В данный момент подключено 2 провайдера (ether1-wan и ether2-wan).
В Firewall -> NAT настроено, что некое множество портов, а именно:
22-30, 45-50, 99-111 снаружи NAT'ом направляются внутрь на локальный IP с портом 22,
например внешний IP=XXX.XXX.XXX.XXX:45 -> IP=192.168.40.200:22
Как решить проблему, что кто-то перебирает пароли? (только порты уже изменять нельзя)
Доступ снаружи сотрудникам также нельзя закрывать (чтобы можно было работать с дома).
Задача в целом: прекратить перебор пароля по SSH или свести его, например, к 3 попыткам, потом бан на сутки, потом снова 3 попытки и бан на 3 дня, потом 3 попытки и бан на 7 дней, потом 3 попытки и бан на 30 дней.
Нашёл первый вариант (так называемый honeypot), не совсем уверен, что он поможет:
# Option 1 ("honeypot"): filter rules that only collect source addresses into an
# address list; a separate drop rule on that list is still needed for them to block.
/ip firewall filter
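# Honeypot rule for ether1-wan: the source of every NEW TCP connection to the listed
# ports is put into the "Honeypot Hacker" list for 30 days. The action only collects
# addresses; a drop rule matching src-address-list="Honeypot Hacker" (e.g. in
# /ip firewall raw, chain=prerouting) is required for the list to block anything.
# Fixed here: "dst port=" is not a valid matcher name, it must be "dst-port=".
# NOTE(review): these are exactly the ports that are dst-nat'ed to the internal
# host. Traffic that was dst-nat'ed traverses the forward chain, not input, so this
# input-chain rule is unlikely to ever see it; and if it were moved to forward it
# would ban every employee on their first connection from home. A honeypot only works
# on ports that are NOT published through NAT.
add action=add-src-to-address-list address-list="Honeypot Hacker" \
address-list-timeout=30d0h0m chain=input comment="block honeypot ssh" \
connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 in-interface=\
ether1-wan protocol=tcp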
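# Honeypot rule for ether2-wan (same matcher as the ether1-wan rule).
# Fixed here: "in-interface=" was written twice across the line continuation, which
# made the value "in-interface=ether2-wan" and the rule invalid.
# NOTE(review): these ports are the ones published through dst-nat, so this
# input-chain rule is unlikely to match the forwarded traffic; pick honeypot ports
# that are NOT forwarded, otherwise employees connecting from home would be banned.
add action=add-src-to-address-list address-list="Honeypot Hacker" \
address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox BN" \
connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 in-interface=\
ether2-wan protocol=tcp
# Without a drop rule the list above is only a record; drop blacklisted sources as
# early as possible (raw/prerouting, before connection tracking) on both WAN links.
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1-wan src-address-list="Honeypot Hacker"
add action=drop chain=prerouting in-interface=ether2-wan src-address-list="Honeypot Hacker"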
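# Option 2: a connection-rate "ladder". Each NEW TCP connection to the listed ports
# moves the source one stage up (ssh_stage1 -> ... -> ssh_stage12) while the previous
# stage entry has not expired; the 13th connection inside the timeouts lands the
# source in ssh_blacklist, which the raw drop rules block. Rules are listed from the
# highest stage down, so one packet is promoted by at most one stage per pass.
# Fixed here: the ssh_blacklist rule used protocol=ssh (not an IP protocol, must be
# tcp), and the ssh_stage8 rule pulled from ssh_stage4 instead of ssh_stage7, which
# broke the ladder between stage 7 and stage 8.
# NOTE(review): the router counts NEW TCP connections, not failed SSH logins, so an
# employee who reconnects often enough within the timeouts is banned as well. To
# approximate "3 attempts, then ban", keep only two stages (ssh_stage1 -> ssh_stage2
# -> ssh_blacklist) and raise address-list-timeout on ssh_blacklist from 15m to the
# desired ban length (1d; longer lists for repeat offenders can be chained the same
# way). Because dst-nat runs before the forward chain, dst-port here is already the
# translated port (22), so the long port list is wider than needed: matching on the
# internal host (dst-address=192.168.40.200 dst-port=22) or on
# connection-nat-state=dstnat also keeps LAN clients' own outbound connections to
# ports 22/25/110 etc. from being counted.
/ip firewall filter
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=15m chain=forward comment=ssh_to_blacklist \
connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 protocol=tcp src-address-list=\
ssh_stage12
add action=add-src-to-address-list address-list=ssh_stage12 \
address-list-timeout=4m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage11
add action=add-src-to-address-list address-list=ssh_stage11 \
address-list-timeout=4m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage10
add action=add-src-to-address-list address-list=ssh_stage10 \
address-list-timeout=4m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage9
add action=add-src-to-address-list address-list=ssh_stage9 \
address-list-timeout=4m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage8
# stage 8 is reached from stage 7 (was: ssh_stage4)
add action=add-src-to-address-list address-list=ssh_stage8 \
address-list-timeout=4m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage7
add action=add-src-to-address-list address-list=ssh_stage7 \
address-list-timeout=4m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage6
add action=add-src-to-address-list address-list=ssh_stage6 \
address-list-timeout=4m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage5
add action=add-src-to-address-list address-list=ssh_stage5 \
address-list-timeout=2m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage4
add action=add-src-to-address-list address-list=ssh_stage4 \
address-list-timeout=2m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=2m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=2m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp src-address-list=ssh_stage1
# first stage: no src-address-list, every new connection refreshes the 2m entry
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=2m chain=forward connection-state=new dst-port=22,23,24,25,26,27,28,29,30,45,46,47,48,49,50,99,100,101,102,103,104,105,106,107,108,109,110,111 \
protocol=tcp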
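# Drop everything from blacklisted sources as early as possible (raw/prerouting,
# before connection tracking) on both WAN interfaces.
# Fixed here: the first rule ended in "src-address-list=\" with no value, so the
# second "add ..." line was swallowed as its continuation and neither rule was valid.
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1-wan src-address-list=ssh_blacklist
add action=drop chain=prerouting in-interface=ether2-wan src-address-list=ssh_blacklist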