jlxl
July 24, 2007, 11:29am
1
Recently we have been seeing multiple login attempts through Winbox in our log. Most of these attempts are successful but last just a second before logging out. (See attached image.)
Is this something to do with the Dude? It is not happening on all devices, just a random few it seems. It looks like this happens every 2-5 minutes.
Anyone have any ideas as to what this might be? Nothing appears messed up or passwords changed, nor is there any visible evidence of hacking.
Are the devices internal, or reachable from the public internet?
Are you using the Dude to monitor your system?
If you add a new user named something else and remove the default ‘admin’ user does the message change at all?
For better security, add a PPTP setup to the box, and set up a firewall filter rule in the input chain that only allows the PPTP addresses to access the router.
Cheers
tgrand
July 24, 2007, 12:04pm
3
Disable the admin account, but first create a new administrator user (not an obvious admin name).
Be sure to use a strong password.
Also block port 80 traffic with a destination address equal to your interface addresses.
This will prevent them from downloading Winbox from the router.
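The two replies above (a dedicated VPN/management range allowed into the input chain, a renamed administrator with the built-in admin disabled, and port 80 closed so Winbox cannot be fetched from the router) can be combined into one RouterOS configuration. The following is an added example written for this page, not a configuration posted by either reply; the username, password, the MGMT address list and its addresses (10.10.10.0/24 and 192.0.2.10) are placeholders, and the multi-port and `where` syntax assumes RouterOS v3 or later (on 2.9, use one rule per port). One caveat on the first reply: PPTP's MS-CHAPv2 authentication is cryptographically broken, so treat the VPN only as a source of known management addresses, not as the security boundary; the address-list rules below work the same with any VPN.

```routeros
# Added example, not from the thread. Placeholders: user netops-r1, the
# password, list name MGMT and its members. Syntax assumed: RouterOS v3+.

# 1. Replacement full-rights user with a non-obvious name, then disable
#    (do not delete) the built-in admin so attackers cannot guess the login.
/user add name=netops-r1 group=full password="use-a-long-random-passphrase"
/user set admin disabled=yes

# 2. Known management hosts: VPN pool and the Dude server.
/ip firewall address-list
add list=MGMT address=10.10.10.0/24 comment="VPN pool / NOC"
add list=MGMT address=192.0.2.10 comment="Dude server"

# 3. Belt and braces: bind each management service to the MGMT range at
#    the service level as well, and turn off www (the Winbox download page)
#    if it is not needed.
/ip service
set winbox address=10.10.10.0/24,192.0.2.10
set ssh address=10.10.10.0/24,192.0.2.10
disable www

# 4. Input chain: state rules first, then management only from MGMT.
#    8291 is the Winbox port on RouterOS 2.9 and later; 22/23/80/21 are
#    the default ports for the other services (adjust if /ip service was
#    changed). The input chain only sees traffic addressed to the router's
#    own addresses, so no dst-address match is needed to cover "port 80 to
#    our interface addresses".
/ip firewall filter
add chain=input connection-state=established action=accept comment="ALLOW ESTABLISHED"
add chain=input connection-state=related action=accept comment="ALLOW RELATED"
add chain=input connection-state=invalid action=drop comment="DROP INVALID"
add chain=input protocol=tcp dst-port=8291,22,23,80,21 src-address-list=MGMT action=accept comment="MANAGEMENT FROM MGMT ONLY"
add chain=input protocol=tcp dst-port=8291,22,23,80,21 action=drop comment="MANAGEMENT FROM ANYWHERE ELSE"

# 5. Verify nothing outside MGMT can still log in.
/log print where message~"logged in"
```

Apply the `/ip service` and filter changes from an existing management session and keep that session open until a second session from inside MGMT succeeds; locking yourself out of 43 remote routers is the realistic failure mode here.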
jlxl
July 24, 2007, 1:12pm
4
Under /ip service we had changed all the service ports, and we access our routers through our custom ports.
43 of our routers have public IP addresses on them, and until we changed the service ports we saw lots of SSH login attacks etc., the same as most people's complaints. We use firewall rules similar to the following:
/ip firewall filter
#
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="DROP PORT SCANNERS" disabled=no
add chain=forward protocol=tcp dst-port=25 src-address-list=SPAMMER action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list address-list=SPAMMER address-list-timeout=1d comment="ADD SPAMMERS TO A BLOCK LIST FOR ONE DAY"
#
add chain=input protocol=tcp connection-limit=3,32 src-address-list=BLACK_LIST action=tarpit comment="SUPPRESS DOS ATTACKS" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=BLACK_LIST address-list-timeout=1d comment="DETECT DOS ATTACK" disabled=no
#
add chain=input protocol=tcp dst-port=23 action=drop comment="DENY STANDARD TELNET ACCESS"
add chain=input protocol=tcp dst-port=22 action=drop comment="DENY STANDARD SSH ACCESS"
#
add chain=input action=jump jump-target=BAD_PEOPLE comment="JUMP TO THE BAD_PEOPLE CHAIN" disabled=no
add chain=forward action=jump jump-target=VIRUS comment="JUMP TO THE VIRUS CHAIN" disabled=no
#
add chain=input connection-state=invalid action=drop comment="DROP INVALID CONNECTIONS"
add chain=input connection-state=established action=accept comment="ALLOW ESTABLISHED CONNECTIONS"
add chain=input connection-state=related action=accept comment="ALLOW RELATED CONNECTIONS"
add chain=input protocol=icmp limit=5,5 action=accept comment="ALLOW LIMITED PINGS"
add chain=input protocol=icmp action=drop comment="DROP EXCESS PINGS"
#
# See http://isc.incidents.org/top10.php for some more info on "recommended" ports to block at the firewall
# Also, http://www.symantec.com/ and http://www.sophos.com/virusinfo/
#
# Top Ten Bad People List - http://isc.incidents.org/top10.html
#
add chain=BAD_PEOPLE src-address=81.180.98.3/32 action=drop comment="KNOWN SPAMMER" disabled=no
add chain=BAD_PEOPLE src-address=24.73.97.226/32 action=drop comment="KNOWN SPAMMER" disabled=no
add chain=BAD_PEOPLE src-address=67.75.20.112/32 action=drop comment="http://isc.incidents.org/top10.htm - 06.06.2007" disabled=no
add chain=BAD_PEOPLE src-address=218.104.138.166/32 action=drop comment="http://isc.incidents.org/top10.htm - 06.06.2007" disabled=no
add chain=BAD_PEOPLE src-address=212.3.250.194/32 action=drop comment="http://isc.incidents.org/top10.htm - 06.06.2007" disabled=no
add chain=BAD_PEOPLE src-address=80.132.187.0/24 action=drop comment="http://isc.incidents.org/top10.htm - 06.06.2007" disabled=no
add chain=BAD_PEOPLE src-address=218.104.138.0/24 action=drop comment="http://isc.incidents.org/top10.htm - 06.06.2007" disabled=no
add chain=BAD_PEOPLE src-address=219.77.152.0/24 action=drop comment="http://isc.incidents.org/top10.htm - 06.06.2007" disabled=no
# addresses written in plain dotted decimal (no leading zeros, which some parsers read as octal)
add chain=BAD_PEOPLE src-address=150.164.55.22 action=drop comment="http://isc.incidents.org/top10.htm - 06.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=61.187.249.167 action=drop comment="http://isc.incidents.org/top10.htm - 06.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=202.113.96.15 action=drop comment="http://isc.incidents.org/top10.htm - 06.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=125.244.116.130 action=drop comment="http://isc.incidents.org/top10.htm - 06.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=195.254.134.18 action=drop comment="http://isc.incidents.org/top10.htm - 06.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=85.185.53.4 action=drop comment="http://isc.incidents.org/top10.htm - 06.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=219.153.48.229 action=drop comment="http://isc.incidents.org/top10.htm - 06.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=64.185.225.95 action=drop comment="http://isc.incidents.org/top10.htm - 06.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=60.206.125.226 action=drop comment="http://isc.incidents.org/top10.htm - 06.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=201.6.254.10 action=drop comment="SSH Login Attack - 06.18.2007" disabled=no
add chain=BAD_PEOPLE src-address=61.156.8.161 action=drop comment="SSH Login Attack - 06.18.2007" disabled=no
add chain=BAD_PEOPLE src-address=24.234.145.37 action=drop comment="FTP Login Attack - 06.18.2007" disabled=no
add chain=BAD_PEOPLE src-address=211.154.164.109 action=drop comment="SSH Login Attack - 06.22.2007" disabled=no
add chain=BAD_PEOPLE src-address=84.61.23.12 action=drop comment="FTP Login Attack - 06.22.2007" disabled=no
add chain=BAD_PEOPLE src-address=59.151.23.228 action=drop comment="SSH Login Attack - 06.22.2007" disabled=no
add chain=BAD_PEOPLE src-address=69.46.16.185 action=drop comment="SSH Login Attack - 06.25.2007" disabled=no
add chain=BAD_PEOPLE src-address=212.169.36.43 action=drop comment="SSH Login Attack - 06.26.2007" disabled=no
add chain=BAD_PEOPLE src-address=211.110.211.56 action=drop comment="SSH Login Attack - 06.26.2007" disabled=no
add chain=BAD_PEOPLE src-address=60.13.184.4 action=drop comment="SSH Login Attack - 06.27.2007" disabled=no
add chain=BAD_PEOPLE src-address=220.130.210.92 action=drop comment="SSH Login Attack - 06.27.2007" disabled=no
add chain=BAD_PEOPLE src-address=195.243.154.99 action=drop comment="SSH Login Attack - 06.29.2007" disabled=no
add chain=BAD_PEOPLE src-address=67.109.174.77 action=drop comment="SSH Login Attack - 06.30.2007" disabled=no
add chain=BAD_PEOPLE src-address=88.115.65.242 action=drop comment="SSH Login Attack - 07.05.2007" disabled=no
add chain=BAD_PEOPLE src-address=62.77.194.112 action=drop comment="SSH Login Attack - 07.05.2007" disabled=no
add chain=BAD_PEOPLE src-address=85.214.27.221 action=drop comment="SSH Login Attack - 07.05.2007" disabled=no
add chain=BAD_PEOPLE src-address=210.245.87.105 action=drop comment="SSH Login Attack - 07.05.2007" disabled=no
add chain=BAD_PEOPLE src-address=88.191.14.96 action=drop comment="FTP Login Attack - 07.06.2007" disabled=no
add chain=BAD_PEOPLE src-address=124.225.128.18 action=drop comment="SSH Login Attack - 07.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=195.24.216.42 action=drop comment="SSH Login Attack - 07.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=222.18.54.33 action=drop comment="SSH Login Attack - 07.15.2007" disabled=no
add chain=BAD_PEOPLE src-address=67.109.174.77 action=drop comment="SSH Login Attack - 07.15.2007" disabled=no
add chain=BAD_PEOPLE src-address=81.18.89.154 action=drop comment="SSH Login Attack - 07.15.2007" disabled=no
add chain=BAD_PEOPLE src-address=222.90.234.68 action=drop comment="SSH Login Attack - 07.13.2007" disabled=no
add chain=BAD_PEOPLE src-address=83.175.206.152 action=drop comment="SSH Login Attack - 07.17.2007" disabled=no
add chain=BAD_PEOPLE src-address=200.26.142.218 action=drop comment="SSH Login Attack - 07.17.2007" disabled=no
add chain=BAD_PEOPLE src-address=210.212.79.38 action=drop comment="SSH Login Attack - 07.18.2007" disabled=no
add chain=BAD_PEOPLE src-address=61.146.178.13 action=drop comment="SSH Login Attack - 07.18.2007" disabled=no
#
add chain=VIRUS protocol=tcp dst-port=111 action=drop comment="RFC PORTMAPPER"
add chain=VIRUS protocol=udp dst-port=111 action=drop comment="RFC PORTMAPPER"
add chain=VIRUS protocol=tcp dst-port=135-139 action=drop comment="BLASTER WORM" disabled=no
add chain=VIRUS protocol=udp dst-port=135-139 action=drop comment="MESSENGER WORM" disabled=no
add chain=VIRUS protocol=tcp dst-port=445 action=drop comment="BLASTER WORM" disabled=no
add chain=VIRUS protocol=udp dst-port=445 action=drop comment="BLASTER WORM" disabled=no
add chain=VIRUS protocol=tcp dst-port=593 action=drop comment="MSBLAST WORM" disabled=no
add chain=VIRUS protocol=tcp dst-port=995-999 action=drop comment="SOBIG.F WORM" disabled=no
add chain=VIRUS protocol=tcp dst-port=1024-1030 action=drop comment="NETSPY, LATINUS, REMOTE STORM" disabled=no
add chain=VIRUS protocol=tcp dst-port=1080 action=drop comment="MYDOOM" disabled=no
add chain=VIRUS protocol=tcp dst-port=2049 action=drop comment="NFS" disabled=no
add chain=VIRUS protocol=udp dst-port=2049 action=drop comment="NFS" disabled=no
add chain=VIRUS protocol=tcp dst-port=3133 action=drop comment="BACKORIFFICE" disabled=no
add chain=VIRUS protocol=udp dst-port=3133 action=drop comment="BACKORIFFICE" disabled=no
add chain=VIRUS protocol=tcp dst-port=5554 action=drop comment="SASSER" disabled=no
add chain=VIRUS protocol=tcp dst-port=5900 action=drop comment="USED BY ULTRA VNC - LOTS OF ATTACKS" disabled=no
add chain=VIRUS protocol=tcp dst-port=12345 action=drop comment="NETBUS" disabled=no
add chain=VIRUS protocol=tcp dst-port=27374 action=drop comment="SUBSEVEN" disabled=no
add chain=VIRUS protocol=tcp dst-port=65506 action=drop comment="PHATBOT, AGOBOT, GAOBOT" disabled=no
We use The Dude server to monitor the devices. I will change the user name on a device and see what the difference is. Thanks for the help thus far. Any more ideas are more than welcome…
Note that from RouterOS 2.9 onward, Winbox uses TCP port 8291.
jlxl
July 24, 2007, 2:16pm
6
A bit more info: the blacked-out IP in the picture from my first post is the router that our Dude server sits behind. When I log in to a device through the Dude, it comes from the same IP. My biggest issue is why there are so many logins.
Would the Dude be trying to perform some action that would cause this? This is one of the other issues I was going to post on, but it may be relevant to this one: in the Dude under the Devices tab > RouterOS, the connections all fail. Every now and then, some devices are able to connect. Is there any reason the Dude would be trying to log in via Winbox? If you notice in the first post, most logins are successful, but the login/logout occurs within 1 second.
The Dude does log in to the units to retrieve info on them, and if you have that network element set to MikroTik RouterOS I would assume it would access it through the standard Winbox port, not using Winbox itself but just the port. I have seen this a few times on some of my network devices, and it was the Dude; it had to be, as they were internal, non-accessible routers.
An easy test to see if it is your Dude server would be to add a user called 'TheDude' (or whatever), and then configure the network element on your Dude server with the matching username. If the logins continue but the name matches the new one used on the Dude server, then you have found your culprit.
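The test described in the reply above, as an added example for this page rather than commands from the reply itself: the monitoring account is given its own group with only the read and winbox policies, so that if the Dude's stored credential is ever exposed it cannot change configuration, and the log is then filtered for that name. The group name, username and password are placeholders; `/log print where` assumes RouterOS v3 or later (on 2.9, use `/log print` and read the output).

```routeros
# Added example, not from the thread. Placeholders: group monitor,
# user TheDude, the password. Syntax assumed: RouterOS v3+.

# Least-privilege group for the Dude: it only needs to read and to
# connect over the Winbox port. Policies not listed (write, policy,
# password, reboot, ftp, ssh, telnet, web, test) stay off.
/user group add name=monitor policy=read,winbox

# The account the Dude will be configured to use for its RouterOS
# device polling.
/user add name=TheDude group=monitor password="another-long-random-passphrase"

# Set the Dude's RouterOS device entry to this username/password, then
# wait a few polling intervals and check whether the 1-second
# login/logout pairs now carry the new name.
/log print where message~"TheDude"

# Logins from any other name are what actually needs chasing: anything
# not from the Dude server's address is a real problem.
/log print where message~"logged in" and !(message~"TheDude")

# Keep the evidence: send login/logout messages to disk so they survive
# a reboot instead of rolling out of the memory buffer.
/system logging action add name=authdisk target=disk disk-file-name=auth disk-lines-per-file=2000
/system logging add topics=system,info action=authdisk
```

If the filtered output shows the expected `user TheDude logged in from <Dude address> via winbox` lines and nothing else, the noise is the Dude's polling; if logins for admin or another name continue from addresses other than the Dude server, treat it as unauthorised access and rotate credentials.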