Help to understand log - Possible Attack?

Hi everyone,

I’m having these constant connection attempts on the MikroTik and I think it is an attack, but I can’t fully understand the log.

I banned the IP:

/ip firewall filter add chain=input src-address=58.218.198.171/32 in-interface=my_wan action=drop

Also made a rule with forward.

But these messages in the log screen keep appearing with different port numbers, as if it was getting into the MikroTik. (I only have the SSH and Winbox ports on the MikroTik and they are being filtered by my LAN, so I don’t think he is going to get into the router, but I’m afraid because of the resources.)

18:30:45 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:60001->myWAN:22, len 60
18:30:46 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:60001->myWAN:22, len 60
18:30:48 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:60001->myWAN:22, len 60
18:30:50 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:54368->myWAN:22, len 60
18:30:51 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:54368->myWAN:22, len 60
18:30:53 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:54368->myWAN:22, len 60
18:30:55 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:48833->myWAN:22, len 60
18:30:56 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:48833->myWAN:22, len 60
18:30:58 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:48833->myWAN:22, len 60

I tracked the IP; it seems to be a range from China. I have block rules for port scanning and floods, but it seems it is not something like that.

I would like to know if I’m missing something.

Thanks in advance.

Regards,

Hi,

The connections are coming in on port ether1:

18:30:45 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:60001->myWAN:22, len 60

therefore the correct firewall rule should be:

/ip firewall filter add chain=input src-address=58.218.198.171/32 in-interface=ether1 action=drop

Hi kamillo, that’s exactly my rule, just change my_wan for ether1.

Looking at the logs, I realized that I had enabled “log” in a filter rule that drops traffic from certain ports, and I believe the log was “logging” the action that the MikroTik takes when filtering that.

Is there any chance that the rule I wrote before was just that, a log event?

Thanks for your response.

Yes, it is possible, if you do something like this:

/ip firewall filter add chain=input src-address=58.218.198.171/32 in-interface=ether1 action=drop log=yes

RouterOS will drop packets from 58.218.198.171 incoming on interface ether1 and will also log the action (you will see an entry in the logs).

When you are worried about “possible attack” when seeing SSH connection attempts, you should change your firewall
so that it drops all incoming connections by default and only allows what you require (e.g. management from 1 address).

You can block someone who tries SSH, but there are thousands and thousands of others who are doing the same.
The internet is not a friendly place.
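To make the log entries above less mysterious, here is a small analyzer, added as an example and not code from the thread or from MikroTik. It embeds a constructed copy of the nine log lines quoted in the first post, parses the RouterOS firewall log format (assuming no log-prefix is set on the rule), groups packets by their 4-tuple, and flags groups that are pure SYNs resent from the same source port at growing intervals. That pattern is what a client shows when its SYN gets no reply at all, which is exactly what you expect when the packet is being dropped by a rule that also has log=yes: every retransmission hits the same rule and produces another entry. The interpretation is an inference, not something RouterOS states in the log.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample: a copy of the log lines quoted earlier in the thread,
# embedded here so the script runs offline (real lines come from /log print).
SAMPLE_LOG = """\
18:30:45 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:60001->myWAN:22, len 60
18:30:46 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:60001->myWAN:22, len 60
18:30:48 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:60001->myWAN:22, len 60
18:30:50 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:54368->myWAN:22, len 60
18:30:51 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:54368->myWAN:22, len 60
18:30:53 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:54368->myWAN:22, len 60
18:30:55 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:48833->myWAN:22, len 60
18:30:56 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:48833->myWAN:22, len 60
18:30:58 firewall,info input: in:ether1 out:(none), src-mac 58:f3:9c:3d:bb:1a, proto TCP (SYN), 58.218.198.171:48833->myWAN:22, len 60
"""

# One RouterOS firewall log entry, as written by a rule without a log-prefix.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) firewall,(?P<level>\w+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:\((?P<out_if>[^)]*)\), src-mac (?P<mac>[0-9a-fA-F:]+), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\S+?):(?P<sport>\d+)->(?P<dst>\S+?):(?P<dport>\d+), len (?P<len>\d+)$"
)


def parse_entries(text):
    """Parse firewall log lines; lines that do not match are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%H:%M:%S")
        for k in ("sport", "dport", "len"):
            e[k] = int(e[k])
        e["flags"] = set((e["flags"] or "").split(","))
        entries.append(e)
    return entries


def group_attempts(entries):
    """Group packets by 4-tuple: one group is one client-side connection attempt."""
    groups = OrderedDict()
    for e in entries:
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        groups.setdefault(key, []).append(e)
    return groups


def looks_like_unanswered_syn(packets):
    """True for a group of pure SYNs resent from the same source port with
    non-decreasing gaps: the retransmission pattern of a client whose SYN got
    neither a SYN-ACK nor a RST, i.e. consistent with the packet being dropped."""
    if len(packets) < 2 or any(p["flags"] != {"SYN"} for p in packets):
        return False
    gaps = []
    for a, b in zip(packets, packets[1:]):
        delta = b["time"] - a["time"]
        if delta < timedelta(0):  # log crossed midnight
            delta += timedelta(days=1)
        gaps.append(delta.total_seconds())
    return all(later >= earlier for earlier, later in zip(gaps, gaps[1:]))


def summarize(text):
    """Turn raw log text into the numbers that answer 'is this one attacker or many?'"""
    entries = parse_entries(text)
    groups = group_attempts(entries)
    unanswered = sum(1 for pk in groups.values() if looks_like_unanswered_syn(pk))
    return {
        "events": len(entries),
        "attempts": len(groups),
        "retransmissions": len(entries) - len(groups),
        "unanswered_attempts": unanswered,
        "sources": sorted({e["src"] for e in entries}),
        "dports": sorted({e["dport"] for e in entries}),
        "in_interfaces": sorted({e["in_if"] for e in entries}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['events']} log events = {s['attempts']} connection attempts "
          f"+ {s['retransmissions']} SYN retransmissions")
    print(f"{s['unanswered_attempts']} of {s['attempts']} attempts look unanswered (dropped)")
    print("sources:", s["sources"], "dst ports:", s["dports"], "ingress:", s["in_interfaces"])
```

On the sample this reports nine events but only three actual connection attempts, each a SYN retried twice from the same source port at 1 s and then 2 s, and all three unanswered. Nine "different port" entries therefore do not mean nine intrusions; they mean one host trying port 22 three times and the firewall doing its job each time, which is what the later replies in this thread conclude. Pasting a larger /log export into SAMPLE_LOG gives the same breakdown per source and destination port, which is the first thing to look at before deciding whether a flood rule is needed.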

pe1chl, I have my firewall rules against port scans, blocking SSH connections from my WANs and filtering Winbox to my subnet only; that’s why I got confused and I was like “how can this be possible?”, but it was all about the “log” thing.

I turned it off and all is fine now.

Thanks both for your replies.