Wanted to ask if my IP address is compromised. Getting a lot of calls to port 61473 (can't tell what it is even used for), and some entries just straight up look like port scans. Do I need to call my ISP and report this, or can I make some firewall rules to block these kinds of things?
I'm currently blocking TCP ports 21, 22, 23, 80, 8291 and 61473 if they are not from the LAN, because I became suspicious.
Also disabled every IP service except SSH and Winbox (and they are only accessible from the router's subnet).
Also wanted to know why (in the default MikroTik rules) "drop all not coming from LAN" supersedes "drop from WAN not DST-NATed"? It does not matter what order they are in; "drop not DST-NATed" is just not working. I also have hairpin NAT, might that be a problem?
The default firewall rule set blocks everything not explicitly allowed from the WAN side (i.e. anything not DST-NATed, or not allowed to hit the router itself). So it would block the connections you're blocking explicitly anyway. And you'd see that it works in the "drop from WAN not DST-NATed" rule statistics (not in the log, though).
I'd say that yes, what you see is "normal" behaviour; there will always be some hosts port scanning, either randomly sweeping the address space or targeting hosts which are seen in some (unrelated) activity. For example, if you're running a BitTorrent client (even with perfectly legitimate contents), then your WAN IP address will be widely known as "alive". It could be that you're seeing a larger number of (UDP) connection attempts towards a port which was recently used by the BitTorrent client (many clients can be configured to use a random port each time they start), and these could be legitimate BitTorrent clients (which received your IP address/port from trackers).
So my advice: make your firewall setup as tight as possible, but don't look at the logs of blocked attempts (they are already blocked, so no new information is provided; it only makes you dizzy).
As a general statement, if you have an Internet-facing port for very long you WILL be port scanned and see attempts on many of the common ports. Your ISP will either laugh in your face, or at least laugh at you after ending the phone call, if you ask them to fix that "problem". You need to stop those with your firewall rules, which it looks like you are doing.
As for your firewall rules question: rules are always processed in order. If an earlier rule is not doing anything, presumably it is not matching what you think it should be. Beyond that, we would need to see your configuration to be able to answer. Post your configuration and ask your questions.
To export and paste your configuration (I'm assuming you are using WebFig or Winbox), open a terminal window and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the Files section, right-click the file you created and select Download to download it to your computer. It will be a text file with whatever name you saved it under, with the extension .rsc. I suggest you then open the .rsc file in your favourite text editor and redact any sensitive information. Then, in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle), and paste the text from the file in between the two code tags in brackets.
There is a difference between the input chain (access to your router itself) and the forward chain (access to the devices behind the router).
I decided (which is actually a very good approach) to block everything and allow only what I want. A very different approach, and in my opinion better from a conceptual perspective.
If you want a check on your current firewall (and to give us a good laugh from time to time... might not be the case for you), just share it with us:
/ip/firewall export
Remove any private info and place it between code tags using the </> button.
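To make the input/forward distinction concrete, here is an added example (not posted by anyone in this thread) of the RouterOS default firewall rules the thread keeps referring to, annotated with which chain a given unsolicited WAN packet goes through. The point it illustrates: a packet addressed to the router's own WAN IP (such as the hits on port 61473 from the first post) is handled by the input chain and is dropped by "drop all not coming from LAN"; it never reaches the forward chain, so the counters on "drop all from WAN not DSTNATed" stay at zero for that traffic no matter where that rule sits. Interface names (ether1, bridge) are assumptions; the list and rule structure is the stock defconf.

```routeros
# Added example: stock RouterOS defconf firewall, annotated.
# Assumes ether1 is the WAN port and "bridge" is the LAN (adjust to your device).
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip firewall filter
# ---- input chain: traffic whose destination is the router itself ----
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
# A scan of tcp/61473 against the router's WAN address is a NEW packet to the
# router itself, so it is evaluated here and dropped by this rule. Blocking the
# same ports again in the input chain is redundant with it.
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

# ---- forward chain: traffic passing THROUGH the router to LAN hosts ----
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Only packets that were dst-nat'ed to a LAN host reach the forward chain from
# WAN; a NEW packet from WAN that matched no dstnat rule is dropped here. This
# rule only ever counts forwarded traffic, never packets aimed at the router.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
```

To see which rule is actually catching the scans, compare the per-chain counters rather than the log: `/ip firewall filter print stats where chain=input` and `/ip firewall filter print stats where chain=forward`. With nothing port-forwarded, all of the unsolicited WAN hits show up on the input-chain drop rule, and the forward-chain "not DSTNATed" rule only starts counting once you have a dstnat rule and someone probes a port that is not covered by it.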
Ahh man. For the torrent, you were right. As for "not dstnat": if I shouldn't expect logs, then why does at least the byte counter not work, to ensure every port that is not DST-NATed is being blocked?
The WWW is being constantly scanned by bots, so consider that life is normal.
Open ports attract more flies. One thing you can do is ensure you have a source address list for all those externally accessing your server:
a. users should either have fixed static WAN IPs,
OR
b. they should be able to use DynDNS URLs from providers; there are plenty of free ones.
Hence you simply add src-address-list=ExternalUsers to each dstnat rule.
Prior to the change:
any ports in dstnat rules appear on the Internet as visible but closed.
After the change:
any ports in dstnat rules do not appear on scans (not visible).
+++++++++++++++++++++++++++++++++++++++
Since it's been clear to me from day one that servers were an issue, and there is no decrease in people with servers anytime soon,
I recommended to MikroTik that they provide, as an options package ... for those with long memory ... a Zero Trust Cloudflare package in ROS.
However, the clowns in management think that stating it can be used in a container is the right approach.
Sorry, way too complex and limiting, for those with expertise beyond normal and with hardware that can even use containers...
My recommendation was for the ability for novice-to-medium users to safely set up their servers via their MikroTik products.
Due to the limited space in older devices especially, it would not make sense to make this a core part of ROS unless it was trivial.
It still is a valid capability to provide, but just like the first-post process, blinders go on when it's not their idea...
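The src-address-list approach described in the post above, as an added example that is not part of the original thread. It combines a static entry and a DNS-name entry in one address list (RouterOS resolves a hostname in an address list and refreshes it according to the record's TTL, which is what makes the DynDNS option work), then restricts a dstnat rule to that list. Because the stock forward chain drops any new WAN packet that did not match a dstnat rule, a probe from an address outside the list never gets forwarded, and the port is not answered at all. The addresses, hostname, LAN host and ports are assumptions for illustration.

```routeros
# Added example: restrict port forwards to known external sources.
# 203.0.113.10, remote-user.example.dyndns.org, 192.168.88.10 and the ports are
# placeholders; "WAN" is the interface list from the default configuration.
/ip firewall address-list
# a. a user with a fixed static WAN IP
add list=ExternalUsers address=203.0.113.10 comment="office, static IP"
# b. a user on a dynamic IP, published through a DynDNS name; RouterOS
#    resolves it and keeps the entry updated from the DNS record
add list=ExternalUsers address=remote-user.example.dyndns.org comment="home user via DynDNS"

/ip firewall nat
# Before the change a rule like this answers any source on the Internet:
#   add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=2222 to-addresses=192.168.88.10 to-ports=22
# After the change only listed sources match the dstnat rule; everyone else is
# left to the forward-chain "drop all from WAN not DSTNATed" rule and sees nothing.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=2222 \
    src-address-list=ExternalUsers to-addresses=192.168.88.10 to-ports=22 \
    comment="SSH to LAN host, known sources only"
```

Two checks worth doing after applying it: `/ip firewall address-list print` shows whether the DynDNS name actually resolved (the resolved address appears as a dynamic entry under the name), and `/ip firewall nat print stats` shows the dstnat rule's counters moving only when a listed source connects. Keep the rest of the default forward chain in place; the silent drop depends on it.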