Prevent Login Bruteforce Using Mikrotik

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZCgEcbz8fPUKN3bH63YYiZNezCU4xOp6Km60DOZAVl0-5nR7Ku_d0M-2Zzf2AdIBLjwchDfYHtyFS51SUsFB9CQkdLQ3-_3CMOOVGDAyE7V95JMkSWeUd4rtCJrwxxWZX9MSAqWt-dag/s400/brute_force-revo-brain.jpg

In my last post I wrote about blocking port scanning. This post is about the brute force attack itself and how to prevent it.


What is Brute Force Attack?

A dictionary attack does not try to decrypt anything. It simply tries one candidate after another from a list of usernames and passwords saved in a file called a "dictionary". Such a dictionary holds thousands of entries that people commonly choose, e.g. mypassword, 123321, 11oct1990, etc.

A full brute-force attack goes further and tries every possible combination of letters, numbers and symbols until the correct password is found. The number of combinations grows exponentially with the length of the secret, so the attack can take a very long time. The same holds for searching an encryption key space: every extra bit of key length doubles the work, which is why a 64-bit key is within reach of a determined attacker while 128-bit or 256-bit keys would take longer than years to exhaust.

How do We Prevent it?

To limit dictionary attacks, many systems allow a user only three or four wrong username/password entries. Once that limit is exceeded, the system either locks the account or refuses further attempts from that source for a set amount of time.

This post shows how to do the same on Mikrotik, whose firewall can be configured to block a source address that keeps opening login connections.
The picture below shows an attacker hitting my network with an SSH brute force attack:

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyfOHdVcMy8XGxgVKMgzHVckvkDdfpD39nBH7MqRffbhbrjLiChHLGR-hks01rcJOOTDkfAc0HaW1CEfwJIF_ypImFGL4Xzzj-II9JJfsgMsvGSta4PlQzD3Tpqzxo7IDKXJ43roPH5mI/s400/brute-force-ssh-revo-brain.PNG

So, use this configuration to block the hosts trying to break into your network:
 /ip firewall filter
 # Rules are evaluated top to bottom; the drop rule comes first so a listed source is blocked before the stage rules run.
 add chain=input protocol=tcp dst-port=21-23 src-address-list=blacklist-address action=drop comment="TELNET FTP SSH Bruteforce Filter"
 # 4th new connection while still in stage-3: blacklist the source for 10 days
 add chain=input protocol=tcp dst-port=21-23 connection-state=new src-address-list=stage-3 action=add-src-to-address-list address-list=blacklist-address address-list-timeout=10d
 # 3rd new connection: stage-2 -> stage-3
 add chain=input protocol=tcp dst-port=21-23 connection-state=new src-address-list=stage-2 action=add-src-to-address-list address-list=stage-3 address-list-timeout=1m
 # 2nd new connection: stage-1 -> stage-2
 add chain=input protocol=tcp dst-port=21-23 connection-state=new src-address-list=stage-1 action=add-src-to-address-list address-list=stage-2 address-list-timeout=1m
 # 1st new connection from any source: stage-1 (stage entries expire after 1 minute)
 add chain=input protocol=tcp dst-port=21-23 connection-state=new action=add-src-to-address-list address-list=stage-1 address-list-timeout=1m

The configuration above counts new TCP connections to ports 21-23 from each source, not failed logins. The first connection puts the source in stage-1, the second in stage-2, the third in stage-3, and a fourth new connection while the source is still in stage-3 puts it in blacklist-address, where the first rule drops all of its traffic to those ports. So a source gets three login connections. The stage entries expire after one minute (address-list-timeout=1m), so attempts spaced more than a minute apart never escalate, while the blacklist entry lasts ten days (address-list-timeout=10d on the stage-3 rule); change either timeout to suit you. You can also change or extend dst-port=21-23 to cover whatever other restricted ports you expose. Two caveats: because the rules count connections rather than failures, an attacker who tries many passwords inside a single SSH session is never counted, and an administrator who opens four sessions within a minute is locked out for ten days, so add an accept rule for your own management addresses above these rules before enabling them.
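To see exactly how the stage lists escalate, here is a small model of the five rules above. It is an added example, not code from the original post or from Mikrotik; it assumes that RouterOS evaluates filter rules top to bottom, that add-src-to-address-list is a passthrough action (evaluation continues with the next rule), that drop is terminating, and that an address-list entry expires its timeout after it was last added. Only the first packet of each connection is simulated, and the source addresses are constructed.

```python
# Added example (not code from the original post or from MikroTik): a model of how the five
# filter rules escalate a source through stage-1/2/3 into blacklist-address.
# Assumptions: top-to-bottom evaluation, add-src-to-address-list is passthrough, drop is
# terminating, an address-list entry expires `timeout` seconds after it was last added.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

STAGE_TIMEOUT = 60              # address-list-timeout=1m on stage-1/2/3
BLACKLIST_TIMEOUT = 10 * 86400  # address-list-timeout=10d on blacklist-address


@dataclass
class AddressLists:
    """Dynamic address lists: list name -> {source address: expiry time in seconds}."""
    expiry: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def add(self, name: str, src: str, now: float, timeout: float) -> None:
        # Re-adding an address renews its timeout, as RouterOS does.
        self.expiry.setdefault(name, {})[src] = now + timeout

    def contains(self, name: str, src: str, now: float) -> bool:
        return self.expiry.get(name, {}).get(src, 0.0) > now


def new_connection(lists: AddressLists, src: str, now: float) -> str:
    """Run the first packet of a new TCP connection to port 21-23 through the rule chain.

    Returns "dropped" (rule 1 dropped it), "cut" (it passed rule 1 but the source has just
    been blacklisted, so the rest of the handshake is dropped by rule 1) or "passed".
    """
    # Rule 1: drop everything from blacklist-address (terminating, no connection-state match).
    if lists.contains("blacklist-address", src, now):
        return "dropped"
    # Rules 2-5 (passthrough): membership is tested rule by rule, so a source in stage-1 is
    # promoted to stage-2 and then re-added to stage-1 by the last rule on the same packet.
    if lists.contains("stage-3", src, now):
        lists.add("blacklist-address", src, now, BLACKLIST_TIMEOUT)
    if lists.contains("stage-2", src, now):
        lists.add("stage-3", src, now, STAGE_TIMEOUT)
    if lists.contains("stage-1", src, now):
        lists.add("stage-2", src, now, STAGE_TIMEOUT)
    lists.add("stage-1", src, now, STAGE_TIMEOUT)
    return "cut" if lists.contains("blacklist-address", src, now) else "passed"


def simulate(events: List[Tuple[float, str]]) -> List[str]:
    """Replay (time in seconds, source address) connection attempts against fresh lists."""
    lists = AddressLists()
    return [new_connection(lists, src, t) for t, src in sorted(events)]


if __name__ == "__main__":
    hammer = "203.0.113.10"   # constructed: a guesser opening a new connection every 5 s
    patient = "203.0.113.20"  # constructed: one connection every 61 s, just outside the window
    print(simulate([(5 * i, hammer) for i in range(6)]))
    print(simulate([(61 * i, patient) for i in range(6)]))
```

The first run shows three connections passing, the fourth being cut by the freshly created blacklist entry and everything after it dropped; the second run shows that a guesser who waits just over a minute between connections never climbs past stage-1, which is the limitation of counting connections with one-minute stage timeouts.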

Then, this is my result :
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijdJmJ5e_cLmvO29mCys69-wXSX4NDJbTWCK1Ke0KjVVPic5MRLP_tWbz3WRDA9UTpflAiTpDNcD1UlGiuuUrLRQX1XGsXYhzwgMYAOh_5TVsCYRzAd64_5YMmQ5XkKleeOzE_T4kLgtQ/s400/blacklisted-revo-brain.PNG

Comments

  1. What about telnet attacks? Actually, someone is trying to access my Mikrotik router with different user names.

    system,error,critical login failure for user admin from 177.247.167.176 via telnet

    Please help me.

    Replies
    1. Using the above command list, you have prevented FTP, SSH and Telnet brute force attacks, unless you have changed your default port numbers, in which case you also have to change "dst-port" to the ports currently in use.

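The log line quoted in the comment above is the evidence to look for when checking whether the filter is working. Here, as an added example that is not code from the original post or from Mikrotik, is a parser for RouterOS "login failure" lines that summarises failures per source, so you can see which hosts are guessing, which user names they cycle through and over which services. The sample log lines are constructed; the optional "mmm/dd hh:mm:ss" prefix is assumed to be what /log print puts in front of each line.

```python
# Added example (not code from the original post or from MikroTik): parse RouterOS
# "login failure" log lines and summarise them per source address.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Matches the message format quoted on the page; the leading timestamp is optional
# (assumption: /log print prefixes lines with "mmm/dd hh:mm:ss").
LOGIN_FAILURE = re.compile(
    r"^(?:\w{3}/\d{2} \d{2}:\d{2}:\d{2} )?"          # optional timestamp
    r"[\w,]+ login failure for user (?P<user>\S+) "  # topics, e.g. system,error,critical
    r"from (?P<src>\S+) via (?P<svc>\w+)$"
)


class Failure(NamedTuple):
    src: str
    user: str
    svc: str


def parse_failures(lines: Iterable[str]) -> List[Failure]:
    """Keep only login-failure lines; successful logins and other topics are ignored."""
    found: List[Failure] = []
    for line in lines:
        m = LOGIN_FAILURE.match(line.strip())
        if m:
            found.append(Failure(m["src"], m["user"], m["svc"]))
    return found


def summarize(failures: Iterable[Failure]) -> Dict[str, dict]:
    """Per source: number of failures, distinct user names tried, services used."""
    per_src: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "users": set(), "services": set()}
    )
    for f in failures:
        entry = per_src[f.src]
        entry["count"] += 1
        entry["users"].add(f.user)
        entry["services"].add(f.svc)
    return dict(per_src)


def suspects(summary: Dict[str, dict], threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` failures, most active first.

    The default of 3 mirrors the three connections the firewall rules allow (an assumption;
    pick whatever fits your environment)."""
    return sorted(
        (s for s, e in summary.items() if e["count"] >= threshold),
        key=lambda s: -summary[s]["count"],
    )


# Constructed sample log, in the format of the line quoted in the comment above.
SAMPLE_LOG = """\
system,error,critical login failure for user admin from 203.0.113.10 via telnet
system,error,critical login failure for user root from 203.0.113.10 via telnet
jan/02 10:15:01 system,error,critical login failure for user admin from 203.0.113.10 via ssh
jan/02 10:15:03 system,error,critical login failure for user mikrotik from 203.0.113.10 via ssh
jan/02 10:20:40 system,error,critical login failure for user admin from 192.0.2.5 via ssh
jan/02 10:20:55 system,info,account user admin logged in from 192.0.2.5 via ssh
"""

if __name__ == "__main__":
    report = summarize(parse_failures(SAMPLE_LOG.splitlines()))
    for src in suspects(report):
        e = report[src]
        print(f"{src}: {e['count']} failures, users {sorted(e['users'])}, "
              f"via {sorted(e['services'])}")
```

A source that shows up here with several user names in quick succession is exactly what the stage rules are meant to catch; if it keeps appearing in the log after the rules are in place, check that its traffic really arrives on one of the ports in dst-port and that no earlier accept rule matches it first.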
