There have been constant attempts to log in on my router by the generic user “admin” (which doesn’t exist).
My router is nowhere near the edge of the network, but it is accessible from every subnet and currently has no firewall rules. In turn, access to the network is guarded by RADIUS, DHCP is static only, ARPWATCH notifies through IM so you actually hear when devices connect. So, the router may be unsecured but it’s not exactly not secure, and it’s not like you can log in without credentials anyway, which is why when I saw it came from winbox and from that specific user (i.e., the preset user in winbox) I was just going to ignore it.
Then I realized a couple of things: 1. the source of the login attempts are the interfaces of the router itself. I have not set up any tunneling or anything like that, but I haven’t set up a lot of stuff so perhaps I’m missing something; and 2. the persistence of it is quite high, 38K attempts in a day or two. Those log entries have to be stored somewhere, don’t they? I checked the main disk of my system, it’s just .3GB, while the other is a little over 1GB. I don’t remember moving the logs’ storage, I don’t even know if it can be done—so I took it as good news for now.
Any idea where the login attempts come from?
Different/all interfaces or always from the same *.253 interface? Of course this is very interesting & 200% not normal, but without any config or schematic what can we say…
Who knows if this router has once been compromised or something? I see you run 6.49.6 but was it upgraded recently? Was it ever connected to the Internet with a lower release having some serious vulnerabilities, etc.?
Perhaps you should NETINSTALL again? Do you have scripts running on this unit?
etc., etc.
Is there a question in all of that??
Unless you provide a network diagram showing what connected devices are at play and the config of the MT, there is nothing really more to do…
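One way to answer the "all interfaces or always the same *.253 one" question from an exported log, as an added example that is not part of the original thread: tally the failures by source address, user and service, and mark the sources that are the router's own addresses. It assumes the RouterOS v6 message text `login failure for user ... from ... via ...`; the addresses and log lines are constructed.

```python
import re
from collections import Counter

# Assumed RouterOS v6 wording of a failed login in the system log.
FAILURE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<via>\S+)"
)

def summarize(log_lines, router_addresses):
    """Count failed logins per (source, user, service), most frequent first,
    and flag sources that are one of the router's own interface addresses."""
    counts = Counter()
    for line in log_lines:
        m = FAILURE.search(line)
        if m:  # successful logins and unrelated topics are skipped
            counts[(m["src"], m["user"], m["via"])] += 1
    own = set(router_addresses)
    return [
        {"src": src, "user": user, "via": via, "count": n,
         "router_owned": src in own}
        for (src, user, via), n in counts.most_common()
    ]

# Constructed values: in practice these come from `/ip address print`.
ROUTER_ADDRESSES = ["192.0.2.253", "198.51.100.253"]

# Constructed sample log lines, not taken from the thread.
SAMPLE_LOG = """\
jan/02 10:11:12 system,error,critical login failure for user admin from 192.0.2.253 via winbox
jan/02 10:11:14 system,error,critical login failure for user admin from 192.0.2.253 via winbox
jan/02 10:11:15 system,error,critical login failure for user admin from 198.51.100.253 via winbox
jan/02 10:12:01 system,info,account user alice logged in from 192.0.2.10 via winbox
jan/02 10:12:30 system,error,critical login failure for user admin from 192.0.2.253 via winbox
jan/02 10:13:02 system,error,critical login failure for user admin from 192.0.2.40 via ssh
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines(), ROUTER_ADDRESSES):
        origin = "router's own address" if row["router_owned"] else "other host"
        print(f'{row["count"]:>6}  {row["src"]:<16} {row["user"]:<8} '
              f'{row["via"]:<7} {origin}')
```
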