Router – Prevent RDP logon brute force in mikrotik router via winbox


Masters,

I need help: how do I configure our router to block RDP brute force attacks?

I would like to set our router to only allow RDP connections from a specified country (our specified IP ranges), plus I need to set up the router to block (put the IPs on a black list) and drop brute force attempts to specified port numbers.

I tried to set this up by changing the FTP port to the RDP port.

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH

Any suggestion tnx.

H

Current configuration:

I try to configure the router via Winbox.

I set some NAT rules (from dyndns to local address, rdp port)

In the filter rules tab:

[screenshot of the filter rules tab]

  • I'm not sure this configuration will do the trick?! Is the content text "530 login incorrect" fit for an RDP connection too? Because in the tutorial it is used for filtering FTP connections.
  • How do I set the router to allow RDP attempts from specified IP ranges only?

Thank you

// New config

[screenshot of the new configuration]

Best Answer

The FTP config is actually looking into the FTP data to see the 530 code. You'll want to adapt the SSH config not the FTP config. Try this:

/ip firewall filter

add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_blacklist action=drop \
comment="drop rdp brute forcers" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage3 action=add-src-to-address-list address-list=rdp_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new \
src-address-list=rdp_stage2 action=add-src-to-address-list address-list=rdp_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new src-address-list=rdp_stage1 \
action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=1m comment="" disabled=no

add chain=forward protocol=tcp dst-port=3389 connection-state=new action=add-src-to-address-list \
address-list=rdp_stage1 address-list-timeout=1m comment="" disabled=no

What this config actually does is, for each incoming attempt, add the IP address to a list. The first time it gets added to stage1; then, if the IP is still in stage1 (within a minute) and another attempt is made, it gets added to stage2, and after it does this two more times it is added to the rdp_blacklist list, where it actually gets blocked for 10 days.

If you want it to be more or less aggressive you can change the list timeouts, or even add more lists if you so desire.

You can add a list of these to allow specific IP ranges only:

/ip firewall filter
add chain=forward protocol=tcp dst-port=3389 src-address=192.168.0.0/24 action=accept
add chain=forward protocol=tcp dst-port=3389 src-address=10.10.0.1/32 action=accept
add chain=forward protocol=tcp dst-port=3389 action=drop

Just add as many of the src-address lines as you need ahead of the final drop line. If you have a LOT of ranges, you can create an address-list and reference that using this:

/ip firewall filter
add chain=forward protocol=tcp dst-port=3389 src-address-list=rdp_acceptlist action=accept
add chain=forward protocol=tcp dst-port=3389 action=drop

And then add your addresses to the rdp_acceptlist.

To add to the rdp_acceptlist use the following command:

/ip firewall address-list add list=rdp_acceptlist address=192.168.0.0/24
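To see exactly when the staged lists above trip, and why the 1m timeouts matter, here is an added Python model of the answer's rule set (my own example, not code from the answer or from MikroTik). It walks the forward-chain rules in the same order as the answer for one new TCP/3389 connection at a time, with per-entry expiry on each list, and also models the rdp_acceptlist variant. It assumes that add-src-to-address-list does not refresh the timeout of an address that is already on the list and that an entry is gone the moment its timeout is reached; the source IP and timings are constructed.

```python
import ipaddress

# Timeouts from the answer's rules: address-list-timeout=1m and =10d.
STAGE_TIMEOUT = 60
BLACKLIST_TIMEOUT = 10 * 24 * 3600


class AddressLists:
    """Dynamic RouterOS-style address lists: name -> {ip: expiry_time}."""

    def __init__(self):
        self._lists = {}

    def contains(self, name, ip, now):
        entry = self._lists.get(name, {})
        return ip in entry and entry[ip] > now

    def add(self, name, ip, now, timeout):
        entry = self._lists.setdefault(name, {})
        # Assumption: an address already on the list keeps its original expiry.
        if ip in entry and entry[ip] > now:
            return
        entry[ip] = now + timeout


def rdp_filter(lists, ip, now):
    """Evaluate the answer's staging rules for one *new* connection to 3389.

    Returns 'drop' if the blacklist rule matched, otherwise 'pass' (the
    add-src-to-address-list actions are non-terminating, so the packet
    continues down the chain).
    """
    if lists.contains("rdp_blacklist", ip, now):
        return "drop"
    # Highest stage is checked first, so one packet advances only one stage:
    # the list it is added to by a later rule is not re-checked by an earlier one.
    if lists.contains("rdp_stage3", ip, now):
        lists.add("rdp_blacklist", ip, now, BLACKLIST_TIMEOUT)
    if lists.contains("rdp_stage2", ip, now):
        lists.add("rdp_stage3", ip, now, STAGE_TIMEOUT)
    if lists.contains("rdp_stage1", ip, now):
        lists.add("rdp_stage2", ip, now, STAGE_TIMEOUT)
    lists.add("rdp_stage1", ip, now, STAGE_TIMEOUT)
    return "pass"


def run_attempts(times, ip="198.51.100.7"):
    """Feed a sequence of connection times (seconds) from one constructed IP."""
    lists = AddressLists()
    return [rdp_filter(lists, ip, t) for t in times]


def attempts_until_drop(interval, max_attempts=20):
    """How many evenly spaced attempts until the first one is dropped (None if never)."""
    lists = AddressLists()
    for n in range(1, max_attempts + 1):
        if rdp_filter(lists, "198.51.100.7", (n - 1) * interval) == "drop":
            return n
    return None


def acceptlist_filter(ip, networks):
    """The rdp_acceptlist variant: accept if ip is inside any listed network, else drop."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in ipaddress.ip_network(net, strict=False):
            return "accept"
    return "drop"


if __name__ == "__main__":
    # A burst of attempts every 10 s: the 4th lands on the blacklist, the 5th is dropped.
    print(run_attempts([0, 10, 20, 30, 40]))
    # Attempts every 90 s never escalate: stage1 has expired before the next one arrives.
    print(run_attempts([0, 90, 180, 270, 360]))
    print(attempts_until_drop(30), attempts_until_drop(90))
    print(acceptlist_filter("192.168.0.44", ["192.168.0.0/24", "10.10.0.1/32"]))
```

The slow-attempt run is the caveat to keep in mind: with every stage at 1m, a source that pauces longer than a minute between attempts restarts at stage1 each time and is never blacklisted, which is exactly the knob the answer points at when it suggests changing the list timeouts.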