Shoutout to Druvis. Keep those videos coming, good stuff! 👍
May I buy the training materials only (e.g. that workbook)? Because I am interested in learning, not in certification.
I wrote this a few years ago and called it 3 strikes. I used firewall jump. What I fell short on... Having the ability to remove an IP from the address list once you got in.
Very thankful, Eng. Druvis, for your explanation, but a question to ask:
What is the meaning of "not secured" in the third connection rule?
What would be really nice is if Winbox connections could be secured with RSA keys just like SSH can be. You're not going to brute force a 4096-bit RSA key... Password authentication is just bad practice. You already have the ability to authenticate connections to your router with RSA keys via SSH; extend that to support logins via Winbox as well.
Opening port 22 on WAN is bad practice, do not do that. Even with RSA SSH keys an attacker can DoS your router just by overloading the CPU. So RSA will not help you.
@@alexn4976 Port is irrelevant; an advanced attacker will eventually discover the SSH server and begin attacking that port. Being that advanced or determined, they most likely will also have multiple IPs available. I believe I have seen that happen: I picked out a pattern of usernames in the attempts that suggested they were the same dictionary, no randomization.
@@stevebot Do not open SSH on WAN, use a VPN. Or if you still have to, you can protect the router with PSD.
Any chance to add native support for the CrowdSec community IPS? That would be awesome as well.
For some reason it doesn't work when SSH is enabled from the outside, only when it's on the local area network.
What happens if the attack comes from bot farms? Tens or hundreds of unique IPs each second. Memory overflow?
This is a bit of a hacky workaround. Surely it'd be better if you just added this sort of functionality natively to RouterOS to begin with?
Even better would be to block SSH and mgmt from the outside by default.
@@ON3RVH There should also be built-in brute-force blocking for VPNs like L2TP/SSTP etc.
@@netbootdisk I'm pretty sure it could be done using MikroTik's native scripting. Still, it's better to use VPNs that support Public Key Certificates for authentication, e.g. OpenVPN, and forget about all XXtp ones.
Can these rules be used for Winbox port by simply adding it to the port list?
I was looking at the intro like: "Why is he holding a probe lens?"... *visible worry*
You're essentially recreating the wheel that fail2ban already created.
You can do one thing in many ways; the result is the same. BTW, fail2ban was only released in 2004, but MikroTik RouterOS has had these capabilities since the late 90s.
Just some camera equipment…?! That's a probe lens which is not cheap! 😬
Allow for online courses rather than the current course structure.
How can I block reggaeton music?
If you wanted to secure a device behind your Tik and wanted to make sure not to blacklist a legit user, you could monitor whether there was an open connection where more than the bytes needed to authenticate were exchanged!
How to protect MikroTik from attacks on connections?
Explained in the video.
@@mikrotik
Protection from IP depletion in MikroTik.
Post the manual please.
Never, EVER allow SSH or any management or insecure protocol on the outside of your network unless it comes from hosts that YOU manage and know for sure are secure. Otherwise use a management subnet.
That’s a given! But sometimes you must open it from a local network, in those situations, better use multiple layers of security (see our other recent videos about that)
@@mikrotik I don't see any reason why you would have to open it to the internal network unless you trust that network. That is why you have a management network or management hosts.
Dru best!
This video is an ad for paid training courses. :(
I use this technique only to toy with the attackers (human or not) and only "blacklist" them to build lists of rogue IPs.
Everyone should disable password authentication for SSH and use Public Key authentication instead.
We have a video about that too; you must watch it as a series.
@@mikrotik I probably expected to learn something new in this video. I think it could be better, with more insight and recommendations, and also marked as "Basic" in the title. I hope you will make "advanced" videos about L2 routing protocols, policy-based routing tables, VLANs, advanced scripting, how and when to use advanced tools effectively, etc. About anything that requires a setup of 3 or more MikroTik devices.
Poor man's fail2ban. Precede your last drop-all rule with a rule to add the src addr to a drop list. Deny that drop list from anything that you must have open, e.g. your secure VPN port(s).
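As an added example (not from the video or from anyone in this thread), this is how the staged address-list approach from the comment above and the "3 strikes" idea earlier in the thread look as RouterOS firewall filter rules. The list names, the 22/tcp port, the timeouts and the `mgmt_allow` list are assumptions chosen for illustration; the blacklist drop is deliberately not limited to port 22 so listed sources are also kept off the other open ports.

```routeros
/ip firewall filter
# Keep existing sessions working regardless of what follows
add chain=input connection-state=established,related action=accept \
    comment="established/related"
# Trusted admin hosts (assumed list name: mgmt_allow) never reach the counters
add chain=input src-address-list=mgmt_allow action=accept \
    comment="trusted management hosts"
# Anyone already on the blacklist is dropped on every port, not just SSH
add chain=input src-address-list=ssh_blacklist action=drop \
    comment="drop known brute-forcers"
# Strike 3: a new connection while still in stage2 lands the source on the long list
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1d comment="strike 3"
# Strike 2: a new connection while still in stage1
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="strike 2"
# Strike 1: first new connection from an unknown source starts the window
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="strike 1"
# add-src-to-address-list passes through, so the connection still needs an accept
add chain=input protocol=tcp dst-port=22 action=accept comment="ssh"
# The usual catch-all stays last
add chain=input action=drop comment="drop everything else"
```

The order matters: the stage checks go from highest to lowest so a single packet is counted once per stage, and the drop-all stays last. An address that gets listed by mistake has to be removed by hand, e.g. `/ip firewall address-list remove [find list=ssh_blacklist address=203.0.113.5]` (placeholder address).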
Fail2Ban was created much later than this method but ok 🙂
The MT is not an edge router; it cannot handle such attacks. Don't waste your time. This is the job of your ISP and further up the food chain. Such configurations create bloatware in the config, leading to config errors and difficulty troubleshooting. Focus on needed traffic! Drop all else. KISS.