Bruteforce Prevention

Bruteforce attacks represent one of the most common threats to network infrastructure. Attackers systematically attempt to guess passwords by trying multiple combinations against login services like SSH, Winbox, Telnet, and FTP. MikroTik RouterOS provides multiple mechanisms to detect, mitigate, and block these attacks, protecting your router from unauthorized access.

A bruteforce attack relies on automated tools that systematically try username and password combinations until finding valid credentials. These attacks are particularly dangerous because:

  • Automated Speed: Modern tools can try thousands of passwords per second
  • Persistence: Attackers continue for days or weeks
  • Credential Stuffing: Attackers use leaked credential lists from other breaches
  • Default Credentials: Many devices still use default passwords

Service            Default Port   Risk Level
SSH                22             High
Winbox             8291           High
Telnet             23             Critical
FTP                21             High
API (HTTP/HTTPS)   80/443         Medium

Effective bruteforce protection in RouterOS employs multiple complementary techniques:

  • Connection Rate Limiting: Restricting new connections per source
  • Failed Attempt Tracking: Monitoring login failures using address lists
  • Automatic Blocking: Scripts that dynamically block attackers
  • Service Hardening: Reducing attack surface through configuration

The first line of defense limits how many new connections an IP can establish to management ports. This approach prevents automated tools from overwhelming the router with connection attempts.

Limit concurrent connections to SSH (port 22):

/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-state=new action=jump jump-target=protect-ssh
add chain=protect-ssh connection-limit=3,32 action=drop
add chain=protect-ssh connection-state=new action=accept

This configuration:

  1. Redirects new TCP connections to port 22 to a dedicated chain
  2. Drops connections once more than 3 connections exist per source IP (the 32 is the netmask used to group sources: /32 means each source IP is counted on its own)
  3. Accepts connections that pass the limit check

Protect multiple management services simultaneously:

/ip firewall filter
add chain=input protocol=tcp dst-port=22,23,21,8291 connection-state=new action=jump jump-target=protect-mgmt
add chain=protect-mgmt connection-limit=3,32 action=drop
add chain=protect-mgmt connection-state=new action=accept

The connection-limit parameter follows this format: count,mask

Parameter   Description                                      Example Value
count       Maximum connections to allow                     3
mask        Bits to use for address grouping (32 = per IP)   32

Track failed login attempts using address lists. This approach relies on the /log subsystem: authentication failures are read from the router log, and the source addresses they name are added to an address list that the firewall then drops.

Create dedicated address lists to track attackers:

Address lists are created automatically when the first entry is added. Use descriptive names to distinguish attack sources:

  • ssh-bruteforce — SSH attack sources
  • mgmt-bruteforce — All management service attackers

Monitor logs for failed login attempts:

/log print where message~"fail"

Typical failed login patterns in logs:

  • ssh: invalid user - SSH username enumeration
  • login failure - General authentication failure
  • winbox: user - Winbox login attempt

Manually block identified attackers:

/ip firewall address-list
add list=ssh-bruteforce address=203.0.113.50 comment="Attacker - SSH bruteforce"
add list=ssh-bruteforce address=198.51.100.0/24 comment="Attackers from subnet"

Add firewall rules to drop traffic from blacklisted IPs:

/ip firewall filter
add chain=input src-address-list=ssh-bruteforce action=drop comment="Block SSH bruteforce attackers"
add chain=input src-address-list=mgmt-bruteforce action=drop comment="Block all management attackers"

Automate the detection and blocking process using RouterOS scripting. This script scans the log for failed SSH authentication attempts and adds the offending IPs to an address list. It only sees entries still held in the in-memory log buffer, so it has to run frequently (see the scheduler entry below).

/system script add name=block-bruteforce source={
  # RouterOS logs a failed SSH login as
  # "login failure for user <name> from <address> via ssh"
  :local timeout 1d
  :local listName "ssh-bruteforce"
  :foreach i in=[/log find message~"login failure" && message~"via ssh"] do={
    :local logMsg [/log get $i message]
    :do {
      # the source address sits between "from " and " via"
      :local startPos ([:find $logMsg "from "] + 5)
      :local endPos [:find $logMsg " via"]
      :local extractIP [:pick $logMsg $startPos $endPos]
      :if ([:len $extractIP] > 0) do={
        # skip sources that are already on the list
        :if ([:len [/ip firewall address-list find list=$listName address=$extractIP]] = 0) do={
          /ip firewall address-list add list=$listName address=$extractIP timeout=$timeout comment="Auto-blocked SSH bruteforce"
          :log info "Blocked bruteforce attacker: $extractIP"
        }
      }
    } on-error={}
  }
}

This script:

  1. Searches logs for failed SSH login attempts
  2. Extracts source IP addresses from log messages
  3. Adds new IPs to the address list with 1-day timeout
  4. Skips IPs already on the blocklist

Run the detection script periodically:

/system scheduler add name=bruteforce-check on-event=block-bruteforce interval=1m

This runs the detection every minute, providing near-real-time blocking.
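Added example, not part of the original page: a firewall-only escalation that tracks repeated new connections per source across staged address lists, in the style of the classic MikroTik address-list recipe, so blocking happens at packet rate instead of waiting for the scheduler. The list names ssh_stage1, ssh_stage2, ssh_stage3 and ssh_blacklist, the one-minute windows and the 10-day ban are values chosen here, not taken from the page. Note that it counts new connections rather than failed logins, so a legitimate user who opens four sessions within a minute is listed as well; a trusted-source accept rule therefore belongs above it.

```routeros
/ip firewall filter
# Keeps existing sessions working; usually already present in a default firewall
add chain=input connection-state=established,related action=accept comment="Keep existing sessions"
# Sources already on the blacklist are dropped before anything else is evaluated
add chain=input src-address-list=ssh_blacklist action=drop comment="Drop SSH bruteforce sources"
# Each new SSH connection moves the source one stage up. add-src-to-address-list
# does not stop rule evaluation, so the later rules still run for the same packet.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="4th new connection within a minute: blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
# Connections that did not exceed the threshold are allowed through
add chain=input protocol=tcp dst-port=22 connection-state=new action=accept comment="SSH below threshold"
```

The stage entries expire after a minute, so a source that pauses between attempts starts over; only a fourth new connection inside the window reaches the blacklist. Progress can be watched with `/ip firewall address-list print where list~"ssh_"`.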

Winbox is a common target for bruteforce attacks. Protect it specifically:

/ip firewall filter
add chain=input protocol=tcp dst-port=8291 connection-state=new action=jump jump-target=protect-winbox
add chain=protect-winbox connection-limit=2,32 action=drop
add chain=protect-winbox connection-state=new action=accept

/system script add name=block-winbox-bruteforce source={
  # RouterOS logs a failed Winbox login as
  # "login failure for user <name> from <address> via winbox"
  :local timeout 1d
  :local listName "winbox-bruteforce"
  :foreach i in=[/log find message~"login failure" && message~"via winbox"] do={
    :local logMsg [/log get $i message]
    :do {
      # the source address sits between "from " and " via"
      :local startPos ([:find $logMsg "from "] + 5)
      :local endPos [:find $logMsg " via"]
      :local extractIP [:pick $logMsg $startPos $endPos]
      :if ([:len $extractIP] > 0) do={
        # skip sources that are already on the list
        :if ([:len [/ip firewall address-list find list=$listName address=$extractIP]] = 0) do={
          /ip firewall address-list add list=$listName address=$extractIP timeout=$timeout comment="Auto-blocked Winbox bruteforce"
          :log info "Blocked Winbox attacker: $extractIP"
        }
      }
    } on-error={}
  }
}

Complete Bruteforce Prevention Configuration

Combine all techniques into a comprehensive protection setup:

# Block addresses already on the blocklists before anything else is evaluated.
# add-src-to-address-list does not stop rule processing, so the drop rules must
# sit above the jump rules, and the protect-* chains need their own drop after it.
/ip firewall filter
add chain=input src-address-list=mgmt-bruteforce action=drop comment="Block all management attackers"
add chain=input src-address-list=ssh-bruteforce action=drop comment="Block SSH bruteforce attackers"
add chain=input src-address-list=winbox-bruteforce action=drop comment="Block Winbox bruteforce attackers"
# SSH protection - connection limiting
add chain=input protocol=tcp dst-port=22 connection-state=new action=jump jump-target=protect-ssh
add chain=protect-ssh connection-limit=3,32 action=add-src-to-address-list address-list=ssh-bruteforce address-list-timeout=1d
add chain=protect-ssh connection-limit=3,32 action=drop
add chain=protect-ssh connection-state=new action=accept
# Winbox protection - connection limiting
add chain=input protocol=tcp dst-port=8291 connection-state=new action=jump jump-target=protect-winbox
add chain=protect-winbox connection-limit=2,32 action=add-src-to-address-list address-list=winbox-bruteforce address-list-timeout=1d
add chain=protect-winbox connection-limit=2,32 action=drop
add chain=protect-winbox connection-state=new action=accept
# Telnet protection (recommended to disable the service as well)
add chain=input protocol=tcp dst-port=23 action=drop comment="Disable Telnet - security risk"

Beyond firewall rules, harden the services themselves:

# Disable Telnet (sends passwords in cleartext)
/ip service disable telnet
# Disable FTP
/ip service disable ftp
# Limit API access
/ip service set api address=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
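Added example, not taken from the page: restricting every remaining management service to a management subnet and disabling the rest in one pass. The subnet 192.168.88.0/24 is a constructed value; replace it with the network your administrators actually use, and make sure the session applying it originates from inside that network, because the restriction takes effect immediately.

```routeros
/ip service
# 192.168.88.0/24 is a constructed management subnet; adjust before use
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
# Services with no business need are disabled rather than merely restricted
disable telnet
disable ftp
disable www
disable api
# Confirm what is still enabled and from where it is reachable
print
```

The address restriction is enforced by the service itself, so it holds even if a firewall rule is later misordered; the firewall rules above remain useful for dropping the traffic before it reaches the service.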

Reduce the volume of automated attacks by moving services to non-standard ports. This only cuts down opportunistic scanner noise; a targeted attacker will find the new port, so it complements the rules above rather than replacing them:

# Change SSH to non-standard port
/ip service set ssh port=2222
# Change Winbox to non-standard port
/ip service set winbox port=8292

Replace password authentication with SSH keys:

/user ssh-keys import public-key-file=id_rsa.pub user=admin
# Disable the default admin account only after another full-access user with a
# tested SSH key exists; disabling it right after importing a key for it locks you out
/user set admin disabled=yes

Review the current blocklist entries and the connection table:

/ip firewall address-list print where list~"bruteforce"
/ip firewall connection print

Check Active Connections to Management Ports

/ip firewall connection print where protocol=tcp dst-port=22,8291,23
/ip firewall filter print stats

Remove an IP from the blocklist:

/ip firewall address-list remove [find list=ssh-bruteforce address="203.0.113.50"]

If legitimate users are being blocked:

  1. Check if the user’s IP is in an address list
  2. Increase connection limit thresholds
  3. Add trusted IPs to a whitelist
  4. Reduce detection sensitivity

Keep trusted addresses in a dedicated list. The list has no effect on its own: it must be referenced by an accept rule placed above the drop and jump rules in the input chain:

/ip firewall address-list
add list=trusted comment="Trusted IPs - never block" address=10.0.0.100

If the script is not blocking anything:

  1. Verify the script is scheduled: /system scheduler print
  2. Check that the log contains failed attempts: /log print
  3. Run the script manually: /system script run block-bruteforce
  4. Verify the address list exists

To keep the router responsive under sustained attacks:

  1. Ensure RAW prerouting rules drop blocked IPs early
  2. Use connection-limit in input chain before connection tracking
  3. Consider hardware-level filtering
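Added example, not the page’s own configuration, showing how the trusted list and the RAW early-drop advice fit together. The trusted address 10.0.0.100 is the one used in the trusted list above; the list names ssh-bruteforce and winbox-bruteforce are the ones used throughout this page. place-before=0 puts the accept at the top of the input chain so it is evaluated before the jump rules.

```routeros
/ip firewall address-list
add list=trusted address=10.0.0.100 comment="Admin workstation - never block"

/ip firewall raw
# RAW prerouting is evaluated before connection tracking, so dropping blocklisted
# sources here is the cheapest place to do it; trusted sources are exempted first
add chain=prerouting src-address-list=trusted action=accept comment="Trusted sources skip the blocklists"
add chain=prerouting src-address-list=ssh-bruteforce action=drop comment="Drop SSH bruteforce sources before conntrack"
add chain=prerouting src-address-list=winbox-bruteforce action=drop comment="Drop Winbox bruteforce sources before conntrack"

/ip firewall filter
# Placed at index 0 so the connection-limit jump rules never see trusted traffic
add chain=input src-address-list=trusted action=accept place-before=0 comment="Trusted sources bypass connection limits"
```

Because RAW drops happen before the filter table, a source dropped here never reaches the add-src-to-address-list rules, which is desirable once it is already listed; the address-list timeout still expires the entry on schedule.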

The layers of protection covered here:

  1. Firewall Rules: Connection limiting and address lists
  2. Service Hardening: Disable unnecessary services, change ports
  3. Strong Authentication: SSH keys, complex passwords
  4. Access Restrictions: Limit management to specific IPs
  5. Monitoring: Regular log review and alert scripts

Ongoing maintenance:

  • Review blocked IP lists weekly
  • Analyze attack patterns monthly
  • Update blocking thresholds based on traffic
  • Test backup access methods regularly

Documentation and record keeping:

  • Document normal login patterns
  • Record blocked IPs and reasons
  • Maintain runbooks for incident response
  • Track attack trends over time

Related commands:

  • /ip firewall filter - Configure firewall filter rules
  • /ip firewall address-list - Manage address lists
  • /ip firewall raw - Configure RAW prerouting rules
  • /system script - Configure automation scripts
  • /system scheduler - Schedule script execution
  • /ip firewall connection - Monitor connection states
  • /log - View system logs