[SOLVED] Failed logins via SSH even though I have drop all...

by daromer » Mon Feb 27, 2012 4:23 pm

Let's see if I can explain this.

Firewall rules (Incoming port 1. WAN port):
1. Allow SSH TCP port 22 from IP xxx.yyy.aaa.bbb
2. Deny all incoming

I also got the basic rules for accept for state established and related. Nothing else is allowed on incoming on this machine.

Service list for SSH is allow all.

So far so good. When I test from several external IPs nothing happens. I can't get in. That's expected, right?
I can get in from IP xxx.yyy.aaa.bbb and that is OK as well.

BUT.

Every now and then I can see this in logs:
09:16:18 system,error,critical login failure for user root from aaa.bbb.ccc.ddd via ssh
09:16:22 system,error,critical login failure for user root from aaa.bbb.ccc.ddd via ssh
09:16:26 system,error,critical login failure for user root from aaa.bbb.ccc.ddd via ssh

How the heck can someone get in at all?

Does the IP service list sometimes go before firewall rules and sometimes not? What have I missed? The router itself is freshly installed and this happens.


edit: Some info about the system:
RB750 running at v5.13
Last edited by daromer on Tue Feb 28, 2012 12:31 pm, edited 2 times in total.


by nickshore » Mon Feb 27, 2012 5:00 pm

Can you export your input chain rules?


by daromer » Mon Feb 27, 2012 5:14 pm

Sure:

Code:
[user@MikroTik] /ip firewall filter> print chain=input
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Loggning här
     chain=input action=log protocol=tcp in-interface=ether1-gateway dst-port=22 log-prefix="Input Dropped:"

 1 X ;;; ICMP
     chain=input action=accept protocol=icmp limit=0,5 dst-limit=0,5,dst-address/1m40s

 2   ;;; Mikrotik WEB
     chain=input action=accept protocol=tcp src-address=workip in-interface=ether1-gateway dst-port=8291

 3   ;;; Micke
     chain=input action=accept protocol=tcp src-address=<home> dst-port=8291

 4   ;;; Micke
     chain=input action=accept protocol=tcp src-address=<home> dst-port=22

 5   chain=input action=accept protocol=tcp src-address=<work> in-interface=ether1-gateway dst-port=80

 6   chain=input action=accept protocol=tcp src-address=<work> in-interface=ether1-gateway dst-port=22

 7   ;;; PPTP VPN Jobbet
     chain=input action=accept protocol=tcp src-address=<home>/24 dst-port=1723

 8   ;;; OpenVPN
     chain=input action=accept protocol=tcp src-address=<server>/24 dst-port=1194

 9   ;;; default configuration established
     chain=input action=accept connection-state=established in-interface=ether1-gateway

10   ;;; default configuration Related
     chain=input action=accept connection-state=related in-interface=ether1-gateway

11   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway



Hmm. Can it be #4 doing this? I don't understand how though. Coming from inside somehow? Can't imagine that if so.


by daromer » Tue Feb 28, 2012 12:31 pm

Problem is now solved. I had totally forgotten that I had another VLAN active with a 2nd external address.
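
Added example, not part of the thread and not MikroTik's code: a small Python model of first-match evaluation over the printed input chain, showing why a new SSH connection arriving on any interface other than ether1-gateway is never dropped by these rules, which is consistent with the resolution in the last post. The interface name vlan-wan2, the documentation addresses standing in for the redacted sources, and the extra rule 12 are assumptions.

```python
import ipaddress
import re
# Constructed sample: a subset of the thread's input chain in `print` layout.
# The redacted <home>/<work> sources are replaced by documentation addresses.
RULES_TEXT = """\
 0   chain=input action=log protocol=tcp in-interface=ether1-gateway dst-port=22
 1 X ;;; ICMP
     chain=input action=accept protocol=icmp
 4   ;;; Micke
     chain=input action=accept protocol=tcp src-address=198.51.100.7 dst-port=22
 6   chain=input action=accept protocol=tcp src-address=203.0.113.9 in-interface=ether1-gateway dst-port=22
 9   chain=input action=accept connection-state=established in-interface=ether1-gateway
11   chain=input action=drop in-interface=ether1-gateway
"""
# Assumed fix: repeat the drop for the second WAN interface (hypothetical name).
HARDENED_TEXT = RULES_TEXT + "12   chain=input action=drop in-interface=vlan-wan2\n"

def parse_rules(text):
    """Return the enabled rules as dicts, in evaluation order."""
    rules = []
    for line in text.splitlines():
        head = re.match(r"\s*(\d+)\s+(X)?", line)
        if head:  # a numbered line starts a new rule; X marks it disabled
            rules.append({"#": int(head.group(1)), "disabled": bool(head.group(2))})
        if rules:  # properties may follow the number or sit on the next line
            rules[-1].update(re.findall(r"([\w-]+)=(\S+)", line.split(";;;")[0]))
    return [r for r in rules if not r["disabled"]]

def first_match(rules, pkt):
    """Return (rule number, action) for pkt; (None, 'accept') if nothing matches."""
    src = ipaddress.ip_address(pkt["src-address"])
    for r in rules:
        exact = ("in-interface", "protocol", "dst-port", "connection-state")
        if any(k in r and r[k] != str(pkt[k]) for k in exact):
            continue
        if "src-address" in r and src not in ipaddress.ip_network(r["src-address"], strict=False):
            continue
        if r["action"] != "log":  # log is non-terminal, evaluation continues
            return r["#"], r["action"]
    return None, "accept"  # a packet that matches no rule is accepted

def ssh_probe(iface, src="192.0.2.50"):
    """A new TCP/22 connection from an unlisted source arriving on iface."""
    return {"in-interface": iface, "protocol": "tcp", "dst-port": 22,
            "connection-state": "new", "src-address": src}

if __name__ == "__main__":
    for text, iface in ((RULES_TEXT, "vlan-wan2"), (HARDENED_TEXT, "vlan-wan2")):
        print(first_match(parse_rules(text), ssh_probe(iface)))
```

Running the same check for every interface that holds a public address shows which ones fall through to the implicit accept; rule 0 also never logs such packets because it is bound to ether1-gateway as well.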
