
Masters,

I need help with how to configure our router to block RDP brute force attacks.

I would like to set our router to only allow RDP connections from a specified country (our specified IP ranges), plus I need to set up the router to block (add the IPs to a blacklist) and drop brute force attempts to specified port numbers.

I tried to set this up by changing the FTP port to the RDP port in this guide:

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH

Any suggestions? Thanks.

H

Current configuration:

I'm configuring the router via Winbox.

I set some NAT rules (from the dyndns address to the local address, RDP port).

In the filter rules tab:

[screenshot of the filter rules tab not available]

  • I'm not sure this configuration will do the trick. Is the content text "530 login incorrect" suitable for RDP connections too? In the tutorial it is used for filtering FTP connections.
  • How do I set the router to allow RDP attempts only from specified IP ranges?

Thank you

New config:

[screenshot of the new configuration not available]

holian
  • The linked config should accomplish what you're trying to do. Can you explain what's not working, and provide your current configuration? – Shane Madden Oct 27 '13 at 07:13
  • I added some modification, please check – holian Oct 27 '13 at 07:31
  • Added an answer. You have to use the SSH version, not the FTP version, since as you noticed, the "530 login incorrect" content match is not going to match RDP sessions. – Regan Oct 27 '13 at 07:34

1 Answer


The FTP config is actually looking into the FTP data to see the 530 code. You'll want to adapt the SSH config, not the FTP config. Try this:

/ip firewall filter
# Order matters: rules are evaluated top to bottom. The blacklist drop comes first,
# then the stage promotions from highest to lowest, then the catch-all into stage1.
add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_blacklist action=drop \
comment="drop rdp brute forcers" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage3 action=add-src-to-address-list address-list=rdp_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage2 action=add-src-to-address-list address-list=rdp_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_stage1 \
action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=1m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new action=add-src-to-address-list \
address-list=rdp_stage1 address-list-timeout=1m comment="" disabled=no

What this config actually does is, for each incoming attempt, add the IP address to a list. The first time it gets added to stage1; then, if the IP is still in stage1 (within a minute) and another attempt is made, it gets added to stage2, and after it does this two more times it is added to the rdp_blacklist list, where it actually gets blocked for 10 days.

If you want it to be more or less aggressive you can change the list timeouts, or even add more lists if you so desire.

You can add a list of these to allow specific IP ranges only:

/ip firewall filter
# dst-port is only accepted together with protocol=tcp or protocol=udp, so protocol=tcp is required
add chain=forward protocol=tcp dst-port=3389 src-address=192.168.0.0/24 action=accept
add chain=forward protocol=tcp dst-port=3389 src-address=10.10.0.1/32 action=accept
add chain=forward protocol=tcp dst-port=3389 action=drop

Just add as many of the src-address lines as you need ahead of the final drop line. If you have a LOT of ranges, you can create an address-list and reference that using this:

/ip firewall filter
add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_acceptlist action=accept
add chain=forward protocol=tcp dst-port=3389 action=drop

And then add your addresses to the rdp_acceptlist.

To add to the rdp_acceptlist use the following command:

/ip firewall address-list add list=rdp_acceptlist address=192.168.0.0/24
Regan
  • In Winbox, do I have to create the rdp_blacklist or will it be created automatically? – holian Oct 27 '13 at 07:42
  • The rdp_blacklist will get created once the first address is added to the list once an address makes it through all the stages. I added more to answer your question about having an accept list for your ranges, that list you will have to create using the command at the bottom, or using the graphical interface – Regan Oct 27 '13 at 07:46
  • Regan! Many, many thanks for your help! I'll try it now! I'll be back to accept your solution! – holian Oct 27 '13 at 08:08
  • I tried to test the blacklist thing, but it seems not to be working. The stage and blacklist lists were not created, but I made 10 fake login attempts in one minute. I edited my post with the new config. Please check. – holian Oct 27 '13 at 08:32
  • Can you explain more on how your network is setup? More specifically, are you protecting a nat'ed server? And is the external port also 3389? Also, you are verifying from a remote host/outside firewall host, correct? Also try `/ip firewall address-list add list=rdp_blacklist address=your.test.ip.address/32` and make sure it blocks the connection, if not then something else is amiss. – Regan Oct 27 '13 at 08:41
  • I added my IP address to rdp_blacklist (in Winbox \ Address list tab) but I can still connect to our server. – holian Oct 27 '13 at 08:50
  • We have a Server 2003. And I have a NAT rule: mycompany.dyndns.org:3389 to localserverip:3389. Do you need any other information? – holian Oct 27 '13 at 08:53
  • If I change the "drop RDP brute force" filter from chain=input to chain=forward, then the test works well. If my IP is in the list, I can't connect. What is the difference between input and forward? – holian Oct 27 '13 at 09:11
  • OK, change all of the chain=input to chain=forward, and see if that makes it work correctly. Input may be for to-router traffic only, while forward should be what the router is forwarding through it. Some implementations work slightly differently with NAT, so my bad there. – Regan Oct 27 '13 at 09:23
  • Works like a charm! I will change the default RDP port and make the IP filter; I think that will be enough protection! Thank you, Jedi! – holian Oct 27 '13 at 09:56
  • Could you help me modify this with a whitelist? The rdp_acceptlist / whitelist thing you wrote is not working. I need the rdp_stage thing too, but if the IP address is in the whitelist, then it must not be put on the blacklist if the user tries to connect too fast. – holian Nov 08 '13 at 15:00
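The staged address-list escalation in Regan's answer, and the accept-list question in the last comment, can be walked through with a small model. The following Python is an added example, not Regan's code and not RouterOS itself. It reproduces the RouterOS semantics the answer relies on: rules are tried top to bottom, accept and drop end evaluation, add-src-to-address-list is a passthrough action that records the source and lets evaluation continue, and re-adding an address restarts its timeout. Putting the accept-list rule ahead of the staging rules is my assumption about how to combine the two pieces of the answer; the source addresses and timings are constructed sample input.

```python
"""Model of the staged RDP address-list escalation from the answer above.

Added example, not RouterOS or Regan's code. Every event is a new TCP/3389
connection (connection-state=new), whether or not the RDP login succeeds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

MINUTE = 60
DAY = 24 * 60 * 60


class AddressLists:
    """In-memory stand-in for /ip firewall address-list with entry timeouts."""

    def __init__(self) -> None:
        self._lists: Dict[str, Dict[str, float]] = {}

    def contains(self, name: str, ip: str, now: float) -> bool:
        expiry = self._lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def add(self, name: str, ip: str, now: float, timeout: float) -> None:
        # Listing an address again restarts its timeout instead of stacking entries.
        self._lists.setdefault(name, {})[ip] = now + timeout

    def members(self, name: str, now: float) -> List[str]:
        return sorted(ip for ip, exp in self._lists.get(name, {}).items() if exp > now)


@dataclass
class Rule:
    action: str                        # "accept", "drop" or "add-src-to-address-list"
    src_list: Optional[str] = None     # match only when the source is in this list
    target_list: Optional[str] = None  # list the source is added to
    timeout: float = 0.0               # address-list-timeout for that addition


def rdp_rules(accept_list: Optional[str] = None) -> List[Rule]:
    """The five staging rules from the answer, optionally preceded by an accept-list rule.

    Assumption: placing the accept rule first keeps allowed ranges out of the stage
    lists entirely, which is what the last comment asks for.
    """
    rules: List[Rule] = []
    if accept_list:
        rules.append(Rule("accept", src_list=accept_list))
    rules += [
        Rule("drop", src_list="rdp_blacklist"),
        Rule("add-src-to-address-list", "rdp_stage3", "rdp_blacklist", 10 * DAY),
        Rule("add-src-to-address-list", "rdp_stage2", "rdp_stage3", MINUTE),
        Rule("add-src-to-address-list", "rdp_stage1", "rdp_stage2", MINUTE),
        Rule("add-src-to-address-list", None, "rdp_stage1", MINUTE),
    ]
    return rules


def evaluate(rules: Sequence[Rule], lists: AddressLists, ip: str, now: float) -> str:
    """Verdict ("accept" or "drop") for one new TCP/3389 connection from ip at time now."""
    for rule in rules:
        if rule.src_list is not None and not lists.contains(rule.src_list, ip, now):
            continue
        if rule.action == "add-src-to-address-list":
            lists.add(rule.target_list, ip, now, rule.timeout)
            continue  # passthrough: keep walking the chain
        return rule.action
    return "accept"  # nothing matched: the forward chain's default is to accept


def simulate(attempts: Sequence[Tuple[float, str]], accept_list: Optional[str] = None,
             lists: Optional[AddressLists] = None) -> List[str]:
    """Run (time_in_seconds, source_ip) events through the chain; one verdict each."""
    lists = lists if lists is not None else AddressLists()
    rules = rdp_rules(accept_list)
    return [evaluate(rules, lists, ip, t) for t, ip in attempts]


if __name__ == "__main__":
    # Constructed sample traffic: 198.51.100.7 opens a new RDP connection every
    # 10 seconds. The 4th attempt lands it in rdp_blacklist, so the 5th is dropped.
    burst = [(t, "198.51.100.7") for t in (0, 10, 20, 30, 40)]
    print(simulate(burst))
    # The same source pacing attempts two minutes apart never gets past stage1,
    # because each stage entry expires after address-list-timeout=1m.
    print(simulate([(120 * n, "198.51.100.7") for n in range(5)]))
```

Two things the model makes visible that the prose does not: the staging counts new connections, not failed logins, so a legitimate user who reconnects four times inside a minute is blacklisted for 10 days as well, which is exactly why the accept rule has to sit above the staging rules; and the 1m stage timeouts are the knob that sets how fast an attacker has to be before the escalation triggers.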