MT router under attack?

kvan64 · Sun Oct 07, 2007 12:38 am

Hi, for the last few days, every time I open a new terminal, I see a list of critical login failures of non-existed user-names. Sometimes it appears that there are thousands of those messages (not shown). Am I under some kind of attack? What should I do?
Look below:

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 3.0rc6 (c) 1999-2007 http://www.mikrotik.com/

(3124 messages not shown)
oct/07/2007 06:23:51 system,error,critical login failure for user httpd from 213
.21.208.164 via ssh
oct/07/2007 06:23:55 system,error,critical login failure for user pop from 213.2
1.208.164 via ssh
oct/07/2007 06:24:00 system,error,critical login failure for user nobody from 21
3.21.208.164 via ssh
oct/07/2007 06:24:03 system,error,critical login failure for user root from 213.
21.208.164 via ssh
oct/07/2007 06:24:12 system,error,critical login failure for user backup from 21
3.21.208.164 via ssh
oct/07/2007 06:24:17 system,error,critical login failure for user info from 213.
21.208.164 via ssh
oct/07/2007 06:24:20 system,error,critical login failure for user shop from 213.
21.208.164 via ssh
oct/07/2007 06:24:24 system,error,critical login failure for user sales from 213
.21.208.164 via ssh
Terminal vt102 detected, using multiline input mode
[admin@MikroTik] >

Viroslash · Sun Oct 07, 2007 1:49 am

Bruteforce login prevention (FTP and SSH)
From MikroTik Wiki

allows only 10 FTP login incorrect answers per minute

/ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

This will prevent a SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

/ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

steveloomis · Sun Oct 07, 2007 2:24 am

Simple to fix. In winbox, got to IP tab, then services. Disable all unnecessary services, like HTTP, FTP, Telnet etc, maybe change the port number to non-standard ports. I have done this repeatedly on many of our MT routers and stopped the attempts to log in...

kvan64 · Sun Oct 07, 2007 7:31 am

Thanks guys, I have added these firewall rules. Hope that It works.

kvan64 · Sun Oct 07, 2007 3:04 pm

Viroslash,
I am so glad to see that the bad guy got banned just after three attempts this arvo. I also see his ip address in the blacklist. I was just wondering if I could display a message if black-listed ip addresses attempt to login again? That would be cool.

Viroslash · Sun Oct 07, 2007 8:05 pm

With this rule you can know who is this trying to login. Put it in previous to the others.

/ip firewall filter
add chain=input protocol=tcp dst-port=20-23 action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d comment="remote_logins" disabled=no

Repla · Wed Aug 06, 2008 1:45 am

How they come to know that I just installed a new copy of RouterOS?

Do they search all internet? or my server sends some packets or they learn it from forums???

0ldman · Wed Aug 06, 2008 5:26 am

Usually just a random port scan. The local cable company was being hammered, and my subnet is just a few digits different, mine was hammered shortly after.

kameelperdza · Thu Sep 13, 2012 11:13 am

What i have done is to change critical under logging from echo to disk.
It helps me to keep track on how many times one ip address tries.

Hotz1 · Thu Sep 13, 2012 4:35 pm

If you want to log every subsequent login attempt from a blacklisted address, put this above the "action=drop" rule:

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=log log-prefix=SSH-blacklisted comment="log blacklisted ssh brute forcers" disabled=no

kameelperdza · Thu Sep 13, 2012 5:16 pm

If you want to log every subsequent login attempt from a blacklisted address, put this above the "action=drop" rule:
Code: Select all
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=log log-prefix=SSH-blacklisted comment="log blacklisted ssh brute forcers" disabled=no

i have also tried similar rule, but it gives me too much information that i dont need. I just want to see the ip address and how many attemps there was.

This is what i wil usually see with the rule you mentioned

Sep/13/2012 16:08:37 route,ospf,debug ssh_blacklist (input): RECV: Hello <- 172.16.0.1 on ether2 (172.16.0.200)
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input): PACKET:
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     45 C0 00 54 20 97 00 00 01 59 0B E4 AC 10 00 01
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     E0 00 00 05 02 01 00 30 0A 00 00 01 AC 10 00 00
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     00 00 00 02 00 00 01 10 00 00 0B 77 FF FF FF 00
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     00 0A 02 01 00 00 00 28 00 00 00 00 00 00 00 00
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     AC 10 00 C8 B0 6E EF 95 5C 8B 55 2B EE CD 0F 49
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     70 B1 8B 29
Sep/13/2012 16:08:37 route,ospf,debug ssh_blacklist (input):   received options: E
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input): rcvd Echo-Request from 10.0.0.2
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     identifier=15
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input): sent Echo-Reply to 10.0.0.2
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     identifier=15
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     result-code=1
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     error-code=0

francisuk24 · Tue Mar 18, 2014 12:15 am

Im new to RouterOS and i have a question.

If i wont to input "http://www.spamhaus.org/drop/drop.txt" this list, How do i go about doing it?

amt · Fri Jul 01, 2016 1:15 pm

Im new to RouterOS and i have a question.

If i wont to input "http://www.spamhaus.org/drop/drop.txt" this list, How do i go about doing it?

Hi,

Check this
http://joshaven.com/resources/tricks/mi ... ress-list/

MT router under attack?

MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Re: MT router under attack?

Who is online