blocking access to ROS box

bino · April 8, 2010, 1:26am

Dear All

I have this rule in my filter

[admin@mybox] > /ip fir fil print det
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Block All tcp to local
     chain=input action=drop protocol=tcp dst-address-type=local src-address-list=!sshok 

 1   ;;; Block All udp to local
     chain=input action=drop protocol=udp dst-address-type=local src-address-list=!sshok

but when I ssh login from my station, I got this msg :

apr/07/2010 22:52:32 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:34 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:34 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:37 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:37 system,error,critical login failure for user oracle from 89.46.37.118 via ssh
apr/07/2010 22:52:39 system,error,critical login failure for user oracle from 89.46.37.118 via ssh
apr/07/2010 22:52:39 system,error,critical login failure for user test from 89.46.37.118 via ssh
apr/07/2010 22:52:41 system,error,critical login failure for user test from 89.46.37.118 via ssh

I’m sure that 89.46.37.118 is not in my allowed address list (sshok)

Is it normal ?

Sincerely
-bino-

fewi · April 8, 2010, 1:37am

Those rules should work, but something else in the rule set might interfere with them. Can you post the entire ruleset along with the address list?

Also, usually it’s easier to just accept traffic that you want and then drop everything else rather than deny specific traffic. Additionally, dst-address-type=local is unnecessary in the ‘input’ chain since only traffic destined for the router goes into that chain, so a local destination address type is implied.

/ip firewall filter
add chain=input action=accept protocol=tcp src-address-list=sshok 
add chain=input action=accept protocol=udp src-address-list=sshok
add chain=input action=drop

bino · April 8, 2010, 2:24am

Do you mean including the mangle rules ?
For the filter, those 2 rules is the only i have in.

Well, actualy I only follow suggestion on securing mt box from http://wiki.mikrotik.com/wiki/Securing_your_router

Ok I’ll try it

Sincerely
-bino-