Everyday, in the late afternoon, I get this message on my MT box.
echo: system, error, critical login failure for user Administrator from x.x.x.x via ftp
The message just keeps repeating over and over, and over, scrolling down my screen. I barely have enough time to enter a command myself before it scrolls off the screen. Each day, its from a different IP address. Is somebody trying to hack my system? What should I do?
Its just a FTP scaning bot, My FTP server use to get that all the time.
If you don’t use Mikrotik’s FTP just disable it under services. Its like a brute force, they are just trying many usernames and password, and you can tell its a bot because it goes so fast.
you can also change the FTP port in services, or use firewall to block everyone except your known IPs
Which would be better, change the port or exclude IPs? Crap. Now I am getting the same message for SSH. Who is this joker? That really chaffs my hide. Is there any way to find out who is doing this?
well, you can lookup the IP in the whois database’s but that will only give you a ISP.
Don’t let it get to you, it happens to everyone. just do one of the above suggestions and be done with it.
These things scan the web looking for open ports like 21 for ftp and 22 for SSH, when they find one they start hammering it with user names and passwords. Its also not just one person, every time you see a different ip chances are it is a different person.
I vote on the firewall. See the section on the firewall filter in the docs. Near the bottom of the page are a couple examples. The “Protect your Router” rules will stop the attempts. Don’t forget to let your IP address through so you can login.
usually these bruteforcers come from a big number of random IPs, so you can’t just look them up. that’s why I said, move all services to other ports, block everyone except yourself and some other safe IPs