Sometimes you may see there are many FTP connection has been established in your router and due to this problem The routers CPU process will be high and the bandwidth utilisation will be high . So in that case you can consider it as FTP Brute force attack in your network .
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \ comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \ address-list=ftp_blacklist address-list-timeout=3h
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \ comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \ address-list=ftp_blacklist address-list-timeout=3h
To perform an FTP brute-force attack on a MikroTik SiteCountry router, use tools like Hydra or Medusa with a list of usernames and passwords to repeatedly attempt to log in until successful.
ReplyDelete