Block Brute Force on Microsoft RDP using Mikrotik Router

This is a good way to block brute-force attackers on port 3389 (MS-RDP).

  1. A new RDP connection adds the source address to the rdp_stage1 address list for 5 mins
  2. The second time it connects, it is added to the rdp_stage2 address list for 5 mins
  3. The third time, it is added to the rdp_stage3 address list for 5 mins
  4. The fourth time, the attacker ends up in the Blocked address list for 10 Days.

/ip firewall filter
# Reject everything forwarded from addresses already in the Blocked list
add action=reject chain=forward log-prefix="Blocked - " reject-with=icmp-network-unreachable src-address-list=Blocked

# Fourth new connection: source is in rdp_stage3, so block it for 1w3d (10 days) and log it
add action=add-src-to-address-list address-list=Blocked address-list-timeout=1w3d chain=forward connection-state=new dst-port=3389 log=yes log-prefix="RDP BRUTEFORCE - " protocol=tcp src-address-list=rdp_stage3

# Third new connection: rdp_stage2 -> rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=5m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage2

# Second new connection: rdp_stage1 -> rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=5m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage1

# First new connection: start tracking the source in rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=5m chain=forward connection-state=new dst-port=3389 protocol=tcp
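
The order of the rules above matters: add-src-to-address-list does not stop rule processing, so the same packet is still checked against every later rule, and the highest stage has to be tested first. The Python model below is an added example, not part of the original post and not RouterOS code; the class and function names and the sample address are constructed, and it assumes that re-adding an existing entry restarts its timeout.

```python
# Added example: a toy model of the five filter rules above, not RouterOS code.
MIN, DAY = 60, 86400
TIMEOUT = {"rdp_stage1": 5 * MIN, "rdp_stage2": 5 * MIN,
           "rdp_stage3": 5 * MIN, "Blocked": 10 * DAY}   # 1w3d = 10 days

# (list the source must already be in, list it is added to), in the page's order.
PAGE_ORDER = [("rdp_stage3", "Blocked"), ("rdp_stage2", "rdp_stage3"),
              ("rdp_stage1", "rdp_stage2"), (None, "rdp_stage1")]


class Firewall:
    def __init__(self, rules=PAGE_ORDER):
        self.rules = rules
        self.lists = {}            # (list name, ip) -> expiry time in seconds

    def member(self, name, ip, now):
        return self.lists.get((name, ip), 0) > now

    def new_rdp_connection(self, ip, now):
        """Process one new TCP/3389 connection; return 'reject' or 'forward'."""
        if self.member("Blocked", ip, now):        # first rule: reject
            return "reject"
        for required, target in self.rules:
            # add-src-to-address-list does not stop processing, so every
            # later rule is still evaluated for the same packet.
            if required is None or self.member(required, ip, now):
                # Assumption: re-adding an existing entry restarts its timer.
                self.lists[(target, ip)] = now + TIMEOUT[target]
        return "forward"


def outcomes(times, rules=PAGE_ORDER, ip="198.51.100.7"):   # constructed address
    """Replay new connections at the given times (seconds) from one source."""
    fw = Firewall(rules)
    return [fw.new_rdp_connection(ip, t) for t in times]
```

Replaying `outcomes([0, 10], PAGE_ORDER[::-1])` shows that with the stage rules in ascending order a single connection cascades through every stage and the source is blocked on its first visit. The rules count new connections rather than failed logins, so `outcomes([0, 120, 240, 360, 480])` shows a client that reconnects every two minutes being rejected on its fifth attempt.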

Hope you liked it.
