# MikroTik stuffz

@pawekz, forked from shakahl/MikroTik-stuffz.md. Created March 3, 2024.

## Links

## Scripts

### Security and Firewall

#### Related MikroTik wiki

#### Brute force prevention

##### Official stuff

Source: https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

To stop SSH/FTP attacks on your router, follow this advice.

This configuration allows roughly ten "530 Login incorrect" FTP responses per minute to any single client (`dst-limit=1/1m,9,dst-address/1m`: a rate of one per minute with a burst of nine, tracked per destination address). Beyond that, the next output rule adds the client to `ftp_blacklist` for 3 hours, and the input rule then drops its traffic to port 21.

```routeros
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
    address-list=ftp_blacklist address-list-timeout=3h
```

The rules below ban an SSH brute forcer for 10 days after repeated attempts. Each rule moves a source one stage further, and each stage entry lives for one minute, so a host that opens four new SSH connections, each within a minute of the previous one, lands in `ssh_blacklist` and is dropped for 10 days. Keep the rules in this order (drop first, then the stages from highest to lowest): `add-src-to-address-list` is a passthrough action, so in the opposite order a single connection would walk through every stage at once. Two caveats: the stages count new TCP connections, not failed logins, so an administrator who opens several sessions in quick succession is banned as well, and nothing here exempts trusted addresses, so put an accept rule for your management hosts ahead of the drop rule. Change the timeouts as necessary.

```routeros
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
    action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
    address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
```

If you also want to keep the same brute forcers away from hosts behind the router, add the same drop in the forward chain:

```routeros
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="drop ssh brute downstream" disabled=no
```

To view the contents of your blacklist, run `/ip firewall address-list print where list=ssh_blacklist` (or plain `/ip firewall address-list print` for every list); dynamic entries show the time left until they expire.

##### Community-made scripts

Source: https://forum.mikrotik.com/viewtopic.php?t=18288#p86723

###### SSH blocker

```routeros
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop \
    comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" \
    disabled=no
```

###### FTP blocker

```routeros
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=black_list action=drop \
    comment="drop ftp brute forcers" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new \
    src-address-list=ftp_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new \
    src-address-list=ftp_stage2 action=add-src-to-address-list address-list=ftp_stage3 address-list-timeout=1m \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new \
    src-address-list=ftp_stage1 action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=1m \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=21 connection-state=new \
    action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=1m comment="" \
    disabled=no
```

###### Telnet blocker

```routeros
/ip firewall filter
add chain=input protocol=tcp dst-port=23 src-address-list=black_list action=drop \
    comment="drop telnet brute forcers" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new \
    src-address-list=telnet_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new \
    src-address-list=telnet_stage2 action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new \
    src-address-list=telnet_stage1 action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=23 connection-state=new \
    action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m comment="" \
    disabled=no
```
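The staged lists in the official SSH rules and in the three community blockers above are keyed on new TCP connections, not on failed logins, and nothing in them exempts the administrator's own address, so a few quick reconnects from a legitimate host trigger the same ban as an attacker. The following is an added example, not taken from the wiki page or the forum post, that combines both sets into one hardened rule set: an allow-list of management hosts is checked before anything is counted, a single stage chain covers SSH, FTP and Telnet, the banning rule is logged, and the cleartext services are switched off. The address 192.0.2.10 and the names `mgmt_allow`, `login_stage1` to `login_stage3` and `black_list` are placeholders chosen for this example.

```routeros
# Added example, not from the wiki or the forum post: the same staged blacklist,
# hardened for production use.
#   - hosts in "mgmt_allow" are never counted or banned (192.0.2.10 is a placeholder)
#   - one stage chain covers SSH, FTP and Telnet instead of three copies;
#     trim the dst-port list to the services you actually expose
#   - the final stage logs the ban so it shows up in /log
/ip firewall address-list
add list=mgmt_allow address=192.0.2.10 comment="trusted admin host"

/ip firewall filter
# Order matters: exceptions first, then the drop, then the stages from highest to lowest,
# because add-src-to-address-list is a passthrough action and later rules still run.
add chain=input protocol=tcp dst-port=21,22,23 src-address-list=mgmt_allow action=accept \
    comment="management hosts bypass brute-force staging"
add chain=input protocol=tcp dst-port=21,22,23 src-address-list=black_list action=drop \
    comment="drop brute forcers"
add chain=input protocol=tcp dst-port=21,22,23 connection-state=new \
    src-address-list=login_stage3 action=add-src-to-address-list \
    address-list=black_list address-list-timeout=1d \
    log=yes log-prefix="bruteforce-ban" comment="4th new connection within the window: ban"
add chain=input protocol=tcp dst-port=21,22,23 connection-state=new \
    src-address-list=login_stage2 action=add-src-to-address-list \
    address-list=login_stage3 address-list-timeout=1m comment="stage 2 -> 3"
add chain=input protocol=tcp dst-port=21,22,23 connection-state=new \
    src-address-list=login_stage1 action=add-src-to-address-list \
    address-list=login_stage2 address-list-timeout=1m comment="stage 1 -> 2"
add chain=input protocol=tcp dst-port=21,22,23 connection-state=new \
    action=add-src-to-address-list address-list=login_stage1 address-list-timeout=1m \
    comment="first new connection: stage 1"

# Telnet and FTP carry credentials in cleartext; rate-limiting logins does not
# protect them. Disable the services unless they are really needed.
/ip service disable telnet,ftp
```

Because one chain counts connections to all three ports, four new connections to any mix of SSH, FTP and Telnet within the window trigger the ban; keep the per-service copies above if you want independent thresholds. Check the result with `/ip firewall address-list print where list=black_list` and `/log print where message~"bruteforce-ban"`.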

#### Script for adding IP addresses to a firewall list

Source: [Using Fetch and Scripting to add IP Address Lists](https://wiki.mikrotik.com/wiki/Using_Fetch_and_Scripting_to_add_IP_Address_Lists)

Note: This only works with files under 4096 characters in size due to the variable size limit in v3; hopefully they will re-introduce the Lua system in v4 shortly so we can make this work with any size list.

If not, I will be investigating an alternate solution for breaking files up into readable chunks.

##### The code

```routeros
## Generic IP address list input
## Based on a script written by Sam Norris, ChangeIP.com 2008
## Edited by Andrew Cox, AccessPlus.com.au 2008
# Change these two values to the file you fetched and the address list you want to fill
:local fileName "ipaddress.txt"
:local listName "MY-IP-LIST"

:if ( [:len [/file find name=$fileName]] > 0 ) do={
  :if ( [/file get [/file find name=$fileName] size] > 0 ) do={
    # Remove existing addresses from the current address list
    /ip firewall address-list remove [/ip firewall address-list find list=$listName]

    # The file contents are read into a variable, so the size limit from the note above applies
    :local content [/file get [/file find name=$fileName] contents]
    :local contentLen [:len $content]

    :local lineEnd 0
    :local lastEnd 0
    :local line ""

    :do {
      :set lineEnd [:find $content "\n" $lastEnd]
      # Last line without a trailing newline: :find returns nil, so take the rest of the file
      :if ([:typeof $lineEnd] = "nil") do={ :set lineEnd $contentLen }
      :set line [:pick $content $lastEnd $lineEnd]
      :set lastEnd ($lineEnd + 1)

      # Strip the trailing carriage return left by CRLF (Windows) line endings
      :if ([:len $line] > 0) do={
        :if ([:pick $line ([:len $line] - 1) [:len $line]] = "\r") do={
          :set line [:pick $line 0 ([:len $line] - 1)]
        }
      }

      # Skip empty lines and comments (lines starting with a hash), add everything else
      :if ([:len $line] > 0) do={
        :if ([:pick $line 0 1] != "#") do={
          # A malformed line would otherwise abort the whole script; log it and carry on
          :do {
            /ip firewall address-list add list=$listName address=$line
          } on-error={
            :log warning "address-list import: skipped invalid entry '$line'"
          }
        }
      }
    } while=($lineEnd < $contentLen)
  }
}
```

##### How to use

This reads entries from a simple list, one address or CIDR prefix per line, where lines starting with `#` are comments:

```text
#This is a comment
#Blah blah blah
1.1.1.1
2.2.2.0/24
3.3.3.3
4.4.4.128/26
```

Just substitute the address list and file name you want to pull from (for anyone else who wants to use it with their own generated lists).

You can use this hand in hand with a fetch script to retrieve the list from a remote site and then process it.

##### Code for fetching

```routeros
# Download the list to the file name the processing script expects.
# Over plain http an on-path attacker can hand the router a tampered list; prefer
# https with check-certificate=yes once the server's CA certificate is imported.
/tool fetch url="http://server.somewhere.tld/folder/anotherfolder/ipaddress.txt" dst-path=ipaddress.txt
:delay 10
# Replace with whatever name you have called the processing script
/system script run add-ip-addresses
```
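To run the fetch and the import unattended, the two steps above can be wrapped in one script with error handling and put on the scheduler. This is an added example rather than part of the wiki article; it assumes the list is published over HTTPS at the placeholder URL below, that the server's CA certificate has been imported under `/certificate` so that `check-certificate=yes` can validate it, and that the parsing script above was saved under the name `add-ip-addresses`.

```routeros
# Added example, not part of the wiki article. Assumptions: placeholder URL,
# CA certificate already imported (/certificate import), parsing script saved
# as "add-ip-addresses".
/system script add name=refresh-ip-list owner=admin policy=read,write,test source={
    :do {
        # TLS with certificate validation: a tampered or spoofed list is rejected
        /tool fetch url="https://server.somewhere.tld/folder/anotherfolder/ipaddress.txt" \
            dst-path=ipaddress.txt check-certificate=yes
        # Only rebuild the address list if the download succeeded
        /system script run add-ip-addresses
        :log info "refresh-ip-list: address list updated"
    } on-error={
        # A failed fetch leaves the previous list in place instead of emptying it
        :log error "refresh-ip-list: fetch failed, keeping the existing address list"
    }
}

# Run at boot and then every 6 hours
/system scheduler add name=refresh-ip-list interval=6h start-time=startup \
    on-event="/system script run refresh-ip-list"
```

Check the outcome with `/ip firewall address-list print where list=MY-IP-LIST` and `/log print where message~"refresh-ip-list"`.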