
Securing MikroTik Routers from Bruteforce Attacks




Maintaining the security of the router is one of the network administrator's obligations. A router is like a house: it is a private area that should not be accessible to just anyone.

Before connecting the router to the Internet, it is recommended to secure the router first. We have already covered the first steps to keeping the router secure, ranging from changing the router's default username and password and closing unused services to disabling neighbour discovery. The details of the 10 steps on how to secure a MikroTik router can be found in our article entitled First Steps to Maintaining Router Security.

This time we will share a small trick to prevent brute-force logins on MikroTik. A brute-force login is a method of attacking a system by trying all possible passwords.


When the Router has a Public IP we will usually find a view like the following:




From the user's point of view, this log information is very annoying, because the log records all activity that occurs on the router, including clients trying to log in to the router. From the router's side, many clients trying to access the router (brute force) will also overload the router's resources.

The steps we can take to secure the router from brute-force attacks are to close unused services, or to mark the attacker's IP address and then drop it. Closing unused services has been discussed in the following article: First Steps to Maintaining Router Security. To mark the attacker's IP address and then drop it, we can take advantage of the firewall feature on the router.


Securing FTP from Bruteforce attacks

In the first case, we will secure the router against brute-force FTP attacks. You can follow these steps:

/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

With the above configuration, when a user tries to log in to the router via FTP and fails more than 10 times, that user's IP address will be dropped for 3 hours. The configuration can be adjusted to your needs.


SSH Configuration

In the second case, we will secure the router against brute-force SSH attacks. You can follow the steps below:

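/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m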

 

With the above configuration, when a client tries to access the router remotely via SSH and fails to log in more than 3 times, the attacker's IP address will be dropped for 10 days. The configuration can be customized to your needs.
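
SSH traffic is encrypted, so the router has no failure string to match the way it matches FTP's "530 Login incorrect"; the SSH behaviour described above is usually built instead from a chain of short-lived address lists that count new connections. The Python model below is an added example, not code from the original article or from MikroTik; the list names (stage1 to stage3, blacklist) and the 1-minute stage timeout are assumptions of the model. It shows why the fourth new connection triggers the 10-day block and why the order of the promotion rules matters.

```python
# Added example: a Python model of staged address-list promotion (not RouterOS code).
STAGE_TIMEOUT = 60               # seconds; assumed 1m timeout on each stage list
BLACKLIST_TIMEOUT = 10 * 86400   # 10 days, the block duration the article states


class StagedLimiter:
    def __init__(self):
        # list name -> {source address: expiry time in seconds}
        names = ("stage1", "stage2", "stage3", "blacklist")
        self.lists = {name: {} for name in names}

    def _member(self, name, src, now):
        return self.lists[name].get(src, 0) > now

    def _add(self, name, src, now, timeout=STAGE_TIMEOUT):
        # Modelling assumption: re-adding an address restarts its timeout.
        self.lists[name][src] = now + timeout

    def new_connection(self, src, now):
        """Handle one new TCP connection to port 22; return 'drop' or 'accept'."""
        # The drop rule sits first, so a blacklisted source never reaches the stages.
        if self._member("blacklist", src, now):
            return "drop"
        # Promotion rules run highest stage first. Adding to a list does not stop
        # rule processing, so the reverse order would walk one connection through
        # every stage in a single pass.
        if self._member("stage3", src, now):
            self._add("blacklist", src, now, BLACKLIST_TIMEOUT)
        if self._member("stage2", src, now):
            self._add("stage3", src, now)
        if self._member("stage1", src, now):
            self._add("stage2", src, now)
        self._add("stage1", src, now)
        return "accept"


def replay(src, times):
    """Feed connection timestamps (seconds) for one source; return the verdicts."""
    limiter = StagedLimiter()
    return [limiter.new_connection(src, t) for t in times]


if __name__ == "__main__":
    # Constructed input: five connections ten seconds apart from a documentation address.
    print(replay("198.51.100.7", [0, 10, 20, 30, 40]))
```

Because this design counts new connections rather than failed passwords, successful logins are counted too, so a rule accepting trusted management addresses belongs ahead of the drop rule.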


Source: https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

Dani31