Does it look like I've been hacked?

Whenever I open port 22 for SSH, almost instantly someone connects to it.
Port 22 is bound to the IP address “192.168.88.253”, which is used by a Raspberry Pi (Raspbian “wheezy” Debian Linux), and after the connection is established it makes a connection to my routerboard (192.168.88.1:53).
Please find the attached screenshot below for a visual view.

Could this mean I am hacked? If this is the case, what should I do to secure my network?

I appreciate your help in advance.

I do not consider that being “hacked”. If you leave that port open, with no firewall rules on the router or raspberry pi, then they are merely accessing it.

I use an Arduino with the ethernet shield in the same configuration as your raspberry pi. I use the firewall on the router to block unwanted connections to the Arduino.

The thing that got my attention was the established connection. Shouldn’t it drop if the intruder isn’t able to authenticate the SSH connection with the Raspberry? I have no firewall rules for port 22, just a NAT entry.
What kind of rule should I make in the firewall to drop unwanted connections?

Thank you so much for your help, I must confess I’m a bit paranoid right now. :confused:

No, his script will try some passwords from a dictionary and maybe try brute force. You should add some protection to the firewall, such as automatically blocking IPs which are scanning your ports. And I recommend you change the outer port from 22 to something else, e.g. 22253 (like 22 for .253) or 25322 or something like that.

zervan is correct. It is only a connection, not a login. That normally requires a user/password for ssh. But the person on the other end of that connection may have bad intentions. A brute force attack is likely, if not happening right now.

I limit my access to a range of valid IPs, or use port knocking to gain access.

Thanks guys for the replies, I really appreciate your help.

I did as you advised:

  1. changed the SSH port (also made sure it won’t conflict with ports that are already in use);
  2. following this manual: http://wiki.mikrotik.com/wiki/Drop_port_scanners, blocked port scanning.

If I understand correctly, whenever the router experiences port scanning, it will save the intruder’s IP address in a firewall address list, thus preventing that particular IP address from communicating with my router?
screenshot:

Could anyone confirm, judging by the screenshot, whether the configuration for blocking port scanning is set up correctly? Thank you! :slight_smile:

Yes

Could anyone confirm, judging by the screenshot, whether the configuration for blocking port scanning is set up correctly?

No, not all the details are there. This command should tell more:

/ip firewall filter print

The following information was returned by the “/ip firewall filter print” command:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept connection-state=established

1 ;;; default configuration
chain=input action=accept protocol=icmp

2 ;;; default configuration
chain=input action=accept connection-state=related

3 ;;; VPN
chain=input action=accept protocol=gre

4 ;;; VPN
chain=input action=accept protocol=tcp dst-port=1723

5 chain=input action=accept protocol=tcp dst-port=21

6 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

7 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1

That’s only the first page. You should copy all pages, or use this command to save the output to the file filter.txt, then send the whole file here:

/ip firewall filter print file=filter

Moreover - in WinBox, you should click on the “#” column header to order the rules by rule number - to see the real situation. Rule order is critical to function, so you probably want to see the rules in the right order.

As I look at (part of) your configuration … I don’t like that - I would move the scanner detection rules before any other rules except the 3 connection tracking rules (#0, #2 and one that is missing, dropping “invalid” connections). It doesn’t make sense to detect scanners after you have allowed access to some ports, nor after you have dropped all connections from the internet - except in the situation where you want to disable access from the internet entirely and only detect local scanners on your LAN. In fact, only you know what you need and what you want to achieve - nobody else here. So we can’t give you the “right” configuration. You should study some examples of firewall rules, understand their meaning and then build your own rule set that is just right for your situation.

You are absolutely correct, “dropping port scanners” worked only for computers in the LAN; it did not function on IP scanners outside my network. Changing the rule order solved this problem.
I also added the missing “drop invalid connections” rule; I have no idea how it got deleted, probably I was messing with some configuration and accidentally removed it. :open_mouth:

The network I want to set up is fairly simple; here is the structure:

The basic idea is to have different IP address pools for the VPN, Local and DMZ networks. I should have access to the DMZ and VPN from the Local network, but not the other way around. I’m still struggling to set up the DMZ, so that work is still in progress.

The following information was returned by the “/ip firewall filter print file=filter” command:

feb/17/2013 21:57:28 by RouterOS 5.16

software id = 12YS-YBRY

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=related

2 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

3 ;;; default configuration
chain=input action=accept connection-state=established

4 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w

5 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

6 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn
protocol=tcp address-list=port scanners address-list-timeout=2w

7 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst
protocol=tcp address-list=port scanners address-list-timeout=2w

8 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

9 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
address-list=port scanners address-list-timeout=2w

10 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

11 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

12 ;;; VPN GRE protocol
chain=input action=accept protocol=gre

13 ;;; PPTP port
chain=input action=accept protocol=tcp dst-port=1723

14 chain=input action=accept protocol=tcp dst-port=21

15 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

16 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid