Mikrotik Winbox Brute Force Mitigation

Published by Gizmo_RA2 on

Winbox Brute Force Mitigation

To protect the router from brute force attacks against the Winbox port, we can record the IPs of hackers who fail to log in and drop their traffic.

This tutorial assumes your internet port is called WAN (if not, replace WAN with your interface name). The Stage 1 rule exempts addresses in an address list named Whitelist, so add your own management addresses to that list before enabling these rules, otherwise three quick connections of your own will get you banned as well.
Please be aware that order matters; this is why the rules go from Stage 3 down to Stage 1. Otherwise it will stop at Stage 1 each time and not go any further.

First we check in the raw prerouting chain whether they are in the banned list; if they are, we drop their packets before they are even routed. A second rule in the output chain also drops anything the router itself would send to a banned address:

/ip firewall raw
add action=drop chain=prerouting src-address-list=\
    "Winbox External Access Stage 3 BANNED"
add action=drop chain=output dst-address-list=\
    "Winbox External Access Stage 3 BANNED"

Then, in the filter table, we check if they are already in Stage 2; if they are, we add them to Stage 3 (BANNED):

/ip firewall filter
add action=add-src-to-address-list address-list=\
    "Winbox External Access Stage 3 BANNED" address-list-timeout=2w chain=\
    input comment=\
    "Add people who access winbox from outside the network to stage 3 BANNED list" \
    connection-state=new dst-port=8291 in-interface=WAN log=yes \
    log-prefix="Winbox External Access Stage 3 BANNED" protocol=tcp \
    src-address-list="Winbox External Access Stage 2"

If they are not in Stage 2, we check if they are in Stage 1; if so, we add them to Stage 2:

add action=add-src-to-address-list address-list=\
    "Winbox External Access Stage 2" address-list-timeout=1m chain=input \
    comment=\
    "Add people who access winbox from outside the network to stage 2 list" \
    connection-state=new dst-port=8291 in-interface=WAN \
    log-prefix="Winbox External Access Stage 2" protocol=tcp \
    src-address-list="Winbox External Access Stage 1"

If they are not known yet, we add them to Stage 1:

add action=add-src-to-address-list address-list=\
    "Winbox External Access Stage 1" address-list-timeout=4w2d chain=input \
    comment=\
    "Add people who access winbox from outside the network to stage 1 list" \
    dst-port=8291 in-interface=WAN log-prefix=\
    "Winbox External Access Stage 1" protocol=tcp src-address-list=!Whitelist
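As an added illustration that is not part of the original post, the following Python model replays connection attempts through the three filter rules in the order given above, using the page's timeouts, to show when an address ends up banned and when the Whitelist exempts it. The addresses and timings are constructed, and the model assumes that re-adding an address already on a list refreshes its timeout.

```python
# Timeouts taken from the rules on this page, in seconds.
STAGE1_TIMEOUT = (4 * 7 + 2) * 86400   # address-list-timeout=4w2d
STAGE2_TIMEOUT = 60                    # address-list-timeout=1m
STAGE3_TIMEOUT = 2 * 7 * 86400         # address-list-timeout=2w


class WinboxEscalation:
    # Stage 1/2/3 address lists as {ip: expiry_time} plus the static Whitelist.

    def __init__(self, whitelist=()):
        self.lists = {"Stage 1": {}, "Stage 2": {}, "Stage 3 BANNED": {}}
        self.whitelist = set(whitelist)

    def _listed(self, name, ip, now):
        return self.lists[name].get(ip, -1) > now

    def _add(self, name, ip, now, timeout):
        # Assumption (not stated on the page): re-adding an address that is
        # already in the list refreshes its timeout rather than keeping the old one.
        self.lists[name][ip] = now + timeout

    def new_connection(self, ip, now):
        """One new TCP connection to port 8291 arriving on WAN at time `now`.
        Returns "dropped" if raw prerouting discards it, else the highest list hit."""
        # /ip firewall raw: banned sources are dropped before any filter rule runs.
        if self._listed("Stage 3 BANNED", ip, now):
            return "dropped"
        # /ip firewall filter, in page order. add-src-to-address-list is a
        # passthrough action, so one packet can match several of these rules.
        if self._listed("Stage 2", ip, now):        # Stage 3 rule
            self._add("Stage 3 BANNED", ip, now, STAGE3_TIMEOUT)
        if self._listed("Stage 1", ip, now):        # Stage 2 rule
            self._add("Stage 2", ip, now, STAGE2_TIMEOUT)
        if ip not in self.whitelist:                # Stage 1 rule, src-address-list=!Whitelist
            self._add("Stage 1", ip, now, STAGE1_TIMEOUT)
        for name in ("Stage 3 BANNED", "Stage 2", "Stage 1"):
            if self._listed(name, ip, now):
                return name
        return "whitelisted"


def simulate(whitelist, events):
    """Replay constructed (time, ip) connection events and return each outcome."""
    state = WinboxEscalation(whitelist)
    return [state.new_connection(ip, t) for t, ip in events]


# Constructed sample: four rapid connections from one unlisted address.
RAPID = [(t, "203.0.113.5") for t in (0, 10, 20, 30)]
print(simulate((), RAPID))   # ['Stage 1', 'Stage 2', 'Stage 3 BANNED', 'dropped']
```

Connections spaced more than a minute apart never get past Stage 2, because the Stage 2 entry expires after 1m; raise address-list-timeout on the Stage 2 rule if you want escalation to cover a longer window.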