Well, a VERY interesting and strange thing happened today. I was 100+ km away from the office and the server room, when my customer called me to inform me that his server located in my server room is not reachable. Well, I checked the core router via GPRS, and it was not reachable either. The core router is an HP G4 server, running ROS 5.0rc10. After I came back, I was not able to connect to the router via winbox. OK, I restarted the router by power off/on. It booted (beep tone) but still I was not able to connect to it. I attached the monitor and keyboard, and accessed it that way. Now comes the tricky part: In firewall filters, there was new stuff added: drop all traffic in both input and forward??!?! Additionally, these filter rules were entered TWICE for INPUT and FORWARD respectively. Well, this is ABSOLUTELY STRANGE, as I don’t share my password with anybody. This router has a unique password, not used on any other ROS in our system. I am the only person that knows the password!! I, of course, simply disabled these rules, and everything came back to normal.
SSH, Telnet, FTP are disabled in IP-> Services.
Anybody had this kind of problem?? What the hell has happened here? Intrusion?? I’m still confused, really, as I have never heard of anything even similar to this happening. Too bad I powered the router off/on, the content of the log simply vanished…
Oh, forgot to ask, RU sure the default password is not there any more? Happened to me once. Set my passwords, only to find more than a year later that the default one had never been erased!
The default pass was the first thing to remove after installation of the ROS. It’s not there for sure…
I will set some logging to remote server, this should never happen again…
In History, it only says that filter rule changed four times…
Very interesting that both INPUT and FORWARD had the DROP all traffic rule twice?? How was it even possible to put it in TWICE from a remote connection?
That’s not so hard. Write the rules first but disabled. Then enable them all in one go…
But yeah, why would a hacker write the same rule twice? It is still weird, I agree with you.
Unfortunately no. I have no idea what really happened. However, the router password is changed, and logging is enabled to disk. Will see if it happens again. Hopefully, it will not.
Weird things also happened when I swapped to an RB1100.
I was using a Watchguard X20E with a log server setup. For a whole year, I didn’t see any attempts to “try” and log on to the router in the Watchguard logs.
I changed to an RB1100 early 2011. Then in the log window in winbox, I noticed many failed brute-force login attempts. Trying with usernames like admin, user, accounts, resource etc… Particularly on ports 22 and 23. It has happened 3 times so far. Of coz, all those usernames tried are not correct. haha
Suspecting my systems in my place were infected with malware or something, I rebuilt all my PCs and servers. After that, it happened once again. I did a Google search on the IP address that tried to come in, and found out that the IP originated from Australia.
I’m not saying the fault lies with the MikroTik device, it’s just weird that it happens after I swapped.
Well, I block 22/23 now… seems fine.
Don’t be surprised if you see a brute-force attack on port 22!
That’s very common.
To leverage the problem, you can change the port to something else (let’s say… why not 2222?), bots won’t bother you anymore.
And ultimately, use SSH key authentication only (well, I still have to do that myself).
You can also limit the address range allowed to connect to 22/23 (or any service). I have a firewall setup that blacklists IPs that fail to login after 5 attempts, in addition to a limited IP range for winbox, ssh and telnet.
What’s nice about it is you get an automatically made list of offenders.
Yes, in my case I’ve limited access to the admin IP range only (i.e. 10.0.0.0/27) and an admin IP will be blocked after 5 attempts (blacklisted); all public IPs are blocked by default.
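A constructed RouterOS configuration for the setup the last two posts describe (management ports reachable only from the admin range, with a source blacklisted on its 5th attempt); this is an added example, not either poster's actual config. It assumes the 10.0.0.0/27 admin range from the thread, adds 8291 (Winbox) next to 22 and 23, and counts new TCP connections rather than authentication failures, because a firewall filter cannot see whether a login succeeded; 5 quick legitimate sessions will therefore also trip it.

```routeros
# Constructed example: admin-only management access plus a 5-attempt blacklist.
# Adjust the admin range, ports and timeouts to your own environment.
/ip firewall address-list
add list=admins address=10.0.0.0/27 comment="constructed: admin range from the thread"

/ip firewall filter
# 1. Already-blacklisted sources are dropped first, so they cost nothing further.
add chain=input protocol=tcp dst-port=22,23,8291 src-address-list=mgmt_blacklist \
    action=drop comment="drop blacklisted management sources"
# 2. Anything outside the admin range never reaches the management ports at all.
add chain=input protocol=tcp dst-port=22,23,8291 src-address-list=!admins \
    action=drop comment="only the admin range may reach ssh/telnet/winbox"
# 3. Staged counters: each new connection promotes the source one stage;
#    add-src-to-address-list is pass-through, so the packet keeps going.
#    Stages expire after 10 minutes; the 5th connection inside that window
#    lands in the blacklist for a day. Rules are checked highest stage first.
add chain=input protocol=tcp dst-port=22,23,8291 connection-state=new \
    src-address-list=mgmt_stage4 action=add-src-to-address-list \
    address-list=mgmt_blacklist address-list-timeout=1d \
    comment="5th attempt: blacklist for 1 day"
add chain=input protocol=tcp dst-port=22,23,8291 connection-state=new \
    src-address-list=mgmt_stage3 action=add-src-to-address-list \
    address-list=mgmt_stage4 address-list-timeout=10m
add chain=input protocol=tcp dst-port=22,23,8291 connection-state=new \
    src-address-list=mgmt_stage2 action=add-src-to-address-list \
    address-list=mgmt_stage3 address-list-timeout=10m
add chain=input protocol=tcp dst-port=22,23,8291 connection-state=new \
    src-address-list=mgmt_stage1 action=add-src-to-address-list \
    address-list=mgmt_stage2 address-list-timeout=10m
add chain=input protocol=tcp dst-port=22,23,8291 connection-state=new \
    action=add-src-to-address-list address-list=mgmt_stage1 address-list-timeout=10m
# 4. An admin-range source still under the threshold is accepted.
add chain=input protocol=tcp dst-port=22,23,8291 connection-state=new action=accept

# Belt and braces: the services themselves also refuse non-admin sources.
/ip service
set ssh address=10.0.0.0/27
set telnet address=10.0.0.0/27
set winbox address=10.0.0.0/27
```

The "list of offenders" the post mentions is simply `/ip firewall address-list print where list=mgmt_blacklist`; the 1-day timeout means entries clean themselves up, so review it before they expire if you want to know who was knocking.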