It also tried to log into my phone server via SSH. These are the only two things I can find it’s tried to log into. However, other devices on my network don’t have logs of failed logins; it’s probably tried to log into everything.
Wait, so this behaviour could be an anti virus scanning the network?
I am trying to figure out how this went on. If you know, how does one attempt to access mikrotik router via ftp? I know how to access with web, and I know winbox. One you use chrome and one you download winbox. But how do you access it with ftp? Is it like an ftp client?
Yes. The same experience from other Mikrotik user http://forum.mikrotik.com/t/brute-passwords-of-microtik-devices-from-the-local-network-how-to-identify-malware/152971/15
You can increase the line limit per log file, I use 4096 without any problem.
This can be large if you wish …
Sending all important logs to the hEX with DUDE. DUDE has the syslog function built in.
Filtered DUDElog is written to disk via the log system of the hEX
Here external disk, because of volume and many rewrites.
Rolling set of 900 files with 32000 lines each.
32000 limit, as practical limit, because consultation is via files download over 4G connection.
Thanks. After I saw what holvoe said I thought I would investigate a bit more. I ran two AVG scans on a certain computer which was showing up as trying to log into the server. At that exact time my FreePBX server had a large number of bruteforce attempts on it.
Mikrotik did not seem to, however I think this is because I followed rextended’s advice of blocking all protocols except for Winbox and web.
So it seems AVG was the problem. It caused me a lot of problems because I also actually got hacked this week on my own PC lol, so I thought it was related but I don’t think it was.
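Added example (not part of any post in this thread): one way to find which host is behind a burst of failed logins, by grouping "login failure" lines from a saved router log by source address and service. The sample lines, their layout, the `192.168.88.0/24` subnet and the function names are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample; the line layout is an assumption modelled on RouterOS
# "login failure" messages, not output copied from the thread.
SAMPLE_LOG = """\
jan/10 14:02:11 system,error,critical login failure for user admin from 192.168.88.25 via ftp
jan/10 14:02:12 system,error,critical login failure for user root from 192.168.88.25 via ssh
jan/10 14:02:12 system,error,critical login failure for user admin from 192.168.88.25 via ftp
jan/10 14:02:13 system,error,critical login failure for user admin from 192.168.88.25 via ssh
jan/10 14:05:40 system,info,account user admin logged in from 192.168.88.10 via winbox
jan/10 15:31:07 system,error,critical login failure for user admin from 203.0.113.7 via ssh
jan/10 16:10:55 system,error,critical login failure for user admin from 192.168.88.10 via winbox
"""
LAN = ipaddress.ip_network("192.168.88.0/24")  # assumed local subnet

FAILURE = re.compile(
    r"^(?P<day>\S+) (?P<minute>\d{2}:\d{2}):\d{2} \S+ "
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)$"
)

def summarize(log_text):
    """Return {source: {"services": set, "per_minute": Counter}} for failed logins."""
    stats = defaultdict(lambda: {"services": set(), "per_minute": Counter()})
    for line in log_text.splitlines():
        m = FAILURE.match(line.strip())
        if not m:
            continue  # successful logins and unrelated messages
        try:
            src = str(ipaddress.ip_address(m["src"]))
        except ValueError:
            continue  # malformed address field, skip rather than guess
        stats[src]["services"].add(m["svc"])
        stats[src]["per_minute"][(m["day"], m["minute"])] += 1
    return dict(stats)

def suspects(stats, burst=3, min_services=2):
    """Sources with >= burst failures in one minute across >= min_services services."""
    found = []
    for src, s in stats.items():
        peak = max(s["per_minute"].values())
        if peak >= burst and len(s["services"]) >= min_services:
            on_lan = ipaddress.ip_address(src) in LAN
            found.append((src, on_lan, peak, sorted(s["services"])))
    return sorted(found, key=lambda row: -row[2])

if __name__ == "__main__":
    for src, on_lan, peak, services in suspects(summarize(SAMPLE_LOG)):
        where = "LAN host" if on_lan else "external"
        print(f"{src} ({where}): {peak} failures/minute via {', '.join(services)}")
```

A LAN address that fails against several services within the same minute is the pattern to compare against the time a scan or other scheduled job ran on that machine.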
I am sort of clueless as to how you log files on a separate HDD. I assume this is what you’re doing? So like the storage space on the Mikrotik is very small, so you connect a hard drive to it, and store the logs on that hard drive? Is that what you’re doing? How do you connect the hard drive to the MT Router?
Syslog can be a network service on whatever (virtual machine, Raspberry Pi, Linux computer, …).
I use USB drive on RB5009 as external disk, also did this on Hex.
So you plugged a USB drive into your router?
Do all routers come with a USB port on them? I don’t think my router (RB2011iL) has one, but it might.
No, not all do.
I don’t think my router RB2011iL has one. No mention of it in the data sheet or manual and I can’t ever remember seeing one on it. So I will have to find a different way
No USB, or microSD slot as in the hEX … was a problem for extra disk… but now there is the new ROSE
https://help.mikrotik.com/docs/display/ROS/ROSE-storage
NFS mount, SMB client, iSCSI (SAN) disk … network connected storage, both as initiator (client) and host !
NVMe over TCP is new to me.
If used correctly, NVMe/TCP (poor man’s RDMA) is normally very efficient in terms of latency and throughput compared to eg SCSI.
Hi everyone.
Would it be possible to view the log entries that were in the log prior to a power outage?
Unfortunately some RBs are not under UPS and there won’t be a chance to get them.
On these, when the power fails, all the registry entries prior to the power failure disappear…
Is it possible to retrieve and view them somehow?
Thanx
Logging to actions “echo” and “memory” … are gone after power failure or reset/restart.
Logging to actions “disk” and “remote” are still available. ( “disk” is to the flash or other added storage, like USB stick.) (“remote” requires a syslog server, like the one in DUDE)
So in a nutshell (since I’m no expert) you are telling me that they are irretrievably lost.
So if, for the next time, I want to save this data, should I use DUDE or an external USB stick?
Could you kindly post me some links describing the detailed procedure to use these tools?
Unfortunately I’m not very fond of the command line and I don’t know where to start.
Thank you
That’s the second (stronger) option, to send it with “remote” to a SYSLOG like Dude.
Changing logging from action “echo” or “memory” to “disk” would put those logs in the flash file specified, which survives reboots and resets.
You may want to only send some “topics” to flash. All is done in winbox or webfig, no command line needed.
The example for DUDE is above http://forum.mikrotik.com/t/is-there-a-way-to-see-all-previous-failed-logins-on-winbox/166239/1 , where “dudelog” action is just some “disk” action in logging for the topic ‘dude’.
(“dudelog” is just using the local logging system to store the received logs (which have topic “dude”) in permanent storage.)
There is no need for syslog function like in dude or the “remote” action to send it, if you just want to store it locally, in flash or USB drive. Just use “disk” as action.
Just a warning: ‘flash’ has a limited number of writes before it wears out and fails. Even if that limit is a few million times, if you have 100 lines per second, it will be at the limit rather fast.
(That’s the reason for the USB stick (similar limits apply!) or USB disk drive) http://forum.mikrotik.com/t/um-on-cf-drive-many-sector-writes-is-that-a-problem/48045/1