denied winbox/dude message

Hello,
Found in my log:

denied winbox/dude connect from 5.39.218.37

Shall I consider that as an attempted attack?
Shall I protect my router better?

Thank you,

Sure. Especially if it is not your address and the connection attempts are repetitive.

You should assume any connection on any open port possible on your system, because you cannot control what people do on the internet. Actually you should expect them to do it and there is nothing you can do except secure your equipment (e.g. closing ports you don’t need, restricting access to certain IPs. In this case, do you really need winbox access from the WAN?). Getting alarmed by every connection attempt due to a port scan or ping is overreacting.

No, I don’t want any access to winbox from the WAN.
I suppose I will find how to fix that in the wiki.
Thank you.

You just need to add a firewall filter rule on chain input, incoming port WAN (use the proper name from your system), protocol 6 (tcp) port 8291.

/ip firewall filter add action=drop chain=input comment="Winbox on WAN" in-interface=WAN dst-port=8291 protocol=tcp

But the best approach on the WAN would be only to accept established/related packets and specific ones you actually want (e.g. tunnel related) and drop the rest.

Something like:
input:

  • accept ICMP (optional)
  • accept all from LAN
  • fasttrack established/related (optional)
  • accept established/related
  • accept specific ones if needed (optional)
  • drop all

forward:

  • accept ICMP (optional)
  • accept all from LAN
  • fasttrack established/related (optional)
  • accept established/related
  • accept specific port or protocol forwarding (optional)
  • drop all

output:

  • accept all (default rule, no need to set it explicitly)

I believed that the fasttrack rules should be the first ones?

Fasttrack rules can be where you need them. Just follow them by the same accepting rule because not all traffic is fasttrackable.

Why can we have this winbox/dude denied at the time we have an ACL that restricts IP addresses in /ip service winbox…
In our case we’re authorizing just one IP.
And we have this winbox/dude from other IPs on the internet!