MT router under attack?

Hi, for the last few days, every time I open a new terminal, I see a list of critical login failures of non-existed user-names. Sometimes it appears that there are thousands of those messages (not shown). Am I under some kind of attack? What should I do?
Look below:

MikroTik RouterOS 3.0rc6 (c) 1999-2007 http://www.mikrotik.com/

(3124 messages not shown)
oct/07/2007 06:23:51 system,error,critical login failure for user httpd from 213.21.208.164 via ssh
oct/07/2007 06:23:55 system,error,critical login failure for user pop from 213.21.208.164 via ssh
oct/07/2007 06:24:00 system,error,critical login failure for user nobody from 213.21.208.164 via ssh
oct/07/2007 06:24:03 system,error,critical login failure for user root from 213.21.208.164 via ssh
oct/07/2007 06:24:12 system,error,critical login failure for user backup from 213.21.208.164 via ssh
oct/07/2007 06:24:17 system,error,critical login failure for user info from 213.21.208.164 via ssh
oct/07/2007 06:24:20 system,error,critical login failure for user shop from 213.21.208.164 via ssh
oct/07/2007 06:24:24 system,error,critical login failure for user sales from 213.21.208.164 via ssh
Terminal vt102 detected, using multiline input mode
[admin@MikroTik] >

Bruteforce login prevention (FTP and SSH)
From MikroTik Wiki

allows only 10 FTP login incorrect answers per minute

/ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

This will prevent an SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.


/ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
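The staged rules above escalate a source through ssh_stage1, ssh_stage2 and ssh_stage3 on each new SSH connection and blacklist it once it is seen in stage3. The following Python model of that escalation is an added example, not code from the wiki or from RouterOS; it assumes that an add-src-to-address-list match falls through to the later rules and that re-adding an address refreshes its timeout (neither assumption changes which connection gets blacklisted). Note that the rules count new connections, not failed logins, so an admin who opens four SSH sessions inside a minute is banned for 10 days just like an attacker.

```python
from dataclasses import dataclass, field

# Timeouts taken from the quoted wiki rules, in seconds.
STAGE_TIMEOUT = 60               # address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 86400   # address-list-timeout=10d


@dataclass
class AddressLists:
    """Dynamic address lists: {list_name: {ip: expiry_time}}."""
    lists: dict = field(default_factory=dict)

    def contains(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        # Assumption: re-adding an address refreshes its expiry.
        self.lists.setdefault(name, {})[ip] = now + timeout


def new_ssh_connection(lists, src, now):
    """Run one new SSH connection (a SYN) from `src` at time `now` through the
    five wiki rules in order. Returns "drop" if rule 1 (the blacklist drop)
    matches, otherwise "accept". The add-src-to-address-list rules are
    modelled as pass-through, so later rules still see the packet."""
    if lists.contains("ssh_blacklist", src, now):
        return "drop"                                            # rule 1
    if lists.contains("ssh_stage3", src, now):
        lists.add("ssh_blacklist", src, now, BLACKLIST_TIMEOUT)  # rule 2
    if lists.contains("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, now, STAGE_TIMEOUT)         # rule 3
    if lists.contains("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, now, STAGE_TIMEOUT)         # rule 4
    lists.add("ssh_stage1", src, now, STAGE_TIMEOUT)             # rule 5
    return "accept"


def simulate(timestamps, src):
    """Return the per-connection outcomes and whether `src` ended up blacklisted."""
    lists = AddressLists()
    outcomes = [new_ssh_connection(lists, src, t) for t in timestamps]
    return outcomes, lists.contains("ssh_blacklist", src, timestamps[-1])


if __name__ == "__main__":
    # Constructed scenarios: four connections in 30 s vs one every 90 s.
    print(simulate([0, 10, 20, 30, 40], "198.51.100.7"))   # fast: blacklisted
    print(simulate([0, 90, 180, 270, 360], "203.0.113.9"))  # slow: never escalates
```

The fourth fast connection is the one that lands the source in ssh_blacklist; every packet after it, including the rest of that fourth session, hits rule 1 and is dropped.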

Simple to fix. In Winbox, go to the IP tab, then Services. Disable all unnecessary services, like HTTP, FTP, Telnet etc., and maybe change the port number to non-standard ports. I have done this repeatedly on many of our MT routers and stopped the attempts to log in…

Thanks guys, I have added these firewall rules. Hope that it works.

Viroslash,
I am so glad to see that the bad guy got banned just after three attempts this arvo. I also see his IP address in the blacklist. I was just wondering if I could display a message if blacklisted IP addresses attempt to log in again? That would be cool.

With this rule you can know who is trying to log in. Put it before the others.

/ip firewall filter
add chain=input protocol=tcp dst-port=20-23 action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d comment="remote_logins" disabled=no

How do they come to know that I just installed a new copy of RouterOS?

Do they search the whole internet? Or does my server send some packets, or do they learn it from forums???

Usually just a random port scan. The local cable company was being hammered, and my subnet is just a few digits different, mine was hammered shortly after.

What I have done is to change critical under Logging from echo to disk.
It helps me to keep track of how many times one IP address tries.

If you want to log every subsequent login attempt from a blacklisted address, put this above the "action=drop" rule:

/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=log log-prefix=SSH-blacklisted comment="log blacklisted ssh brute forcers" disabled=no

I have also tried a similar rule, but it gives me too much information that I don't need. I just want to see the IP address and how many attempts there were.

This is what I will usually see with the rule you mentioned:

Sep/13/2012 16:08:37 route,ospf,debug ssh_blacklist (input): RECV: Hello <- 172.16.0.1 on ether2 (172.16.0.200)
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input): PACKET:
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     45 C0 00 54 20 97 00 00 01 59 0B E4 AC 10 00 01
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     E0 00 00 05 02 01 00 30 0A 00 00 01 AC 10 00 00
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     00 00 00 02 00 00 01 10 00 00 0B 77 FF FF FF 00
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     00 0A 02 01 00 00 00 28 00 00 00 00 00 00 00 00
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     AC 10 00 C8 B0 6E EF 95 5C 8B 55 2B EE CD 0F 49
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     70 B1 8B 29
Sep/13/2012 16:08:37 route,ospf,debug ssh_blacklist (input):   received options: E
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input): rcvd Echo-Request from 10.0.0.2
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     identifier=15
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input): sent Echo-Reply to 10.0.0.2
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     identifier=15
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     result-code=1
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     error-code=0
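The "login failure for user ... from ... via ..." lines in the first post already carry the source address and the username tried, which is exactly the per-IP attempt count asked for above. This Python parser is an added example, not code from the thread or from MikroTik; the sample lines are constructed in the same format as the original post (the second source address is a constructed documentation address) and the non-matching "logged in" line shows that unrelated log entries are ignored.

```python
import re
from collections import Counter, defaultdict

# RouterOS "login failure" entry as shown in the first post, e.g.
# oct/07/2007 06:23:51 system,error,critical login failure for user httpd from 213.21.208.164 via ssh
LOGIN_FAILURE = re.compile(
    r"^(?P<ts>\S+ \S+) system,error,critical login failure "
    r"for user (?P<user>\S+) from (?P<src>\S+) via (?P<service>\S+)$"
)


def parse_failures(lines):
    """Yield (timestamp, user, source, service) for every login-failure line."""
    for line in lines:
        m = LOGIN_FAILURE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user"), m.group("src"), m.group("service")


def summarise(lines):
    """Count failures per source address, most active source first.

    Returns {src: {"attempts": n, "users": [...], "services": [...]}}.
    """
    attempts = Counter()
    users = defaultdict(set)
    services = defaultdict(set)
    for _ts, user, src, service in parse_failures(lines):
        attempts[src] += 1
        users[src].add(user)
        services[src].add(service)
    return {
        src: {"attempts": n, "users": sorted(users[src]), "services": sorted(services[src])}
        for src, n in attempts.most_common()
    }


# Constructed sample in the format of the original post (not captured traffic).
SAMPLE_LOG = """\
oct/07/2007 06:23:51 system,error,critical login failure for user httpd from 213.21.208.164 via ssh
oct/07/2007 06:23:55 system,error,critical login failure for user pop from 213.21.208.164 via ssh
oct/07/2007 06:24:00 system,error,critical login failure for user nobody from 213.21.208.164 via ssh
oct/07/2007 06:24:03 system,error,critical login failure for user root from 213.21.208.164 via ssh
oct/07/2007 06:25:10 system,error,critical login failure for user admin from 203.0.113.5 via telnet
oct/07/2007 06:25:12 system,info,account user admin logged in from 192.0.2.10 via winbox
""".splitlines()

if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} failures, users={info['users']}, via={info['services']}")
```

Feed it the output of /log print (with logging for the critical topic sent to disk, as suggested above) to get the same summary for a real router.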

I'm new to RouterOS and I have a question.

If I want to input this list, "http://www.spamhaus.org/drop/drop.txt", how do I go about doing it?

Hi,

Check this
http://joshaven.com/resources/tricks/mikrotik-automatically-updated-address-list/