Brute Force Attacks

FYI

The following IP address 95.214.54.110 is trying very hard to gain access to my Tik via VPN [port 500] each and every day now for months …

Just a FYI

How many are seeing the very same intrusion attempt on their Tiks?

It's called blissful peace of mind. I don't log :slight_smile:
While you're worrying, I am reading a great big book about how to help people with networking anxiety.
Apparently you can hit them over the head with a book, or tell them not to log.

https://www.virustotal.com/gui/ip-address/95.214.54.110/community
Known, reported for scanning and trying a Zyxel exploit… There are millions of similar compromised IPs scanning.
Enjoy: https://cybermap.kaspersky.com/

Hi.
Anav is right: don’t log it.
Does the MikroTik have high CPU usage, or do you already have some dynamic rule that could move these attackers to an address list to be dropped with a raw rule for X minutes?

I’ve been seeing that too, two IP addresses, one at time, but different from yours.

I was thinking, ‘what are they doing’? They are trying to break the encryption password, after that, they need to figure out an account user/pass, maybe a certificate..

I made a post about this on the other forum we frequent because, security-wise, that is activity I had never seen before.

Filling the log annoys me, so I block the IP for a month at a time.

When will they start doing it with IPv6…

Perhaps but they have to find it first.

I’ve seen very few attacks on IPv6.

I started using IPv6 in 2008, I’ve seen maybe 10 in that time, at least 3 of them I suspect they got the IPs from my ISP.

When easy IPv4 targets are not available for starters, and if you have something considered of value and exploitable, the level of interest climbs... regardless of IPV...

Then, if you leave doors, windows, skylights and manholes open, it is obvious that sooner or later someone will enter your house...

Not entirely from the same source IP, but close … IP 95.214.55.244

inetnum: 95.214.52.0 - 95.214.55.255
netname: PL-MEV-20181221
country: PL
org: ORG-MSZO78-RIPE

Some Polish operated IP-space.
For the last 30 days, it has been consistently trying these 4 destination ports on my front door :smiley: :sunglasses:
[Attached screenshot: Screenshot from 2024-01-16 18-33-39.png]

Strange, it's not like you have some secret recipe for vodka :wink:

Perhaps the vodka market is drying out and they want to get into chocolate or beer :laughing:

I could throw in a couple of Belgian Waffles :smiley: :smiley:

But then you would need French beurre and Canadian Maple Syrup. :slight_smile:

Greetings from the Netherlands :smiley:

It will be below -15°C tomorrow so I could do with waffles (des gaufres de Liège s.v.p!) and some hot chocolate. Beer? In het stoofvlees!

@Mozerd, thanks for the heads up. If you are interested in contributing, you can join the DShield sensor project.

The other way around, you can use their information to create and update a deny list to block the worst offenders: Script here!
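
Added example, not part of any post in this thread and not the script linked above: one way to turn a downloaded block-list feed into a timed RouterOS address list that a raw rule drops, matching the address-list-plus-raw-drop and one-month-block ideas mentioned earlier in the thread. The feed layout (tab-separated start, end, prefix length), the list name `feed_block`, the `NEVER_BLOCK` ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Networks that must never land on the deny list (assumed: RFC 1918 LANs plus
# a hypothetical remote-admin address). Adjust to your own site.
NEVER_BLOCK = [ipaddress.IPv4Network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.10/32")]
MIN_PREFIX = 16  # refuse anything broader than a /16: a bad feed should not cut you off

# One-time rule that drops listed sources before connection tracking.
RAW_RULE = "/ip firewall raw add chain=prerouting src-address-list=feed_block action=drop"

# Constructed sample feed (assumed layout: start<TAB>end<TAB>prefix<TAB>count).
SAMPLE_FEED = (
    "# constructed sample, not real feed data\n"
    "198.51.100.0\t198.51.100.255\t24\t1200\n"
    "203.0.113.0\t203.0.113.255\t24\t950\n"
    "192.168.88.0\t192.168.88.255\t24\t10\n"      # overlaps the LAN: must be skipped
    "198.51.100.0\t198.51.100.255\t24\t1200\n"    # duplicate
    "not-an-ip\tgarbage\t24\t1\n"                 # malformed
    "203.0.113.64\t203.0.113.127\t26\t40\n"       # already covered by the /24
    "0.0.0.0\t255.255.255.255\t0\t1\n"            # far too broad
)


def parse_feed(text, never_block=NEVER_BLOCK):
    """Return a sorted, de-duplicated, collapsed list of IPv4 networks to block."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        try:
            net = ipaddress.IPv4Network(f"{fields[0]}/{int(fields[2])}")
        except (ValueError, IndexError):
            continue  # malformed entry: skip it rather than push junk to the router
        if net.prefixlen < MIN_PREFIX or any(net.overlaps(ok) for ok in never_block):
            continue
        nets.add(net)
    return sorted(ipaddress.collapse_addresses(nets))


def to_routeros(nets, list_name="feed_block", timeout="30d"):
    """Render address-list entries that expire on their own after `timeout`."""
    lines = ["/ip firewall address-list"]
    lines += [f"add list={list_name} address={n} timeout={timeout}" for n in nets]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_routeros(parse_feed(SAMPLE_FEED)))
    print(RAW_RULE)
```

The raw rule is installed once; only the address-list entries are refreshed, and entries that drop off the feed age out when their timeout expires.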

Perhaps you should make use of Mozerd's most excellent service, light years ahead of the game in the DIY category…