Strange logs

Hello

For a few days I have been seeing in the logs:

07:20:17 firewall,info input: in:WAN out:(none), src-mac bc:4d:fb:aa:1c:d2, proto TCP (SYN), 201.92.58.210:13575->My_WAN_IP:8291, len 40
07:35:35 firewall,info input: in:WAN out:(none), src-mac bc:4d:fb:aa:1c:d2, proto TCP (SYN), 159.146.49.190:62758->My_WAN_IP:8291, len 40
07:39:55 firewall,info input: in:WAN out:(none), src-mac bc:4d:fb:aa:1c:d2, proto TCP (SYN), 191.19.137.106:9277->My_WAN_IP:8291, len 40
08:01:34 firewall,info input: in:WAN out:(none), src-mac bc:4d:fb:aa:1c:d2, proto TCP (SYN), 172.222.222.243:25906->My_WAN_IP:8291, len 40
08:10:33 firewall,info input: in:WAN out:(none), src-mac bc:4d:fb:aa:1c:d2, proto TCP (SYN), 37.19.95.45:19550->My_WAN_IP:8291, len 40
08:32:08 firewall,info input: in:WAN out:(none), src-mac bc:4d:fb:aa:1c:d2, proto TCP (SYN), 177.95.243.49:49061->My_WAN_IP:8291, len 40
08:32:49 firewall,info input: in:WAN out:(none), src-mac bc:4d:fb:aa:1c:d2, proto TCP (SYN), 179.110.69.91:36141->My_WAN_IP:8291, len 40
08:57:49 firewall,info input: in:WAN out:(none), src-mac bc:4d:fb:aa:1c:d2, proto TCP (SYN), 191.8.45.96:20219->My_WAN_IP:8291, len 40

My firewall looks like:

[mee@Router] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop Invalid connections
chain=input action=drop connection-state=invalid
1 ;;; Allow Established connections
chain=input action=accept connection-state=established,related
2 X ;;; Allow ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
3 chain=input action=accept protocol=tcp src-address=192.168.0.0/24 dst-port=8291
4 chain=input action=accept protocol=tcp src-address=my_home_IP/26 in-interface=WAN dst-port=8291
5 X chain=input action=accept protocol=tcp src-address=my_home_IP/26 in-interface=WAN dst-port=8090,8091,8081,8082,8071,3080,8084
6 chain=input action=drop protocol=tcp dst-port=8291 log=yes
7 ;;; Allow access to router from known network
chain=input action=accept src-address=192.168.0.0/24
8 ;;; Allow access to router from known network
chain=input action=accept src-address=192.168.88.0/24
9 ;;; Drop anything else
chain=input action=drop

That’s strange because in my opinion the firewall shouldn’t allow such connections. Am I wrong?
How can I correct it?

Regards
Slawek

My guess is that your FW is actually dropping the connections as per rule number 6 in your filter list. However, you do see these in your log because your filter rule has “log=yes” … hence log entries.

Hi MKX

You are right. So should I be concerned about such entries (I assume that I have a strong password and I have limited management access to only a few IPs)?
Can I improve something in the firewall?

How do I create logs that will be persistent on flash and whose size will be no bigger than xxMB? How do I do that using the CLI?
I’m using ROS 6.40.2.

Regards
Slawek

Your FW regarding the Winbox access port is just fine, and if the log entries bother you, you could just omit the log=yes part of rule …

I don’t have any definitive advice regarding log … other than that it seems you can’t get log written to persistent storage on the RB device itself … but you can use external syslog server. And it seems that you can not “trim” log to certain size …

No, these entries are because other people do not update their router often enough and do not have a correct firewall like you,
and this weekend they got infected by a MikroTik worm on the internet.
Just remove the “log” checkmark and you won’t see these messages (that are not useful to you) anymore.

No, these entries are because other people do not update their router often enough and do not have a correct firewall like you,
and this weekend they got infected by a MikroTik worm on the internet.

Whoow - could you be more specific about this worm? What versions of ROS are affected?

Thanks to all of you for the explanation. This is a small installation without any server that could act as a syslog server, so I’m looking at how to put logs on the router flash to get the ability to browse them more than 1 day into the past.

Regards
Slawek

Look elsewhere on the forum for the worm.
It depends on the router type whether it will write the logs to flash or not.
Cheap/recent routers have a small flash and logfiles are on the ramdisk.
However, as long as you don’t reboot they can still be kept quite long.
Just configure log to “disk” and set the size. On the older routers and more expensive types which have 128MB flash they will be on flash.
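As an added example (not from any poster in this thread), here is one way to do what the last reply describes from the RouterOS 6.x CLI: send the firewall topic to the built-in "disk" logging action with a bounded number of files and lines, and give the dropping rule a prefix so its entries are easy to find. The file name "fwlog", the 2000-line/5-file limits and the prefix "winbox-drop" are assumed values; where the files land (flash or ramdisk) depends on the board, as the reply says.

```routeros
# Bound the on-device log: 5 rotating files of 2000 lines each.
# disk-stop-on-full=no means the oldest file is overwritten instead of logging stopping.
/system logging action
set disk disk-file-name=fwlog disk-lines-per-file=2000 disk-file-count=5 disk-stop-on-full=no

# Tag the rule that drops unsolicited Winbox (tcp/8291) probes (rule 6 in the thread)
# so its lines stand out when the files are read back later.
/ip firewall filter
set [find chain=input action=drop dst-port=8291] log=yes log-prefix="winbox-drop"

# Route the firewall topic to the disk action; the default memory action is untouched,
# so /log print keeps working as before.
/system logging
add topics=firewall action=disk

# Check that the files are being written and that tagged entries appear.
/file print where name~"fwlog"
/log print where message~"winbox-drop"
```

After a reboot the files survive only if the "disk" target is real flash on that board; on ramdisk boards they are lost, which is the trade-off the reply above describes.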