Implementing a Fail2Ban-like Automatic Ban Mechanism on MikroTik RouterOS

liveJQ
2024-10-23 / 0 comments / 0 likes / 230 reads / 2,232 characters

Incident

Recently several key devices have, for no obvious reason, been under continuous SSH brute-force attempts. Although I changed the port and restricted login by source IP, failed login attempts still show up in the logs.

oct/23/2024 11:11:35 system,error,critical login failure for user xp from 172.105.77.135 via ssh
oct/23/2024 11:11:36 system,error,critical login failure for user yang from 172.105.77.135 via ssh
oct/23/2024 11:11:38 system,error,critical login failure for user yfu from 172.105.77.135 via ssh
oct/23/2024 11:11:39 system,error,critical login failure for user yjq from 172.105.77.135 via ssh
oct/23/2024 11:11:41 system,error,critical login failure for user yyx from 172.105.77.135 via ssh
oct/23/2024 11:11:42 system,error,critical login failure for user zhangzheng from 172.105.77.135 via ssh

At first I configured Winbox-only login, then changed the default login port, but the user password was still tampered with more than once, while the configuration itself was hardly touched; to this day I am still puzzled by it. After switching to SSH and restricting login by source IP, things quieted down for a while.

Configure the ACL allow list

/ip firewall address-list add list=ACL address=10.0.0.0/8
/ip firewall address-list add list=ACL address=1.1.1.1

Add the SSH ban policy

Here, every login attempt (a new connection to port 22) from a source IP that is not in the ACL list is recorded in a separate staging list. When the attempts from the same source accumulate to 5 within 10 minutes, that source IP is added directly to the ban list.

/ip firewall filter
# add-src-to-address-list does not terminate rule processing, so the rules are
# listed with the blacklist rule first and the stage-1 rule last. In the opposite
# order a single new connection would walk through every stage in one pass and be
# blacklisted immediately instead of after the 5th attempt.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_stage5 connection-state=new action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=7d comment="Block SSH attackers"
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_stage4 connection-state=new action=add-src-to-address-list \
    address-list=ssh_stage5 address-list-timeout=10m comment="SSH stage 5 detection"
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_stage3 connection-state=new action=add-src-to-address-list \
    address-list=ssh_stage4 address-list-timeout=10m comment="SSH stage 4 detection"
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_stage2 connection-state=new action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=10m comment="SSH stage 3 detection"
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_stage1 connection-state=new action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=10m comment="SSH stage 2 detection"
add chain=input protocol=tcp dst-port=22 src-address-list=!ACL connection-state=new action=add-src-to-address-list \
    address-list=ssh_stage1 address-list-timeout=10m comment="SSH stage 1 detection"

The ban list timeout is set to 7 days, meaning that for 7 days any request from that source IP is dropped outright.

/ip firewall filter
add chain=input src-address-list=ssh_blacklist action=drop comment="Drop SSH blacklist"
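To make the staged escalation, the 10-minute windows and the 7-day ban concrete, here is a small Python model of the chain above. It is an added example, not part of the original post or of RouterOS. It assumes (my reading of RouterOS behaviour, not stated on the page) that add-src-to-address-list is non-terminating, that re-adding an address to a timed list refreshes its timeout, and that each counted event is a new TCP connection to port 22 rather than a failed authentication. The ACL entries and the attacker address are taken from the post; the other timestamps and hosts are constructed.

```python
"""Toy model of the staged address-list ban chain from the post.

Assumptions (mine, not from the post): add-src-to-address-list does not stop
rule processing, re-adding an address to a timed list refreshes its timeout,
and each counted event is a new TCP connection to port 22."""
from ipaddress import ip_address, ip_network

# ACL mirroring the two entries configured in the post
ACL = [ip_network("10.0.0.0/8"), ip_network("1.1.1.1/32")]

STAGE_TIMEOUT = 10 * 60          # address-list-timeout=10m, in seconds
BLACKLIST_TIMEOUT = 7 * 86400    # address-list-timeout=7d, in seconds
STAGES = ["ssh_stage1", "ssh_stage2", "ssh_stage3", "ssh_stage4", "ssh_stage5"]


class AddressLists:
    """Models /ip firewall address-list: list name -> {ip: expiry time}."""

    def __init__(self):
        self.lists = {}

    def contains(self, name, ip, now):
        expires = self.lists.get(name, {}).get(ip)
        return expires is not None and expires > now

    def add(self, name, ip, now, timeout):
        # re-adding an existing dynamic entry refreshes its timeout (assumption)
        self.lists.setdefault(name, {})[ip] = now + timeout


def in_acl(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ACL)


def build_rules(blacklist_first=True):
    """Stage rules as (required source list, target list, timeout).

    None as the required list stands for the first rule, which matches
    src-address-list=!ACL. blacklist_first=True is the order used in the
    MikroTik bruteforce-prevention example; False is the forward order."""
    chain = [(None, STAGES[0], STAGE_TIMEOUT)]
    for cur, nxt in zip(STAGES, STAGES[1:]):
        chain.append((cur, nxt, STAGE_TIMEOUT))
    chain.append((STAGES[-1], "ssh_blacklist", BLACKLIST_TIMEOUT))
    return chain[::-1] if blacklist_first else chain


def new_ssh_connection(lists, rules, ip, now):
    """Walk the input chain for one new TCP connection to port 22.

    The ssh_blacklist drop rule sits after the stage rules, as in the post,
    so the connection that completes the escalation is itself dropped."""
    for src_list, target, timeout in rules:
        if src_list is None:
            matched = not in_acl(ip)
        else:
            matched = lists.contains(src_list, ip, now)
        if matched:
            lists.add(target, ip, now, timeout)   # non-terminating action
    if lists.contains("ssh_blacklist", ip, now):
        return "drop"
    return "accept"


def simulate(ip, times, blacklist_first=True):
    """Feed new connections from ip at the given timestamps (seconds) through
    a fresh firewall and return the verdict for each connection."""
    lists = AddressLists()
    rules = build_rules(blacklist_first)
    return [new_ssh_connection(lists, rules, ip, t) for t in times]


if __name__ == "__main__":
    attacker = "172.105.77.135"   # the source seen in the post's log excerpt
    print("burst of 6:", simulate(attacker, range(6)))
    print("one per 10m01s:", simulate(attacker, [i * 601 for i in range(8)]))
    print("forward rule order:", simulate(attacker, [0], blacklist_first=False))
    print("ACL host:", simulate("10.1.2.3", range(8)))
```

Running it shows the four behaviours that matter in practice: a burst from the logged address is accepted five times and dropped on the sixth; attempts spaced more than 10 minutes apart never leave stage 1; an address covered by the ACL is never staged at all; and with the stage rules in forward order the very first connection is blacklisted, which is why the rule order matters. Because the counter is a new connection rather than a failed login, an administrator connecting repeatedly from an address outside the ACL will hit the same limit.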