MIKROTIK - Bruteforce SSH Firewall Rules

From Wiki.IT-Arts.net
imported>Z
Revision as of 11:55, 1 May 2024


SSH BRUTEFORCE PREVENTION MIKROTIK
(Aka Fail2ban)


SSH IP Whitelist

Create the whitelist and add the RFC 1918 private ranges (the list also carries the RFC 6598 shared address space 100.64.0.0/10, hence the "extended" comment) :

/ip/firewall/address-list/add list=LIST_SSH_WHITELIST address=10.0.0.0/8 comment="RFC1918_extended"
/ip/firewall/address-list/add list=LIST_SSH_WHITELIST address=100.64.0.0/10 comment="RFC1918_extended"
/ip/firewall/address-list/add list=LIST_SSH_WHITELIST address=172.16.0.0/12 comment="RFC1918_extended"
/ip/firewall/address-list/add list=LIST_SSH_WHITELIST address=192.168.0.0/16 comment="RFC1918_extended"

Add the administrators' IP addresses (one entry per administrator) :

/ip/firewall/address-list/add list=LIST_SSH_WHITELIST address=W.X.Y.Z comment="admin@example.org"
...


SSH Firewall Rules For Port 2222

# Rule order matters: the filter chain is evaluated top to bottom and
# add-src-to-address-list is a passthrough action, so the most severe stage is
# listed first and one new connection advances a source by exactly one stage.
# The list a stage writes to must be the list the next stage matches on
# (LIST_ALL_SSH_CONNECTIONS1 -> 2 -> 3 -> BRUTEFORCE_BLACKLIST).
/ip/firewall/filter/add action=add-src-to-address-list address-list=BRUTEFORCE_BLACKLIST address-list-timeout=1d chain=input comment="Blacklist" connection-state=new dst-port=2222 protocol=tcp src-address-list=LIST_ALL_SSH_CONNECTIONS3,!LIST_SSH_WHITELIST
/ip/firewall/filter/add action=add-src-to-address-list address-list=LIST_ALL_SSH_CONNECTIONS3 address-list-timeout=1h chain=input comment="Third attempt" connection-state=new dst-port=2222 protocol=tcp src-address-list=LIST_ALL_SSH_CONNECTIONS2,!LIST_SSH_WHITELIST
/ip/firewall/filter/add action=add-src-to-address-list address-list=LIST_ALL_SSH_CONNECTIONS2 address-list-timeout=15m chain=input comment="Second attempt" connection-state=new dst-port=2222 protocol=tcp src-address-list=LIST_ALL_SSH_CONNECTIONS1,!LIST_SSH_WHITELIST
/ip/firewall/filter/add action=add-src-to-address-list address-list=LIST_ALL_SSH_CONNECTIONS1 address-list-timeout=1m chain=input comment="First attempt" connection-state=new dst-port=2222 protocol=tcp src-address-list=!LIST_SSH_WHITELIST
# Accept only sources that are not (yet) blacklisted; a blacklisted source does
# not match here and continues down the input chain.
/ip/firewall/filter/add action=accept chain=input dst-port=2222 protocol=tcp src-address-list=!BRUTEFORCE_BLACKLIST
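To see how the staged lists behave over time, the following Python model is an added example and not part of the wiki page or of RouterOS: it replays a sequence of new TCP connections to port 2222 through the five rules above, with the same list names and timeouts (1m, 15m, 1h, 1d), and reports whether the final accept rule matched and which list the source currently sits in. It also runs the same chain with mismatched stage names (adding to `connection1..3` while matching on `LIST_ALL_SSH_CONNECTIONS1..3`) to show that a source then never escalates past the first list. The source addresses are constructed from documentation ranges, and the model assumes that an address already present in a list keeps its original expiry rather than being refreshed. Note that the accept rule's non-match only means the packet continues down the input chain, so a drop rule later in the chain is still needed; the page does not show one.

```python
from ipaddress import ip_address, ip_network

# Whitelist exactly as on the page (RFC 1918 ranges plus the RFC 6598 shared range).
WHITELIST_NETS = [ip_network(n) for n in
                  ("10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16")]

# One tuple per filter rule, in chain order: (comment, src list it matches on or
# None, list it adds the source to, address-list-timeout in seconds).
STAGED_RULES = [
    ("Blacklist",      "LIST_ALL_SSH_CONNECTIONS3", "BRUTEFORCE_BLACKLIST",      24 * 3600),
    ("Third attempt",  "LIST_ALL_SSH_CONNECTIONS2", "LIST_ALL_SSH_CONNECTIONS3", 3600),
    ("Second attempt", "LIST_ALL_SSH_CONNECTIONS1", "LIST_ALL_SSH_CONNECTIONS2", 15 * 60),
    ("First attempt",  None,                        "LIST_ALL_SSH_CONNECTIONS1", 60),
]

# Same chain with mismatched names: each stage writes connectionN but the next
# stage matches on LIST_ALL_SSH_CONNECTIONSN, so nothing ever links up.
MISMATCHED_RULES = [
    ("Blacklist",      "LIST_ALL_SSH_CONNECTIONS3", "BRUTEFORCE_BLACKLIST", 24 * 3600),
    ("Third attempt",  "LIST_ALL_SSH_CONNECTIONS2", "connection3",          3600),
    ("Second attempt", "LIST_ALL_SSH_CONNECTIONS1", "connection2",          15 * 60),
    ("First attempt",  None,                        "connection1",          60),
]

BLACKLIST = "BRUTEFORCE_BLACKLIST"


class StagedSshFirewall:
    """Evaluates the input-chain rules for each new TCP connection to port 2222."""

    def __init__(self, rules=STAGED_RULES):
        self.rules = rules
        # address-list name -> {source ip: expiry timestamp (seconds)}
        names = {r[2] for r in rules} | {r[1] for r in rules if r[1]}
        self.lists = {name: {} for name in names}

    def in_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    @staticmethod
    def whitelisted(ip):
        addr = ip_address(ip)
        return any(addr in net for net in WHITELIST_NETS)

    def highest_stage(self, ip, now):
        """Most severe list (rules are ordered most severe first) holding ip, or None."""
        for _comment, _match_on, add_to, _timeout in self.rules:
            if self.in_list(add_to, ip, now):
                return add_to
        return None

    def new_connection(self, ip, now):
        """Run the chain for one new connection. True if the final accept rule matched."""
        if not self.whitelisted(ip):            # every rule carries !LIST_SSH_WHITELIST
            for _comment, match_on, add_to, timeout in self.rules:
                if match_on is None or self.in_list(match_on, ip, now):
                    # Modelling assumption: an address already present keeps its expiry.
                    if not self.in_list(add_to, ip, now):
                        self.lists[add_to][ip] = now + timeout
                # add-src-to-address-list is passthrough: keep evaluating the chain.
        # Final rule: accept unless the source is (by now) blacklisted. A non-match
        # only means the packet continues down the input chain; dropping it is
        # left to a later rule, which the page does not show.
        return not self.in_list(BLACKLIST, ip, now)


def simulate(attempts, rules=STAGED_RULES):
    """attempts: iterable of (ip, seconds). Returns [(ip, t, accepted, highest_stage)]."""
    fw = StagedSshFirewall(rules)
    result = []
    for ip, t in sorted(attempts, key=lambda a: a[1]):
        accepted = fw.new_connection(ip, t)
        result.append((ip, t, accepted, fw.highest_stage(ip, t)))
    return result


if __name__ == "__main__":
    # Constructed sample: one rapid-fire source, one slow source, one internal admin host.
    sample = [("203.0.113.5", t) for t in (0, 10, 20, 30, 40)]
    sample += [("198.51.100.7", t) for t in (0, 120, 240)]
    sample += [("192.168.1.10", t) for t in (0, 5, 10)]
    for row in simulate(sample):
        print(row)
    print("mismatched names:", simulate([("203.0.113.5", t) for t in (0, 10, 20, 30)],
                                        MISMATCHED_RULES))
```

The rapid-fire source reaches `BRUTEFORCE_BLACKLIST` on its fourth connection and stops being accepted; the slow source, whose attempts are more than 1m apart, keeps re-entering `LIST_ALL_SSH_CONNECTIONS1` and is never escalated, which is exactly the trade-off the short first-stage timeout makes.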


Useful Links

BRUTEFORCE PREVENTION :
* https://help.mikrotik.com/docs/display/ROS/Bruteforce+prevention