Community discussions

 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 5:36 pm

please help me im being attacked
how can i prevent this

help me find them?
this was just now..

log print
dec/24 00:33:46 system,error,critical login failure for user administrator from 190.82.77.203 via telnet 
dec/24 00:33:47 system,error,critical login failure for user root from 85.11.22.132 via telnet 
dec/24 00:33:48 system,error,critical login failure for user root from 190.82.77.203 via telnet 
Last edited by normis on Tue Dec 27, 2016 10:24 am, edited 1 time in total.
Reason: removed excess log
ZipVault
 
pe1chl
Forum Guru
Forum Guru
Posts: 5926
Joined: Mon Jun 08, 2015 12:09 pm

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 5:43 pm

Why do you allow login from internet?
Did you configure a PPPoE interface using some shady Youtube video instead of the official method?
What is your firewall right now? Does it drop all new incoming traffic from your internet interface?
 
User avatar
greek
Member Candidate
Member Candidate
Posts: 111
Joined: Thu Nov 04, 2010 11:37 pm
Location: Russia, 78rus

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 5:55 pm

Go to IP - Services menu, click telnet and click Disable-button (with red cross)
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 6:04 pm

i had turned of the remote login option...

Yes i turned of the telnet service now,
Are you only meant to enable telnet when u want to use it or

can i block telnet so only my mac address can access??

How do i set my local address book to only access??


Yes i have about 80 firewall rules at the moment


Should i reset and start build again??
ZipVault
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 6:13 pm

I thought i had setup the brute force rule on mikrotik wiki also???

The one if an ip gets three wrong entries then they

Get put on a list

And if they stay on the list for 1 minute

Then they get put on a block list

Can any one shine some light on a script that does this

Because obviously the one i did is not working..
ZipVault
 
User avatar
todayheads
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Wed Jul 27, 2016 2:18 pm

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 6:55 pm

i am gonna advice you with something

allow accessing webfig online from ur network only not global
 
User avatar
todayheads
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Wed Jul 27, 2016 2:18 pm

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 6:57 pm

and please next time you don't have to paste whole log
 
dhapollo
just joined
Posts: 4
Joined: Fri Dec 23, 2016 6:36 pm

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 7:25 pm

Go to the ip> firewall> filter's rules> add a new one. Chain input port 23, Action drop
if this works?
Relax, I'm still learning English :)
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 7:43 pm

i am gonna advice you with something

allow accessing webfig online from ur network only not global

what is the best way you would advise to do this?
ZipVault
 
mpreissner
Member
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 8:04 pm

Add a firewall rule on the INPUT chain that only allows WinBox, SSH, and HTTPS from one of your internal networks. Then add a firewall rule right below that to drop all traffic to your device. These two rules ensure that ONLY traffic from you is allowed to go directly to your device.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 8:53 pm

okay,

i had over 85 firewall rules earlier,

i have cut it back to 30 now,

how do i specify a specific ip

for instance earlier i had a mangement address book

and i allowed only one ip address to access the webconf

but i deleted it now im unsure how to reinstate this local only method

or single ip access management access rule?
ZipVault
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 8:57 pm

Add a firewall rule on the INPUT chain that only allows WinBox, SSH, and HTTPS from one of your internal networks. Then add a firewall rule right below that to drop all traffic to your device. These two rules ensure that ONLY traffic from you is allowed to go directly to your device.

i can use something like this does this look good??? ->


/ip firewall address-list
add list=management-servers address=192.168.00.000

/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept

add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop


im only new to mikrotik only being using it a few days????
ZipVault
 
mpreissner
Member
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 9:22 pm

If you write firewall rules like that, you'll end up missing things.

Best practice is to create a rule that allows your management access, and then create a DROP ALL rule at the bottom of the chain. As you find you need to allow additional traffic, you simply add a rule above the DROP ALL rule. You need to make sure you also order the rules correctly to minimize processing overhead, so put the most frequently matched rules at the top, since rules are processed from the top down. Here's my INPUT chain, which is pretty well locked down.
/ip firewall filter
add action=accept chain=input comment="Accept related/established from internal networks" connection-state=\
    established,related in-interface=!ether1-gateway log=yes log-prefix=gateway-accept-est-rel-internal
add action=accept chain=input comment=\
    "default configuration - Accept inbound related/established" connection-state=\
    established,related in-interface=ether1-gateway log=yes log-prefix=accept-inbound-rel-est
add action=accept chain=input comment="Accept inbound for SSTP VPN" dst-port=443 in-interface=ether1-gateway log=yes \
    log-prefix=accept-inbound-SSTP-VPN protocol=tcp
add action=accept chain=input comment="Accept inbound L2TP/IPsec VPN" dst-port=1701,500,4500 in-interface=\
    ether1-gateway log=yes log-prefix=accept-inbound-l2tp-ipsec-vpn protocol=udp
add action=drop chain=input comment="default configuration - drop unsolicited inbound WAN traffic" in-interface=\
    ether1-gateway log=yes log-prefix=drop-inbound-unsolicited
add action=accept chain=input comment="Accept broadcast traffic from internal networks" dst-address-type=\
    broadcast,multicast in-interface=!ether1-gateway log-prefix=accept-input-bcast/mcast
add action=accept chain=input comment="default configuration - accept icmp on all interfaces" protocol=icmp
add action=accept chain=input comment="Allow MGMT access from internal networks" dst-address=172.16.0.30 dst-port=\
    22,8291 in-interface=!ether1-gateway log-prefix=mgmt-accept-internal protocol=tcp
add action=accept chain=input comment="Accept DHCP on all interfaces" dst-port=67 log-prefix=log-dhcp protocol=udp
add action=drop chain=input comment="drop and log all inbound traffic not matching previous rules" log=yes \
    log-prefix=drop-and-log-input
Michael Preissner
CISSP, CCSP, CEH, PMP
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: Please Help me im being attacked RIGHT NOW

Fri Dec 23, 2016 9:36 pm

Well, if you are allowing mgmt from specific pool of ip addresses there is no need to create access list , you can do it directly via firewall rule. It is easier to read if you have access list but at the end its up to you.
/ip firewall address-list
add list=management-servers address=192.168.0.0[b]/24[/b]
bold text was missing

Also, in rule itserlf, you do not need to overcomplicate with ports/services definitions.
It will work also this way:
/ip firewall filter
add chain=input src-address-list=management-servers  action=accept
to allow mgmt from your pool

and to deny rest
/ip firewall filter
add chain=input in-interface=YourWAN  action=drop
regarding IP, services itself, you have option to define "available form" where you can specify what service is available from .

I do not have any issues with things you followed to secure your router, but in 70% tutorials rules are overcomplicated without real reason.

One elegant way to drop all these "service-hunters" is like this:
add action=add-src-to-address-list address-list=@Services_Phase1 address-list-timeout=30m chain=input comment=IN-Services1 dst-port=21,22,23,69,80,443,8080 \
    in-interface=YourWAN protocol=tcp
add action=add-src-to-address-list address-list=@Services_Phase2 address-list-timeout=30m chain=input comment=IN-Services2 dst-port=21,22,23,69,80,443,8080 protocol=tcp \
    src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase3 address-list-timeout=1w chain=input comment=IN-Services3 dst-port=21,22,23,69,80,443,8080 protocol=tcp \
    src-address-list=@Services_Phase2
Then in RAW firewall drop @Services_Phase3:
add action=drop chain=prerouting src-address-list=@Services_Phase3
I have bigger routing table.
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Sat Dec 24, 2016 4:45 am

Thankyou i really appreciate your input it makes sense

If i do not specify ports in the rule does it just apply to all ports?


One question i have


What is phase 1, 2 and 3 services?
ZipVault
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: Please Help me im being attacked RIGHT NOW

Sun Dec 25, 2016 2:27 pm

If i do not specify ports in the rule does it just apply to all ports?
Yes
What is phase 1, 2 and 3 services?
Just names of access lists who are created by firewall rules. You can change names whatever you like.

One more note, as you see there are no DNS rules involved in this rule-set. You need to take care of that also.
I have bigger routing table.
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Sun Dec 25, 2016 3:10 pm

One more note, as you see there are no DNS rules involved in this rule-set. You need to take care of that also.

my dns always changes is there a way for me to still make better dns rules that auto update??
ZipVault
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: Please Help me im being attacked RIGHT NOW

Mon Dec 26, 2016 2:22 pm

Well, i'm not sure what do you mean by "my dns changes"? Is your ISP changing IP's of DNS or there is something else?
Securing your DNS ( disabling DNS amplification attacks from your router) can be done by various methods, but maybe easiest to maintain is to create access list with IP's of your DNS servers, and create firewall rule ( even better RAW firewall rule) which will drop port 53 from all IP addresses except from IP's residing on access list. Something like this:
chain=input action=drop protocol=udp src-address-list=!DNS in-interface=WAN dst-port=53 log=no log-prefix=""
This means, drop udp traffic on WAN interface targeted to router itself on port 53 where source addresses are not from DNS list. Because your DNS changes, its easier for you to maintain access list then changing rule all over again ( with every change of your DNS).
Advice:
If you have some 100% correct rules, try to move them from IP firewall to RAW firewall, just to decrease load on CPU, because all statements in RAW firewall are considered on routing level, or to be more precise, before packets enter inside of your router.
I have bigger routing table.
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Mon Dec 26, 2016 7:22 pm

Ur a legend blajah raw FIRE

I made it tcp also


Does dns only resolve on 53? Learn something new everyday
ZipVault
 
User avatar
blajah
Member Candidate
Member Candidate
Posts: 224
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia
Contact:

Re: Please Help me im being attacked RIGHT NOW

Tue Dec 27, 2016 1:34 pm

Yeah, only on port 53, mainly UDP, but if data is bigger then 512 bytes, then it switches to TCP.
I have bigger routing table.
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 3:16 pm

dec/24 00:33:46 system,error,critical login failure for user administrator from 190.82.77.203 via telnet 
dec/24 00:33:47 system,error,critical login failure for user root from 85.11.22.132 via telnet 
dec/24 00:33:48 system,error,critical login failure for user root from 190.82.77.203 via telnet 
[/quote]


Hi @normis i intentionally posted the whole log to give people the chance to block those ips if they needed

Do we have a global running block list

Someone should make one..
ZipVault
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 3:30 pm

This is useless. The addresses will never repeat them. Read up on how DDoS works. These are disposable victims of trojans and other bugs, cameras, infected PCs etc.
No answer to your question? How to write posts
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 3:47 pm

WAN interface targeted to router itself on port 53 .

your probably going to laugh at me but i have a dumb questions which one is my wan interface in picture attached..
Screen Shot 2016-12-28 at 11.43.24 PM.png
You do not have the required permissions to view the files attached to this post.
ZipVault
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 3:48 pm

We can't know that. WAN is the one where your ISP is plugged in :)
No answer to your question? How to write posts
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1718
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 3:55 pm

Probably PPoE one as ISP wants authentication.
Real admins use real keyboards.
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 4:23 pm

This is useless. The addresses will never repeat them. Read up on how DDoS works. These are disposable victims of trojans and other bugs, cameras, infected PCs etc.

Currently with my arp and nat im hoping no random address can even access

But reading about things like shodan

Im wondering if it is worthwhile to create a gloabl attack list updated from shodan as a resource for example if it updated in real time

the one that attacked me for instance i noticed the traceroute was coming from the same 4 or 5 ips

One was traced to chile another sweden.


My theory is

If someone is attacking through series of static set ips and it doesnt work on one router the router can update a global list to prevent any other mikrotik being attacked from those address or macs within a timeframe

Does this make sense? Tell me im crazy if u will
ZipVault
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 4:25 pm

You will never be able to firewall each "bad" IP individually. The reverse approach is much easier - drop everything and allow only yourself and only on non-standard ports. Implement multiple layers of security if needed, but again - drop everything first.
No answer to your question? How to write posts
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 4:33 pm

You will never be able to firewall each "bad" IP individually. The reverse approach is much easier - drop everything and allow only yourself and only on non-standard ports. Implement multiple layers of security if needed, but again - drop everything first.
Yes you Makes perfect sense

maybe ten years from now routers will have this system in place


I have been droping everything last not first,

My understanding was firewall rule ran from top being first and bottom last?
ZipVault
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 4:37 pm

MikroTik routers already have such firewall.

First add rule for your own IP addresses with action accept. Add as many known IP addresses as you need (your home, office, etc). Then change your telnet and ssh ports to something other than standard, you can do this in the "system -> services" menu. Disable telnet if you don't use it.

Then add rule to drop everything (chain input, action drop). First rules will allow your access, next rules will drop everything that is not allowed in previous rules.
No answer to your question? How to write posts
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 4:49 pm

Got it thanks for clarification

Drop last
ZipVault
 
pe1chl
Forum Guru
Forum Guru
Posts: 5926
Joined: Mon Jun 08, 2015 12:09 pm

Re: Please Help me im being attacked RIGHT NOW

Wed Dec 28, 2016 6:55 pm

We can't know that. WAN is the one where your ISP is plugged in :)
When even you say that, small wonder that so many users get confused about that!
The dangerous truth is that when you have a PPPoE interface, as he has, and it is the link to the ISP, the
firewall has to be configured with the pppoe-out1 interface as the input interface that is blocked by
default, not the ether1 interface which has this rule by default.

We have discussed it before. I think this is another example of a user who was attacked and would
probably later become victim of a DNS reflection DDoS abuse, just because of this default-accept
policy in the MikroTik firewall. It should really be reversed, drop everything except from the interfaces
that are known to be trusted (LAN, WiFi, bridge-local, that kind of thing).
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Thu Dec 29, 2016 2:47 am

Ppoe is coming through ether1

My rules are set to ether1

So ur saying i should have set to ppoe interface?

Or i can try to set for both?

Does raw firewall or prerouting happen before the ppoe virtual interface???
ZipVault
 
bennn
just joined
Posts: 11
Joined: Mon Oct 03, 2016 7:20 pm

Re: Please Help me im being attacked RIGHT NOW

Thu Dec 29, 2016 3:23 am

So ur saying i should have set to ppoe
Potentially, yes. I agree that this is normal operation for me too. I found this when dst-nat rules were not working when I set them to ether1 but did work when set to the pppoe interface.
Or i can try to set for both?
You can, but this shouldn't be necessary if configured correctly.


The best thing to do is for you to try to connect to your Mikrotik from an external internet source (mobile data maybe?) and test access.
 
User avatar
zipvault
Member Candidate
Member Candidate
Topic Author
Posts: 144
Joined: Fri Dec 23, 2016 8:15 am

Re: Please Help me im being attacked RIGHT NOW

Thu Dec 29, 2016 4:20 am

The best thing to do is for you to try to connect to your Mikrotik from an external internet source (mobile data maybe?) and test access.

Hi ben i have firewall and arp and nat and local management only set up

Remote access is off and telnet is off so im pretty sure i have covered all bases regarding remote access management, thanks for ur help



In the interest of this forum post getting to long
Can we continue the similar conversation but regarding fast track here:

http://forum.mikrotik.com/viewtopic.php?f=13&t=116258
ZipVault
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please Help me im being attacked RIGHT NOW

Thu Dec 29, 2016 8:07 am

when you have a PPPoE interface, as he has, and it is the link to the ISP.
Is it? I can't tell just from the name. It could be a local test network. Also, I can't be sure that if his connection drops, that his router becomes open to whatever other connections that can reach his router at that moment. You should probably have some basic rules on the interface itself as well.

Yes, if PPPoE interface in that photo is actually connected to your ISP and the connection goes through it, all the rules should be configured on the PPPoE interface.
No answer to your question? How to write posts

Who is online

Users browsing this forum: No registered users and 35 guests