Mikrotik SSH Brute Force Mitigation

Published by Gizmo_RA2 on

SSH Brute Force Mitigation

To protect the router from brute-force attacks against the SSH port, we can record the IPs of attackers who fail to log in.

This tutorial assumes your internet-facing interface is called WAN (if not, replace WAN with your interface name).
Please be aware that order matters; this is why the rules are added Stage 3 first, then Stage 2, then Stage 1. Otherwise a source will stop at Stage 1 each time and never go any further.

First we check in the raw table's prerouting chain whether the source is in the banned list; if it is, we drop its packets before they are even routed (and drop any traffic the router itself would send back to a banned address in the output chain):

/ip firewall raw
add action=drop chain=prerouting src-address-list=\
    "SSH External Access Stage 3 BANNED"
add action=drop chain=output dst-address-list=\
    "SSH External Access Stage 3 BANNED"

Then, in the filter table's input chain, we check whether they are already in Stage 2; if they are, we add them to Stage 3:

/ip firewall filter
add action=add-src-to-address-list address-list=\
    "SSH External Access Stage 3 BANNED" address-list-timeout=2w chain=input \
    comment=\
    "Add people who access SSH from outside the network to stage 3 BANNED list" \
    connection-state=new dst-port=22 in-interface=WAN log=yes \
    log-prefix="SSH External Access Stage 3 BANNED" protocol=tcp \
    src-address-list="SSH External Access Stage 2"

If they are not in Stage 2, we check whether they are in Stage 1; if so, we add them to Stage 2:

add action=add-src-to-address-list address-list=\
    "SSH External Access Stage 2" address-list-timeout=1m chain=input \
    comment=\
    "Add people who access SSH from outside the network to stage 2 list" \
    connection-state=new dst-port=22 in-interface=WAN \
    log-prefix="SSH External Access Stage 2" protocol=tcp \
    src-address-list="SSH External Access Stage 1"

If they are not known yet, we add them to Stage 1:

add action=add-src-to-address-list address-list=\
    "SSH External Access Stage 1" address-list-timeout=4w2d chain=input \
    comment=\
    "Add people who access SSH from outside the network to stage 1 list" \
    dst-port=22 in-interface=WAN log-prefix=\
    "SSH External Access Stage 1" protocol=tcp src-address-list=!Whitelist
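To see what these three rules do once installed, here is an added Python model of the escalation (not RouterOS code and not from the original post). It treats each new TCP connection to port 22 arriving on WAN as one event, because that is what the rules match on, applies the 4w2d / 1m / 2w timeouts, and shows that a source is dropped from its fourth connection in a burst, while one that waits longer than a minute between attempts never reaches the banned list. The IP addresses are constructed documentation values.

```python
from dataclasses import dataclass, field

# Address-list names and timeouts from the rules above (4w2d = 30 days, 1m, 2w).
STAGE1, STAGE2, BANNED = "Stage 1", "Stage 2", "Stage 3 BANNED"
TIMEOUT = {STAGE1: 30 * 86400, STAGE2: 60, BANNED: 14 * 86400}


@dataclass
class Router:
    """Constructed model: dynamic address lists as {ip: expiry-timestamp}."""
    whitelist: set = field(default_factory=set)
    lists: dict = field(default_factory=lambda: {STAGE1: {}, STAGE2: {}, BANNED: {}})

    def _listed(self, name, ip, now):
        exp = self.lists[name].get(ip)
        return exp is not None and exp > now  # dynamic entries expire

    def _add(self, name, ip, now):
        self.lists[name][ip] = now + TIMEOUT[name]  # re-adding refreshes the timeout

    def new_ssh_connection(self, ip, now):
        """Feed one new tcp/22 connection from WAN; returns 'dropped' or 'passed'."""
        if self._listed(BANNED, ip, now):
            return "dropped"  # /ip firewall raw prerouting, before any filter rule
        if ip in self.whitelist:
            return "passed"  # never enters Stage 1, so never escalates
        # add-src-to-address-list is passthrough: every matching rule fires,
        # and they are evaluated in the installed order 3 -> 2 -> 1.
        if self._listed(STAGE2, ip, now):
            self._add(BANNED, ip, now)
        if self._listed(STAGE1, ip, now):
            self._add(STAGE2, ip, now)
        self._add(STAGE1, ip, now)
        return "passed"


def attempts_until_drop(gap_seconds, ip="203.0.113.5", whitelist=(), max_attempts=10):
    """How many new connections a source gets before its SYN is dropped,
    with gap_seconds between attempts; None if never within max_attempts."""
    r = Router(whitelist=set(whitelist))
    for n in range(1, max_attempts + 1):
        if r.new_ssh_connection(ip, n * gap_seconds) == "dropped":
            return n
    return None


if __name__ == "__main__":
    print("burst, 1 s apart:", attempts_until_drop(1))      # 4
    print("slow, 90 s apart:", attempts_until_drop(90))     # None
    print("whitelisted:", attempts_until_drop(1, whitelist=["203.0.113.5"]))  # None
```

The third connection still passes the filter because the ban is only recorded while it is being processed; from the fourth onwards the raw rule drops the SYN.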