Wednesday, September 7, 2016

counter FTP brute force using MikroTik firewall rate limitation

We can use a MikroTik firewall feature called connection-limit to single out addresses that try to brute force the FTP server. Note that it can also produce false positives, since it only counts concurrent connections per address and cannot tell a brute forcer from a busy legitimate client.


1- The following two rules add any IP that reaches the connection limit (connection-limit=21,32 means 21 or more concurrent connections to port 21, counted per single host, i.e. per /32) to an address list called brutelist for one minute, and drop input traffic from any IP on the brutelist. The drop rule comes first so that once an address is listed, its later packets never reach the second rule.

/ip firewall filter add chain=input action=drop src-address-list=brutelist
/ip firewall filter add chain=input action=add-src-to-address-list protocol=tcp address-list=brutelist address-list-timeout=1m dst-port=21 connection-limit=21,32


[Screenshot: the address list showing the brute-forcing source address added to brutelist]


2- To test the effect of the rules, you can use the script from the post below:
http://www.atechnote.com/2016/09/brute-force-ftp-server-16-thread.html
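To reason about what the two rules above do before testing them on a router, here is an added Python model of their matching logic (example code written for this post, not part of the original and not RouterOS code). The connection events are constructed; the rule order, the passthrough behaviour of add-src-to-address-list and the pooling of connections by netmask follow the rules as written, and the netmask parameter lets you see why a wider prefix (e.g. 21,24) pools unrelated hosts together.

```python
from ipaddress import ip_network

# Models the two rules from the post:
#   rule 1: drop if src is on brutelist (entry not yet timed out)
#   rule 2: if concurrent FTP connections from src's /NETMASK pool reach LIMIT,
#           add src to brutelist for TIMEOUT seconds; the packet itself continues
LIMIT, NETMASK, TIMEOUT = 21, 32, 60  # connection-limit=21,32, address-list-timeout=1m


def pool(ip, netmask):
    """Prefix under which connection-limit pools addresses (the second value)."""
    return ip_network(f"{ip}/{netmask}", strict=False)


def run(events, limit=LIMIT, netmask=NETMASK, timeout=TIMEOUT):
    """events: (time_s, src_ip, 'open'|'close') in time order, all to tcp/21.
    Returns one verdict per 'open': 'accept', 'listed' (just added to brutelist,
    this connection still passes) or 'drop' (already on brutelist)."""
    open_conns = {}   # src ip -> number of currently established connections
    brutelist = {}    # src ip -> expiry time of the address-list entry
    verdicts = []
    for t, src, action in events:
        if action == "close":
            open_conns[src] = max(0, open_conns.get(src, 0) - 1)
            continue
        if src in brutelist and brutelist[src] > t:   # rule 1
            verdicts.append("drop")
            continue
        brutelist.pop(src, None)                       # entry timed out
        open_conns[src] = open_conns.get(src, 0) + 1
        pooled = sum(n for ip, n in open_conns.items()
                     if pool(ip, netmask) == pool(src, netmask))
        if pooled >= limit:                            # rule 2
            brutelist[src] = t + timeout
            verdicts.append("listed")
        else:
            verdicts.append("accept")
    return verdicts


# Constructed sample: one host holding 23 FTP connections open at once, one
# normal client, then the same host again after its list entry has expired.
SAMPLE = [(t, "198.51.100.7", "open") for t in range(23)]
SAMPLE += [(5, "192.0.2.10", "open"), (6, "192.0.2.10", "close")]
SAMPLE.sort(key=lambda e: e[0])
SAMPLE.append((100, "198.51.100.7", "open"))

if __name__ == "__main__":
    print(run(SAMPLE))
```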

****
For a solution with fewer false positives, use fail2ban; an example of fail2ban protecting SSH:
http://www.atechnote.com/2014/10/auto-block-ip-address-with-many-login.html

