Is there any way to know the password mistake?

I can see that someone is trying to enter the router using ssh2,
but all I can see is which user he is trying.
Can I also know which password he is trying?
Like in the image,
you can see that someone is trying to enter using user: root, postmaster, postfix…
Can I also know what password he is trying to enter?

No, there is no way to get the actual password; that would be a major security issue if it was allowed.

Why is that?
It will only show the wrong ones.

You can:

  1. Do a port redirection - dst-nat for ssh port to a server on a separate linux machine you have in your network for sniffing passwords (ex. a Raspberry Pi machine) for connections coming from an address list (and you just add the “suspicious” IP to the list - to be redirected to the fake server)
  2. Sniff passwords from the linux machine (see http://blog.vpetkov.net/2013/01/29/sniffing-ssh-password-from-the-server-side/ )

edit: I’ve just tested, it works for me! :slight_smile:

Process 20987 attached - interrupt to quit
write(4, "\0\0\0\23\v", 5)              = 5
write(4, "\0\0\0\16$ecreTP2$$w0rd", 18) = 18
write(3, "*\373\fAPK\365B\243\220\\\"7(\321\24\216J}g^\2411\3555\27n\352\377\23B\22"..., 64) = 64
write(4, "\0\0\0\26\v", 5)              = 5
write(4, "\0\0\0\21An0ther$ecretP@ss", 21) = 21
write(3, "\231\315\3v\306\206\337\213\367\220\245\354\245\36x\317C\262O\37$Q\0218\330\230\364/\363\344\343\232"..., 64) = 64
write(4, "\0\0\0\22\v", 5)              = 5
write(4, "\0\0\0\rM2ybeThi$0ne?", 17)   = 17
write(3, "\214do\325\307\26~\240\372\260\261\346aK\323\237P\373,\322H\243.\17\177X\225\333\25MT\260"..., 64) = 64
write(8, "\0\0\0+\0\0\0\3\0\0\0#Connection closed by"..., 47) = 47
Process 20987 detached

So:
write(4, "\0\0\0\16$ecreTP2$$w0rd", 18) = 18
write(4, "\0\0\0\21An0ther$ecretP@ss", 21) = 21
write(4, "\0\0\0\rM2ybeThi$0ne?", 17) = 17
It works! :slight_smile:

All you need is:

  1. On your MikroTik:
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=22 src-address-list=sniff_ssh dst-address=<MikroTik'sIPAddress> to-addresses=<LinuxSnifferMachineIPAddress>
/ip firewall address-list add list=sniff_ssh address=<Attacker'sIPAddress>
  2. On your Linux sniffer:
root@sniffer:~# while [ 1 ]; do newpid=`ps aux | grep ssh | grep net | awk {' print $2'}`; if [ -n "$newpid" ]; then strace -q -e write -p $newpid; fi; done
  3. And wait.

I’m sure it’s worth at least 1 karma :slight_smile:.

Seems great.
My only problem is that I don't have a separate linux machine.

Thanks anyway

Have you tried something like this?
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

Or have you considered blocking that ip?

I can't block the IP because it's changing.

But I have done this (as you told me):

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

But where do I see/change the timeout?

Thanks,

If you mean the 10 day timeout, here. Change the address-list-timeout value.

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

Have you considered blocking SSH altogether if you don't need it?

Thanks, it's very helpful.

I need the SSH service, and I don't always know from which computer I will try to enter it (this is why I don't block the IP).

Then use another port than the default port.

…or use “port knocking”.

Port knocking or a vpn


Port knocking as some already mentioned or you can use some filter rules which you can find on the wiki, like these for example:

/ip firewall filter
add action=drop chain=input comment="drop ssh brute force login" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blaclist
add action=add-src-to-address-list address-list=ssh_blaclist \
    address-list-timeout=1w3d chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp

The above rules would allow connections from one IP on ssh three times; if all these attempts fail, then that IP will be banned for 10 days.

From what I have seen in the last few days,
the first rules you gave me work just fine:

/ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Aviod to enter from the WiFi 
     chain=forward action=drop src-address=10.0.0.0/24 dst-address=159.158.157.0/29 

 1   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 

 2   chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d 
     dst-port=22 

 3   chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 

 4   chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 

 5   chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     address-list=ssh_stage1 address-list-timeout=1m dst-port=22 
[admin@Koren-ADSL] >

The only issue is that it won't reset when a good connection is established, right? It would seem cool to remove the IP from the list when a valid connection is established. The only way I can think of to do that, however, is to have the SSH server use the API to remove the entry…

Thoughts?

What do you mean by reset? A valid connection will connect at first attempt and the source IP will be part of the stage1 list which has a time out of 1m. Obviously, you would not attempt a second connection and after one minute the IP will not be any more on any list. Anyway, you still have three attempts to make a successful connection, and only if you fail those three attempts the IP will be part of the ssh black list. You can add attempts though if you like.

Unless you open multiple terminals. I'm just saying that those rules do not only pick up invalid attempts. They pick up valid and invalid. So if you opened multiple valid connections you could also get blocked.

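To make the staged ssh_stage1/2/3 logic concrete, here is a small Python model of that rule chain, added here as an illustration (it is not RouterOS code and not from any post in this thread). It replays the rules with their timeouts and shows three things: three new connections get through and the fourth is blocked, the rule order matters (reversed, one connection is enough), and the counter is per new TCP connection, successful login or not. It assumes add-src-to-address-list does not stop rule processing, and the IPs are constructed.

```python
# Added model (not RouterOS code) of the staged address-list rules from this
# thread. Each rule is (list the source must already be on, list to add it to,
# timeout in seconds); None means "matches every new SSH connection".
# Assumption: add-src-to-address-list does not stop rule processing, so every
# matching rule in the chain fires for the same packet.
TEN_DAYS = 10 * 24 * 3600
STAGES = [
    ("ssh_stage3", "ssh_blacklist", TEN_DAYS),   # 4th connection -> blacklisted
    ("ssh_stage2", "ssh_stage3", 60),
    ("ssh_stage1", "ssh_stage2", 60),
    (None, "ssh_stage1", 60),                    # every new connection
]


class SshGuard:
    """Tracks dynamic address-list entries with expiry, like the router does."""

    def __init__(self, stages):
        self.stages = stages
        self.entries = {}  # (list_name, ip) -> expiry timestamp (seconds)

    def on_list(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and expiry > now

    def new_connection(self, ip, now):
        """Apply the chain to a new TCP/22 connection; True if it gets through."""
        if self.on_list("ssh_blacklist", ip, now):
            return False                          # the drop rule at the top
        for needed, target, timeout in self.stages:
            if needed is None or self.on_list(needed, ip, now):
                self.entries[(target, ip)] = now + timeout
        # The drop rule has no connection-state match, so once the IP lands on
        # the blacklist the rest of this connection's packets are dropped too.
        return not self.on_list("ssh_blacklist", ip, now)


def connections_until_block(stages, gap_seconds=1, max_tries=20):
    """Count new connections from one (constructed) IP, gap_seconds apart,
    that succeed before the guard blocks it; max_tries means never blocked."""
    guard = SshGuard(stages)
    accepted = 0
    for i in range(max_tries):
        if not guard.new_connection("198.51.100.7", now=i * gap_seconds):
            break
        accepted += 1
    return accepted


if __name__ == "__main__":
    print(connections_until_block(STAGES))                   # 3: as the thread says
    print(connections_until_block(list(reversed(STAGES))))   # 0: rule order matters
    print(connections_until_block(STAGES, gap_seconds=61))   # 20: stage1 expired each time
```

The third call shows why the 1m timeouts matter: spacing connections more than a minute apart never accumulates stages, which is also why a single interactive login does not get you banned.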

Why do you have ssh on a router open for everyone? I usually manage all devices from my office, via vpn or from a jump box at the datacenter. Therefore only those IP (ranges) are allowed to access the routers via ssh.

If it's possible, I would limit the access to as few IPs as possible.

+1
