Help understanding Mikrotik LOG

ranjan · December 6, 2011, 4:59am

Dear All,
Today when I saw log of mikrotik then I found that there was some activity from firewall at night timing which actually worried me because we don’t work at night.
So please help me understand the log what exactly is the meaning for no.1 and no.2 as shown in attached pic.
Thanks in advance.
Mikrotik Log.jpg

dasiu · December 6, 2011, 7:35am

a TCP SYN packet, initiating a TCP connection to port 22 (SSH) of your router. Someone (maybe a bot) was trying to SSH on the MikroTik
Every DHCP lease has its time. It is specified in “lease-time” parameter of the server. Usually - 3 days. If a DHCP client doesn’t refresh the lease for the time - the lease is deassigned. That happened in the logs .

ranjan · December 6, 2011, 7:43am

Hi dasiu,
Thanks for explaining this.
someone is trying to ssh my router, so is that bot came in my network? How to block such intrusions which is coming through ssh?
Should I disable ssh from my router?
Please help me.

fewi · December 6, 2011, 12:53pm

Do you use SSH to access your router? If not best practice would be to disable the service.

ranjan · December 7, 2011, 4:21am

Thanks fewi.
One more query I have related to upgradation of OS to v5.9, currently my winbox shows my version as v5.6.
After upgrade if anything goes wrong and I want to rollback to v5.6 with all previous configuration then how can I do that?
I have taken backup (Files>Backup).
Can u please tell me step by step process for taking MT RB450G router to its previous version (v5.6) and making it to working condition?
Thanks in advance.

Feklar · December 7, 2011, 3:02pm

Search is your friend, that and the manual available at the wiki.
http://wiki.mikrotik.com/wiki/Manual:RouterOS_FAQ#Downgrading

Configuration does not change from version to version, just syntax sometimes. Though having a backup of the router is never a bad idea.

ranjan · December 9, 2011, 4:44am

Hello,
I have disabled my ssh on mikrotik but still I can that firewall info is showing that someone is trying to login.
Now what should I do?
Screen shot is attached.
Thanks in advance.
Firewall info.jpg

fewi · December 9, 2011, 12:03pm

Nothing. What else is there to do? There’s nothing listening on the port anymore, and you can’t stop the packet from arriving on your router port (unless you control the other end of the connection as well).

Someone is trying a key on the door to your house. You changed the door so there’s no longer a lock at all, but he keeps trying a key. Unless you control the street and can keep him from touching the door at all there’s not much else you can do, but there is also little point in worrying about someone using a key if there’s no actual lock to put the key in.

ranjan · December 10, 2011, 2:31am

Thanks Fewi…