Hi,
I'm just wondering why my router log still has records
that include the name of the Mikrotik router and “SSH-2.0-ROSSSH?”
This looks like something bad …
It would seem you don’t have anything to worry about unless you are running very old code.
http://forum.mikrotik.com/t/denial-of-ssh-service-was-fulldisclosure-post/69247/1
It’s incredibly important we all work to keep our devices up to date. The old adage of unboxing a router, setting it up and forgetting about it just isn’t safe. It wasn’t before and it definitely isn’t now.
Thanks for the explanation. I have the most current version (6.39 now).
If this does not concern those who have current firmware, why is this message in my router log?
I don’t get that message in my log on 6.38.5. Could you post a chunk of your log showing the message in particular?
I see it there in the rows with the title “Router SSH-2.0-ROSSSH?”.
May 3 20:40:54 192.168.3.250 May 3 20:40:54 Router Msg-Type = discover
May 3 20:40:54 192.168.3.250 May 3 20:40:54 Router Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server,Vendor-Specific
May 3 20:40:54 192.168.3.250 May 3 20:40:54 Router Host-Name = "Router"
May 3 20:40:54 192.168.3.250 May 3 20:40:54 Router Client-Id = 01-XX-XX-XX-XX-XX-95
May 3 20:40:54 192.168.3.250 May 3 20:40:54 Router sending string
May 3 20:40:54 192.168.3.250 May 3 20:40:54 Router SSH-2.0-ROSSSH?
What are your logging settings?
/system logging print
/system logging print
Flags: X - disabled, I - invalid, * - default
# TOPICS ACTION PREFIX
0 * info remote
1 * error remote
2 * warning remote
3 * critical remote
4 ovpn remote
5 route remote
6 firewall remote
7 certificate remote
8 debug remote
Thanks, you have debug on. I also don’t see the topics displayed in your log message. Is your syslog server truncating that part of the message? It’d be right before the actual message text. Here’s a message from mine:
15:33:34 ssh,debug,packet packet create: 94
The topics would help us tell where it’s coming from.
Also it appears you may be running CAPsMAN. Is it possible it’s trying to control a device with really old code that may be vulnerable to that old exploit?
May 4 20:16:51 192.168.3.250 May 4 20:16:51 Router Host-Name = "Router"
May 4 20:16:51 192.168.3.250 May 4 20:16:51 Router Client-Id = 01-XX-XX-XX-XX-XX-95
May 4 20:16:51 192.168.3.250 May 4 20:16:51 Router received Router Advertisement on interface=ether1-gateway
May 4 20:16:51 192.168.3.250 May 4 20:16:51 Router received prefix 2001:db8:1::/64
May 4 20:16:55 192.168.3.250 May 4 20:16:55 Router sending string
May 4 20:16:55 192.168.3.250 May 4 20:16:55 Router SSH-2.0-ROSSSH?
May 4 20:16:55 192.168.3.250 May 4 20:16:55 Router
May 4 20:16:55 192.168.3.250 May 4 20:16:55 Router closing connection: <connection error> ::ffff:NNN.NN.NNN.NNN:57954 (4)
May 4 20:16:55 192.168.3.250 May 4 20:16:55 Router skip Router Advertisement sending on pppoe-out1: no prefixes to send
May 4 20:16:57 192.168.3.250 May 4 20:16:57 Router dhcp-client on ether1-gateway sending discover with id 787888673 to 255.255.255.255
Thanks for the additional post but I think your Syslog server is trimming the topics out.
What can I do to track down this problem?
If you stop logging DEBUG I imagine it will go away on its own. I can turn on DEBUG on one of mine that is dumping to syslog to see if I see that string with any topics.
Long term you probably want to look into why your Syslog server is truncating topics off of the messages.
Right, after switching off Debug it’s gone!
Thanks
The question is: why is this included in DEBUG log mode?
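An added example, not part of the original thread: with the topics stripped by the syslog server, the banner lines can still be tied to a remote peer by pairing each "SSH-2.0-" line with the "closing connection" line that follows it. The sample lines are constructed in the layout posted above; the 5-second pairing window, the placeholder year and the documentation address 203.0.113.7 are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: syslog time, sender IP, device time, identity, message.
SAMPLE = """\
May 4 20:16:51 192.168.3.250 May 4 20:16:51 Router received prefix 2001:db8:1::/64
May 4 20:16:55 192.168.3.250 May 4 20:16:55 Router sending string
May 4 20:16:55 192.168.3.250 May 4 20:16:55 Router SSH-2.0-ROSSSH?
May 4 20:16:55 192.168.3.250 May 4 20:16:55 Router
May 4 20:16:55 192.168.3.250 May 4 20:16:55 Router closing connection: <connection error> ::ffff:203.0.113.7:57954 (4)
May 4 20:17:30 192.168.3.250 May 4 20:17:30 Router sending string
May 4 20:17:30 192.168.3.250 May 4 20:17:30 Router SSH-2.0-ROSSSH?
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ \w{3} +\d+ [\d:]{8} \S+ ?(.*)$")
CLOSE = re.compile(r"closing connection: .*?(\S+):(\d+) \(\d+\)$")

def parse(text, year=2000):
    """Yield (timestamp, message); year is a placeholder, the log carries none."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def ssh_banner_peers(text, window=timedelta(seconds=5)):
    """Pair each SSH banner line with the next 'closing connection' peer.

    Assumption: a close line within `window` of the banner is the same session.
    Returns [(banner_time, peer_ip or None, peer_port or None), ...].
    """
    events, pending = [], None
    for ts, msg in parse(text):
        if pending is not None and ts - pending > window:
            events.append((pending, None, None))  # banner with no close line seen
            pending = None
        if msg.startswith("SSH-2.0-"):
            if pending is not None:
                events.append((pending, None, None))
            pending = ts
            continue
        m = CLOSE.search(msg)
        if m and pending is not None:
            ip = ipaddress.ip_address(m.group(1))
            ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:a.b.c.d -> a.b.c.d
            events.append((pending, str(ip), int(m.group(2))))
            pending = None
    if pending is not None:
        events.append((pending, None, None))
    return events
```

Peers that show up repeatedly in the result are candidates for a firewall rule limiting SSH to management addresses.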