How To Configure BruteForce Login Prevention On A Mikrotik Router

Brute-force attacking is one of the most commonly used password cracking methods used by hackers. The attack is basically a trial-and-error procedure where the attacker attempts to enter login credentials for a device, such as a network router, countless times until they gain access. This tutorial provides a guide on how to configure brute-force login prevention on a Mikrotik router using only Winbox and its built-in command line interface.

Requirements

In order to complete this tutorial successfully, the following items are required. Please make sure you have them available before implementing the steps in this tutorial:
1) 1 x Mikrotik Router
2) 1 x Desktop or laptop computer with Windows or MacOS installed
3) 1 x Winbox utility
4) 1 x RouterOS admin account access
5) 1 x Internet connection (optional)

Step One : Login To The Mikrotik Router And Configure Brute Force Login Prevention - Winbox CLI Method

1) Launch the Winbox desktop app and click on the “NEIGHBORS” tab to view the available Mikrotik devices on your network. Double click on the IP ADDRESS of the router you would like to configure; this will populate the CONNECT TO input box. Enter the router username and password in the LOGIN and PASSWORD fields and click on the CONNECT button.

2) Next click on the NEW TERMINAL button on the Winbox dashboard. This will open a terminal window inside Winbox.
3) Type in the following commands one at a time and in the order shown, or copy them and paste them directly into the terminal in Winbox. These rules allow only 10 incorrect FTP login answers per minute; an address that keeps failing is added to the ftp_blacklist list for 3 hours and its FTP traffic is dropped.
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
4) Next configure brute-force login prevention for attacks attempted through SSH, so that an SSH brute forcer is banned for 10 days after repeated attempts. Each new SSH connection moves the source address one step through the ssh_stage1, ssh_stage2 and ssh_stage3 lists, where an entry lasts one minute; a fourth new connection within that minute puts the address in ssh_blacklist for 10 days, and the first rule then drops its SSH traffic. Type in the following commands one at a time and in exactly the order shown below: the firewall evaluates rules top down, and this order is what limits an address to one stage per connection. You can also copy these commands and paste them directly into the terminal in Winbox.
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
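To see how the staged lists above behave, here is an added Python model (not part of the tutorial and not RouterOS code) that walks new SSH connections through the five rules: a constructed attacker address that reconnects every 10 seconds is blacklisted on the fourth attempt and dropped from the fifth, one that waits longer than the 1m stage timeout never escalates, and entering the same rules in reverse order drops the very first connection of every client. The model assumes that an add-src-to-address-list action takes effect immediately for the packet being evaluated and that processing continues to the next rule.

```python
from dataclasses import dataclass, field

MIN, DAY = 60, 86400          # address-list-timeout values from the rules: 1m and 10d

@dataclass
class Rule:
    src_list: "str | None"    # src-address-list to match; None = match any source
    action: str               # "drop" or "add:<address-list>:<timeout-seconds>"

@dataclass
class Firewall:
    rules: list
    lists: dict = field(default_factory=dict)   # (list name, ip) -> expiry time

    def in_list(self, name, ip, now):
        expiry = self.lists.get((name, ip))
        return expiry is not None and expiry > now

    def new_ssh_connection(self, ip, now):
        """Pass one new TCP/22 connection from ip through the input chain, top down."""
        for rule in self.rules:
            if rule.src_list and not self.in_list(rule.src_list, ip, now):
                continue
            if rule.action == "drop":
                return "drop"
            # add-src-to-address-list is non-terminating; modelled (assumption) as taking
            # effect at once, which is why the tutorial orders blacklist -> stage3 -> ... -> stage1
            _, name, timeout = rule.action.split(":")
            self.lists[(name, ip)] = now + int(timeout)
        return "pass"

# The five SSH rules in the order the tutorial gives them.
TUTORIAL_ORDER = [
    Rule("ssh_blacklist", "drop"),
    Rule("ssh_stage3", f"add:ssh_blacklist:{10 * DAY}"),
    Rule("ssh_stage2", f"add:ssh_stage3:{MIN}"),
    Rule("ssh_stage1", f"add:ssh_stage2:{MIN}"),
    Rule(None, f"add:ssh_stage1:{MIN}"),
]
# The same rules entered bottom-up, to show why the order matters.
REVERSED_ORDER = list(reversed(TUTORIAL_ORDER))

def first_dropped_attempt(rules, interval_s, ip="198.51.100.7", max_attempts=50):
    """Number of the first new connection dropped when ip reconnects every interval_s
    seconds (ip is a constructed documentation address); None if never dropped."""
    fw = Firewall(list(rules))
    for n in range(1, max_attempts + 1):
        if fw.new_ssh_connection(ip, now=(n - 1) * interval_s) == "drop":
            return n
    return None
```

Calling first_dropped_attempt(TUTORIAL_ORDER, 10) returns 5, first_dropped_attempt(TUTORIAL_ORDER, 90) returns None, and first_dropped_attempt(REVERSED_ORDER, 10) returns 1.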

5) AWESOME! You have successfully configured brute-force login prevention on a Mikrotik router.