+ Responder ao Tópico



  1. #1

    Padrão Prevenindo brute force login

    Bem pessoal,
    Venho trazer esta forma de prevenção de brute força por ftp e ssh. Cada um pode alterar a sua maneira.


    Para o ftp, aqui permite 10 login, apos erro ele bloqueia:

    /ip firewall filter
    add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Barrar brute forca para ftp"
    add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
    add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
    Para o ssh, também 10 login:

    /ip firewall filter

    add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="barrar brute force para ssh" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
    Se você quiser bloquear o downstream, precisa bloquear a chain forward:

    add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="drop ssh brute forcers" disabled=no

    add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=10d comment="" disabled=no

    add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m comment="" disabled=no

    add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
    add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

    É isto ae.

  2. #2

    Padrão

    Ou pode usar o denyhosts, é muito bom.



  3. #3

  4. #4
    xargs -n 1 kill -9 Avatar de sergio
    Ingresso
    Jan 2004
    Localização
    Capital do Triângulo
    Posts
    5.202
    Posts de Blog
    9

    Padrão

    Citação Postado originalmente por cesarkallas Ver Post
    Ou pode usar o denyhosts, é muito bom.

    DenyHosts só em Linux "puro sangue". O script postado é para Mikrotik.



  5. #5