Disallow unknown logins from internet access

Posted: Mon Apr 23, 2018 3:13 am
by MarHazK
Hello,

How do I block unknown logins (a specific IP) from the internet to my Winbox, telnet & SSH? This IP (118.101.53.152) keeps retrying/brute-forcing logins to my RouterOS since last week till now.

Thanks,

Best regards,
Marhazk

Re: Disallow unknown logins from internet access

Posted: Mon Apr 23, 2018 3:44 am
by CZFan
The question is, do you "really" need access to your router devices from the Internet side? If not, then the best is to disable these services from outside by creating a firewall rule on the input chain, protocol=tcp, port=22, 23, 8192, etc., in-interface=wan, action=drop.

Then in IP settings, you specify a local LAN address that is allowed to access it from the LAN side.

Some possible nasties are going around regarding this and being investigated by MikroTik; see the posts on the vulnerability.
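The two controls CZFan describes, as a worked RouterOS CLI example added here (not configuration posted by anyone in the thread). It assumes the WAN interface is named ether1, that the LAN is 192.168.88.0/24, and uses Winbox's actual default port 8291; all of these are assumptions to adapt. Rule order matters in the filter chain, so the accept rule is added before the drop.

```routeros
# Assumed names/addresses: ether1 = WAN, 192.168.88.0/24 = LAN, 203.0.113.10 = a trusted remote site.
# Winbox's default TCP port is 8291 (the thread's "8192" is a typo for it).

# 1) A list of sources that may reach management services from the WAN side.
/ip firewall address-list
add list=management-allowed address=203.0.113.10 comment="trusted remote admin site (assumed)"

# 2) Input-chain rules: accept management traffic only from the list, drop the rest.
#    Also drop invalid packets and let established/related traffic through first.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input in-interface=ether1 protocol=tcp dst-port=22,23,8291 \
    src-address-list=management-allowed action=accept comment="mgmt from allowed list only"
add chain=input in-interface=ether1 protocol=tcp dst-port=22,23,8291 \
    action=drop comment="drop all other SSH/telnet/Winbox from WAN"

# 3) IP services: bind each service to the LAN range so even a reachable port
#    refuses sessions from elsewhere; disable what is not needed at all.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24,203.0.113.10
set winbox address=192.168.88.0/24,203.0.113.10

# Verify: drop-rule counters should climb while the brute-force source keeps trying.
/ip firewall filter print stats where chain=input
/log print where topics~"system" and message~"login failure"
```

Check the result with the print commands at the end: the drop rule's packet counter should grow while "login failure" lines stop appearing in the log. If you manage the router from the LAN only, leave the remote address out of the lists entirely.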

Re: Disallow unknown logins from internet access

Posted: Mon Apr 23, 2018 5:24 am
by MarHazK
Yep, I have to access it from the internet for backup-solution purposes. Normally I connect through PPTP, but in case some "gateway/PPTP IP/intranet" is down, I have to use the public IP.
Just wondering, how about if I change the service ports (22, 23, 8192) to new ports (2222, 2223, 18192); is it possible for "them" to track it? In most cases, I mean.

Re: Disallow unknown logins from internet access

Posted: Mon Apr 23, 2018 6:33 am
by 2frogs
Changing ports will help with most. Using address-list and port knocker to limit access is even better.

Re: Disallow unknown logins from internet access

Posted: Mon Apr 23, 2018 7:23 am
by yhfung
In general, you have to disable all except SSH, with another port number. Also the password should be strong enough against hackers. It means the password should not be very simple. It may contain upper and lower case letters, numbers and symbols. The length should be at least 8 or more. For me, I use 16 characters.

YH

Re: Disallow unknown logins from internet access

Posted: Mon Apr 23, 2018 10:44 am
by pe1chl
[quote from MarHazK] yep, have to access from internet for backup-solution purposes.. normally i connect through PPTP but incase some "gateway/pptp ip/intranet" down, i have to use the public ip..
You really need to rethink that backup solution!
It is quite dangerous to leave your MikroTik open for management from outside.
Find some way to allow only a small set of IP addresses.

Re: Disallow unknown logins from internet access

Posted: Mon Apr 23, 2018 12:05 pm
by whitbread
You can restrict access per user to IP(-ranges). So you may allow access only to a restricted user.

I would tend to think about using port knocking - easy to configure and use and pretty safe if you use a good port combination.
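The port-knocking and per-user restriction that 2frogs and whitbread recommend, as an added RouterOS example (not configuration from either poster). The knock ports 1111, 2222 and 3333, the list names, the timeouts, the WAN interface name ether1 and the user name remote-admin are all assumed; pick your own sequence. The knock rules must sit above the management drop rule in the input chain, so use a small chain order check after adding them.

```routeros
# Assumed: ether1 = WAN; knock sequence 1111 -> 2222 -> 3333 (TCP); choose your own.
# Each stage lists the source for a short window; only a source that completes
# the sequence in order lands on management-allowed, and only for 10 minutes.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=1111 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s comment="knock 1/3"
add chain=input in-interface=ether1 protocol=tcp dst-port=2222 \
    src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=knock-stage2 \
    address-list-timeout=15s comment="knock 2/3"
add chain=input in-interface=ether1 protocol=tcp dst-port=3333 \
    src-address-list=knock-stage2 \
    action=add-src-to-address-list address-list=management-allowed \
    address-list-timeout=10m comment="knock 3/3 -> temporary mgmt access"

# Management services: accept from the list, drop everything else from WAN.
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 \
    src-address-list=management-allowed action=accept comment="mgmt after knock"
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 \
    action=drop comment="drop unknocked mgmt attempts"

# Make sure the knock rules precede the drop rule (move by rule number if not).
/ip firewall filter print where chain=input

# Per-user source restriction (whitbread's point): a separate remote user that may
# only log in from the VPN range or a known site; the admin account stays LAN-only.
/user
add name=remote-admin group=full address=10.99.0.0/24,203.0.113.10 \
    password="use-a-long-unique-passphrase" comment="assumed remote user"
set admin address=192.168.88.0/24

# Watch the lists fill as a knock sequence is sent; a brute-forcer never reaches stage 2.
/ip firewall address-list print where list~"knock|management"
```

A source that hits the ports out of order never advances, because each stage requires membership in the previous list. Keep the 10-minute window short: the goal is a brief opening for your own session, after which the drop rule applies again even to the address that knocked.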

Re: Disallow unknown logins from internet access

Posted: Mon Apr 23, 2018 8:57 pm
by anav
Suggest use VPN to access the router from external and then use Winbox from the internal side only to do the rest.

Re: Disallow unknown logins from internet access

Posted: Mon Apr 23, 2018 10:17 pm
by ochaconm
Changing the original ports to others will not prevent you from being exposed/hacked unless you also implement some kind of port scan firewall.

Any "serious" hacker will easily find the open ports, even if you change them.

My suggestion is to connect through a VPN (IPsec suggested; PPTP is vulnerable).