Mikrotik Errors

Every time I log into my terminal, I have many errors. Here is the current list:

(1405 messages not shown)
aug/06/2013 07:57:06 system,error,critical login failure for user debug from 182.18.18.197 via ssh
aug/06/2013 07:57:09 system,error,critical login failure for user baby from 182.18.18.197 via ssh
aug/06/2013 07:57:13 system,error,critical login failure for user science from 182.18.18.197 via ssh
aug/06/2013 07:57:16 system,error,critical login failure for user technology from 182.18.18.197 via ssh
aug/06/2013 07:57:19 system,error,critical login failure for user biology from 182.18.18.197 via ssh
aug/06/2013 07:57:22 system,error,critical login failure for user chemistry from 182.18.18.197 via ssh
aug/06/2013 07:57:25 system,error,critical login failure for user math from 182.18.18.197 via ssh
aug/06/2013 07:57:28 system,error,critical login failure for user lab from 182.18.18.197 via ssh

What are these? Is someone trying to get in? How do I protect myself against it if they are?

Thanks.

Looks like your SSH is open to the world. It is common to get those scans for users with “insecure” passwords once your SSH is reachable from the internet. You should limit SSH access a bit, for example with firewall rules.

Ok. I understand. Do I need to have ssh open at all?

What is the best way to secure ssh?

Drop the connections with the firewall from the WAN interface to the router that you don’t need. Personally I have a default drop and only allow certain connections to the router (e.g. VPN).

Change the SSH service port from the default.

Follow the advice here, to protect your router from such attacks: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

I added this:

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

to my firewall. Right now I have some accept rules and a general deny rule. Where should these new rules be located? Above the deny, above the accept, in the middle? Thanks.

Does it matter where I place the ssh programming language in my firewall?



When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the chain, then it is accepted.

see: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

I understand the text that is written, but I don’t understand how the script is processed, so that is why I was asking where the language needs to be placed in the firewall. If anyone knows, I would appreciate it.
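
An added example, not part of the thread or the MikroTik wiki: a small Python model of top-to-bottom chain processing applied to the five rules posted above, showing that they only take effect when placed above the rule that accepts SSH. It models add-src-to-address-list as letting the packet continue to the next rule, as RouterOS does; the accept rule, the source address 198.51.100.7 and the attempt timings are assumptions made for the demo.

```python
# Added example: models RouterOS top-to-bottom filter processing for new
# TCP/22 connections. Not RouterOS code; the accept rule is an assumption.
MIN, DAY = 60, 86400  # address-list timeouts in seconds

# (source list the rule requires or None, action, list to add to, timeout)
SSH_RULES = [
    ("ssh_blacklist", "drop", None, 0),
    ("ssh_stage3", "add", "ssh_blacklist", 10 * DAY),
    ("ssh_stage2", "add", "ssh_stage3", MIN),
    ("ssh_stage1", "add", "ssh_stage2", MIN),
    (None, "add", "ssh_stage1", MIN),
]
ACCEPT_SSH = (None, "accept", None, 0)  # assumed existing "allow SSH" rule
DROP_ALL = (None, "drop", None, 0)      # the general deny rule at the bottom


def process(chain, lists, src, now):
    """Return the verdict for one new SSH connection from src at time now."""
    for need, action, target, timeout in chain:
        if need is not None and lists.get((need, src), 0) <= now:
            continue  # src is not (or no longer) on the required list
        if action == "add":
            lists[(target, src)] = now + timeout
            continue  # address-list actions do not end chain processing
        return action  # accept and drop end processing: first match wins
    return "accept"  # nothing matched: the packet is accepted


def replay(chain, times, src="198.51.100.7"):
    """Feed connection attempts at the given times (seconds) through chain."""
    lists = {}
    return [process(chain, lists, src, t) for t in times], lists


if __name__ == "__main__":
    burst = [0, 3, 6, 9, 12, 15]  # constructed: one attempt every 3 s
    above = SSH_RULES + [ACCEPT_SSH, DROP_ALL]
    below = [ACCEPT_SSH] + SSH_RULES + [DROP_ALL]
    # Stage rules listed stage1-first: one connection climbs every stage.
    cascade = [SSH_RULES[0]] + SSH_RULES[:0:-1] + [ACCEPT_SSH, DROP_ALL]
    for name, chain in (("above", above), ("below", below), ("cascade", cascade)):
        print(name, replay(chain, burst)[0])
```

Placed above the accept rule, the fifth attempt in the burst is dropped; placed below it, every attempt is accepted and no address list is ever filled. Listing the stage rules in the opposite order blacklists a source after a single connection, which is why the block keeps the blacklist and stage3 rules first.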