Block strange outgoing ssh connections

Brans · July 13, 2021, 10:41am

How i can block this strange(fake?) ssh connections outgoing from my router? And what type of connections it is?

strange connections.jpg

rextended · July 13, 2021, 10:50am

If IS TRUE, or your router is compromised, or you have done a mess with NAT rules.

Brans · July 13, 2021, 11:03am

I use one NAT rule just for masquerade and simple FW

/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat

All connections are without traffic flow Orig./Repl. Rates 0/0 and bytes 500/0 stay 24/h

rextended · July 13, 2021, 11:18am

You accept VPN, WinBox and SSH (all on default ports!) from all the world:

add action=accept chain=input dst-port=22 protocol=tcp

I’m not surprised if someone has take the control of your routerboard and use it for DDoS/Brute Force attacks or port scan

jvanhambelgium · July 13, 2021, 11:25am

Depending on the RouterOS you run, your device might indeed be compromised. Especially since you have “Winbox” worldwide open…a bad, really bad idea…
RouterOS had some severe security issues in the past where one could gain access without even knowing your login/passwords…

I would perform a complete net-install and start over again. Update to the latest RouterOS before you connect it to the Internet and really review your access-policy.

rextended · July 13, 2021, 11:28am

= leave the default firewall rules, and services only on LAN

Brans · July 13, 2021, 11:31am

You accept VPN, WinBox and SSH (all on default ports!) from all the world:
add action=accept chain=input dst-port=22 protocol=tcp
I'm not surprised if someone has take the control of your routerboard and use it for DDoS/Brute Force attacks or port scan

It's ok i do it on purpose. This is my lab router, chr(6.48.3) on VPS. I just want to check how is it going without port change/knocking/cert login/etc. I'm logging all brute force(no one yet trying my ssh login name) so i don't think this router is compromised(thats why i ask about ssh outgoing connection), but maybe im wrong.

rextended · July 13, 2021, 11:33am

I can’t write obviously some thing on this forum…
But if you leave open WinBox port…
Use your imagination…

tangent · July 13, 2021, 11:45am

Not just "VPN," but PPTP, perhaps the least secure VPN protocol still in use. I don't know why anyone is still teaching how to set it up, nor why it's installed in the default build of RouterOS. It offers several better choices.

...and SSH (all on default ports!)

Yeah, that's bad, especially the default port choice. Although it may be "security through obscurity," moving SSH to a non-default port will cut the amount of attempts on that port by a huge amount, simply because script kiddies are lazy.

@Brans, I won't ask you your SSH password, but at least answer me this: does it meet MikroTIk's recommended security minimums? If they seem overly stringent, they're based on having no connection limiting, which greatly increases the amount of password guesses your attackers get. 8 random characters is enough if you have good limiting. 8 non-random characters is probably insecure even with connection rate limiting.

rextended · July 13, 2021, 11:52am

Please... I know the differencies, The reply is for OP, not for you...

Yourself reply: "kiddies are lazy"

tangent · July 13, 2021, 11:56am

Even if it weren’t immoral to provide an insecure public IP redirecting gateway, being against the public good, it’s probably directly against your VPS provider’s ToS.

I’ll make a couple of observations about your original log:

First, those are mostly China Telecom and China Mobile destination addresses. This strongly supports the idea that your CHR is under active attack. Whether it’s compromised yet, I don’t think we can say yet, but you do need to be concerned.

Second, why is the source port 22? Those aren’t inbound connections to your CHR, they’re coming from your CHR on its SSH port. Why? You haven’t got SSH port forwarding enabled, have you?

Brans · July 13, 2021, 12:47pm

Login and password was changed on the beginning.Password meet MikroTIk’s recommended security minimum
SSH port forwarding is disabled

/ip ssh print
           forwarding-enabled: no
  always-allow-password-login: no
                strong-crypto: no
            allow-none-crypto: no
                host-key-size: 2048

rextended · July 13, 2021, 12:52pm

Ok, all those is a big novel, but the end is simple:

(With great probability) your router is compromised.

Is virtual?
If you can:
Stop vm, export to disk, backup with 7zip and share the vm on forum for further analysis the file and folder inside the image.