Attack by SSH

This is an example of what I see every day in my RouterOS log:

sep/10 23:32:20 system,error,critical login failure for user save from 218.189.137.70 via ssh 
sep/10 23:32:29 system,error,critical login failure for user styx from 218.189.137.70 via ssh 
sep/10 23:32:39 system,error,critical login failure for user toto from 218.189.137.70 via ssh 
sep/10 23:32:48 system,error,critical login failure for user tuningar from 218.189.137.70 via ssh

It's just an example, pages of this every day!!
How can I stop this attack, please?

/ ip firewall filter
add chain=input protocol=tcp dst-port=21-22 \
    src-address-list=!secure-addresses action=drop \
    comment="Only allow FTP and SSH from our network" disabled=no

Define a list called "secure-addresses" and put all your allowable subnets in it. This will shut down those brute-force attacks.

Eric

You can also disable the option from:

/ip service disable ssh

Or change the default SSH port to something else, like 222.

Use the following; it will give them 3 login attempts, then add them to a blacklist for 7 days:

/ ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop \
    comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=7d \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
    comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" \
    disabled=no

Which means you can still use ssh if you need to.
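The staged address-list ladder from the last post, replayed in Python over the four log lines from the first post; this is an added example, not code from the thread. It assumes one new TCP connection per logged failure, an arbitrary year (the log has none), and that re-adding an address refreshes its timeout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four log lines quoted in the first post.
SAMPLE_LOG = """\
sep/10 23:32:20 system,error,critical login failure for user save from 218.189.137.70 via ssh
sep/10 23:32:29 system,error,critical login failure for user styx from 218.189.137.70 via ssh
sep/10 23:32:39 system,error,critical login failure for user toto from 218.189.137.70 via ssh
sep/10 23:32:48 system,error,critical login failure for user tuningar from 218.189.137.70 via ssh
"""
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
LINE_RE = re.compile(
    r"^(\w{3})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) \S+ login failure for user "
    r"(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) via ssh\s*$")
# Ladder from the rules above: list name -> timeout set by add-src-to-address-list.
TIMEOUT = {"ssh_stage1": timedelta(minutes=1), "ssh_stage2": timedelta(minutes=1),
           "ssh_stage3": timedelta(minutes=1), "black_list": timedelta(days=7)}
PROMOTIONS = [("ssh_stage3", "black_list"), ("ssh_stage2", "ssh_stage3"),
              ("ssh_stage1", "ssh_stage2")]   # same order as the filter rules

def parse(log, year=2000):
    """Yield (timestamp, ip, user) per failed SSH login; the year is an assumption."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            mon, day, hh, mm, ss, user, ip = m.groups()
            month = MONTHS.index(mon.lower()) + 1
            yield datetime(year, month, int(day), int(hh), int(mm), int(ss)), ip, user

def simulate(events):
    """Replay connections through the ladder; return (verdicts, {ip: blacklist expiry})."""
    lists = {name: {} for name in TIMEOUT}      # list name -> {ip: expiry time}
    verdicts = []
    for ts, ip, _user in sorted(events):
        def member(name):
            return lists[name].get(ip, ts) > ts  # absent or expired entries do not match
        if member("black_list"):                 # first rule: drop, evaluation stops
            verdicts.append((ts, ip, "drop"))
            continue
        for lower, upper in PROMOTIONS:          # highest stage first: one rung per connection
            if member(lower):
                lists[upper][ip] = ts + TIMEOUT[upper]
        lists["ssh_stage1"][ip] = ts + TIMEOUT["ssh_stage1"]  # last rule: every new connection
        verdicts.append((ts, ip, "pass"))        # not dropped by these five rules
    return verdicts, lists["black_list"]

if __name__ == "__main__":
    verdicts, blocked = simulate(parse(SAMPLE_LOG))
    for ts, ip, verdict in verdicts:
        print(ts, ip, verdict)
    print("blacklisted until:", blocked)
```

Under these assumptions the fourth connection in the sample still passes and puts the source on black_list; the drop rule takes effect from the next connection.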