Strange SSH anomaly

routerboard: yes
model: 751U-2HnD
serial-number: XXXXXXXXXXXX
current-firmware: 3.10
upgrade-firmware: 3.10
routerOS: 6.7

I observed a very strange anomaly this morning and would really appreciate some help understanding what I saw. On my input rules I allow SSH since I occasionally need remote access to my router. To better secure it, only two accounts are allowed access to it - my own and admin. Both use 24-character passwords; mine is set to allow full access while admin is set to read only.

This morning while looking in the connections table I observed a connection from a foreign IP to me on port 22. The TCP state said “Established” and when I torched the connection I observed bidirectional traffic on the interface with that foreign IP. Looking at “/system users active users” I was the only one logged into the router.

How could someone have established an SSH connection to my router without the login showing up as an active user? Am I not interpreting what I observed correctly?

It only means that an SSH client is connected to the router, but not authenticated using a user name/password.
Maybe someone tried to brute-force the SSH service.

HTH,

This is exactly what happened - when SSH is established there is a lot of chatter to set up a secure connection before any credentials are exchanged.

To see this you can check for yourself - enable SSH debug logs and set up debugging on your side, then attempt the connection using wrong credentials.

The best thing to do is apply the firewall rules that block SSH attempts after a couple of failed logins.

The rule set is in the wiki somewhere.

I have it on all my routers so that I can access them from anywhere, but it blocks others after 3 failed logins.
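Added example (not from the original thread or its posters): a RouterOS input-chain rule set of the kind the reply refers to, built with address lists. Each new connection to port 22 moves the source one stage further; the fourth new connection inside the timeouts lands it on a blacklist that is dropped for 10 days, so three attempts are tolerated. Note that these rules count new TCP connections to port 22 per source, not authentication failures, so an unauthenticated client that keeps reconnecting (exactly the "Established but not logged in" case above) is caught as well, but so is a legitimate user who reconnects quickly. The "trusted" address list is an assumption added here so the administrator's own addresses are never staged or blacklisted.

```routeros
# Assumed: fill in your own management address(es); entries here bypass the staging rules.
/ip firewall address-list
add list=trusted address=198.51.100.10 comment="constructed example management host"

/ip firewall filter
# Always let trusted sources in first, so a slip in the rules below cannot lock them out.
add chain=input protocol=tcp dst-port=22 src-address-list=trusted action=accept \
    comment="trusted SSH sources"

# Drop anything already blacklisted before it reaches the staging rules.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="drop SSH brute forcers"

# Staging: add-src-to-address-list is a passthrough action, so a packet keeps
# being evaluated by the rules below it. Order the stages from highest to lowest
# so a source is promoted exactly one stage per new connection.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="4th new connection within the window -> blacklist for 10 days"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m \
    comment="every new SSH connection starts at stage 1"

# Plain accept for connections that survived the staging rules.
add chain=input protocol=tcp dst-port=22 action=accept comment="SSH"
```

To confirm the staging is working, watch "/ip firewall address-list print" while you connect a few times in a row from an untrusted address; the source should step through ssh_stage1..3 and appear in ssh_blacklist on the fourth attempt.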