="5_SSH* drop ssh brute forcers" disabled=no

If you want to block downstream access as well, you need to block the with the forward chain:

ip firewall filter add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no

To view the contents of your Blacklist, go to "/ip firewall address-list" and type "print" to see the contents.

 

29.IV.2022 – funkčnosť neistá, odskúšaj!

Celá časť 

****************************************************************************************_____________ZAČIATOK_________________*************************************************************************

Stiahni vo formáte TXT , ODT, RAR, PDF.

Príklad na port č.80 (http). ODT. HTML.

 

/ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Drop FTP brute forcers" disabled=no
 
/ip firewall filter add chain=input protocol=tcp connection-state=established action=accept comment="Allow packets belonging to existing connections" disabled=no
/ip firewall filter add chain=input connection-state=related action=accept comment="Allow packets related to existing connections" disabled=no
 
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=safe action=accept comment="Allow SSH safe hosts" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="Drop SSH brute forcers" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="SSH brute forcers blacklisting" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="SSH brute forcers the third stage" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="SSH brute forcers the second stage" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="SSH brute forcers the first stage" disabled=no
 
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=safe action=accept comment="Allow WinBox safe hosts" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=wb_blacklist action=drop comment="Drop WinBox brute forcers" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=wb_stage3 action=add-src-to-address-list address-list=wb_blacklist address-list-timeout=10d comment="WinBox brute forcers blacklisting" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=wb_stage2 action=add-src-to-address-list address-list=wb_stage3 address-list-timeout=1m comment="WinBox brute forcers the third stage" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=wb_stage1 action=add-src-to-address-list address-list=wb_stage2 address-list-timeout=1m comment="WinBox brute forcers the second stage" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new action=add-src-to-address-list address-list=wb_stage1 address-list-timeout=1m comment="WinBox brute forcers the first stage" disabled=no
 
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new action=accept comment="Allow SSH" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 connection-state=new action=accept comment="Allow WinBox" disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=20-21 connection-state=new action=accept comment="Allow FTP" disabled=no
 
/ip firewall filter add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock address-list-timeout=15s comment="Port knocking the first stage" disabled=no 
/ip firewall filter add chain=input protocol=tcp dst-port=7331 src-address-list=knock action= add-src-to-address-list address-list=safe address-list-timeout=15m comment="Port knocking whitelisting" disabled=no
 
/ip firewall filter add chain=input action=drop comment="Drop everything else"
 
/ip firewall filter add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m comment="Allow only 10 FTP login incorrect answers per minute" disabled=no
/ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h comment="FTP brute forcers blacklisting" disabled=no
 
 

****************************************************************************************_____________KONIEC_________________*************************************************************************