Wednesday, September 7, 2016

Counter FTP brute force using MikroTik firewall rate limitation

We can use a feature of the MikroTik firewall called connection-limit to single out addresses that try to brute force the FTP server. Be aware that it can also produce false positives, since it only counts simultaneous connections per source address and knows nothing about failed logins.

1- The following adds any source IP that reaches 21 simultaneous connections to port 21 to an address list called brutelist, and drops connections from IPs on the brutelist (the drop rule is placed first so that it is evaluated before the counting rule):

/ip firewall filter add chain=input action=drop src-address-list=brutelist
/ip firewall filter add chain=input action=add-src-to-address-list protocol=tcp address-list=brutelist address-list-timeout=1m dst-port=21 connection-limit=21,32

[Screenshot: addresses that attempted brute force being added to brutelist]
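An extended version of the same rules, added here as an example and not part of the original post: it accepts already established sessions before counting, logs each match, and keeps the ban long enough to verify it from the terminal. The threshold of 10, the 10m timeout and the FTP-BRUTE log prefix are assumed values, not from the post.

```routeros
# Added example (not the original post's rules). Assumed values: threshold 10,
# ban 10m, log prefix "FTP-BRUTE". Order matters: rules are evaluated top down.

# 1. Let packets of existing sessions through so only new control
#    connections are counted below.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="ftp-allow-existing"

# 2. Drop everything from addresses already on the ban list.
/ip firewall filter add chain=input src-address-list=brutelist action=drop comment="ftp-drop-banned"

# 3. Count new TCP/21 connections per source /32; once a source reaches 10,
#    add it to brutelist for 10 minutes and write a log line per match.
#    Note: add-src-to-address-list does not drop the matching packet itself;
#    the source is only blocked by rule 2 from its next packet onward.
/ip firewall filter add chain=input protocol=tcp dst-port=21 connection-state=new connection-limit=10,32 action=add-src-to-address-list address-list=brutelist address-list-timeout=10m log=yes log-prefix="FTP-BRUTE" comment="ftp-ban-on-limit"

# Checks after a test run from a client that opens many connections:
/ip firewall address-list print where list=brutelist
/ip firewall filter print stats where comment~"ftp-"
/log print where message~"FTP-BRUTE"
```

Each connection from a legitimate client that opens many parallel FTP sessions (or many clients behind one NAT address) counts toward the same limit, which is where the false positives the post mentions come from.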

2- To test the effect of the rule you can use the script in the post below.

For a solution with fewer false positives use fail2ban, which bans on failed logins rather than connection counts; see the example of fail2ban for SSH.
