
MikroTik protection from brute force. MikroTik: useful tips for setting up. Creating a backup copy of the configuration

Brute force is when someone, sometimes long and persistently, tries to guess our password for anything by trying candidates one after another. On Linux, fail2ban is successfully used to protect against this. There is no such pleasure on MikroTik, so we will have the pleasure of building brute-force protection with our own hands.

Full command listing, which you have probably seen in the official wiki (http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention); the rules go into /ip firewall filter in exactly this order:

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

This set is available in many places on the Internet; I will just explain a little what it does.

The idea is this: we allow three new SSH connections (22/tcp; if you use a different port, substitute your own) from one address within a short time. On the fourth attempt the source address goes into the blacklist for 10 days. So, step by step.

1. When a new connection (connection-state=new) to port 22/tcp is established, we remember the source IP and place it in the “ssh_stage1” list for 1 minute:

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

2. If during this minute the same “someone” (whom we remember in “ssh_stage1”) wants to establish another new connection to 22/tcp, we also add him to the “ssh_stage2” list, again for 1 minute:

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

3. If during this minute this “someone” (now present in “ssh_stage2”) wants to connect to 22/tcp yet again, we add him to the “ssh_stage3” list (yes, you guessed it, again for 1 minute):

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no

4. If he is still persistent, he goes into our “black list” “ssh_blacklist” for 10 days, no further questions asked:

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no

5. And with this rule we drop everyone from the “ssh_blacklist” list without a shadow of a doubt. In my variant the rule is added disabled (disabled=yes), unlike the wiki version above, for the reason explained below:

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=yes

In reality, when I built such a scheme and tried to connect from a Linux console to the external IP of my MikroTik, already on the second attempt (and not on the 3rd or 4th) the “attacker” IP landed in the “ssh_blacklist” list. I don’t use ssh to the MikroTik, so in my case it isn’t fatal, but if you actually connect remotely that way, then at first it might be a good idea not to enable the ban rule (disabled=yes). Let them get on the list, no questions asked. Estimate in practice how many times you need to connect in a row before getting on the ban list. After checking, activate the ban rule for the "ssh_blacklist" list! I apologize that the commands are long, but the parser eats the backslash, so each one ends up on a single line.
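Whether the blacklist fires on the fourth connection or much earlier depends on how RouterOS walks these five rules, and the small Python model below makes that visible. It is an added example, not code from the article or from the MikroTik wiki. It assumes two RouterOS behaviours: rules are evaluated top to bottom, and add-src-to-address-list has passthrough=yes by default, so a packet that has just been added to one list is still examined by the rules after it. The attacker address 203.0.113.7 and the connection timings are constructed test data.

```python
"""Model of the staged ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist
rules. Added example, not code from the article or the MikroTik wiki.
Assumed RouterOS semantics: rules evaluated top to bottom, and
add-src-to-address-list has passthrough=yes, so the packet continues to the
next rule after the list entry is created. All timings are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

SSH_PORT = 22  # as in the article; every rule below is for new TCP to this port


@dataclass
class Rule:
    src_list: Optional[str]          # required src-address-list (None = any source)
    action: str                      # "drop" or "add-src-to-address-list"
    target: Optional[str] = None     # address-list to add the source to
    timeout: float = 0.0             # address-list-timeout in seconds


@dataclass
class InputChain:
    rules: list
    # (list name, ip) -> time at which the dynamic entry expires
    entries: dict = field(default_factory=dict)

    def listed(self, name: str, ip: str, now: float) -> bool:
        exp = self.entries.get((name, ip))
        return exp is not None and exp > now

    def new_tcp_connection(self, ip: str, now: float) -> str:
        """Walk the chain for one connection-state=new packet to SSH_PORT."""
        for rule in self.rules:
            if rule.src_list and not self.listed(rule.src_list, ip, now):
                continue
            if rule.action == "drop":
                return "drop"
            # add-src-to-address-list: create or refresh the entry, then
            # passthrough to the next rule.
            self.entries[(rule.target, ip)] = now + rule.timeout
        return "accept"


# The five rules in the order the wiki gives them: drop first, stage1 last.
WIKI_ORDER = [
    Rule("ssh_blacklist", "drop"),
    Rule("ssh_stage3", "add-src-to-address-list", "ssh_blacklist", 10 * 86400),
    Rule("ssh_stage2", "add-src-to-address-list", "ssh_stage3", 60),
    Rule("ssh_stage1", "add-src-to-address-list", "ssh_stage2", 60),
    Rule(None, "add-src-to-address-list", "ssh_stage1", 60),
]
# The same five rules landing in the firewall bottom-up (for example when
# each one is added with place-before=0, or pasted in the wrong order).
REVERSED_ORDER = list(reversed(WIKI_ORDER))


def simulate(rules, interval: float, attempts: int = 10) -> Tuple[Optional[int], Optional[int]]:
    """One client opens a new SSH connection every `interval` seconds.

    Returns (attempt on which the source lands in ssh_blacklist,
             attempt on which a connection is first dropped); None = never.
    """
    chain = InputChain(rules)
    ip = "203.0.113.7"  # constructed attacker address (TEST-NET-3)
    blacklisted_on = dropped_on = None
    for n in range(1, attempts + 1):
        now = n * interval
        verdict = chain.new_tcp_connection(ip, now)
        if blacklisted_on is None and chain.listed("ssh_blacklist", ip, now):
            blacklisted_on = n
        if verdict == "drop":
            dropped_on = n
            break
    return blacklisted_on, dropped_on


if __name__ == "__main__":
    print("wiki order, 5 s apart    :", simulate(WIKI_ORDER, 5))      # (4, 5)
    print("reversed order, 5 s apart:", simulate(REVERSED_ORDER, 5))  # (1, 1)
    print("wiki order, 61 s apart   :", simulate(WIKI_ORDER, 61))     # (None, None)
```

With the rules in the wiki order the fourth new connection puts the source into ssh_blacklist, but that connection itself still passes (the drop rule sits above the rule that created the entry), and the fifth is the first one dropped. The same five rules in the opposite order blacklist a source on its very first connection, because with passthrough it cascades through stage1, stage2, stage3 and the blacklist within one packet. A client that waits longer than the 1m stage timeout between attempts is never escalated. So when the count you measure is not four, the first thing to check is the rule order in /ip firewall filter print.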

However, you should not think that only MikroTik has security problems; Ubiquiti has them too, not to mention brands such as TP-Link. It is a different matter that not all vulnerabilities are made public, and not all vendors fix problems quickly.

RouterOS 6.38.5 – Denial of Service

A vulnerability in the network stack of MikroTik RouterOS 6.38.5 (released 2017-03-09) could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of TCP RST packets, preventing the affected router from accepting new TCP connections.



The essence of the ROS 6.38.5 vulnerability is that the router can be remotely flooded with TCP RST packets, which drives CPU utilization to 100% and makes further packet processing impossible, i.e. a denial of service (DoS):

> system resource monitor
  cpu-used: 100%
  cpu-used-per-cpu: 100%
  free-memory: 8480KiB

The attack targets port 8291, which is used by WinBox. The exploit itself is publicly available, and the situation is aggravated by the fact that it needs no authentication: the attacker does not even need to know a login.

Methods of protection

As a temporary measure, you can change the WinBox port from 8291 to a non-standard one under IP -> Services. The disadvantage of this method is that it does not protect against port scanning in any way: the default MikroTik firewall rules contain no port-scan protection at all (RouterOS does have a psd port-scan-detection matcher for firewall filter rules, but the default rule set does not use it). If you come across an experienced attacker, changing the port will not stop him.



The most effective protection is a firewall rule that limits access to the WinBox port to the administrator's IP address only:

/ip firewall filter add chain=input action=accept protocol=tcp src-address=ADMIN_IP dst-port=8291 comment=Allow_Winbox

Where ADMIN_IP must be replaced with your IP. An accept rule alone restricts nothing: do not forget to deny access to WinBox for all other addresses with a drop rule placed after it (or restrict the service itself in IP -> Services via its Available From field).

Home users of MikroTik routers have nothing to worry about, because the default firewall rules block access to WinBox from the WAN (Internet). But for large corporate networks or providers the problem is much more serious, because an attacker's actions can take the network down.

Until the vulnerability is fixed, there is nothing left to do but wait for a RouterOS update.

Updated status as of 04/04/2017

The discussion of this vulnerability continues on the official MikroTik forum.

User un1x0d tested the exploit on an RB751, a hEX lite and a CHR (8x Xeon); all three devices were loaded to 100%, which took down all network services. Moreover, as un1x0d noted, the vulnerability does not depend on the port and works against other ports as well.

User McSlash checked the vulnerability on an RB951, RB2011, hAP lite and CCR1036; in all cases the exploit worked. No firewall rules help. MikroTik support has not yet acknowledged the vulnerability. We continue to monitor developments.


Routers from MikroTik are becoming increasingly popular thanks to their attractive price and rich functionality; in the SOHO segment MikroTik is arguably the leader. Today we want to talk about useful configuration options that will strengthen resistance to external attacks and ensure stable operation of your office MikroTik.

Mikrotik protection

1. Changing the administrator login and password

Let's start with the primary protection of our router: a hard-to-guess administrator login and password. By default, MikroTik uses the login admin with an empty password. Let's fix this: connect to the router via WinBox and go to System -> Users. We see the default user admin.

Let's add a new user with stronger credentials (login and password). To do this, click the “+” icon in the upper left corner.

Please note that in the Group field you must select full to grant the user administrative privileges. After the settings are saved, log in once as the new user to confirm it works, then delete the user admin and from now on use only the new user to connect to the administration interface.

2. Service ports

The MikroTik router has several built-in services whose ports are reachable from the public Internet. Potentially, this is a weak spot in your network perimeter. Therefore, go to IP -> Services.

If you access the MikroTik only via WinBox, we suggest disabling all services except winbox and ssh (leave ssh just in case), namely:

  • api
  • api-ssl
  • ftp
  • telnet
  • www
  • www-ssl

To disable a service, click the red "x" icon. Since we left SSH access to the router, let's “hide” it by changing its port from 22 to 6022. To do this, double-click the SSH service and set the port in the window that opens (the Available From field in the same window lets you additionally restrict the addresses a service accepts connections from):


Click Apply and OK.

3. Protection against brute force

The official MikroTik wiki has recommendations on how to protect the router from password brute-forcing over FTP and SSH. In the previous step we disabled FTP, so if you followed these instructions strictly, use only the SSH part; otherwise copy both. Note that the rules below use dst-port=22; if you moved SSH to port 6022 in step 2, change dst-port=22 to dst-port=6022 in every SSH rule, otherwise they will never match. So, open the router terminal: in the navigation menu click New Terminal and paste the code below into the console, one rule at a time:

/ip firewall filter
# Block FTP attacks
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
    address-list=ftp_blacklist address-list-timeout=3h
# Block attacks via SSH
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
    action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
    address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

Creating a Configuration Backup

In case of a router failure or accident you need to have its configuration at hand for quick recovery. It is extremely simple: open the terminal by clicking New Terminal in the navigation menu and enter the following command:

/export file=backup2020-02-10_01:01:22

This produces a text .rsc file with the configuration, which can be reviewed and replayed with /import. Note that /export does not include user passwords or certificates; for a complete restorable image also run /system backup save, and keep both files off the router, since anyone who can read them can reproduce your configuration.

The file can be found under Files in the navigation menu. Download it to your PC by right-clicking it and selecting Download.


Blocking access to sites

During working hours employees must work. So let's block access to entertainment resources such as YouTube, Facebook and VKontakte. Go to IP -> Firewall, open the Layer 7 Protocols tab and click the “+” icon in the upper left corner.

Give the rule a name (it operates at level 7 of the OSI model) and in the Regexp field enter:

^.+(youtube\.com|facebook\.com|vk\.com).*$

(the dots are escaped so that each matches a literal dot rather than any character). Keep in mind what the L7 matcher can and cannot see: RouterOS collects only the first 10 packets or the first 2 KiB of each connection and runs the regexp over that buffer, so the hostname has to appear early in the stream, as it does in the HTTP Host header or in the SNI field of the TLS ClientHello. Traffic that carries no hostname in clear text is not caught, and every regexp evaluated on every new connection costs CPU.

Click OK, go to the Filter Rules tab and click the “+” icon.

In the Chain field select forward. In the same window, go to the Advanced tab and in the Layer7 Protocol field select the rule we created.

Go to the Action tab and set Action = drop.

When the settings are complete, click Apply and OK.
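How the Layer7 regexp behaves on real connection data, as an added example that is not part of the article: RouterOS hands the matcher only the first 10 packets or 2 KiB of each connection, which the code mimics with a 2 KiB slice; treating '.' as matching any byte (re.DOTALL) is an assumption about how the matcher treats the stream. The plain-HTTP request and the TLS ClientHello with an SNI extension are constructed samples. The ClientHello shows why the rule also catches HTTPS, the padded stream shows what the buffer limit costs, and the escaped-dot pattern shows the difference the backslashes make.

```python
"""Exercising the Layer7 regexp on sample connection data. Added example,
not from the article. RouterOS feeds the L7 matcher the first 10 packets or
the first 2 KiB of a connection; the slice below mimics that limit. Using
re.DOTALL so '.' matches any byte is an assumption about the matcher. The
HTTP request and the TLS ClientHello are constructed samples."""
import re
import struct

ARTICLE_REGEXP = rb"^.+(youtube.com|facebook.com|vk.com).*$"
# Same pattern with the dots escaped: an unescaped '.' matches any byte.
ESCAPED_REGEXP = rb"^.+(youtube\.com|facebook\.com|vk\.com).*$"

L7_BUFFER = 2048  # bytes of a connection the matcher gets to see


def l7_match(regexp: bytes, stream: bytes) -> bool:
    """True if the regexp fires on what the L7 matcher would buffer."""
    return re.search(regexp, stream[:L7_BUFFER], re.DOTALL) is not None


def http_get(host: str) -> bytes:
    """Plain-HTTP request; the hostname travels in the Host header."""
    return b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n"


def tls_client_hello(sni: str) -> bytes:
    """Minimal TLS ClientHello whose only extension is server_name (SNI).
    On HTTPS this is the one place the hostname appears in clear text."""
    name = sni.encode()
    host_name = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(host_name)) + host_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"                 # client_version TLS 1.2
            + b"\x00" * 32              # random (zeros in this sample)
            + b"\x00"                   # empty session id
            + b"\x00\x02\x13\x01"       # one cipher suite
            + b"\x01\x00"               # null compression only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # HandshakeType ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(l7_match(ARTICLE_REGEXP, http_get("www.youtube.com")))                  # True
    print(l7_match(ARTICLE_REGEXP, tls_client_hello("www.vk.com")))               # True
    print(l7_match(ARTICLE_REGEXP, http_get("www.example.com")))                  # False
    # Hostname beyond the buffer the matcher sees: the rule never fires.
    print(l7_match(ARTICLE_REGEXP, b"\x00" * 2100 + http_get("facebook.com")))    # False
    # Unescaped dot: "youtubeXcom" satisfies "youtube.com", not "youtube\.com".
    print(l7_match(ARTICLE_REGEXP, http_get("youtubeXcom.test")),
          l7_match(ESCAPED_REGEXP, http_get("youtubeXcom.test")))                # True False
```

The ClientHello case is what makes the rule work for HTTPS at all: the hostname sits in the SNI extension of the first packet the client sends, so it falls inside the buffer. Anything that moves the hostname out of those first bytes, or out of clear text, slips past the rule.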


MikroTik: router, access point

How to set up a MikroTik? How to protect a MikroTik from hostile intrusion from outside?
Initial setup of a MikroTik router. Initial MikroTik protection.

To protect your MikroTik router you need to:
1. Change the administrator password.
2. Disable unnecessary, unused services.
3. Enable NAT.
4. Configure the firewall: organize filtering and the passing of packets.

P.S. In the console, the setup command with option r (reset all router configuration) erases all settings but not the passwords; afterwards you can connect to the router via WinBox at its default IP 192.168.88.1.

Settings from the console:
Default login: admin, password: empty.
If you forget the password, the only thing that will save you is a full reset (reinstalling the router)!
Changing the password:
> user edit admin password
An editor opens; type the new password. To save and exit, press Ctrl+O (Control and the letter O at the same time).
You can add a new user, just in case (replace 12345 with a real, strong password):
> user add name=mkt password=12345 group=full

Let's see what interfaces there are:
> interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME      TYPE    MTU   L2MTU  MAX-L2MTU
 0 X  ;;; WAN
      ether1    ether   1500  1600   1600
 1 X  ;;; LAN
      ether2    ether   1500  1600   1600

Activate the ones you need:
> interface enable 0
> interface enable 1
> interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME      TYPE    MTU   L2MTU  MAX-L2MTU
 0 R  ;;; WAN
      ether1    ether   1500  1600   1600
 1 R  ;;; LAN
      ether2    ether   1500  1600   1600

Let's look at the IP addresses:
> ip address print
For example, take the following parameters:
Provider (Internet) address - 195.196.10.50
GW (gateway) - 195.196.10.49
DNS servers - 195.196.11.10, 195.196.12.10
Local (internal) network - 192.168.18.0/24
Add the provider's address (the /30 that contains both .49 and .50):
> ip address add address=195.196.10.50/30 interface=ether1
Add the local one (the router takes a host address of the network, here .1):
> ip address add address=192.168.18.1/24 interface=ether2
Let's see what happened:
> ip address print
Add the provider's gateway:
> ip route add gateway=195.196.10.49
Let's look:
> ip route print

Add the Internet provider's DNS servers:
> ip dns set servers=195.196.11.10,195.196.12.10 allow-remote-requests=yes
allow-remote-requests=yes turns the router into a DNS forwarder for the LAN. It also makes it an open resolver for anyone on the Internet who can reach UDP/53 on the WAN interface, so the firewall configured below must not let UDP from the Internet through to the router itself.

Enable NAT (masquerade):
> ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
After these settings the internal network will have Internet access.

Configure the firewall: organize packet filtering for traffic addressed to the router itself (the input chain) and, so that your network keeps working once the protection is in place, the passing of transit packets (the forward chain).

P.S. First, in WinBox go to IP -> Firewall -> Service Ports and disable everything (Disable) except what you need, in our case pptp (the VPN server) and, if you want to use the built-in FTP, ftp. These are the connection-tracking helpers, not the management services from IP -> Services.

Adding rules:
ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
ip firewall filter add chain=input connection-state=established action=accept comment="Allow Established connections"
ip firewall filter add chain=input protocol=udp action=accept comment="Allow UDP"
ip firewall filter add chain=input protocol=icmp action=accept comment="Allow ICMP"
ip firewall filter add chain=input src-address=192.168.18.0/24 action=accept comment="Allow access from local network"
Caution about the third rule: "Allow UDP" with no source restriction accepts any UDP datagram from the Internet to the router, including DNS queries, and together with allow-remote-requests=yes this makes the router an open resolver. Add src-address=192.168.18.0/24 to that rule (or remove it and rely on the local-network rule) so that only the LAN can query the router.
The following two rules are for access through your MikroTik to your internal network via VPN (pptp server). The first opens port 1723, the second allows protocol 47 (GRE).
ip firewall filter add chain=input action=accept protocol=tcp dst-port=1723 comment="Allow access to VPN"
ip firewall filter add chain=input action=accept protocol=gre comment="If you have a VPN (pptp server)"
The following rules allow you to connect to your MikroTik via WinBox (default port 8291), SSH and WWW only from the address you administer from.
P.S. Naturally, you also need to configure the IP Service List: IP -> Services, click the winbox line, the edit window opens, set Available From to the IP you will connect from; do the same for SSH and WWW, and disable all other services. (ip_address_allow is your IP.)
ip firewall filter add chain=input action=accept protocol=tcp src-address=ip_address_allow dst-port=8291 comment="Allow access over WinBox"
ip firewall filter add chain=input action=accept protocol=tcp src-address=ip_address_allow dst-port=22 comment="Allow access over SSH"
ip firewall filter add chain=input action=accept protocol=tcp src-address=ip_address_allow dst-port=80 comment="Allow access over WWW"
If you want to use the built-in FTP:
ip firewall filter add chain=input action=accept protocol=tcp src-address=ip_address_allow dst-port=21 comment="Allow access to FTP"
We drop everything else:
ip firewall filter add chain=input action=drop comment="Drop reject all other"
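The input rules above are evaluated top to bottom and the first match wins, so the position of a permissive rule decides what the Internet can reach on the router. The Python model below is an added example, not the article's own code: it replays the input chain exactly as listed against a few constructed packets, next to a hardened variant that limits UDP to the LAN and also accepts related connections. The admin address 198.51.100.10 and all sample packets are constructed; the LAN is the 192.168.18.0/24 from the example.

```python
"""First-match evaluation of the input chain from the text, as an added
example (not the article's own code). RouterOS stops at the first matching
filter rule; if nothing matches, the default is accept. All packets and the
admin address are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                      # "tcp", "udp", "icmp", "gre"
    dst_port: Optional[int] = None
    state: str = "new"              # connection-state as conntrack sees it


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "drop"
    comment: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src: Optional[str] = None       # CIDR; None = any source
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.state is not None and p.state != self.state:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        return True


def verdict(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, comment of the deciding rule); first match wins."""
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.comment
    return "accept", "end of chain (RouterOS default is accept)"


LAN = "192.168.18.0/24"
ADMIN = "198.51.100.10/32"   # constructed admin address (TEST-NET-2)

# The input chain from the text, in the order given.
ARTICLE_INPUT = [
    Rule("drop", "Drop Invalid connections", state="invalid"),
    Rule("accept", "Allow Established connections", state="established"),
    Rule("accept", "Allow UDP", proto="udp"),
    Rule("accept", "Allow ICMP", proto="icmp"),
    Rule("accept", "Allow access from local network", src=LAN),
    Rule("accept", "Allow access to VPN", proto="tcp", dst_port=1723),
    Rule("accept", "If you have a VPN (pptp server)", proto="gre"),
    Rule("accept", "Allow access over WinBox", proto="tcp", dst_port=8291, src=ADMIN),
    Rule("accept", "Allow access over SSH", proto="tcp", dst_port=22, src=ADMIN),
    Rule("accept", "Allow access over WWW", proto="tcp", dst_port=80, src=ADMIN),
    Rule("drop", "Drop reject all other"),
]

# Hardened variant: UDP (and therefore DNS) only from the LAN, related
# connections accepted, the remaining rules unchanged.
HARDENED_INPUT = [
    Rule("drop", "Drop Invalid connections", state="invalid"),
    Rule("accept", "Allow Established connections", state="established"),
    Rule("accept", "Allow Related connections", state="related"),
    Rule("accept", "Allow UDP from LAN only", proto="udp", src=LAN),
    Rule("accept", "Allow ICMP", proto="icmp"),
] + ARTICLE_INPUT[4:]

# Constructed sample packets.
DNS_FROM_INTERNET = Packet("203.0.113.5", "udp", 53)
DNS_FROM_LAN = Packet("192.168.18.20", "udp", 53)
WINBOX_FROM_INTERNET = Packet("203.0.113.5", "tcp", 8291)
WINBOX_FROM_ADMIN = Packet("198.51.100.10", "tcp", 8291)

if __name__ == "__main__":
    for name, pkt in [("DNS from Internet", DNS_FROM_INTERNET), ("DNS from LAN", DNS_FROM_LAN),
                      ("WinBox from Internet", WINBOX_FROM_INTERNET), ("WinBox from admin", WINBOX_FROM_ADMIN)]:
        print(f"{name:22} article: {verdict(ARTICLE_INPUT, pkt)}  hardened: {verdict(HARDENED_INPUT, pkt)}")
```

The chain as written accepts a DNS query from any Internet address through "Allow UDP" before the source-based rules are ever reached; with allow-remote-requests=yes the router answers it, which is the open-resolver condition. Management ports are already fine in both variants: WinBox from an arbitrary Internet host falls through to the final drop, WinBox from the admin address is accepted.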

To protect your network, you need to inspect all traffic passing through the router and block unwanted traffic.

ip firewall filter add chain=forward protocol=tcp connection-state=invalid action=drop comment="Drop invalid connections"
ip firewall filter add chain=forward connection-state=established action=accept comment="Allow already established connections"
ip firewall filter add chain=forward connection-state=related action=accept comment="Allow related connections"
Just in case, we allow the GRE protocol through:
ip firewall filter add chain=forward protocol=gre action=accept comment="Allow GRE"
If you have a VPN server and need RDP (remote desktop), allow port 3389 through:
ip firewall filter add chain=forward protocol=tcp dst-port=3389 action=accept comment="Allow 3389"

We block traffic to and from addresses that must never appear on the Internet (unroutable ranges):
ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop
ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop
ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop
ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop
ip firewall filter add chain=forward src-address=224.0.0.0/3 action=drop
ip firewall filter add chain=forward dst-address=224.0.0.0/3 action=drop

Or, more simply, allow UDP and ICMP through:
ip firewall filter add chain=forward protocol=udp action=accept comment="Allow UDP"
ip firewall filter add chain=forward protocol=icmp action=accept comment="Allow ICMP Ping"
Or, more selectively:
For ICMP, UDP and TCP traffic we create separate chains in which unwanted packets are dropped.
Let's create the jumps to the new chains:
ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp
ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp
ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp

Rules for the tcp chain, denying some ports (note that DHCP actually runs over UDP 67-68, so the last rule matches nothing):
ip firewall filter add chain=tcp protocol=tcp dst-port=69 action=drop comment="Deny TFTP"
ip firewall filter add chain=tcp protocol=tcp dst-port=111 action=drop comment="Deny RPC portmapper"
ip firewall filter add chain=tcp protocol=tcp dst-port=135 action=drop comment="Deny RPC portmapper"
ip firewall filter add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="Deny NBT"
ip firewall filter add chain=tcp protocol=tcp dst-port=445 action=drop comment="Deny Cifs"
ip firewall filter add chain=tcp protocol=tcp dst-port=2049 action=drop comment="Deny NFS"
ip firewall filter add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="Deny NetBus"
ip firewall filter add chain=tcp protocol=tcp dst-port=20034 action=drop comment="Deny NetBus"
ip firewall filter add chain=tcp protocol=tcp dst-port=3133 action=drop comment="Deny BackOrifice"
ip firewall filter add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="Deny DHCP"

Rules for the udp chain:
ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="Deny TFTP"
ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop comment="Deny RPC portmapper"
ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop comment="Deny RPC portmapper"
ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop comment="Deny NBT"
ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop comment="Deny NFS"
ip firewall filter add chain=udp protocol=udp dst-port=3133 action=drop comment="Deny BackOrifice"

For the icmp chain, allow only the necessary ICMP types and codes (consider also allowing 3:4, fragmentation needed, otherwise Path MTU discovery through the router breaks):
ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="Allow echo reply"
ip firewall filter add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="Allow net unreachable"
ip firewall filter add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="Allow host unreachable"
ip firewall filter add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="Allow source quench"
ip firewall filter add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="Allow echo request"
ip firewall filter add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="Allow time exceeded"
ip firewall filter add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="Allow parameter problem"
ip firewall filter add chain=icmp action=drop comment="Deny all other ICMP types"
