Torch results to variable

Hello,
We have a customer who periodically tries to access other network devices (I think he/she has some good hacking skills, since he/she is able to find other customers' IP addresses) using SSH or port 8291.

I want to prove that it is his/her fault by making a script that listens for outgoing SSH/8291 connections.

Basically I want the result of the torch command in a variable, like:

:set $test [/tool torch interface=ether1 port=ssh]
:if ($test != 0) do {
/log info "Outgoing ssh connection attempt"
}

Is it possible? Or is there another way to achieve the same result?

Thanks

Use a firewall rule that logs the attempt…

Or better, use firewall rules to prevent his attempts.

Thanks, can I have a hint?
Such as chain forward and dst-port, for example 22?

Yes, for log or for DROP it is the same:

A firewall filter rule, on forward, src interface = ether1, protocol tcp, dst-port 22,8291

It seems that you do not address the real problem.

Do not allow any access to your router using SSH or Winbox. Always use VPN, and if VPN cannot be used, follow these rules.

  1. Use another port than default.
  2. Use port knocking. This prevents someone from seeing open ports.
  3. Use a long and good password.
  4. Use an access list to prevent any random Internet host from accessing your router.
  5. Log everything. (See my signature for example.)
  6. Upgrade firmware to the latest stable release.
  7. ++++

Yes, thanks. I already know those security suggestions.

The question is about how to log that, not how to secure it.

Just seeing that someone reaches your system at port 8291 or port 22 raises all red flags.

As others wrote, add a filter rule for those ports, and add logging.

If you would like to use a good logging system, see my signature on how to use MikroTik with Splunk to show all logging.

In my opinion, allowing SSH only from inside the LAN or "seeing" others' IPs is not a security issue. I use port knocking when I need to access from outside the network.
I personally suggest using a very strong password first.

You only need to add a firewall filter rule (in input or forward, depending on what you are after) that will log the traffic; then you can still accept it for now and later see whether you want to change it to block.
It is likely that your customer does not have such good hacking skills, but rather that he has bad security skills and his router has been hacked and is now trying to find new victims.
Of course, it depends on your service relationship with customers whether you need to do anything about that. When you manage their routers, you are in trouble.
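As an added example of the "log it now, block it later" approach described in the replies above (this is not code from anyone in the thread): a RouterOS filter set that logs and records new outbound SSH/Winbox connection attempts coming in on the customer-facing interface, plus a remote syslog target so the evidence leaves the box. The interface name ether1 comes from the original post; the address-list name outgoing_mgmt_attempts, the log prefixes, and the syslog server 192.0.2.10 are assumptions chosen for the example.

```routeros
# Added example, not from the thread. Assumed names: outgoing_mgmt_attempts,
# log prefixes MGMT-SCAN / MGMT-SCAN-INPUT, syslog server 192.0.2.10.
/ip firewall filter
# Match only the first packet of each new TCP connection, so one attempt
# produces one log line instead of a line per packet. action=log does not
# terminate processing, so the traffic is still accepted/handled by later rules.
add chain=forward in-interface=ether1 protocol=tcp dst-port=22,8291 \
    connection-state=new action=log log-prefix="MGMT-SCAN" \
    comment="log outbound ssh/winbox attempts from the customer side"
# Keep the source address as evidence that survives log rotation
# (4w2d timeout, as in the address-list rule proposed later in the thread).
add chain=forward in-interface=ether1 protocol=tcp dst-port=22,8291 \
    connection-state=new action=add-src-to-address-list \
    address-list=outgoing_mgmt_attempts address-list-timeout=4w2d
# The same traffic aimed at the router itself lands in the input chain,
# so log it there too.
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 \
    connection-state=new action=log log-prefix="MGMT-SCAN-INPUT"
# When you decide to block, enable this rule; it is disabled for now so that
# the customer's traffic is only observed, not interrupted.
add chain=forward src-address-list=outgoing_mgmt_attempts protocol=tcp \
    dst-port=22,8291 action=drop disabled=yes

# Ship firewall log lines to a remote syslog server (Splunk or anything else),
# so a compromised or rebooted router cannot erase the record.
/system logging action
add name=remote-syslog target=remote remote=192.0.2.10 remote-port=514
/system logging
add topics=firewall action=remote-syslog
```

Place the two logging/address-list rules before any broad accept rule in the forward chain; otherwise an earlier accept terminates processing and they never see the packet. The log lines carry the prefix, the source and destination addresses and the in-interface, which is the evidence the original poster was after.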

What about this?

/ip firewall filter
add action=add-src-to-address-list address-list=outgoing_ssh_attempts address-list-timeout=\
    4w2d chain=forward dst-port=22 in-interface=LAN protocol=tcp
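Once the address list above is being filled by the firewall, the "result into a variable, then :if" idea from the original post can be done against the list instead of against torch. The following is an added example and not code from the thread: a scheduler-driven script that reads the address list (name outgoing_ssh_attempts from the rule above) and writes one warning per recorded source. The script name check-ssh-attempts and the 5-minute interval are assumptions.

```routeros
# Added example, not from the thread. Assumed: script/scheduler name
# check-ssh-attempts, 5m interval. Paste the block between the braces into
# the Source field of /system script (or run it from the terminal).
/system script
add name=check-ssh-attempts source={
    # All entries the firewall added for outbound ssh attempts
    :local hits [/ip firewall address-list find list=outgoing_ssh_attempts]
    # This is the check the original post wanted: a non-empty result means
    # at least one attempt was seen since the entries' timeout started
    :if ([:len $hits] != 0) do={
        :foreach h in=$hits do={
            :local src [/ip firewall address-list get $h address]
            :log warning ("Outgoing ssh connection attempt from " . $src)
        }
    }
}
/system scheduler
add name=check-ssh-attempts interval=5m on-event=check-ssh-attempts
```

Because the address-list entries live for the whole 4w2d timeout, this script repeats the same sources every run; treat it as a periodic summary for a human or a monitoring poll, while the per-attempt detail still comes from a firewall rule with action=log.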