Please help me, I'm being attacked RIGHT NOW

Please help me, I'm being attacked.
How can I prevent this?

Help me find them?
This was just now...

log print

dec/24 00:33:46 system,error,critical login failure for user administrator from 190.82.77.203 via telnet 
dec/24 00:33:47 system,error,critical login failure for user root from 85.11.22.132 via telnet 
dec/24 00:33:48 system,error,critical login failure for user root from 190.82.77.203 via telnet

Why do you allow login from the internet?
Did you configure a PPPoE interface using some shady YouTube video instead of the official method?
What is your firewall right now? Does it drop all new incoming traffic from your internet interface?

Go to the IP - Services menu, click telnet and click the Disable button (with the red cross).

I had turned off the remote login option...

Yes, I turned off the telnet service now.
Are you only meant to enable telnet when you want to use it, or

can I block telnet so only my MAC address can access it??

How do I set my local address book so only it can access??


Yes, I have about 80 firewall rules at the moment.


Should I reset and start building again??

I thought I had set up the brute force rule from the MikroTik wiki also???

The one where if an IP gets three wrong entries then they

get put on a list,

and if they stay on the list for 1 minute

then they get put on a block list.

Can anyone shine some light on a script that does this?

Because obviously the one I did is not working...

I am gonna advise you with something:

allow accessing WebFig from your network only, not globally.

And please, next time you don't have to paste the whole log.

Go to IP > Firewall > Filter Rules > add a new one. Chain input, port 23, action drop.
See if this works?

What is the best way you would advise to do this?

Add a firewall rule on the INPUT chain that only allows WinBox, SSH, and HTTPS from one of your internal networks. Then add a firewall rule right below that to drop all traffic to your device. These two rules ensure that ONLY traffic from you is allowed to go directly to your device.

Okay,

I had over 85 firewall rules earlier,

I have cut it back to 30 now.

How do I specify a specific IP?

For instance, earlier I had a management address book

and I allowed only one IP address to access the WebFig,

but I deleted it; now I'm unsure how to reinstate this local-only method

or single-IP management access rule?

I can use something like this; does this look good???


/ip firewall address-list
add list=management-servers address=192.168.00.000

/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept

add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop


I'm only new to MikroTik, only been using it a few days???

If you write firewall rules like that, you’ll end up missing things.

Best practice is to create a rule that allows your management access, and then create a DROP ALL rule at the bottom of the chain. As you find you need to allow additional traffic, you simply add a rule above the DROP ALL rule. You need to make sure you also order the rules correctly to minimize processing overhead, so put the most frequently matched rules at the top, since rules are processed from the top down. Here’s my INPUT chain, which is pretty well locked down.

/ip firewall filter
add action=accept chain=input comment="Accept related/established from internal networks" connection-state=\
    established,related in-interface=!ether1-gateway log=yes log-prefix=gateway-accept-est-rel-internal
add action=accept chain=input comment=\
    "default configuration - Accept inbound related/established" connection-state=\
    established,related in-interface=ether1-gateway log=yes log-prefix=accept-inbound-rel-est
add action=accept chain=input comment="Accept inbound for SSTP VPN" dst-port=443 in-interface=ether1-gateway log=yes \
    log-prefix=accept-inbound-SSTP-VPN protocol=tcp
add action=accept chain=input comment="Accept inbound L2TP/IPsec VPN" dst-port=1701,500,4500 in-interface=\
    ether1-gateway log=yes log-prefix=accept-inbound-l2tp-ipsec-vpn protocol=udp
add action=drop chain=input comment="default configuration - drop unsolicited inbound WAN traffic" in-interface=\
    ether1-gateway log=yes log-prefix=drop-inbound-unsolicited
add action=accept chain=input comment="Accept broadcast traffic from internal networks" dst-address-type=\
    broadcast,multicast in-interface=!ether1-gateway log-prefix=accept-input-bcast/mcast
add action=accept chain=input comment="default configuration - accept icmp on all interfaces" protocol=icmp
add action=accept chain=input comment="Allow MGMT access from internal networks" dst-address=172.16.0.30 dst-port=\
    22,8291 in-interface=!ether1-gateway log-prefix=mgmt-accept-internal protocol=tcp
add action=accept chain=input comment="Accept DHCP on all interfaces" dst-port=67 log-prefix=log-dhcp protocol=udp
add action=drop chain=input comment="drop and log all inbound traffic not matching previous rules" log=yes \
    log-prefix=drop-and-log-input

Well, if you are allowing mgmt from a specific pool of IP addresses there is no need to create an access list; you can do it directly via a firewall rule. It is easier to read if you have an access list, but in the end it's up to you.

/ip firewall address-list
add list=management-servers address=192.168.0.0/24

The /24 was missing.

Also, in the rule itself, you do not need to overcomplicate things with ports/services definitions.
It will work also this way:

/ip firewall filter
add chain=input src-address-list=management-servers  action=accept

to allow mgmt from your pool

and to deny rest

/ip firewall filter
add chain=input in-interface=YourWAN  action=drop

Regarding IP > Services itself, you have the option to define "available from", where you can specify what addresses a service is available from.

I do not have any issues with things you followed to secure your router, but in 70% tutorials rules are overcomplicated without real reason.

One elegant way to drop all these “service-hunters” is like this:

add action=add-src-to-address-list address-list=@Services_Phase1 address-list-timeout=30m chain=input comment=IN-Services1 dst-port=21,22,23,69,80,443,8080 \
    in-interface=YourWAN protocol=tcp
add action=add-src-to-address-list address-list=@Services_Phase2 address-list-timeout=30m chain=input comment=IN-Services2 dst-port=21,22,23,69,80,443,8080 protocol=tcp \
    src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase3 address-list-timeout=1w chain=input comment=IN-Services3 dst-port=21,22,23,69,80,443,8080 protocol=tcp \
    src-address-list=@Services_Phase2

Then in RAW firewall drop @Services_Phase3:

add action=drop chain=prerouting src-address-list=@Services_Phase3
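The thread above describes the staged address-list idea in general terms. The block below is an added example, not a rule set from the thread or from MikroTik, that applies the same pattern to the management ports (SSH and WinBox) and matches the "three strikes, then block" behaviour asked about earlier. The interface name ether1-gateway, the list names and the timeouts are assumptions; change them to match your router.

```routeros
# Added example (not from the thread): staged brute-force protection for the
# management ports. Interface name "ether1-gateway", list names and timeouts
# are assumptions. The firewall cannot see login failures, only new TCP
# connections, so this counts connection attempts from the WAN side.
/ip firewall filter
# 1. Anyone already on the blacklist is dropped first, so nothing below
#    runs for them.
add chain=input protocol=tcp dst-port=22,8291 in-interface=ether1-gateway \
    src-address-list=mgmt_blacklist action=drop \
    comment="drop blacklisted brute-forcers"
# 2. Escalation rules go from the highest stage down and match only
#    connection-state=new, so one new connection moves a source up exactly
#    one stage per pass: 1st attempt -> stage1, 2nd -> stage2,
#    3rd within the minute -> blacklist for one week.
add chain=input protocol=tcp dst-port=22,8291 in-interface=ether1-gateway \
    connection-state=new src-address-list=mgmt_stage2 \
    action=add-src-to-address-list address-list=mgmt_blacklist \
    address-list-timeout=1w comment="third attempt -> blacklist"
add chain=input protocol=tcp dst-port=22,8291 in-interface=ether1-gateway \
    connection-state=new src-address-list=mgmt_stage1 \
    action=add-src-to-address-list address-list=mgmt_stage2 \
    address-list-timeout=1m comment="second attempt -> stage2"
add chain=input protocol=tcp dst-port=22,8291 in-interface=ether1-gateway \
    connection-state=new action=add-src-to-address-list \
    address-list=mgmt_stage1 address-list-timeout=1m \
    comment="first attempt -> stage1"
# 3. Once you trust the blacklist, drop it in RAW as suggested in the thread,
#    so those packets never reach connection tracking or the filter chain.
/ip firewall raw
add chain=prerouting src-address-list=mgmt_blacklist action=drop \
    comment="blacklist drop before connection tracking"
```

Two things to check after pasting this: the order of the escalation rules matters, because add-src-to-address-list does not stop rule processing, so putting the "first attempt" rule above the others would let a single connection climb several stages at once; and since the trigger is new connections rather than failed logins, keep your own management subnet on an accept rule above these (or off the WAN interface, as here) so that reconnecting a few times does not blacklist you. Watch it work with /ip firewall address-list print while an entry ages out of the 1m lists.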

Thank you, I really appreciate your input, it makes sense.

If I do not specify ports in the rule, does it just apply to all ports?


One question I have:


What is phase 1, 2 and 3 services?

If i do not specify ports in the rule does it just apply to all ports?

Yes

What is phase 1, 2 and 3 services?

Just names of access lists who are created by firewall rules. You can change names whatever you like.

One more note, as you see there are no DNS rules involved in this rule-set. You need to take care of that also.

My DNS always changes; is there a way for me to still make better DNS rules that auto-update??

Well, I'm not sure what you mean by "my DNS changes"? Is your ISP changing the IPs of the DNS servers, or is there something else?
Securing your DNS (preventing DNS amplification attacks from your router) can be done by various methods, but maybe the easiest to maintain is to create an access list with the IPs of your DNS servers, and create a firewall rule (even better, a RAW firewall rule) which will drop port 53 from all IP addresses except those on the access list. Something like this:

chain=input action=drop protocol=udp src-address-list=!DNS in-interface=WAN dst-port=53 log=no log-prefix=""

This means: drop UDP traffic on the WAN interface targeted at the router itself on port 53 where the source address is not on the DNS list. Because your DNS changes, it's easier for you to maintain the access list than to change the rule all over again (with every change of your DNS).
Advice:
If you have some 100% correct rules, try to move them from the IP firewall to the RAW firewall, just to decrease the load on the CPU, because all statements in the RAW firewall are considered at the routing level, or to be more precise, before packets enter your router.
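The reply above gives the DNS drop as a filter rule and then recommends moving solid rules to RAW. The block below is an added example, not configuration from the thread, that does exactly that for DNS: one address list you maintain when your resolvers change, and RAW drops for both UDP and TCP 53 on the WAN side. "WAN" is an assumed interface name and the 192.0.2.x addresses are documentation placeholders, not real resolvers.

```routeros
# Added example (not from the thread): stop the router from acting as an
# open resolver toward the internet. "WAN" and the 192.0.2.x resolver
# addresses are placeholders; when your upstream DNS changes, edit only
# this list, never the rules.
/ip firewall address-list
add list=DNS address=192.0.2.53 comment="upstream resolver 1 (placeholder)"
add list=DNS address=192.0.2.54 comment="upstream resolver 2 (placeholder)"

# RAW rules run before connection tracking, so dropping a DNS flood here
# costs less CPU than the same drop in the filter table. Both UDP and TCP
# are covered because DNS falls back to TCP for answers too large for UDP.
/ip firewall raw
add chain=prerouting in-interface=WAN protocol=udp dst-port=53 \
    src-address-list=!DNS action=drop \
    comment="drop DNS queries arriving from the internet (UDP)"
add chain=prerouting in-interface=WAN protocol=tcp dst-port=53 \
    src-address-list=!DNS action=drop \
    comment="drop DNS queries arriving from the internet (TCP)"
```

The router only answers queries from other hosts at all when /ip dns has allow-remote-requests=yes (which you want if the LAN uses the router as its resolver); if you do not need that, set it to no and these rules become a second line of defence. Answers coming back from your own resolvers arrive at an ephemeral destination port rather than port 53, so they are not caught by a dst-port=53 drop either way. Confirm the rules are hitting with /ip firewall raw print stats.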

You're a legend blajah, RAW FIRE

I made it tcp also


Does DNS only resolve on 53? Learn something new every day.

Yeah, only on port 53, mainly UDP, but if the data is bigger than 512 bytes then it switches to TCP.