Protection?

What is the best way to make sure my MT box can hold these guys off?
Just a strong password? This box has been up for 1 day now.

echo: system,error,critical login failure for user root from 62.213.0.226 via ssh
echo: system,error,critical login failure for user cosmin from 62.213.0.226 via ssh
echo: system,error,critical login failure for user cip52 from 62.213.0.226 via ssh
echo: system,error,critical login failure for user cip51 from 62.213.0.226 via ssh
echo: system,error,critical login failure for user root from 62.213.0.226 via ssh
echo: system,error,critical login failure for user noc from 62.213.0.226 via ssh
echo: system,error,critical login failure for user webmaster from 62.213.0.226 via ssh
echo: system,error,critical login failure for user data from 62.213.0.226 via ssh
echo: system,error,critical login failure for user user from 62.213.0.226 via ssh
echo: system,error,critical login failure for user web from 62.213.0.226 via ssh
echo: system,error,critical login failure for user web from 62.213.0.226 via ssh
echo: system,error,critical login failure for user oracle from 62.213.0.226 via sh
echo: system,error,critical login failure for user sybase from 62.213.0.226 via ssh
echo: system,error,critical login failure for user master from 62.213.0.226 via ssh
echo: system,error,critical login failure for user account from 62.213.0.226 via ssh
echo: system,error,critical login failure for user backup from 62.213.0.226 via ssh
echo: system,error,critical login failure for user server from 62.213.0.226 via ssh
echo: system,error,critical login failure for user adam from 62.213.0.226 via ssh
echo: system,error,critical login failure for user alan from 62.213.0.226 via ssh
echo: system,error,critical login failure for user frank from 62.213.0.226 via ssh
echo: system,error,critical login failure for user george from 62.213.0.226 via ssh
echo: system,error,critical login failure for user henry from 62.213.0.226 via ssh
echo: system,error,critical login failure for user john from 62.213.0.226 via ssh
echo: system,error,critical login failure for user root from 62.213.0.226 via ssh
echo: system,error,critical login failure for user root from 219.151.40.10 via ssh
echo: system,error,critical login failure for user root from 219.151.40.10 via ssh

My favorite trick is to proxy / tunnel the hacker's IP back to himself. That way he tries to SSH into his own box.

Sam

I think what you are seeing is generated from infected machines out on the internet - most likely the people on the other end of those IP addresses don’t even know they are scanning you. I see a lot of these on one of our servers… in fact, the exact same username attempts you posted. Every day it’s a new batch of IP addresses, some from the US, some from other countries. Anyone know of such a virus/trojan/worm?

That’s my theory anyway :slight_smile:

Just make sure you’ve got strong passwords and maybe set your admin name to something different.

Set up an access-list so that only specific networks/IPs can manage the MT box remotely. Drop everything else.

Change the port that ssh is using (/ip service). This is a very simple script that only attacks port 22.

At the same time, unless you really need to be able to administer your box from the Internet, restrict access to your local LAN / admin workstation.

Oh, and firewall rules in the Input chain as well. You really shouldn’t be allowing inbound connections to the router unless you have a specific rule to allow restricted legitimate access.

Regards

Andrew
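As an added example (not posted by Andrew or anyone else in this thread), here are the RouterOS commands for the three steps above: management only from listed networks, ssh moved off port 22, and a default-deny input chain. The addresses and port 2222 are placeholders for your own LAN and admin host.

```routeros
# Added example, not from the thread. Hardens management access on RouterOS
# as Andrew describes. 192.168.88.0/24, 203.0.113.10 and port 2222 are
# placeholders; substitute your own LAN, admin workstation and port.

# 1. Address list of networks allowed to manage the router
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="local LAN (placeholder)"
add list=mgmt address=203.0.113.10 comment="admin workstation (placeholder)"

# 2. Bind the management services to those networks and move ssh off 22;
#    disable the services you do not use so they cannot be probed at all
/ip service
set ssh port=2222 address=192.168.88.0/24,203.0.113.10
set winbox address=192.168.88.0/24,203.0.113.10
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes

# 3. Input chain: keep existing sessions, allow management only from the
#    list, then drop everything else addressed to the router itself.
#    Rule order matters: the final drop must stay last.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="pings"
add chain=input src-address-list=mgmt protocol=tcp dst-port=2222,8291 \
    action=accept comment="ssh + winbox from mgmt networks only"
add chain=input action=drop comment="default deny for the router"
```

Add the accept rules before the final drop and keep a second session open while you apply them, so a typo in the address list does not lock you out of the box.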

How do you accomplish that?

What I do is not allow any connections on the internet interface except for VPN connections, UDP and pings. If I am outside the network, then I VPN first, then log in through ssh or winbox. There is no need to have any open ports on the internet. I guess it all depends on how security conscious you are.

D~

Security is great. Phone calls from users with problems is not great.

With a setup like this, it sounds to me that you would face a lot of phone calls…

But I might be wrong - or perhaps my previous customers have been dumber than average. :wink:

I am not sure what you are referring to as far as phone calls from customers with this setup? Can you elaborate?

As an ISP I’m sure you have some sort of support center to handle your customers who are calling you, having problems.

My experience tells me that an advanced login routine will result in many user problems and phone calls for support (how do I do that? do I need that? how do I install the client? SSH, is that a cake? And all sorts of silly questions. )

This is why I raised the question. But as I’ve read your initial posting again, I see that the described way of logging in is for you as an administrator, not for the end users. My bad there - I really didn’t read your post well enough. :slight_smile:

G’dday.

No problem. That setup is for internet-facing routers for administration.
Any internal routing is done on non-routable IP ranges so they cannot be accessed from outside the network unless you VPN as well.

D~