Masters,
I need help, how to config our router to block RDP brute force attacks
I would like to set our router to only allow RDP connection from a specified country (our specified IP ranges), plus i need to set up router to block (take ips to black list) and drop brute force attepmst to specified port numbers.
I try to set this with changeing the ftp port to rdp port.
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH
Any suggestion tnx.
H
Current configuration:
I try to configure the router via Winbox.
I set some NAT rules (from dyndns to local address, rdp port)
In the filter rules tab:
- I'm not sure this configuration should do the trick?! Is the content text "530 login incorrect" is fit for RDP connection to? Because in the tutorial used for filtering FTP connection.
- How to set router to allow RDP attempts from specified IP ranges?
Thank you
// New config
Best Answer
The FTP config is actually looking into the FTP data to see the 530 code. You'll want to adapt the SSH config not the FTP config. Try this:
What this config actually does, is for each incoming attempt it adds the IP address to a list. The first time it gets added to stage1, then if the IP is still in stage1 (after a minute) and another attempt is made, it gets added to stage2, and after it does this two more times it is added to the rdp_blacklist list where it actually gets blocked for 10 days.
If you want it to be more or less aggressive you can change the list timeouts, or even add more lists if you so desire.
You can add a list of these to allow specific IP ranges only:
Just add as many of the src-address lines you need ahead of the final drop line. If you have a LOT of ranges, you can create an address-list and reference that using this:
And then add your addresses to the rdp_acceptlist
To add to the rdp_acceptlist use the following command: