Unable to SSH with public IP

Hi, I can no longer SSH into my Mikrotik using its public IP. This was working fine and then, without any change, it is not.
I can still get in on private IP but when I try using the public IP, I get an error message. I have tried this on Bash for Windows, a Fedora machine and Putty.

The error message I get from Bash for Windows is:
ssh: connect to host port 22: Resource temporarily unavailable

On Putty I get “Network error, timed out”.

Here are some of my settings, can somebody please help? Thank you.



ip rou pri
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 2.127.238.108 1
1 ADC 2.127.238.108/32 pppoe-out1 0
2 DC 10.0.0.0/24 10.0.0.1 HomeNetwork 255
3 DC 10.0.20.0/24 10.0.20.1 management 255
4 DC 10.0.30.0/24 10.0.30.1 Internet 255
5 ADC 192.168.88.0/24 192.168.88.1 LAN 0



/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=SkyDsl

1 chain=srcnat action=masquerade src-address=192.168.88.0/24

2 chain=dstnat action=dst-nat to-addresses=192.168.88.241 to-ports=48085 protocol=tcp dst-address=
dst-port=48085

3 chain=dstnat action=dst-nat to-addresses=192.168.88.241 to-ports=48085 protocol=udp dst-address=
dst-port=48085

4 ;;; FIFA17_1
chain=dstnat action=dst-nat to-addresses=192.168.88.241 to-ports=9000-9999 protocol=tcp
dst-address=

5 chain=srcnat action=masquerade to-addresses=10.0.0.0/24 out-interface=SkyDsl

6 chain=srcnat action=masquerade to-addresses=10.0.30.0/24 out-interface=SkyDsl


> ip ser pri
Flags: X - disabled, I - invalid

NAME PORT ADDRESS CERTIFICATE

0 telnet 23
1 ftp 21
2 www 80
3 ssh 22
4 X www-ssl 443 none
5 api 8728
6 winbox 8291
7 api-ssl 8729 none


/ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established

2 ;;; default configuration
chain=input action=accept connection-state=related

3 ;;; default configuration
chain=forward action=accept connection-state=established

4 ;;; default configuration
chain=forward action=accept connection-state=related

5 ;;; Accept established connections
chain=input action=accept connection-state=established

6 ;;; Accept related connections
chain=input action=accept connection-state=related

7 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2

8 ;;; From our LAN
chain=input action=accept src-address=192.168.88.0/24 in-interface=LAN

9 ;;; Log everything else
chain=input action=log log-prefix="DROP INPUT"

10 chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m

11 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h
content=530 Login incorrect

12 ;;; Drop Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22

13 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3
address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22

14 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2
address-list=ssh_stage3 address-list-timeout=1m dst-port=22

15 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1
address-list=ssh_stage2 address-list-timeout=1m dst-port=22

16 ;;; SSH create blacklist
chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1
address-list-timeout=1m dst-port=22

17 ;;; SSH
chain=input action=accept connection-state=new protocol=tcp dst-port=22

18 chain=forward action=accept

19 chain=forward action=accept protocol=udp dst-port=48085

20 chain=forward action=accept protocol=tcp dst-port=48085

21 ;;; default configuration
chain=forward action=drop connection-state=invalid

22 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

23 ;;; Drop excess pings
chain=input action=drop protocol=icmp

24 ;;; Drop everything else
chain=input action=drop

25 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21

26 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22

27 ;;; default configuration
chain=input action=drop in-interface=SkyDsl

My guess is that you did a few quick connections from an external address and it ended up in your ssh_blacklist.

Btw, if you inspect your firewall closely, you’ll see that rules #5 and #6 are useless, because they are exactly the same as #2 and #3. Also #7 and #23 will never match anything, when all icmp is already unconditionally accepted by #1. And the same goes for #25-#27, because nothing will get past #24. And in forward, #19 and #20 after #18 are useless too.
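The shadowing analysis in the reply above can be automated: a rule can never match when an earlier enabled rule in the same chain has a terminal action (accept/drop/reject/tarpit) and every one of its matchers also appears, with the same value, in the later rule. The script below is an added example written for this thread, not a RouterOS feature; it parses the text of `/ip firewall filter print` as pasted here (the embedded sample is an abridged copy of the print above) and reports the rules that are dead. It assumes the v6-style print layout shown in the thread and treats only exact key=value equality as overlap, so it is conservative and will not flag rules whose ranges merely intersect.

```python
"""Flag firewall rules that can never match because an earlier rule
in the same chain already catches everything they would match.

Added example for this thread (not RouterOS code). Input format is the
text of `/ip firewall filter print` as pasted in the thread.
"""
import re

# Keys that say what a rule DOES or how it is labelled, not what it MATCHES.
NON_MATCH_KEYS = {
    "chain", "action", "comment", "log", "log-prefix", "passthrough",
    "address-list", "address-list-timeout", "jump-target",
}
# Actions that stop rule processing for a packet they match.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}

# Sample input: abridged copy of the filter print pasted in the thread.
SAMPLE_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; default configuration
   chain=input action=accept protocol=icmp
 1 ;;; default configuration
   chain=input action=accept connection-state=established
 5 ;;; Accept established connections
   chain=input action=accept connection-state=established
 7 ;;; Allow limited pings
   chain=input action=accept protocol=icmp limit=50/5s,2
 9 ;;; Log everything else
   chain=input action=log log-prefix="DROP INPUT"
10 chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m
11 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h
   content=530 Login incorrect
12 ;;; Drop Brute Forcers
   chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
17 ;;; SSH
   chain=input action=accept connection-state=new protocol=tcp dst-port=22
18 chain=forward action=accept
19 chain=forward action=accept protocol=udp dst-port=48085
21 ;;; default configuration
   chain=forward action=drop connection-state=invalid
23 ;;; Drop excess pings
   chain=input action=drop protocol=icmp
24 ;;; Drop everything else
   chain=input action=drop
26 ;;; drop ssh brute forcers
   chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
"""

# "<number> [flags] <;;; comment | key=value ...>" starts a new rule entry.
HEADER = re.compile(r"^\s*(\d+)\s+(?:([XID]+)\s+)?(.*)$")
# key=value tokens; a value runs until the next " key=" so that values with
# spaces ("content=530 Login incorrect") survive intact.
TOKEN = re.compile(r"(\S+?)=(.*?)(?=\s+\S+=|$)")


def parse_rules(text):
    """Return one dict per rule: id, flags, comment, chain, action, matchers."""
    rules = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rest = m.group(3)
            rule = {"id": int(m.group(1)), "flags": m.group(2) or "",
                    "comment": "", "body": ""}
            if rest.startswith(";;;"):
                rule["comment"] = rest[3:].strip()
            else:
                rule["body"] = rest
            rules.append(rule)
        elif rules and "=" in line:
            rules[-1]["body"] += " " + line.strip()   # wrapped continuation
    for rule in rules:
        kv = dict(TOKEN.findall(rule.pop("body").strip()))
        rule["chain"] = kv.get("chain", "")
        rule["action"] = kv.get("action", "")
        rule["matchers"] = {k: v for k, v in kv.items() if k not in NON_MATCH_KEYS}
    return rules


def find_shadowed(rules):
    """Map each dead rule id to the id of the earliest rule that shadows it.

    Earlier rule E shadows later rule L when both are enabled, share a chain,
    E has a terminal action, and E's matchers are a subset of L's matchers
    (E therefore matches at least every packet L would).
    """
    shadowed = {}
    for i, later in enumerate(rules):
        if "X" in later["flags"]:
            continue
        for earlier in rules[:i]:
            if "X" in earlier["flags"] or earlier["chain"] != later["chain"]:
                continue
            if earlier["action"] not in TERMINAL_ACTIONS:
                continue
            if earlier["matchers"].items() <= later["matchers"].items():
                shadowed[later["id"]] = earlier["id"]
                break
    return shadowed


def report(text):
    """Human-readable findings, one line per dead rule, in rule order."""
    rules = parse_rules(text)
    by_id = {r["id"]: r for r in rules}
    lines = []
    for later, earlier in sorted(find_shadowed(rules).items()):
        r, e = by_id[later], by_id[earlier]
        lines.append(f"rule {later} ({r['chain']} {r['action']}; "
                     f"{r['comment'] or 'no comment'}) can never match: "
                     f"rule {earlier} ({e['action']}) already catches it")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PRINT)))
```

Run against the full print it flags the same rules the reply lists (#5/#6 behind #1/#2, #7 and #23 behind #0, everything in input after #24, and #19-#21 in forward behind the unconditional #18), and it also shows that the default "drop invalid" forward rule #21 is dead for the same reason. Non-terminal actions such as log and add-src-to-address-list are deliberately never treated as shadowing, which is why the staged ssh_stage rules are not reported.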

Thank you for your answer. I do not think it could be the blacklist as I have tried this from three different locations, from my home, work and from my 4G phone connection and get the same issue each time. Last week I could log on fine and I have made no changes.

I will inspect the firewall to remove any redundant rules, I am still very new with routers.

Thanks again.

Hi again, has anybody got any ideas regarding the original post? It does not seem to be because of the blacklist, as this has been in place for a while and it was working OK. Also, this is from multiple locations with different public IPs; the terminal does not even get as far as asking for a password. Thank you for any help.

Try checking the WAN interface with Tools->Torch to see if incoming connections on port 22 arrive at all. Because either there’s something wrong with your config, or the problem is elsewhere, for example the ISP could be blocking incoming connections.

Try changing the SSH port in /ip service

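The two checks suggested above, written out as CLI commands. This is an added example for the thread, not something posted by its participants; it assumes the PPPoE interface from the route table (pppoe-out1) is the WAN interface, and the port number 2222 is only a placeholder to be chosen by the administrator.

```routeros
# 1. Does anything for TCP/22 reach the WAN interface at all? If Torch shows
#    nothing while an outside client is connecting, the packets are dropped
#    upstream (ISP, CGNAT) and no firewall rule on the router can be the cause.
/tool torch interface=pppoe-out1 ip-protocol=tcp port=22

# 2. Move SSH off 22 (placeholder port) so that it no longer shares a port with
#    the ssh_stage/ssh_blacklist rules, which all match dst-port=22 and must be
#    updated to the new port afterwards or they stop protecting the service.
/ip service set ssh port=2222

# 3. Confirm the change and that the service is not disabled (no X flag).
/ip service print where name=ssh
```

If Torch does show the SYNs arriving but the client still times out, the next place to look is the input chain order shown in the filter print: an address in ssh_blacklist is dropped by rule #12 before the SSH accept rule #17 is ever reached.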