Do not open port tcp/23 to your device from the internet, you will be hacked

If you do not like to get hacked, do not open port tcp/23 from the internet through your firewall.
I have used Splunk to monitor what is blocked on my wan port on my RB750Gv3.
Using Splunk to monitor: http://forum.mikrotik.com/t/tool-using-splunk-to-analyse-mikrotik-logs-3-3-graphing-everything/121810/1

My last filter rule logs all that is not allowed and sends it out using syslog to Splunk.

chain=input action=drop in-interface=ether1-Wan log=yes log-prefix="FW_Drop_all_from_WAN"

The result is an average of 100 000 hits each day. Nearly all on port tcp/23.
Port tcp/23 gets hammered more than once every second from different IPs.
From the graphs you can see that each source IP tries many times for some days, then gives up.

So do not use telnet port tcp/23.
Use SSH on a random high port like 53244 if you need console access from outside.
Or use port knocking.

[Image: Block_telnet.jpg - Port tcp/23]
[Image: Block_port.jpg - All ports]
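The kind of analysis the graphs above come from can be reproduced without Splunk. The following is an added example, not code from the original post or from MikroTik: it parses syslog lines in the shape a RouterOS drop rule with log-prefix="FW_Drop_all_from_WAN" produces, then counts hits per destination port and, per source IP, how many hits and over how many distinct days they arrived. The log lines and addresses are constructed for the example, and the exact field layout of a real RouterOS line may differ slightly from the regex assumed here.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines modelled on RouterOS firewall log output forwarded
# over syslog. Addresses are from documentation ranges, not from the thread.
SAMPLE_LOG = """\
Mar 10 08:01:02 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.10:51234->198.51.100.5:23, len 60
Mar 10 08:01:03 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.10:51235->198.51.100.5:23, len 60
Mar 10 09:15:44 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.77:40001->198.51.100.5:23, len 60
Mar 11 02:30:00 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.10:51300->198.51.100.5:23, len 60
Mar 11 02:30:05 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.10:51301->198.51.100.5:22, len 60
Mar 12 14:00:00 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto UDP, 192.0.2.200:5060->198.51.100.5:5060, len 400
Mar 12 14:00:01 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.10:51400->198.51.100.5:23, len 60
Mar 12 14:00:02 rb750 system,info some unrelated log line that must be ignored
"""

# Assumed line layout: syslog timestamp, host, topics, log prefix, then the
# RouterOS packet summary ending in "src:sport->dst:dport".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ firewall,info (?P<prefix>\S+) .*?"
    r"proto (?P<proto>[A-Z]+)[^,]*, (?P<src>[\d.]+):\d+->[\d.]+:(?P<dport>\d+)"
)


def parse_drops(text, prefix="FW_Drop_all_from_WAN"):
    """Return (timestamp, src_ip, proto, dst_port) for each line with the prefix."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("prefix") != prefix:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for counting distinct days within one capture.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("proto").lower(), int(m.group("dport"))))
    return events


def hits_per_port(events):
    """Counter keyed by (proto, dst_port): shows which service is being hammered."""
    return Counter((proto, dport) for _, _, proto, dport in events)


def share_of_port(events, proto="tcp", dport=23):
    """Fraction of all dropped packets aimed at one port (0.0 if no events)."""
    if not events:
        return 0.0
    return hits_per_port(events)[(proto, dport)] / len(events)


def source_activity(events):
    """Per source IP: hit count, first/last seen, and number of distinct days active."""
    seen = defaultdict(list)
    for ts, src, _, _ in events:
        seen[src].append(ts)
    return {
        src: {
            "hits": len(stamps),
            "first": min(stamps),
            "last": max(stamps),
            "days": len({t.date() for t in stamps}),
        }
        for src, stamps in seen.items()
    }


if __name__ == "__main__":
    ev = parse_drops(SAMPLE_LOG)
    print(f"{len(ev)} dropped packets parsed")
    for (proto, port), n in hits_per_port(ev).most_common():
        print(f"  {proto}/{port}: {n}")
    print(f"share on tcp/23: {share_of_port(ev):.0%}")
    for src, info in source_activity(ev).items():
        print(f"  {src}: {info['hits']} hits over {info['days']} day(s)")
```

Pointing parse_drops at a real syslog capture (for example the file a remote syslog server writes for the router) gives the same per-port and per-source picture as the Splunk graphs, and source_activity's "days" field is what shows the pattern of a scanner trying for several days and then giving up.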

Imho you shouldn’t be using telnet at all, not even in LAN. You shouldn’t just firewall it but also disable the corresponding service.

This isn’t really a surprise for most people. Every service you run will get hit by attacks. Software like fail2ban has existed for years specifically to allow you to run a service (SMTP/HTTP/SSH/whatever) that is going to get abused, and automatically block repeated hack attempts.

I’ve seen the random port suggestion a few times. Apparently it works fairly well as most of the automated hacks aren’t going to bother scanning every port. It only takes a quick nmap scan to find it though, and you’ve not really improved security other than moving the door behind some bushes.

Personally I find it crazy that people open these services in the first place. Your router should be locked down entirely from the WAN. If you need remote access, add rules for specific addresses that you connect from. If you can’t do that use a VPN.

I am not surprised by the number of attacks, but that it’s >95% on tcp/23.

Port 23, among many others, is one that I also monitor & ban on. (add to ‘ban’ address list)

As indicated, I’ve also found it to be the most frequently hit port, I get hit constantly.

Disable the service & change the corresponding service port to something (anything) else.
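The fail2ban approach mentioned earlier and the "add to 'ban' address list" approach in this post are the same idea: count repeated hits per source and block the source once it crosses a threshold. The following is an added example, not code from the thread or from fail2ban or MikroTik: a sliding-window tracker that bans a source after a configurable number of hits inside a time window, expires the ban after a set time, and renders the resulting bans as RouterOS address-list commands. The events, threshold, window and list name are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed (timestamp, source IP) events for packets a drop rule logged.
# Addresses are from documentation ranges, not from the original thread.
SAMPLE_EVENTS = [
    (datetime(2024, 3, 10, 8, 0, 0), "203.0.113.10"),
    (datetime(2024, 3, 10, 8, 0, 20), "203.0.113.10"),
    (datetime(2024, 3, 10, 8, 0, 40), "203.0.113.10"),
    (datetime(2024, 3, 10, 8, 1, 0), "192.0.2.77"),
    (datetime(2024, 3, 10, 8, 1, 5), "203.0.113.10"),   # 4th hit inside 10 min: ban
    (datetime(2024, 3, 10, 8, 2, 0), "203.0.113.10"),   # already banned, not counted
    (datetime(2024, 3, 10, 9, 0, 0), "192.0.2.77"),     # too spread out to trigger
    (datetime(2024, 3, 10, 9, 30, 0), "192.0.2.77"),
    (datetime(2024, 3, 10, 9, 45, 0), "192.0.2.77"),
]


class BanTracker:
    """Ban a source after `threshold` hits within `window`; lift it after `ban_time`."""

    def __init__(self, threshold=4, window=timedelta(minutes=10), ban_time=timedelta(days=1)):
        self.threshold = threshold
        self.window = window
        self.ban_time = ban_time
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned = {}                   # ip -> ban expiry time

    def is_banned(self, ip, now):
        """True while a ban is active; expired bans are removed as a side effect."""
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned[ip]
            return False
        return True

    def observe(self, ts, ip):
        """Record one hit; return True only when this hit triggers a new ban."""
        if self.is_banned(ip, ts):
            return False
        hits = self.recent[ip]
        hits.append(ts)
        # Drop hits that have slid out of the window.
        while hits and ts - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.threshold:
            self.banned[ip] = ts + self.ban_time
            hits.clear()
            return True
        return False


def process(events, **tracker_args):
    """Feed events in time order; return the tracker and the list of bans triggered."""
    tracker = BanTracker(**tracker_args)
    bans = [(ts, ip) for ts, ip in sorted(events) if tracker.observe(ts, ip)]
    return tracker, bans


def routeros_ban_commands(bans, list_name="ban", timeout="1d"):
    """Render bans as RouterOS address-list additions (a drop rule with
    src-address-list=<list_name> then blocks them). Assumed list name and timeout."""
    return [
        f'/ip firewall address-list add list={list_name} address={ip} '
        f'timeout={timeout} comment="auto-ban {ts:%Y-%m-%d %H:%M}"'
        for ts, ip in bans
    ]


if __name__ == "__main__":
    tracker, bans = process(SAMPLE_EVENTS)
    for cmd in routeros_ban_commands(bans):
        print(cmd)
```

The window keeps a legitimate user who mistypes a password a couple of times from being banned, while a scanner that hammers the port several times a minute is listed after its fourth hit. The ban expiry mirrors the timeout on a RouterOS address-list entry, so the tracker's state and the router's list stay consistent if both use the same value.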

Short comment would be: DUH!
OK, now for the longer, more polite answer. Anyone who runs almost any type of server these days will see piles of attack attempts on a variety of ports. Yes, Telnet is one of the most common. I don’t log them, but I do have firewall rules that drop and count packets. I just looked at one of my RB750r2 routers that has a DSL connection facing the internet. Since that router was last reset 72 days ago, there have been 3,702 dropped packets on port 21, 22,236 dropped packets on port 22, and 130,890 packets on port 23. There have also been 3,036 dropped packets on port 8291 (the normal WinBox port). My cable internet connection into the other router gets far more attack attempts. None of these ports are in use as they have been moved and there are other security features to prevent access including but not limited to non-standard port, Port Knocks, Restrictive IP access, VPN, port scanning detection and blocking. I have had friends who make a living in IT security attempt to break in and all have given me a clean bill of health, so I think I’m in pretty good shape :)

I expect the rest of the ports getting pinged are dropped further up in the firewall chain, so not being reported.