MikroTik Fail2Ban (Blocking Brute Force Attacks)

Several options for protecting MikroTik devices against brute-force attacks (a MikroTik Fail2Ban) on Winbox, Web or SSH connections using the MikroTik Firewall: simple blocking of the attacker's IP address after the first incorrect password attempt, or blocking of the IP address after several password attempts. Tested on RouterOS 7.

Select the Fail2Ban option for the login method you actually use; it is not necessary to enable all available login methods on the MikroTik device (I only use Winbox).

In this article, I use Jump chains in MikroTik Firewall because they are less CPU intensive, and the blocking method used in the article is easy to adapt and extend.

[Figure: MikroTik Fail2Ban - Blocking Brute Force Attacks: SSH, Web, Winbox (MHelp.pro). Example MikroTik Firewall rules protecting against brute-force attacks on SSH, Web and Winbox connections.]

✏️ Attention: a brute-force attack on a device can also come from an internal, trusted network (and it is very important to find out about this in time), so under the rules below every attacking IP address is put on the BlackList, regardless of where it comes from.


Fail2Ban Winbox (MikroTik Winbox Brute Force Protection)

Protecting MikroTik from a brute-force attack on Winbox connections (by IP address) using the MikroTik Firewall. For each incorrect password attempt via Winbox, MikroTik sends back the plain text "invalid user name or password".

Information:

  • Chain: output
  • Protocol: 6 (tcp)
  • Src. Port: 8291
  • Content: invalid user name or password

1 attempt

Blocking after one wrong password attempt:

/ip firewall filter add action=add-dst-to-address-list address-list=BlackList address-list-timeout=10m chain=output comment="F2B Winbox: Login Failure -> BlackList" content="invalid user name or password" protocol=tcp src-port=8291

3 attempts

Blocking the destination IP address after three incorrect password attempts.

Description:

  • If the packet matches the conditions, packet processing is sent to the Fail2Ban-Destination-IP chain;
  • If the destination IP address is already in the LoginFailure02 list, the destination IP address is added to the BlackList for 10 minutes;
  • If the destination IP address is already in the LoginFailure01 list, the destination IP address is added to the LoginFailure02 list for 2 minutes;
  • the destination IP address is added to the LoginFailure01 list, for 1 minute.

Rules:

/ip firewall filter add action=jump chain=output comment="F2B Winbox: Jump to Fail2Ban-Destination-IP chain" content="invalid user name or password" jump-target=Fail2Ban-Destination-IP protocol=tcp src-port=8291
/ip firewall filter add action=add-dst-to-address-list address-list=BlackList address-list-timeout=10m chain=Fail2Ban-Destination-IP comment="3 Attempt --> BlackList" dst-address-list=LoginFailure02
/ip firewall filter add action=add-dst-to-address-list address-list=LoginFailure02 address-list-timeout=2m chain=Fail2Ban-Destination-IP comment="2 Attempt --> LoginFailure02" dst-address-list=LoginFailure01
/ip firewall filter add action=add-dst-to-address-list address-list=LoginFailure01 address-list-timeout=1m chain=Fail2Ban-Destination-IP comment="1 Attempt --> LoginFailure01"

Fail2Ban Web (MikroTik Web Brute Force Protection)

Protecting MikroTik from password Brute Force when connecting via the Web interface using MikroTik Firewall. On an invalid access attempt, MikroTik sends a response message containing the plain text “Error 403“.

80 is the default port of the MikroTik Web interface; I recommend changing it. In the example a non-standard port, 90, is specified. In the article "MikroTik Protection (basic device security setting)", TCP port 80 is used as a trap to block port scanners.

Information:

  • Chain: output
  • Protocol: 6 (tcp)
  • Src. Port: Web port (example: 90)
  • Content: Error 403

1 attempt

Blocking after one wrong password attempt:

/ip firewall filter add action=add-dst-to-address-list address-list=BlackList address-list-timeout=10m chain=output comment="F2B Web: Login Failure -> BlackList" connection-state=established content="Error 403" protocol=tcp src-port=90

3 attempts

Blocking the destination IP address after three incorrect password attempts.

Description:

  • If the packet matches the conditions, packet processing is sent to the Fail2Ban-Destination-IP chain;
  • If the destination IP address is already in the LoginFailure02 list, the destination IP address is added to the BlackList for 10 minutes;
  • If the destination IP address is already in the LoginFailure01 list, the destination IP address is added to the LoginFailure02 list for 2 minutes;
  • the destination IP address is added to the LoginFailure01 list, for 1 minute.

Rules:

/ip firewall filter add action=jump chain=output comment="F2B Web: Jump to Fail2Ban-Destination-IP chain" connection-state=established content="Error 403" jump-target=Fail2Ban-Destination-IP protocol=tcp src-port=90
/ip firewall filter add action=add-dst-to-address-list address-list=BlackList address-list-timeout=10m chain=Fail2Ban-Destination-IP comment="3 Attempt --> BlackList" dst-address-list=LoginFailure02
/ip firewall filter add action=add-dst-to-address-list address-list=LoginFailure02 address-list-timeout=2m chain=Fail2Ban-Destination-IP comment="2 Attempt --> LoginFailure02" dst-address-list=LoginFailure01
/ip firewall filter add action=add-dst-to-address-list address-list=LoginFailure01 address-list-timeout=1m chain=Fail2Ban-Destination-IP comment="1 Attempt --> LoginFailure01"

Fail2Ban SSH (MikroTik SSH Brute Force Protection)

Protecting MikroTik (Fail2Ban) from brute-force attacks on SSH connections using the MikroTik Firewall. When it prompts for a password over SSH, the MikroTik device sends a new packet of 304 bytes to the destination address, so we track the number of such packets exchanged with a specific IP address.

✏️ Blocking brute-force attacks by connection-state New is not reliable (I often see this recommendation on the Internet). The New state is assigned to a connection when a client connects to the device, but the number of password attempts possible within that one connection depends on the client program. After entering the user's login, an attacker can try from 3 to 7 different passwords before the connection is terminated.

[Figure: PuTTY drops the SSH connection after 7 bad password attempts, i.e. 7 guesses per connection before disconnecting.]

Information:

  • Chain: input
  • Protocol: 6 (tcp)
  • Dst. Port: 22
  • Connection State: established
  • Packet Size: 304
  • TCP Flags: psh, ack

1 attempt

Blocking after one wrong password attempt:

/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=10m chain=input comment="F2B SSH: Login Failure -> BlackList" connection-state=established dst-port=22 packet-size=304 protocol=tcp

3 attempts

Blocking the source IP address after three incorrect password attempts.

Description:

  • If the packet matches the conditions, packet processing is sent to the Fail2Ban-Source-IP chain;
  • If the source IP address is in the LoginFailure02 list, the source IP address is added to the BlackList, for 10 minutes;
  • If the source IP address is in the LoginFailure01 list, the source IP address is added to the LoginFailure02 list for 2 minutes;
  • the source IP address is added to the LoginFailure01 list, for 1 minute.

Rules:

/ip firewall filter add action=jump chain=input comment="F2B SSH: Jump to Fail2Ban-Source-IP chain" connection-state=established dst-port=22 jump-target=Fail2Ban-Source-IP packet-size=304 protocol=tcp
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=10m chain=Fail2Ban-Source-IP comment="3 Attempt --> BlackList" src-address-list=LoginFailure02
/ip firewall filter add action=add-src-to-address-list address-list=LoginFailure02 address-list-timeout=2m chain=Fail2Ban-Source-IP comment="2 Attempt --> LoginFailure02" src-address-list=LoginFailure01
/ip firewall filter add action=add-src-to-address-list address-list=LoginFailure01 address-list-timeout=1m chain=Fail2Ban-Source-IP comment="1 Attempt --> LoginFailure01"

BlackList

We drop all traffic from IP addresses on the BlackList list. The rule is placed in the Firewall Raw chain (prerouting), so blacklisted packets are discarded before they reach the filter chains.

/ip firewall raw
add action=drop chain=prerouting comment="Drop all" src-address-list=BlackList

This article discussed how to configure protection against brute-force attacks (MikroTik Fail2Ban) on a MikroTik device using the MikroTik Firewall. I hope you can now set up Fail2Ban protection for Winbox, Web and SSH connections. If you encounter any problems while setting it up, feel free to write in the comments; I will try to help.

1 thought on “MikroTik Fail2Ban (Blocking Brute Force Attacks)”

  1. Hello,
    Your “Fail2Ban SSH” will never work because it waits for established TCP packets, but they are already dealt with by an existing default rule (defconf: accept established,related,untracked).

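The escalation chains in the three "3 attempts" sections, the BlackList drop in the raw chain, and the rule-ordering problem raised in the comment can all be checked with a small model of how RouterOS walks a filter chain. What follows is an added Python example, not code from the article or from MikroTik. The Rule and Firewall classes, the simulate and stage helpers, the failure timestamps and the address 203.0.113.7 are constructed for the demonstration; the model uses the SSH (source-address) variant, and the Winbox and Web chains behave identically with the destination address. It assumes that accept and drop terminate, that a jump returns to the parent chain when the sub-chain ends without a verdict, and that add-*-to-address-list does not terminate (the packet continues to the next rule).

```python
"""Constructed model of how RouterOS walks the filter chains used in the
3-attempt rules above (added example, not RouterOS or the article's code).
Assumed semantics: rules evaluate top to bottom; accept/drop terminate;
jump enters a sub-chain and falls back to the parent if that chain ends
without a verdict; add-*-to-address-list records the address with a timeout
and lets the packet continue to the next rule."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    chain: str
    action: str                    # "accept", "drop", "jump" or "add-to-list"
    state: Optional[str] = None    # connection-state matcher, e.g. "established"
    in_list: Optional[str] = None  # src-/dst-address-list matcher
    target: Optional[str] = None   # jump-target or address-list name
    timeout: int = 0               # address-list-timeout in seconds
    comment: str = ""


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}  # address-list name -> {ip: expiry time}

    def on_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def _matches(self, rule, packet, now):
        if rule.state and rule.state != packet["state"]:
            return False
        return not rule.in_list or self.on_list(rule.in_list, packet["ip"], now)

    def process(self, chain, packet, now):
        """Run one packet through a chain; return "accept", "drop" or None."""
        for rule in (r for r in self.rules if r.chain == chain):
            if not self._matches(rule, packet, now):
                continue
            if rule.action in ("accept", "drop"):
                return rule.action
            if rule.action == "jump":
                verdict = self.process(rule.target, packet, now)
                if verdict is not None:
                    return verdict
            elif rule.action == "add-to-list":
                self.lists.setdefault(rule.target, {})[packet["ip"]] = now + rule.timeout
        return None  # fell off the end of the chain


def fail2ban_chain(name="Fail2Ban-Source-IP", highest_stage_first=True):
    """The article's three stage rules with its timeouts (10m, 2m, 1m)."""
    stages = [
        Rule(name, "add-to-list", in_list="LoginFailure02", target="BlackList",
             timeout=600, comment="3 Attempt --> BlackList"),
        Rule(name, "add-to-list", in_list="LoginFailure01", target="LoginFailure02",
             timeout=120, comment="2 Attempt --> LoginFailure02"),
        Rule(name, "add-to-list", target="LoginFailure01",
             timeout=60, comment="1 Attempt --> LoginFailure01"),
    ]
    return stages if highest_stage_first else list(reversed(stages))


def ruleset(jump_before_accept=True, highest_stage_first=True):
    """Raw-chain BlackList drop, then the input chain holding the F2B jump and
    the default 'accept established' rule in the chosen order."""
    raw = [Rule("prerouting", "drop", in_list="BlackList", comment="Drop all")]
    jump = Rule("input", "jump", state="established", target="Fail2Ban-Source-IP",
                comment="F2B SSH: Jump to Fail2Ban-Source-IP chain")
    accept = Rule("input", "accept", state="established",
                  comment="defconf: accept established,related,untracked")
    inp = [jump, accept] if jump_before_accept else [accept, jump]
    return raw + inp + fail2ban_chain(highest_stage_first=highest_stage_first)


def simulate(failure_times, ip="203.0.113.7", **order):
    """Feed one password-failure packet per timestamp (seconds) from ip
    (constructed test address). Returns (firewall, per-packet verdicts)."""
    fw = Firewall(ruleset(**order))
    packet = {"ip": ip, "state": "established"}
    verdicts = []
    for now in failure_times:
        verdict = fw.process("prerouting", packet, now)  # raw drop first
        if verdict != "drop":
            verdict = fw.process("input", packet, now)
        verdicts.append(verdict)
    return fw, verdicts


def stage(fw, ip, now):
    """Highest escalation list the ip is currently on, or None."""
    for name in ("BlackList", "LoginFailure02", "LoginFailure01"):
        if fw.on_list(name, ip, now):
            return name
    return None
```

With the article's order, three failures within the timeouts put the address on BlackList and the fourth packet is dropped in prerouting. With the stage rules in 1 → 2 → 3 order a single failure cascades straight through to BlackList, which is why the article lists them from the highest stage down. With the defconf accept rule ahead of the jump, the Fail2Ban chain is never reached, which is the ordering problem the comment describes; on a real router the jump rule has to sit above that accept rule, for example by adding it with place-before=[find comment="defconf: accept established,related,untracked"] (a RouterOS add parameter, not part of the article's rules). The timeouts also define the counting window: failures spaced further apart than address-list-timeout restart from LoginFailure01, so lengthen them if the window is too short for your environment.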
