October 14, 2012

Blocking SSH Brute Force Attacks in MikroTik RouterOS

MikroTik makes some great networking equipment for both business and home use. I've used MikroTik routers both while consulting and for my own personal and business use. I use SSH to manage my MikroTik devices and wanted to be able to detect and block brute-force SSH login attempts. Here is a quick and easy way to do exactly that:

First Things First

If you haven't done this already, consider moving SSH off the default port. This only cuts down the automated scanning noise; it is not a security control on its own, so treat it as a complement to the filter rules below (and, where possible, to restricting the SSH service to your management addresses with the service's address setting). When logged in through SSH or Telnet you can edit the SSH port with:

/ip service edit ssh value-name=port

This opens the port value in the RouterOS editor. After changing it to something other than 22, press Ctrl+O to save the change. Remember the new port: the firewall rules below must match it, and the SSH session you use to make the change stays open, so reconnect on the new port before closing it.

Using Firewall Filters

Firewall rules are evaluated from the top down, and evaluation stops at the first rule whose action terminates processing (accept, drop, reject). The add-src-to-address-list action used below is different: it is a passthrough action, so after it tags the source address the packet keeps going down the chain. That is why the rules are listed in what looks like reverse order. If the first-attempt rule came first, a single new connection would be added to ssh_attempt_1, then immediately match the ssh_attempt_2 rule, then ssh_attempt_3, and then the blacklist rule, all in one pass. Listing the escalation rules from the highest list to the lowest means a packet can only climb one step per connection.

Navigate to: /ip firewall filter

Each add command appends to the end of the chain, so enter the rules in the order shown. They must also sit above any general drop rule you already have in the input chain, or the connections will never reach them. If you are using a non-standard SSH port, change 22 in the examples below to whatever port you are using.



add chain=input \
protocol=tcp \
dst-port=22 \
src-address-list=ssh_blacklist \
action=drop \
comment="Drop SSH connection from IP addresses in ssh_blacklist address list" \
disabled=no

This rule drops any SSH connection from an IP address in the "ssh_blacklist" address list. It is the only terminating action in the set; the four rules below only tag source addresses and let the packet continue.



add chain=input \
protocol=tcp \
dst-port=22 \
connection-state=new \
src-address-list=ssh_attempt_3 \
action=add-src-to-address-list \
address-list=ssh_blacklist \
address-list-timeout=2w \
comment="Blocked IP address that attempted multiple SSH connections" \
disabled=no

This rule adds any IP address that is already in "ssh_attempt_3" (that is, one making its 4th new SSH connection within the time limit, whether the logins succeeded or not) to the "ssh_blacklist" address list for two weeks.



add chain=input \
protocol=tcp \
dst-port=22 \
connection-state=new \
src-address-list=ssh_attempt_2 \
action=add-src-to-address-list \
address-list=ssh_attempt_3 \
address-list-timeout=1m \
comment="IP address that attempted to create 3 SSH connections" \
disabled=no

This rule adds any IP address that is already in "ssh_attempt_2" (one making its 3rd new SSH connection within the time limit, whether the logins succeeded or not) to the "ssh_attempt_3" address list for one minute.



add chain=input \
protocol=tcp \
dst-port=22 \
connection-state=new \
src-address-list=ssh_attempt_1 \
action=add-src-to-address-list \
address-list=ssh_attempt_2 \
address-list-timeout=1m \
comment="IP address that attempted to create 2 SSH connections" \
disabled=no

This rule adds any IP address that is already in "ssh_attempt_1" (one making its 2nd new SSH connection within the time limit, whether the logins succeeded or not) to the "ssh_attempt_2" address list for one minute.



add chain=input \
protocol=tcp \
dst-port=22 \
connection-state=new \
action=add-src-to-address-list \
address-list=ssh_attempt_1 \
address-list-timeout=1m \
comment="IP address that attempted to create an SSH connections" \
disabled=no

This rule adds any IP address that opens a new SSH connection (whether the login succeeds or not) to the "ssh_attempt_1" address list for one minute.

Summary - What does it do?

What these five firewall filter rules do is detect every time someone opens a new TCP connection to the MikroTik SSH server. The match is connection-state=new, so what is being counted is connections, not login failures: it doesn't matter whether the login succeeds, and several password guesses made inside one SSH session count as a single connection.

1. The first time a connection attempt occurs, the IP address it comes from is added to the "ssh_attempt_1" address list for 1 minute.

2. If a second connection attempt occurs from the same IP address while it is still in "ssh_attempt_1", then the IP address is added to the "ssh_attempt_2" address list for 1 minute.

3. If a third connection attempt occurs from the same IP address while it is still in "ssh_attempt_2", then the IP address is added to the "ssh_attempt_3" address list for 1 minute.

4. If a fourth connection attempt occurs from the same IP address while it is still in "ssh_attempt_3", then the IP address is added to the "ssh_blacklist" address list for 2 weeks. The fourth connection itself is still let through, because the drop rule was evaluated before the blacklist entry existed; the fifth and every later connection is dropped by the first filter rule we added.

Two caveats worth keeping in mind. First, the counters apply to your own management hosts as well: four SSH connections from your workstation within a minute will lock you out for two weeks. Add an accept rule for your trusted addresses above the drop rule, or exclude them with a negated src-address-list on the counting rules. Second, an attacker who spaces connections more than a minute apart never climbs past "ssh_attempt_1", so lengthen the timeouts if slow guessing is a concern.

You can modify the address-list-timeout value to change the amount of time that IP addresses stay in each address list to suit your specific needs.
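To make the ordering argument concrete, here is an added simulation of the five rules above; it is Python written for this page, not RouterOS code or anything from the MikroTik wiki. It models the two semantics the post relies on, add-src-to-address-list being passthrough while accept and drop terminate, and address-list entries expiring after their timeout, then feeds in a series of new SSH connections from one source. It shows that the post's order lets the fourth connection through and drops from the fifth, that the same rules in the naive ascending order (drop last) blacklist a source on its very first connection, and that connections spaced wider than the one-minute timeouts never escalate. The ssh_whitelist accept rule, and the 198.51.100.7 / 203.0.113.5 source addresses, are assumptions of this example, not part of the original post.

```python
"""Simulation of the RouterOS input-chain rules from the post (added example).

Modelled semantics: add-src-to-address-list is passthrough (the packet keeps
going down the chain), accept/drop terminate, and address-list entries expire
after address-list-timeout. Only connection-state=new SYNs to the SSH port are
fed in, so the protocol/dst-port match is implicit.
"""
from dataclasses import dataclass
from typing import Optional

WEEK = 7 * 24 * 3600


@dataclass(frozen=True)
class Rule:
    action: str                     # "drop", "accept" or "add" (add-src-to-address-list)
    src_list: Optional[str] = None  # src-address-list to match; None matches any source
    add_to: Optional[str] = None    # address-list= for the add action
    timeout: float = 0              # address-list-timeout in seconds


# The post's rules, in the order the post adds them (drop first).
POST_RULES = [
    Rule("drop", src_list="ssh_blacklist"),
    Rule("add", src_list="ssh_attempt_3", add_to="ssh_blacklist", timeout=2 * WEEK),
    Rule("add", src_list="ssh_attempt_2", add_to="ssh_attempt_3", timeout=60),
    Rule("add", src_list="ssh_attempt_1", add_to="ssh_attempt_2", timeout=60),
    Rule("add", add_to="ssh_attempt_1", timeout=60),
]

# Same rules with a management whitelist accepted above the drop rule.
# The whitelist rule and the ssh_whitelist name are assumptions of this example.
WHITELIST_RULES = [Rule("accept", src_list="ssh_whitelist")] + POST_RULES


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}  # address-list name -> {ip: expiry time in seconds}

    def add_static(self, name, ip):
        """Permanent entry, like an address-list entry added without a timeout."""
        self.lists.setdefault(name, {})[ip] = float("inf")

    def _in_list(self, name, ip, now):
        entries = self.lists.setdefault(name, {})
        expiry = entries.get(ip)
        if expiry is None:
            return False
        if expiry <= now:  # RouterOS removes the entry once the timeout elapses
            del entries[ip]
            return False
        return True

    def new_connection(self, ip, now):
        """Run one connection-state=new SYN to the SSH port through the chain."""
        for rule in self.rules:
            if rule.src_list is not None and not self._in_list(rule.src_list, ip, now):
                continue
            if rule.action in ("drop", "accept"):
                return rule.action  # terminating action: evaluation stops here
            # add-src-to-address-list: tag the source, then fall through to the next rule
            self.lists.setdefault(rule.add_to, {})[ip] = now + rule.timeout
        return "accept"  # nothing matched: input chain default in this model


def simulate(rules, interval, attempts, ip="198.51.100.7", whitelist=()):
    """Decisions for `attempts` new SSH connections from `ip`, `interval` seconds apart.
    The addresses are documentation ranges used as constructed sample input."""
    fw = Firewall(rules)
    for allowed in whitelist:
        fw.add_static("ssh_whitelist", allowed)
    return [fw.new_connection(ip, now=n * interval) for n in range(attempts)]


def first_dropped_attempt(rules, interval, attempts=10, **kw):
    """1-based number of the first connection that is dropped, or None if none is."""
    decisions = simulate(rules, interval, attempts, **kw)
    return decisions.index("drop") + 1 if "drop" in decisions else None


if __name__ == "__main__":
    print("post order, 10 s apart:", first_dropped_attempt(POST_RULES, 10))
    print("ascending order, 10 s apart:", first_dropped_attempt(list(reversed(POST_RULES)), 10))
    print("post order, 90 s apart:", first_dropped_attempt(POST_RULES, 90))
    print("whitelisted source:", first_dropped_attempt(
        WHITELIST_RULES, 10, ip="203.0.113.5", whitelist=("203.0.113.5",)))
```

Running it prints 5, 1, None and None respectively. The "1" for the ascending order is the failure mode described earlier: with the first-attempt rule on top, one SYN is tagged into all four lists in a single pass and then meets the drop rule at the bottom.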

Inspiration for this post came from this Mikrotik Wiki article

Tags: Mikrotik Networking RouterOS Firewall