daromer
just joined
Topic Author
Posts: 4
Joined: Mon Feb 27, 2012 3:15 pm

[SOLVED] Failed logins via SSH even though I have drop all...

Mon Feb 27, 2012 3:23 pm

Let's see if I can explain this.

Firewall rules (incoming port 1, WAN port):
1. Allow SSH TCP port 22 from IP xxx.yyy.aaa.bbb
2. Deny all incoming

I also have the basic accept rules for states established and related. Nothing else is allowed incoming on this machine.

Service list for SSH is allow all.

So far so good. When I test from several external IPs, nothing happens. I can't get in. That's expected, right?
I can get in from IP xxx.yyy.aaa.bbb and that is OK as well.

BUT.

Every now and then I can see this in the logs:
09:16:18 system,error,critical login failure for user root from aaa.bbb.ccc.ddd via ssh
09:16:22 system,error,critical login failure for user root from aaa.bbb.ccc.ddd via ssh
09:16:26 system,error,critical login failure for user root from aaa.bbb.ccc.ddd via ssh

How the heck can someone get in at all?

Does the IP service list sometimes go before the firewall rules and sometimes not? What have I missed? The router itself is freshly installed and this happens.


edit: Some info about the system:
RB750 running at v5.13
Last edited by daromer on Tue Feb 28, 2012 11:31 am, edited 2 times in total.
 
nickshore
Long time Member
Posts: 521
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Failed logins via SSH even though I have drop all...

Mon Feb 27, 2012 4:00 pm

Can you export your input chain rules?
 
daromer
just joined
Topic Author
Posts: 4
Joined: Mon Feb 27, 2012 3:15 pm

Re: Failed logins via SSH even though I have drop all...

Mon Feb 27, 2012 4:14 pm

Sure:
[user@MikroTik] /ip firewall filter> print chain=input
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Loggning här
     chain=input action=log protocol=tcp in-interface=ether1-gateway dst-port=22 log-prefix="Input Dropped:"

 1 X ;;; ICMP
     chain=input action=accept protocol=icmp limit=0,5 dst-limit=0,5,dst-address/1m40s

 2   ;;; Mikrotik WEB
     chain=input action=accept protocol=tcp src-address=workip in-interface=ether1-gateway dst-port=8291

 3   ;;; Micke
     chain=input action=accept protocol=tcp src-address=<home> dst-port=8291

 4   ;;; Micke
     chain=input action=accept protocol=tcp src-address=<home> dst-port=22

 5   chain=input action=accept protocol=tcp src-address=<work> in-interface=ether1-gateway dst-port=80

 6   chain=input action=accept protocol=tcp src-address=<work> in-interface=ether1-gateway dst-port=22

 7   ;;; PPTP VPN Jobbet
     chain=input action=accept protocol=tcp src-address=<home>/24 dst-port=1723

 8   ;;; OpenVPN
     chain=input action=accept protocol=tcp src-address=<server>/24 dst-port=1194

 9   ;;; default configuration established
     chain=input action=accept connection-state=established in-interface=ether1-gateway

10   ;;; default configuration Related
     chain=input action=accept connection-state=related in-interface=ether1-gateway

11   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway

Hmm. Can it be #4 doing this? I don't understand how, though. Coming from inside somehow? Can't imagine that if so.
 
daromer
just joined
Topic Author
Posts: 4
Joined: Mon Feb 27, 2012 3:15 pm

Re: Failed logins via SSH even though I have drop all...

Tue Feb 28, 2012 11:31 am

Problem is now solved. I had totally forgotten that I had another VLAN active with a 2nd external address. :? :lol:
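
Added example (not part of the thread and not MikroTik code): a first-match walk of the input chain posted above, showing why a drop rule scoped to in-interface=ether1-gateway leaves a second external interface unfiltered. The interface name vlan-wan2 and all IP addresses are constructed placeholders, "workip" is treated as the same host as <work>, and a packet that matches no rule is accepted, as it is in a RouterOS filter chain.

```python
# Added example: first-match evaluation of the input chain from the thread.
# "vlan-wan2" and every IP address below are constructed placeholders.
HOME, WORK, STRANGER = "198.51.100.10", "203.0.113.20", "192.0.2.77"
WAN1, WAN2 = "ether1-gateway", "vlan-wan2"  # WAN2 is a hypothetical name

# Terminating rules in printed order (log rule 0, disabled rule 1 and the
# VPN rules 7-8 are left out: none of them decides the fate of tcp/22).
RULES = [
    ("accept", {"src": WORK, "in_if": WAN1, "dport": 8291}),   # 2
    ("accept", {"src": HOME, "dport": 8291}),                  # 3
    ("accept", {"src": HOME, "dport": 22}),                    # 4
    ("accept", {"src": WORK, "in_if": WAN1, "dport": 80}),     # 5
    ("accept", {"src": WORK, "in_if": WAN1, "dport": 22}),     # 6
    ("accept", {"state": "established", "in_if": WAN1}),       # 9
    ("accept", {"state": "related", "in_if": WAN1}),           # 10
    ("drop",   {"in_if": WAN1}),                               # 11
]
# Same chain plus a drop for the second external interface.
HARDENED = RULES + [("drop", {"in_if": WAN2})]

def verdict(packet, rules=RULES):
    """Return (action, index of matching rule); (accept, None) on fall-through."""
    for i, (action, match) in enumerate(rules):
        if all(packet.get(k) == v for k, v in match.items()):
            return action, i
    return "accept", None  # no rule matched: the packet is accepted

def new_ssh(src, in_if):
    """A new TCP/22 connection attempt arriving on the given interface."""
    return {"src": src, "in_if": in_if, "dport": 22, "state": "new"}

def unfiltered(interfaces, rules=RULES):
    """Interfaces on which SSH from an unlisted source falls through the chain."""
    return [i for i in interfaces
            if verdict(new_ssh(STRANGER, i), rules) == ("accept", None)]

if __name__ == "__main__":
    for name, rules in (("as posted", RULES), ("hardened", HARDENED)):
        for in_if in (WAN1, WAN2):
            print(name, in_if, verdict(new_ssh(STRANGER, in_if), rules))
        print(name, "unfiltered:", unfiltered([WAN1, WAN2], rules))
```

Running the same fall-through check against every interface that carries a public address catches the condition the thread ended on before it shows up as login failures in the log.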
