tvecis
June 20, 2016, 7:15pm
1
Hi.
At the beginning I realised that someone is brute forcing my SSH and Telnet password.
Then I did this >>> http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
After that
But when I block this MAC, this starts
and the Internet is going down.
Is this a hacking problem? If yes, what can I do against this hacker?
Don’t use the MAC address because the MAC address on the WAN side will always be the ISP’s router, no matter what IP address the packet contains.
Basically, you’re blocking communications that go through the ISP’s router, which obviously will disconnect you from the Internet.
I recommend that you just block ssh and telnet from the WAN interface entirely, and that will solve your problem.
Forget the MAC.
Make a rule to add the source addresses of offending traffic to the SSH port to the “blacksshlist” list, and a second rule to block these addresses.
tvecis
June 20, 2016, 8:07pm
4
Yes, you are right. I realised that this is the ISP's Cisco router MAC.
tvecis
June 21, 2016, 7:02am
5
Hmm…
Now I just turned off the SSH & Telnet services.
P.S.
Is this going from my ISP internet to my AP, or from the hacker’s computer directly to my AP?
For SSH, TELNET and FTP try this .. 4 h blocking window for attacker.
/ip firewall filter
add action=add-src-to-address-list address-list=ATTACK_SSH address-list-timeout=4h chain=input comment=ATTACK_SSH dst-port=21,22,23 in-interface=ETH1-WAN protocol=tcp src-address-list=!MYPRECIOUSIPS
add action=drop chain=input comment="DROP ATTACK_SSH" in-interface=ETH1-WAN src-address-list=ATTACK_SSH
Same for DNS DDOS - block all WAN side traffic to DNS server:
/ip firewall filter
add action=add-src-to-address-list address-list=DDOS_DNS address-list-timeout=4h chain=input comment=DDOS_DNS dst-port=53 in-interface=ETH1-WAN protocol=udp
add action=drop chain=input comment="DROP DNS DDOS" in-interface=ETH1-WAN src-address-list=DDOS_DNS
Do not forget to accept traffic from your own address if you want to connect via 21,22,23 ports from WAN side … just put them into MYPRECIOUSIPS address list.
/ip firewall address-list
add address=x.x.x.x comment=HomeSweetHome list=MYPRECIOUSIPS
add address=y.y.y.y comment=OfficeSweetOffice list=MYPRECIOUSIPS
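A small Python model of how the two ATTACK_SSH rules in the post above treat traffic, added here as an illustration; it is not code from the thread and not RouterOS itself. The addresses and events are constructed, port 8291 stands in for any non-guarded port, and refreshing the timeout on a repeat match is an assumption.

```python
from dataclasses import dataclass, field

TIMEOUT = 4 * 3600             # address-list-timeout=4h, in seconds
GUARDED_PORTS = {21, 22, 23}   # dst-port=21,22,23
WAN = "ETH1-WAN"               # in-interface used by both rules


@dataclass
class InputChain:
    whitelist: set                                    # MYPRECIOUSIPS
    attack_list: dict = field(default_factory=dict)   # ATTACK_SSH: ip -> expiry

    def evaluate(self, now, src, proto, dport, iface=WAN):
        """Return 'drop' or 'pass' for one packet seen at time `now` (seconds)."""
        # Dynamic entries vanish once their timeout has elapsed.
        self.attack_list = {ip: exp for ip, exp in self.attack_list.items() if exp > now}
        if iface != WAN:
            return "pass"
        # Rule 1: add-src-to-address-list. It does not end processing, so the
        # same packet goes on to rule 2. A repeat match is modelled as
        # refreshing the expiry (assumption).
        if proto == "tcp" and dport in GUARDED_PORTS and src not in self.whitelist:
            self.attack_list[src] = now + TIMEOUT
        # Rule 2: drop everything from a listed source; no port or protocol match.
        if src in self.attack_list:
            return "drop"
        return "pass"   # left to whatever rules follow in the real chain


def replay(chain, events):
    """Run (time, src, proto, dport) events through the chain, return verdicts."""
    return [chain.evaluate(t, src, proto, dport) for t, src, proto, dport in events]


# Constructed sample traffic (documentation address ranges, not from the thread).
ADMIN, UNKNOWN = "198.51.100.10", "203.0.113.7"
EVENTS = [
    (0, ADMIN, "tcp", 22),                  # whitelisted: never listed
    (5, UNKNOWN, "tcp", 23),                # first telnet packet: listed and dropped
    (6, UNKNOWN, "tcp", 8291),              # other port, still dropped
    (5 + TIMEOUT, UNKNOWN, "tcp", 8291),    # entry expired after 4h
    (6 + TIMEOUT, UNKNOWN, "tcp", 22),      # listed again on the next attempt
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(InputChain({ADMIN}), EVENTS)):
        print(event, verdict)
```

The third event is the one to watch: a single packet to a guarded port from an address missing from MYPRECIOUSIPS cuts off all router-bound WAN traffic from that address for 4h, so fill the whitelist before enabling the rules remotely.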
tvecis
June 21, 2016, 8:54am
7
Thanks! Added these rules. Hope this helps.