Login attemps via SSH

RouterOS Beginner Basics
1

I’ve got three questions about the Mikrotik I’m working on now, but I’ll split them into three different threads.

Background: I inherited a Mikrotik router at the childrens hospital where I’m providing very limited IT support. The main IT guy is in hospital, and probably won’t recover for a while.

Anyway, I was browsing through the WinBox programme (v2.9.50) and I noticed in the logs three red lines that said user “root” attempted to log in from an external IP address via SSH and failed.

I’m assuming this is NOT a good thing. I know on soho wireless routers, you can turn off external access. Is this possible to do in RouterOS?

Thanks in advance for the help.

Seth

2

For simply turning off all access from outside, edit the address permitted to access SSH under “/ip services”.

3

Thanks, I’ll give that a try.

Seth

4

I don’t have SSH under IP Services… I’m running RouterOS 2.9.50. If I upgraded to the latest version (is that possible?), would that give me the SSH option?

5

I use the firewall. Be careful about the entries. Not difficult at all to lock yourself out. I like to log in by ssh, then look in the log “/log print”. It will show what ip you logged in from. That is the subnet you want to allow in the following. I used 192.168.0.0/24 as your localnet. You may enter multiple entries for allowing localnets to login to the router. Just insure they are all before the “chain=input action=drop” entry. Order is important!

/ip firewall filter
add chain=input action=accept connection-state=established
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept protocol=udp
add chain=input action=accept src-address=192.168.0.0/24

and after you are certain you have the correct localnet entered, this is last:
add chain=input action=drop

If anything locks you out, it will be this entry.
This is all covered in the manual under firewall filter. See the section “Protect your RouterOS router”.
Have a null modem cable handy. :wink:

6

These are the rule that we use for this

/ip firewall filter
add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="" content="530 Login incorrect" \
    disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output comment="" content=\
    "530 Login incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp

The first set of rules will block someone trying to brute force their way in with FTP. The second set of rules will allow someone 3 attempts to log in via ssh in 3 minutes, if they fail they are blocked for the next week, you can of course change the time frames however you choose. Since most brute force login attempts are preformed by bots and they try it very quickly, they get blocked.