Firewall tarpit action

Is it possible to tarpit a connection attempt in the firewall? Meaning keeping the connection open as long as possible. Slowing those damn SSH bots down.

Are there any additional info or example?

Mikrotik’s RouterOS has tarpit as a firewall action, from Manual:IP/Firewall/Filter - MikroTik Wiki

tarpit - captures and holds TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)

On my previous Mikrotik router I used it on port 22, to slow down bots scanning and trying brute force SSH logins.

I currently use GitHub - skeeto/endlessh: SSH tarpit that slowly sends an endless banner, but I’d like to handle it in the router.

It looks like mechanism “synproxy”
Create a feature request at phabricator.

To prevent brutforce you can change ssh port and add firewall rules, something like:

set firewall name FRWL-IN rule 30 action 'drop'
set firewall name FRWL-IN rule 30 destination port '2222'
set firewall name FRWL-IN rule 30 protocol 'tcp'
set firewall name FRWL-IN rule 30 recent count '3'
set firewall name FRWL-IN rule 30 recent time '300'
set firewall name FRWL-IN rule 30 state new 'enable'
1 Like