denied winbox/dude message

jphconstantin · December 10, 2017, 5:39pm

Hello,
Found in my log:

denied winbox/dude connect from 5.39.218.37

Shall I consider that as an attempt of attack ?
Shall I protect better my router ?

Thank you,

jarda · December 10, 2017, 9:36pm

Sure. Especially if it is not your address and the connection attempts are repetitive.

docmarius · December 11, 2017, 7:16am

You should assume any connection on any open port possible on your system, because you can not control what people do on the internet. Actually you should expect them to do it and there is nothing you can do except secure your equipment (e.g. closing ports you don’t need, restricting access to certain IPs. In this case, do you really need winbox acces from the WAN?). Getting alarmed by every connection attempt due to a port scan or ping is overreacting.

jphconstantin · December 11, 2017, 2:01pm

No I don’t want any access to winbox from the WAN.
I suppose I will find how to fix that in the wiki.
Thank you.

docmarius · December 11, 2017, 3:58pm

You just need to add a firewall filter rule on chain input, incoming port WAN (use the proper name from you system), protocol 6 (tcp) port 8291.

/ip firewall filter add action=drop chain=input comment="Winbox on WAN" in-interface=WAN dst-port=8291 protocol=tcp

But the best approach on the WAN would be only to accept established/related packets and specific ones you actually want (e.g. tunnel related) and drop the rest.

Something like:
input:

accept ICMP (optional)
accept all from LAN
fasttrack established/related (optional)
accept established/related
accept specific ones if needed (optional)
drop all
forward:
accept ICMP (optional)
accept all from LAN
fasttrack established/related (optional)
accept established/related
accept specific port or protocol forwarding (optional)
drop all
output:
accept all (default rule, no need to set it explicitly)

jphconstantin · December 11, 2017, 4:42pm

I believed that the fasttrack rules should be the first ones ?

jarda · December 11, 2017, 10:47pm

Fasttrack rules can be where you need them. Just follow them by the same accepting rule because not all traffic is fasttrackable.

loic69 · March 5, 2018, 9:27pm

Why can we had this winbox/dude denied in the time we have ACL that restrict IP address in /ip service winbox…
in our case we’re aothorizing just one IP.
And we have this winbox/dude from others IP in the internet !