I noticed an ssh error on RB5009 with Starlink WAN at a remote site. I have not made any attempts to connect with SSH and do not know of anyone at remote site that may have attempted SSH connection.
SSH Service was enabled on port 22, so I changed to different port
screenshot shows the log and also the details of ROS and router in Winbox footer
Any ideas on why this error occurred?
Any advice on other necessary precautions?
Was port 22 and SSH open to the WAN interface? If so, hopefully you have a strong password or had password auth disabled for SSH. Public addresses are very frequently scanned and open ports attacked.
In your case you probably have a CGNAT IPv4 address but a publicly routable IPv6 address. It’s a large address space, but maybe bad actors are probing it. Or perhaps it was someone entering the wrong address, however unlikely.
If you had a weak password on the router then the cautious approach would be to reset it to defaults before making any other changes.
The precaution I would take would be to verify that your firewall is accepting only the traffic you want and dropping everything else - including SSH. If you need to manage the router, VPN to it, then SSH or use WinBox through the tunnel.
If you must have SSH open to the internet, it would be better to take several precautions - different port as you have done, password auth disabled (use certs only) or with very strong password, enable port knocking and/or fail2ban via script. And get a notification of activity so that you can determine if you are seeing an attack or unauthorized logins.
You can have some antivirus that scan local network to find weak devices...
Yes, port 22 and SSH was open to WAN interface. Yes, CGNAT IPv4 address on WAN and I have IPv6 disabled in Mikrotik settings.
Thank you for all of the advice. I will try to understand, absorb and implement what I can.
I see and experience this ssh error every day. With some specific client I need to retry connecting several times until it succeeds.
