
SOMEONE TRYING TO HACK MY BOX

Posted: Mon Feb 08, 2010 3:48 pm
by dunga
Hello,
I have been seeing this user trying many usernames to hack into my MT router. I want to know how to block this user and others, because I cannot ascertain whether the hack actually gained access or not.

Here is what i see when i open a new terminal in my MT box.
feb/08/2010 13:37:21 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:37:31 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:37:39 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:37:46 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:37:55 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:38:02 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:38:08 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:38:16 system,error,critical login failure for user root from 93.115.7.2 via ssh

This is very critical and needs urgent attention.
Thanks as I await your response.
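As an added illustration that is not part of the thread: a small parser for the RouterOS log format dunga pasted, which counts login failures per source address and flags any source that produces three failures inside one minute (the same three-strikes-in-a-minute threshold the staged address-list rules later in the thread encode). The sample text reuses the posted lines; the `logged in` line is a constructed extra in the assumed format of a successful login, included to show that the filter ignores it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the lines dunga pasted from his terminal, plus one
# unrelated line (assumed format of a successful login) that must be ignored.
SAMPLE_LOG = """\
feb/08/2010 13:37:21 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:37:31 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:37:39 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:37:46 system,error,critical login failure for user root from 93.115.7.2 via ssh
feb/08/2010 13:40:10 system,info,account user admin logged in from 192.0.2.10 via winbox
"""

LINE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2})/(?P<year>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"system,error,critical login failure for user (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) via (?P<svc>\w+)$"
)
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

def parse_failure(line):
    """Return (timestamp, user, ip, service) for a login-failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    ts = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)
    return ts, m["user"], m["ip"], m["svc"]

def brute_force_sources(log_text, threshold=3, window=timedelta(minutes=1)):
    """Map each flagged source IP to its total failure count. A source is
    flagged when `threshold` failures fall inside any sliding `window`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_failure(line)
        if rec:
            attempts[rec[2]].append(rec[0])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged
```

On the sample above the function returns {"93.115.7.2": 4}: four failures, the first three only 18 seconds apart.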

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Mon Feb 08, 2010 3:49 pm
by normis
Change the SSH port in the System > Services menu. Also add a firewall rule to block this IP address in the input chain.

Or better yet, block the SSH port on the internet interface.

There are tutorials:

http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Mon Feb 08, 2010 8:58 pm
by dunga
Thanks,
The link has two firewall rules; should I choose one or implement both of them?

Thanks for your timely intervention

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Mon Feb 08, 2010 9:08 pm
by fewi
As the link describes, the first configuration change is to protect FTP, the second one is to protect SSH.

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Mon Feb 08, 2010 9:16 pm
by roadracer96
Accept new connections on 22 at a rate of 2/minute, then make the next rule add the source to an address list for 1 hour that is blocked before accepting established/related connections.

Works like a champ.

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Mon Feb 08, 2010 10:13 pm
by Chupaka
Also - do you really need access from the outside? =)

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Tue Feb 09, 2010 8:25 pm
by dunga
Thanks fewi for the explanations.

I am more confused about what roadracer96 said; how do I make or add the rule as quoted below?
Accept new connections on 22 at a rate of 2/minute, then make the next rule add the source to an address list for 1 hour that is blocked before accepting established/related connections.

Works like a champ.
Expecting more responses, as I want to protect my MT.

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Tue Feb 09, 2010 9:03 pm
by roadracer96
This same chain is used on multiple servers behind the MT, so the rate is 10/minute. You would want to adjust it for in-interface, etc, etc. I have nested chains, so it already knows it.

Block anything in that address list from ALL services, period. (Test to make sure it works. Don't want you to DoS yourself.)
add action=jump chain=forward comment="***Drop Allow2block***" disabled=no in-interface=ether1 jump-target=drop src-address-list=allow2block


Make sure it is placed before the established/related connection rules. This will sever any connections already made when the source is added to the address list.
add action=accept chain=forward comment="***Accept Established/Related***" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=accept chain=input comment="" connection-state=established disabled=no
add action=accept chain=input comment="" connection-state=related disabled=no

......All your regular rules...

This puts it in an address list for 1 day that gets completely blocked from everything behind the MT. I don't care about the riff-raff. They don't need to use my shit.
add action=jump chain=ca-in comment="" connection-state=new disabled=no dst-port=22 jump-target=allow2blocklist protocol=tcp
add action=accept chain=allow2blocklist comment=";;;;;;ALLOW 2 BLOCK" disabled=no
add action=accept chain=allow2blocklist comment="" disabled=no limit=10/1m,20
add action=add-src-to-address-list address-list=allow2block address-list-timeout=1d chain=allow2blocklist comment="" disabled=no
add action=jump chain=allow2blocklist comment="" disabled=no jump-target=drop
add action=log chain=drop comment="" disabled=no log-prefix=""
add action=drop chain=drop comment="" disabled=no

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Wed Feb 10, 2010 4:27 pm
by dunga
Thanks all, it worked like a charm. After checking my MT box, I did not see those IP addresses again, meaning they are just blocked from accessing the router.

Many thanks to all that responded to this urgent problem i had.

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Fri Feb 12, 2010 7:46 pm
by dunga
Sorry about my previous response, I am still noticing some different IP addresses trying to hack my MT again.
feb/12/2010 10:22:32 system,error,critical login failure for user root from 77.68.56.181 via ssh
feb/12/2010 10:22:38 system,error,critical login failure for user root from 77.68.56.181 via ssh
feb/12/2010 10:22:45 system,error,critical login failure for user root from 77.68.56.181 via ssh
feb/12/2010 11:49:34 system,error,critical login failure for user root from 124.42.6.71 via ssh
feb/12/2010 11:49:42 system,error,critical login failure for user root from 124.42.6.71 via ssh
feb/12/2010 11:49:49 system,error,critical login failure for user root from 124.42.6.71 via ssh
feb/12/2010 12:35:46 system,error,critical login failure for user root from 61.139.33.207 via ssh

I have started having some problems with my network of late. I have a router for one of my hotspot users, but he cannot browse the net or get connected through the router, yet when he connects directly with his computer he gets connected. I want to ask if there is something that is blocking the router from getting an IP address automatically, while when I use the PC it gets or acquires an IP address.

Here are my filter rules:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Tcp Connection Limit
chain=forward protocol=tcp tcp-flags=syn connection-limit=41,32
action=drop

1 ;;; Drop TCP Blaster Worm 135 - 139
chain=forward protocol=tcp dst-port=135-139 action=drop

2 ;;; Drop Messenger Worm UDP ports 135 - 139
chain=forward protocol=udp dst-port=135-139 action=drop

3 ;;; Allow Rate-limited ICMP
chain=input protocol=icmp limit=50,5 action=accept

4 ;;; Drop Blaster Worm TCP port 445
chain=forward protocol=tcp dst-port=445 action=drop

5 ;;; Drop Blaster Worm UDP port 445
chain=forward protocol=udp dst-port=445 action=drop

6 ;;; Drop TCP Worm 1433-1434
chain=forward protocol=tcp dst-port=1433-1434 action=drop

7 ;;; Drop UDP Worm Port 1433-1434
chain=forward protocol=udp dst-port=1433-1434 action=drop

8 ;;; Drop Tcp Worm port 4444
chain=forward protocol=tcp dst-port=4444 action=drop

9 ;;; Drop Udp Worm port 4444
chain=forward protocol=udp dst-port=4444 action=drop

10 ;;; Drop TCP MyDoom worm port 3127 -3128
chain=forward protocol=tcp dst-port=3127-3128 action=drop

11 ;;; Drop UDP MyDoom worm port 3127-3128
chain=forward protocol=udp dst-port=3127-3128 action=drop

12 ;;; Drop tcp worm Backdoor OptixPro port 3410
chain=forward protocol=tcp dst-port=3410 action=drop

13 ;;; Drop UDP Backdoor OptixPro port 3410
chain=forward protocol=udp dst-port=3410 action=drop

14 ;;; Drop Seaser worm tcp port 5554
chain=forward protocol=tcp dst-port=5554 action=drop

15 ;;; Drop Sasser Worm Udp port 5554
chain=forward protocol=udp dst-port=5554 action=drop

16 ;;; Block P2P
chain=forward p2p=fasttrack action=drop

17 ;;; Drop P2P TCP Port 6346
chain=forward protocol=tcp dst-port=6346-6347 action=drop

18 ;;; Block P2P UDP Port 6346-6347
chain=forward protocol=udp dst-port=6346-6347 action=drop

19 ;;; Port Scanners to List
chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w

20 ;;; NMAP FIN Stealth scan
chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

21 ;;; SYN/FIN scan
chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

22 ;;; SYN/RST scan
chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

23 ;;; FIN/PSH/URG scan
chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

24 ;;; ALL/ALL scan
chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

25 ;;; NMAP NULL scan
chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

26 ;;; dropping port scanners
chain=input src-address-list=port scanners action=drop

27 ;;; ________
chain=forward protocol=tcp dst-port=593 action=drop

28 ;;; ________
chain=forward protocol=tcp dst-port=1024-1030 action=drop

29 ;;; Drop MyDoom
chain=forward protocol=tcp dst-port=1080 action=drop

30 ;;; ________
chain=forward protocol=tcp dst-port=1214 action=drop

31 ;;; ndm requester
chain=forward protocol=tcp dst-port=1363 action=drop

32 ;;; ndm server
chain=forward protocol=tcp dst-port=1364 action=drop

33 ;;; Drop TCP Port 1368 screen cast Worm
chain=forward protocol=tcp dst-port=1368 action=drop

34 ;;; Drop TCP Port 1373 hromgrafx Trojan Worm
chain=forward protocol=tcp dst-port=1373 action=drop

35 ;;; Drop TCP cichlid Port 1377
chain=forward protocol=tcp dst-port=1377 action=drop

36 ;;; Drop TCp Port 2745 Bagle forward Trojan Worm
chain=forward protocol=tcp dst-port=2745 action=drop

37 ;;; Drop TCP Port Dumaru.Y Trojan Worm
chain=forward protocol=tcp dst-port=2283 action=drop

38 ;;; Drop TCP Port 2535 Beagle Worm
chain=forward protocol=tcp dst-port=2535 action=drop

39 ;;; Drop Beagle.C-K Worm
chain=forward protocol=tcp dst-port=2745 action=drop

40 ;;; Unknown Worm TCP Port 4444
chain=forward protocol=tcp dst-port=4444 action=drop

41 ;;; Unknown Worm Udp Port 4444
chain=forward protocol=udp dst-port=4444 action=drop

42 ;;; Drop Beagle.B Tcp Worm Port 8866
chain=forward protocol=tcp dst-port=8866 action=drop

43 ;;; Drop Dabber.A-B Worm Port 9898
chain=forward protocol=tcp dst-port=9898 action=drop

44 ;;; Drop Dumaru.Y Worm port 10000
chain=forward protocol=tcp dst-port=10000 action=drop

45 ;;; Drop MyDoom.B
chain=forward protocol=tcp dst-port=10080 action=drop

46 ;;; Drop NetBus Worm
chain=forward protocol=tcp dst-port=12345 action=drop

47 ;;; Drop Kuang2 Worm
chain=forward protocol=tcp dst-port=17300 action=drop

48 ;;; Drop SubSeven Worm
chain=forward protocol=tcp dst-port=27374 action=drop

49 ;;; Drop PhatBot, Agobot, Gaobot Port
chain=forward protocol=tcp dst-port=65506 action=drop

50 ;;; Drop ftp brute forcers
chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist
action=drop

51 ;;; Aceept The ftp brute forcers rule
chain=output protocol=tcp content=530 Login incorrect
dst-limit=1/1m,9,dst-address/1m action=accept

52 ;;; Bann The incorrect login after 3Hrs
chain=output protocol=tcp content=530 Login incorrect
action=add-dst-to-address-list address-list=ftp_blacklist
address-list-timeout=3h

53 ;;; Drop SSH brute forcers
chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist
action=drop

54 chain=input protocol=tcp dst-port=22 connection-state=new
src-address-list=ssh_stage3 action=add-src-to-address-list
address-list=ssh_blacklist address-list-timeout=1w3d

55 chain=input protocol=tcp dst-port=22 connection-state=new
src-address-list=ssh_stage2 action=add-src-to-address-list
address-list=ssh_stage3 address-list-timeout=1m

56 chain=input protocol=tcp dst-port=22 connection-state=new
src-address-list=ssh_stage1 action=add-src-to-address-list
address-list=ssh_stage2 address-list-timeout=1m

57 chain=input protocol=tcp dst-port=22 connection-state=new
action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Sat Feb 13, 2010 4:37 am
by lamno
Just change your SSH port,

e.g. from 22 to 212, or something else.

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Sat Feb 13, 2010 5:10 pm
by Chupaka
Also - do you really need access from the outside? =)

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Sat Feb 13, 2010 7:59 pm
by dunga
Also - do you really need access from the outside? =)
Yes is the answer.

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Thu Mar 01, 2012 7:29 pm
by bokie
How about limiting the SYN/ACK/PSH/FIN flags per second / per dst (attacker) / per TCP 20-23 (in this case)?


Usually automated brute force scripts send a SYN packet every 5 seconds. After that the victim would send back 4 packets to the attacker, ending with an ACK/FIN flag. If we can control those 4 packets from the victim, and have a limit of, say, 16 packets/25 seconds, the dst is automatically added to a bruteforce list, and one can block the list with the output chain.

Seems like a better solution (in a way), but is it possible to apply it? I tried it, but it kicks anyone who tries to connect on ports 20-23 on the first try.

Greetings

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Thu Mar 01, 2012 11:21 pm
by Aug
This works for me. Mine is bridged, with ether1 facing the WAN. Change to suit your needs.
Addresses are created dynamically in the address list.
"NoBlock" in the 2nd to last rule was added because something I didn't want blocked got blocked.
/ip firewall filter
add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
    dst-port=22 in-bridge-port=ether1 protocol=tcp src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=6h chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 in-bridge-port=ether1 protocol=tcp \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 in-bridge-port=ether1 protocol=tcp \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 in-bridge-port=ether1 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 in-bridge-port=ether1 protocol=tcp \
    src-address-list=!NoBlock
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
    dst-port=22 in-bridge-port=ether2 protocol=tcp src-address-list=\
    ssh_blacklist

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Fri Mar 02, 2012 1:36 pm
by bokie
Why make rules for every single port (in this case SSH), when the same rules can be applied to different ports?

/ip fi ma
add action=mark-connection chain=prerouting disabled=no dst-port=20-23,110,143,113,69,156,5901,375-425,5631-5632 new-connection-mark=directcon passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=prerouting disabled=no dst-port=3996-3999,3389,5900 new-connection-mark=directcon passthrough=no protocol=tcp src-port=1024-65535

/ip fi fi
add action=drop chain=input comment="drop blacklist" connection-mark=directcon disabled=no src-address-list=blacklist
add action=add-src-to-address-list address-list=blacklist address-list-timeout=2d chain=input connection-mark=directcon disabled=no src-address-list=directcon_stage2
add action=add-src-to-address-list address-list=directcon_stage2 address-list-timeout=30s chain=input connection-mark=directcon disabled=no src-address-list=directcon_stage1
add action=add-src-to-address-list address-list=directcon_stage1 address-list-timeout=30s chain=input connection-mark=directcon disabled=no src-address-list=!management
add action=drop chain=forward comment="drop blacklist downstream" disabled=no protocol=tcp src-address-list=blacklist

This works for me. Mine is bridged, with ether1 facing the WAN. Change to suit your needs.
Addresses are created dynamically in the address list.
"NoBlock" in the 2nd to last rule was added because something I didn't want blocked got blocked.
/ip firewall filter
add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
    dst-port=22 in-bridge-port=ether1 protocol=tcp src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=6h chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 in-bridge-port=ether1 protocol=tcp \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 in-bridge-port=ether1 protocol=tcp \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 in-bridge-port=ether1 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 in-bridge-port=ether1 protocol=tcp \
    src-address-list=!NoBlock
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
    dst-port=22 in-bridge-port=ether2 protocol=tcp src-address-list=\
    ssh_blacklist
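Added example, not code from the thread: a small emulation of the staged address-list escalation that dunga's rules 54-57 and Aug's post use (ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist, 1 m per stage) and that bokie generalises to two stages with 30 s timeouts. It replays a constructed sequence of NEW connections and reports which ones the rule set would drop, so the effect of the stage count and timeouts on a brute-forcer versus an occasional admin login can be compared; the IPs, timings and the class/function names are assumptions.

```python
from datetime import datetime, timedelta

class StagedBlacklist:
    """Emulates RouterOS address-list escalation: each NEW connection to the
    guarded port moves the source one stage further, and a source that
    reaches the last stage inside the timeout lands in the blacklist.
    Entries expire like address-list-timeout; re-adding resets the timer."""

    def __init__(self, stages, stage_timeout_s, ban_timeout_s, exempt=()):
        self.stages = stages                 # 3 for the wiki rules, 2 for bokie's
        self.stage_ttl = timedelta(seconds=stage_timeout_s)
        self.ban_ttl = timedelta(seconds=ban_timeout_s)
        self.exempt = set(exempt)            # src-address-list=!NoBlock / !management
        self.lists = {}                      # (list_name, ip) -> expiry time

    def _listed(self, name, ip, now):
        exp = self.lists.get((name, ip))
        return exp is not None and exp > now

    def new_connection(self, ip, now):
        """Apply the rule set to one NEW connection from `ip` at time `now`.
        Returns 'drop' (blacklisted) or 'accept' (handed on to later rules)."""
        if self._listed("blacklist", ip, now):   # 'drop ssh brute forcers' rule
            return "drop"
        if ip in self.exempt:
            return "accept"
        # Stage rules are ordered highest stage first, so one packet advances
        # exactly one stage: it is already past the lower rules when added.
        for s in range(self.stages, 0, -1):
            if self._listed(f"stage{s}", ip, now):
                if s == self.stages:
                    self.lists[("blacklist", ip)] = now + self.ban_ttl
                else:
                    self.lists[(f"stage{s + 1}", ip)] = now + self.stage_ttl
                # The packet that crosses into the blacklist is not dropped
                # itself; the drop rule sits above and only sees the next one.
                return "accept"
        self.lists[("stage1", ip)] = now + self.stage_ttl
        return "accept"

def replay(policy, events):
    """events: time-ordered (ip, seconds) pairs; returns one verdict per event."""
    t0 = datetime(2010, 2, 12, 10, 22, 0)          # constructed start time
    return [policy.new_connection(ip, t0 + timedelta(seconds=s)) for ip, s in events]

# Constructed scenario: one source hammering SSH every ~7 s (as in the pasted
# log) interleaved with an admin who reconnects about every two minutes.
SCENARIO = [("77.68.56.181", 0), ("192.0.2.10", 5), ("77.68.56.181", 7),
            ("77.68.56.181", 14), ("77.68.56.181", 21), ("77.68.56.181", 28),
            ("192.0.2.10", 125), ("192.0.2.10", 245)]
```

With the wiki parameters, `replay(StagedBlacklist(3, 60, 10 * 86400), SCENARIO)` drops only the sixth event (the attacker's fifth attempt) and never the admin; bokie's two-stage, 30 s variant already drops the attacker's fourth attempt, which is the trade-off between faster lockout and the risk of catching a legitimate user who mistypes a password a few times.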

Re: SOMEONE TRYING TO HACK MY BOX

Posted: Fri Mar 09, 2012 1:31 pm
by prawira
As an alternative, you can use "port knocking".
See TikTube or the wiki for more explanation.

We use it as well to protect all of our client routers, so only certain people who know 'how to knock' are allowed to enter.

Paul