BILLYSOFTACADEMY

A Step By Step Guide On How To Configure BruteForce Login Prevention On A Mikrotik Router

Introduction

Brute-force attacking is one of the most commonly used password-cracking methods. It is a trial-and-error procedure in which the attacker submits login credentials to a device such as a network router over and over until a guess succeeds. Configuring brute-force login prevention on a MikroTik router is an important task for network administrators who want to protect their network from this kind of attack. This guide gives step-by-step instructions for setting up brute-force login prevention on a MikroTik router. It covers the firewall rules that rate-limit and blacklist offending sources, the authentication settings, and more.

What is BruteForce Login Prevention & How Does it Help Secure Your Network?

Brute-force login prevention is a security measure that protects your network from unauthorized access. It works by detecting repeated attempts to guess a user's password and blocking the source of those attempts, so that an attacker cannot simply keep trying until they find the right one. By using it you reduce the risk of a compromised router, and with it the risk of data breaches and other attacks against the network behind it.

Requirements

To complete this tutorial the following items are required. Make sure you have them available before you start:
1) 1 x Mikrotik Router.
2) 1 x Desktop or laptop computer with Windows or macOS installed
3) 1 x Winbox utility.
4) 1 x RouterOS admin account access.
5) 1 x Internet connection (optional).

Overview

1) Download the WinBox utility from the official download page
2) Open the WinBox app and log in to the router
3) Open the terminal and configure the firewall to block FTP and SSH brute-force attacks
4) Block all unnecessary IP services and configure authentication settings
5) Configure Fail2Ban to prevent brute-force attacks on the Web Admin interface

Step 1: Download the WinBox utility from the official download page

The first step is to download the WinBox utility from the official download page. Go to mikrotik.com, click the Software tab, then click the WinBox button and choose the 32-bit or 64-bit build, depending on your system architecture. The WinBox app is less than 10 MB in size.

Step 2: Open the WinBox app and log in to the router

1) Launch the WinBox desktop app and click the NEIGHBORS tab to list the MikroTik devices on your network. Double-click the IP ADDRESS of the router you want to configure; this populates the CONNECT TO box. Enter the router username and password in the LOGIN and PASSWORD fields and click the CONNECT button.
2) Next click the NEW TERMINAL button in the WinBox window. This opens a terminal inside WinBox.

3) Type the following commands one at a time, in the order shown (you can also copy them and paste them directly into the terminal in WinBox). They enter the /ip firewall filter menu and add three rules. The first drops FTP traffic from any source that is already on the ftp_blacklist address list. The second accepts the router's own "530 Login incorrect" replies at roughly 10 per minute per client (dst-limit with a rate of 1 per minute and a burst of 9, tracked per destination address). The third catches any reply beyond that limit and adds the client's address to ftp_blacklist for 3 hours. Because these rules match the text of the FTP reply, they only work for plain, unencrypted FTP served by the router itself:

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

4) Next configure brute-force login prevention for SSH. These rules use a chain of temporary address lists: the first new SSH connection from a source puts that source on ssh_stage1 for one minute, a second connection within that minute moves it to ssh_stage2, a third to ssh_stage3, and a fourth adds it to ssh_blacklist for 10 days, after which the first rule drops all of its SSH traffic. Note that the rules count new TCP connections to port 22, not failed logins, so an administrator who opens several sessions in quick succession can lock themselves out, and an attacker who spaces attempts more than a minute apart never escalates past ssh_stage1. Type in the following commands one at a time and in the order shown (or copy and paste them into the terminal in WinBox):

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
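As an added example, not part of the original tutorial, the following block shows what a practitioner would normally add alongside the rules from steps 3 and 4: an accept rule for trusted management hosts so that an administrator cannot be locked out by the staging rules, a matching forward-chain drop so a blacklisted source is also kept away from SSH servers behind the router, switching off router services that are not needed, and the commands used to check that the rules are working. The management subnet 192.168.88.0/24, the address-list name admin_hosts and the rule comments are assumptions; substitute your own.

```routeros
# Added example (not from the original page).

# 1. Trusted management hosts. 192.168.88.0/24 is a hypothetical subnet and
#    admin_hosts a hypothetical list name; change both to match your network.
/ip firewall address-list
add list=admin_hosts address=192.168.88.0/24 comment="trusted management subnet"

/ip firewall filter
# 2. Accept FTP/SSH from trusted hosts before any staging or drop rule sees them.
#    Filter rules are evaluated top-down, so this rule must sit ABOVE the
#    ssh_stage/ssh_blacklist rules: add it before running steps 3 and 4, or drag
#    it to the top afterwards in WinBox (IP > Firewall > Filter Rules).
add chain=input protocol=tcp dst-port=21,22 src-address-list=admin_hosts \
    action=accept comment="allow trusted admins before brute-force rules"

# 3. The tutorial's rules only protect the router itself (chain=input). This
#    also drops blacklisted sources that try to reach SSH hosts behind the router.
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers (forward)"

# 4. Reduce the attack surface: disable services that are not in use and limit
#    SSH to the management subnet. FTP is left enabled here only because the
#    tutorial protects it; disable it too if nothing needs it. Omit the
#    "set ssh address" line if SSH must stay reachable from anywhere.
/ip service
disable telnet
disable www
disable api
disable api-ssl
set ssh address=192.168.88.0/24

# 5. Verify: show every source currently staged or banned (with the time left
#    on each entry) and confirm the brute-force rules are counting packets.
/ip firewall address-list print where list~"ssh_|ftp_"
/ip firewall filter print stats where comment~"brute"
```

The address-list print lets you watch an attacking address climb from ssh_stage1 to ssh_blacklist, and the filter stats show the packet and byte counters of each rule, which should rise while a blacklisted source keeps retrying. Keep in mind that everything here lives under /ip, so it only covers IPv4; if the router has IPv6 connectivity, the SSH service is reachable over IPv6 as well and needs equivalent rules under /ipv6 firewall filter.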

5)

6)

7) Awesome! You have successfully configured brute-force login prevention on a MikroTik router.