System administration
Nicholas K., 2021-07-06 09:53:05

How to set up Fail2ban on Mikrotik?

I'm trying to set up conditional fail2ban on Mikrotik CCR-1016, based on the official documentation
https://wiki.mikrotik.com/wiki/Bruteforce_login_pr... :

1) add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

(mark every login attempt by adding the source to the ssh_stage1 list for 1 minute)

2) add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

(a second connection attempt from an IP that is already in ssh_stage1 is added to the ssh_stage2 list, also for 1 minute)

3) add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

(a third attempt is likewise moved from ssh_stage2 to ssh_stage3, again for 1 minute)

4) add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

(the fourth and any subsequent attempts should go to the ban list for 10 days)

5) add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

(and finally, ban everyone who is in ssh_blacklist)


The problem is that even with an authorized SSH connection I see the following picture: an honest IP ends up in all the lists, including the ban list (yes, I don't use the standard port 22):

[screenshot: 60e3fce1532eb883859185.png]

I even added a fifth "crutch" rule, an analogue of a delay, but it's useless.

It seems that I need to somehow detect a legitimate connection and skip further processing of its packets against the address lists, but what can you do when even a copy-paste from the official documentation doesn't work? I tried updating the firmware; it doesn't help.


2 answer(s)
Denis Melnikov, 2021-07-06
@NikZX

So, make another list, a white list, and just add to the rules: if the src address is not in the white list, then the rules apply.
Or have the first rule check for SSH and the white list, then jump to the rest of the rules.

add action=add-src-to-address-list address-list=blocked_honeypot address-list-timeout=1w1s chain=input connection-state=new in-interface=ether1 protocol=tcp src-address-list=!admin src-port=3389,22,8291
add action=drop chain=input src-address-list=blocked_honeypot
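
The symptom in the question and the whitelist suggested in the answer above can both be reproduced with a small model of how RouterOS walks the input chain. This is an added example by the editor, not code from the question, the answer or the MikroTik wiki. It assumes that add-src-to-address-list is a non-terminating action (the packet continues to the next rule, as it does in RouterOS) and that every connection in a run arrives inside the 1-minute address-list timeout, so timeouts are ignored. With the five rules in the order numbered in the question, one new connection is added to ssh_stage1 by rule 1 and then immediately matches rules 2, 3 and 4, so the address lands in every list, and rule 5 drops that same packet. With the order reversed (drop first, ssh_stage1 last), each new connection advances only one stage and only the fourth one within a minute reaches ssh_blacklist. The "admin" list and the addresses 192.0.2.10 and 203.0.113.5 are constructed test data.

```python
# Editor's model of RouterOS input-chain evaluation for the staged ssh_stage*
# rules. Assumptions: add-src-to-address-list is non-terminating (the packet
# keeps going to the next rule); accept and drop end evaluation; address-list
# timeouts are ignored because every packet in a run is assumed to arrive
# inside the 1-minute window.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                     # "add-src-to-address-list", "accept" or "drop"
    src_list: Optional[str] = None  # src-address-list= match; "!name" means NOT in list
    add_to: Optional[str] = None    # address-list= target for the add action
    new_only: bool = True           # connection-state=new


class Chain:
    def __init__(self, rules, lists=None):
        self.rules = rules
        # name -> set of source addresses; pre-populated lists model static entries
        self.lists = {k: set(v) for k, v in (lists or {}).items()}

    def in_list(self, name, src):
        return src in self.lists.get(name, set())

    def matches(self, rule, src, new):
        if rule.new_only and not new:
            return False
        if rule.src_list is None:
            return True
        if rule.src_list.startswith("!"):
            return not self.in_list(rule.src_list[1:], src)
        return self.in_list(rule.src_list, src)

    def packet(self, src, new=True):
        """Evaluate one packet top to bottom and return the chain's verdict."""
        for rule in self.rules:
            if not self.matches(rule, src, new):
                continue
            if rule.action in ("accept", "drop"):
                return rule.action
            if rule.action == "add-src-to-address-list":
                self.lists.setdefault(rule.add_to, set()).add(src)
                # non-terminating: fall through to the next rule
        return "accept"  # end of chain; this model has no default drop

    def memberships(self, src):
        return sorted(name for name, members in self.lists.items() if src in members)


def staged(src_list, add_to):
    return Rule("add-src-to-address-list", src_list, add_to)


# The five rules in the order numbered in the question (stage1 first, drop last).
QUESTION_ORDER = [
    staged(None, "ssh_stage1"),
    staged("ssh_stage1", "ssh_stage2"),
    staged("ssh_stage2", "ssh_stage3"),
    staged("ssh_stage3", "ssh_blacklist"),
    Rule("drop", "ssh_blacklist", new_only=False),
]
# Same rules, drop first and stage1 last: each new connection advances one stage.
REVERSED_ORDER = list(reversed(QUESTION_ORDER))

# The answer's honeypot variant: any source not in "admin" goes straight to the block list.
HONEYPOT = [
    staged("!admin", "blocked_honeypot"),
    Rule("drop", "blocked_honeypot", new_only=False),
]


def run(rules, src, attempts, lists=None):
    """Send `attempts` new connections from `src`; return (verdicts, lists src ended up in)."""
    chain = Chain(rules, lists)
    verdicts = [chain.packet(src) for _ in range(attempts)]
    return verdicts, chain.memberships(src)


if __name__ == "__main__":
    ip = "203.0.113.5"  # constructed address for the "stranger"
    admin = {"admin": {"192.0.2.10"}}  # constructed management address
    print("question order, 1 connection:", run(QUESTION_ORDER, ip, 1))
    print("reversed order, 5 connections:", run(REVERSED_ORDER, ip, 5))
    print("honeypot, admin host:", run(HONEYPOT, "192.0.2.10", 3, admin))
    print("honeypot, stranger:", run(HONEYPOT, ip, 1, admin))
```

Run it as a script to print the four scenarios. The practical consequence for the router is that the drop rule belongs at the top of the block and the ssh_stage1 rule at the bottom, and that the management addresses should be excluded before the staged rules (an accept for them, or src-address-list=!admin on each rule, as the answer suggests). Since the question says SSH is not on port 22, dst-port must also be the port actually in use, or the staged rules never match at all.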

Alexander Karabanov, 2021-07-06
@karabanov

Golden config for MikroTik
Presentation
