wtf? Bruteforce login bot or what?

What's that?

[valodja@mt] ip address>
echo: system,error,critical login failure for user jeanette from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jeanine from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jeanna from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jed from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jeff from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jeffrey from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jena from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jennifer from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jenny from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jerald from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jeremiah from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jeremy from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jericho from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jerry from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jerome from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jerrard from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jesse from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jessica from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jhonathan from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jhonny from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jill from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jim from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jimmy from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user joan from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user joanna from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user joanne from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user joby from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jocelyn from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jodi from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jodie from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jody from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user joe from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user joey from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user john from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user johnathan from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jojo from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jonathan from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user john from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jordan from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user joseph from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user josh from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user joyce from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user johnny from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user joshua from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jude from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user judith from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user judy from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jule from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user julia from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user julian from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user juliana from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user julie from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user juliet from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user julius from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user july from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user june from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user junior from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user justice from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user justin from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user justine from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user jr from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kacey from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kailey from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kaitlin from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kaitlyn from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kaleb from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user karen from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kate from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kathrina from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kathrine from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user katie from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kay from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kaylie from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user keaton from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user keegan from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user keisha from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user keith from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kelly from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kelvin from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user ken from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kenny from 83.145.55.2 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user kent from 83.145.55.2 via ssh
[valodja@mt] ip address>

Welcome to the Internet. Try searching around as this has been discussed many times. Google also knows about this :wink:

:smiley:

Drop all incoming traffic (in input table) from addresses that are not welcome, and you solved the problem.
And the answer to your question: YES, this is a brute force bot…

Also look up the owner of the offending IP and file a complaint at their abuse address… it might not help but hopefully they’ll contact the offender and tell him to quit or be disconnected

/Jörgen
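
An added example, not part of any post in this thread: the log from the first post can be triaged by counting distinct usernames per source address, which separates a dictionary bot from a single user mistyping a password. The threshold `min_users`, the list name `ssh_guessers` and the 192.0.2.10 sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Sample in the log format quoted in the first post.
# The 192.0.2.10 lines are constructed for contrast.
SAMPLE_LOG = """\
echo: system,error,critical login failure for user jeanette from 83.145.55.2 via ssh
echo: system,error,critical login failure for user jeanine from 83.145.55.2 via ssh
echo: system,error,critical login failure for user jed from 83.145.55.2 via ssh
echo: system,error,critical login failure for user jeff from 83.145.55.2 via ssh
echo: system,error,critical login failure for user admin from 192.0.2.10 via ssh
[valodja@mt] ip address>
echo: system,error,critical login failure for user admin from 192.0.2.10 via telnet
"""

FAILURE = re.compile(
    r"login failure for user (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\w+)"
)

def parse_failures(text):
    """Yield (user, source, service) per login-failure line; skip prompts."""
    for line in text.splitlines():
        m = FAILURE.search(line)
        if m:
            yield m["user"], m["src"], m["svc"]

def find_guessers(text, min_users=3):
    """Return {source: sorted usernames} for sources trying many names.

    A user with a wrong password fails repeatedly on ONE name; a dictionary
    bot walks through many, so the distinct-username count is the signal.
    """
    users_by_src = defaultdict(set)
    for user, src, _svc in parse_failures(text):
        users_by_src[src].add(user)
    return {s: sorted(u) for s, u in users_by_src.items() if len(u) >= min_users}

def routeros_block_commands(sources, list_name="ssh_guessers"):
    """Build RouterOS commands: one address-list entry per source, one drop rule."""
    cmds = [f"/ip firewall address-list add list={list_name} address={s}"
            for s in sorted(sources)]
    if cmds:
        cmds.append("/ip firewall filter add chain=input "
                    f"src-address-list={list_name} action=drop")
    return cmds

if __name__ == "__main__":
    for cmd in routeros_block_commands(find_guessers(SAMPLE_LOG)):
        print(cmd)
```

The generated drop rule is appended to the end of the input chain, so it has to be moved above any rule that accepts those ports before it has an effect.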

Allow only trusted IPs to log in via ssh.

I suggest you do the same for ftp too.

Or use port pinging for allowing connections; it is like:

if address sends udp packet to port aaaaa then tcp packet to port bbbb, then allow this host to connect to router

Something like this will be the equivalent of a hosts.allow/hosts.deny for the MT box to allow the two netblocks you see in the code and disallow everything else. Change the IPs to your own netblocks, copy and paste. Put it toward the top of your rules list.

/ ip firewall filter 
add chain=input src-address=10.0.0.0/8 protocol=tcp dst-port=21-23 \
    action=accept comment="" disabled=no
add chain=input src-address=69.39.96.0/20 protocol=tcp dst-port=21-23 \
    action=accept comment="" disabled=no
add chain=input src-address=0.0.0.0/0 protocol=tcp dst-port=21-23 \
    action=reject reject-with=icmp-network-unreachable comment=""