RFC Login Brute Force Protection Chain


The text file version is located here: RFC_Login_Brute_Force_Protection_Chain

#########################################################################################################
# Rick Frey Consulting Login Brute Force Protection Chain #
#########################################################################################################
# Author: Rick Frey #
# email: rickfrey1000@gmail.com #
# Username in MikroTik Forum is rickfrey #
#########################################################################################################
# License #
# This script has been created for use by the general public and may be used freely. #
#########################################################################################################
#########################################################################################################
# Features
# – Escalates a source through three short-lived stage lists; the 4th new connection from the same source within the window (each stage entry expires after 1 minute, so about 3 minutes end to end) moves it to a blacklist that is dropped for 4w2d.
# – Counts new TCP connections, not failed logins: a legitimate admin who reconnects four times in quick succession is blacklisted too. Exempt trusted management addresses and keep an out-of-band path to the router (console / MAC-Winbox) before enabling.
# – Protects the SSH (22), Telnet (23), Winbox (8291), and FTP (21) services
#########################################################################################################

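/ip firewall filter
# NOTE(review): RouterOS only accepts plain ASCII double quotes. The published
# page used typographic quotes, which the CLI/import rejects; all quotes below
# are ASCII so the script can be pasted as-is.
#
# Placement: "add" appends to the END of a chain. The drop and jump rules below
# only take effect if no earlier input rule already accepts the service (for
# example a blanket accept from the LAN). Move them above any such rule.
#
# Caveat: the stage lists count NEW TCP connections to the service port, not
# failed logins. Four connections from one source within the stage windows
# (each stage entry lives 1 minute) blacklist that source for 4w2d even if
# every login succeeded. Add an accept rule above the drop rules for your
# trusted management addresses, and keep an out-of-band path (console /
# MAC-Winbox) so a self-lockout is recoverable. Because a source is listed on
# its first SYN, before any handshake completes, a forged SYN with a spoofed
# source can also place a third party's address on the blacklist; if that
# matters, restrict the jump rules to the untrusted (WAN) in-interface.
#
# Blacklist enforcement: listed sources are dropped on input (traffic to the
# router itself) and on forward in both directions, so LAN hosts cannot reach a
# listed address either.
add action=drop chain=input comment="Drop anyone in the Black List (SSH)" src-address-list="Black List (SSH)"
add action=drop chain=forward comment="Drop anyone in the Black List (SSH)" src-address-list="Black List (SSH)"
add action=drop chain=forward comment="Drop anyone in the Black List (SSH)" dst-address-list="Black List (SSH)"
add action=drop chain=input comment="Drop anyone in the Black List (Telnet)" src-address-list="Black List (Telnet)"
add action=drop chain=forward comment="Drop anyone in the Black List (Telnet)" src-address-list="Black List (Telnet)"
add action=drop chain=forward comment="Drop anyone in the Black List (Telnet)" dst-address-list="Black List (Telnet)"
add action=drop chain=input comment="Drop anyone in the Black List (Winbox)" src-address-list="Black List (Winbox)"
add action=drop chain=forward comment="Drop anyone in the Black List (Winbox)" src-address-list="Black List (Winbox)"
add action=drop chain=forward comment="Drop anyone in the Black List (Winbox)" dst-address-list="Black List (Winbox)"
add action=drop chain=input comment="Drop anyone in the Black List (FTP)" src-address-list="Black List (FTP)"
add action=drop chain=forward comment="Drop anyone in the Black List (FTP)" src-address-list="Black List (FTP)"
add action=drop chain=forward comment="Drop anyone in the Black List (FTP)" dst-address-list="Black List (FTP)"
#
# SSH (tcp/22). Each stage rule promotes a source that is already in the
# previous stage list, and every new connection (re)adds the source to Stage 1.
# The rules are ordered blacklist -> Stage 3 -> Stage 2 -> Stage 1 on purpose:
# add-src-to-address-list does not stop rule processing, and with this order a
# single packet can only advance a source by one stage (the stage it is
# promoted to is checked before the rule that would promote it again).
add action=jump chain=input comment="Jump to RFC SSH Chain" dst-port=22 jump-target="RFC SSH Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=4w2d chain="RFC SSH Chain" \
    comment="Transfer repeated attempts from SSH Stage 3 to Black-List" connection-state=new dst-port=22 protocol=tcp \
    src-address-list="SSH Stage 3"
add action=add-src-to-address-list address-list="SSH Stage 3" address-list-timeout=1m chain="RFC SSH Chain" \
    comment="Add successive attempts to SSH Stage 3" connection-state=new dst-port=22 protocol=tcp \
    src-address-list="SSH Stage 2"
add action=add-src-to-address-list address-list="SSH Stage 2" address-list-timeout=1m chain="RFC SSH Chain" \
    comment="Add successive attempts to SSH Stage 2" connection-state=new dst-port=22 protocol=tcp \
    src-address-list="SSH Stage 1"
add action=add-src-to-address-list address-list="SSH Stage 1" address-list-timeout=1m chain="RFC SSH Chain" \
    comment="Add initial attempt to SSH Stage 1 List" connection-state=new dst-port=22 protocol=tcp
# Explicit return to the input chain (the chain would also fall through to the
# caller once its last rule is evaluated).
add action=return chain="RFC SSH Chain" comment="Return From RFC SSH Chain"
# Disabled no-op rule used purely as a visual separator in the rule list.
add action=accept chain=output comment="Section Break" disabled=yes
#
# Telnet (tcp/23). Same three-stage escalation as SSH.
add action=jump chain=input comment="Jump to RFC Telnet Chain" dst-port=23 jump-target="RFC Telnet Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Telnet)" address-list-timeout=4w2d chain="RFC Telnet Chain" \
    comment="Transfer repeated attempts from Telnet Stage 3 to Black-List" connection-state=new dst-port=23 protocol=tcp \
    src-address-list="Telnet Stage 3"
add action=add-src-to-address-list address-list="Telnet Stage 3" address-list-timeout=1m chain="RFC Telnet Chain" \
    comment="Add successive attempts to Telnet Stage 3" connection-state=new dst-port=23 protocol=tcp \
    src-address-list="Telnet Stage 2"
add action=add-src-to-address-list address-list="Telnet Stage 2" address-list-timeout=1m chain="RFC Telnet Chain" \
    comment="Add successive attempts to Telnet Stage 2" connection-state=new dst-port=23 protocol=tcp \
    src-address-list="Telnet Stage 1"
add action=add-src-to-address-list address-list="Telnet Stage 1" address-list-timeout=1m chain="RFC Telnet Chain" \
    comment="Add initial attempt to Telnet Stage 1" connection-state=new dst-port=23 protocol=tcp
add action=return chain="RFC Telnet Chain" comment="Return From RFC Telnet Chain"
add action=accept chain=output comment="Section Break" disabled=yes
#
# Winbox (tcp/8291). Same three-stage escalation as SSH. This is the service an
# administrator is most likely to lock themselves out of; see the caveat above.
add action=jump chain=input comment="Jump to RFC Winbox Chain" dst-port=8291 jump-target="RFC Winbox Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=4w2d chain="RFC Winbox Chain" \
    comment="Transfer repeated attempts from Winbox Stage 3 to Black-List" connection-state=new dst-port=8291 protocol=tcp \
    src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain="RFC Winbox Chain" \
    comment="Add successive attempts to Winbox Stage 3" connection-state=new dst-port=8291 protocol=tcp \
    src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain="RFC Winbox Chain" \
    comment="Add successive attempts to Winbox Stage 2" connection-state=new dst-port=8291 protocol=tcp \
    src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m chain="RFC Winbox Chain" \
    comment="Add initial attempt to Winbox Stage 1" connection-state=new dst-port=8291 protocol=tcp
add action=return chain="RFC Winbox Chain" comment="Return From RFC Winbox Chain"
add action=accept chain=output comment="Section Break" disabled=yes
#
# FTP (tcp/21). NOTE(review): this chain differs from the other three. The jump
# only fires on a bare SYN (all other flags clear) whose source port is not 21,
# and every stage rule carries nth=2,2, i.e. it matches only every second
# packet that reaches it, counted per rule across all sources. The original
# gives no rationale; presumably it compensates for FTP clients that open more
# than one connection per login attempt. Confirm that before tuning the
# threshold, because it changes how many connections are needed per stage.
add action=jump chain=input comment="Jump to RFC FTP Chain" dst-port=21 jump-target="RFC FTP Chain" protocol=tcp \
    src-port=!21 tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=add-src-to-address-list address-list="Black List (FTP)" address-list-timeout=4w2d chain="RFC FTP Chain" \
    comment="Transfer repeated attempts from FTP Stage 3 to Black-List" connection-state=new dst-port=21 nth=2,2 \
    protocol=tcp src-address-list="FTP Stage 3" tcp-flags=syn
add action=add-src-to-address-list address-list="FTP Stage 3" address-list-timeout=1m chain="RFC FTP Chain" \
    comment="Add successive attempts to FTP Stage 3" connection-state=new dst-port=21 nth=2,2 protocol=tcp \
    src-address-list="FTP Stage 2" tcp-flags=syn
add action=add-src-to-address-list address-list="FTP Stage 2" address-list-timeout=1m chain="RFC FTP Chain" \
    comment="Add successive attempts to FTP Stage 2" connection-state=new dst-port=21 nth=2,2 protocol=tcp \
    src-address-list="FTP Stage 1" tcp-flags=syn
add action=add-src-to-address-list address-list="FTP Stage 1" address-list-timeout=1m chain="RFC FTP Chain" \
    comment="Add initial attempt to FTP Stage 1" connection-state=new dst-port=21 nth=2,2 protocol=tcp tcp-flags=syn
add action=return chain="RFC FTP Chain" comment="Return From RFC FTP Chain"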
