Sunday, 24 March 2013

Resolving system,error,critical login failure on Mikrotik


For the past few days the Mikrotik on our network has frequently shown red log entries that read as follows.
echo: system,error,critical login failure for user master from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user apache from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user root from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
[admin@Sumo] >
echo: system,error,critical login failure for user admin from 67.225.209.238 via ssh
When I checked the IP address, it turned out to be from abroad. After googling around, it turns out this log is the log of an intruder, or in other words someone is trying to hack our Mikrotik. On the Mikrotik forum there is an effective solution for this. Below are the rules you can install on your Mikrotik to secure it from intruders.
These are the rules I got from the Mikrotik forum.

in /ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

After the rules above, also add the rules below.

in /ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

Finally, add the following rule.

add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute downstream" disabled=no
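To make the escalation between the ssh_stage lists visible, here is an added Python simulation of the five SSH rules above; it is not code from the page or from MikroTik. It assumes RouterOS semantics where action=drop terminates processing, add-src-to-address-list passes the packet on to the next rule, and re-adding an address refreshes its timeout; the attacker address from the log above is reused as constructed input.

```python
STAGE_TIMEOUT = 60              # address-list-timeout=1m for ssh_stage1..3
BLACKLIST_TIMEOUT = 10 * 86400  # address-list-timeout=10d for ssh_blacklist

# (src-address-list that must match, list to add to, timeout, action), in the
# order the rules appear on the page: blacklist drop first, then stage3->blacklist,
# stage2->stage3, stage1->stage2, and finally any new connection -> stage1.
RULES = [
    ("ssh_blacklist", None, None, "drop"),
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT, "add"),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT, "add"),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT, "add"),
    (None, "ssh_stage1", STAGE_TIMEOUT, "add"),
]


class StagedFilter:
    """Simulates the ssh_stage* rules for connection-state=new packets to TCP/22."""

    def __init__(self):
        self.lists = {}  # address-list name -> {ip: expiry time in seconds}

    def in_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now  # expired entries do not match

    def add(self, name, ip, now, timeout):
        # Re-adding an address refreshes its timeout (assumed RouterOS behaviour).
        self.lists.setdefault(name, {})[ip] = now + timeout

    def new_connection(self, ip, now):
        """Return 'drop' or 'accept' for one new SSH connection from ip at time now."""
        for match_list, target, timeout, action in RULES:
            if match_list is not None and not self.in_list(match_list, ip, now):
                continue
            if action == "drop":
                return "drop"  # action=drop ends rule processing
            self.add(target, ip, now, timeout)  # add-src-to-address-list passes through
        return "accept"


def run(events):
    """events: list of (seconds, ip) new connections; returns the verdict per event."""
    f = StagedFilter()
    return [f.new_connection(ip, t) for t, ip in events]


if __name__ == "__main__":
    # Constructed burst from the address seen in the log: one attempt per second.
    burst = [(t, "67.225.209.238") for t in range(6)]
    print(run(burst))  # first four accepted, then dropped for 10 days
```

Attempts spaced more than a minute apart never climb past ssh_stage1, so the 1m stage timeouts bound what this rule set catches; raise them if you want slower bursts caught too.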

Source
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_%28FTP_%26_SSH%29
