quebeker
just joined
Topic Author
Posts: 12
Joined: Wed Jan 16, 2008 2:34 am

log says: login failure from user abcde from 222.xxx.xxx f

Sat Mar 08, 2008 8:06 am

I happened to check the log and there were a lot of these messages:
login failure from user abcde from 222.xxx.xxx by ssh
saro
123
456
Always from 222.xxx.xxx

It did not stop until I dropped the DSL connection.
Can someone tell me what this is?

thanks
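
Added example, not part of the original post: a Python sketch that reads log lines worded like the one quoted above and counts login failures per source network instead of per address, since the post reports them all coming from one 222.xxx.xxx range. The sample log, the /24 grouping, the threshold of 5 and the function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Accepts the wording quoted in the post and a "for user ... via" variant.
FAILURE_RE = re.compile(
    r"login failure (?:for|from) user (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?:by|via) (?P<svc>\S+)")

# Constructed sample log (documentation address ranges, not the poster's data).
SAMPLE_LOG = """\
08:01:10 login failure from user abcde from 203.0.113.7 by ssh
08:02:11 login failure from user saro from 203.0.113.19 by ssh
08:03:09 login failure from user 123 from 203.0.113.44 by ssh
08:04:12 login failure from user 456 from 203.0.113.101 by ssh
08:05:10 login failure from user abcde from 203.0.113.150 by ssh
08:06:13 login failure from user saro from 203.0.113.201 by ssh
08:06:40 login failure from user admin from 198.51.100.23 by telnet
08:07:02 user admin logged in from 192.0.2.10 by winbox
"""

def parse_failures(log_text):
    """Yield (user, ip, service) for every login-failure line."""
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            try:
                yield m["user"], ipaddress.ip_address(m["ip"]), m["svc"]
            except ValueError:
                pass  # octet out of range: not a usable address, skip the line

def failures_per_source(log_text):
    """Failure count per individual source address."""
    return Counter(str(ip) for _, ip, _ in parse_failures(log_text))

def find_bruteforce(log_text, prefix_len=24, min_failures=5):
    """Group failures by source network; keep networks at or over the threshold."""
    nets = defaultdict(lambda: {"failures": 0, "sources": set(), "users": set()})
    for user, ip, _ in parse_failures(log_text):
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        nets[net]["failures"] += 1
        nets[net]["sources"].add(str(ip))
        nets[net]["users"].add(user)
    return {n: s for n, s in nets.items() if s["failures"] >= min_failures}

if __name__ == "__main__":
    print("most failures from one address:", max(failures_per_source(SAMPLE_LOG).values()))
    for net, s in find_bruteforce(SAMPLE_LOG).items():
        print(net, s["failures"], "failures,", len(s["sources"]), "addresses,", sorted(s["users"]))
```

In the sample no single address fails more than once, so a per-address threshold would stay silent while the per-network count flags the range.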
 
ashish
Long time Member
Posts: 546
Joined: Mon Feb 12, 2007 5:50 am
Location: Virginia, USA.

Re: log says: login failure from user abcde from 222.xxx.xxx f

Sat Mar 08, 2008 9:29 am

It's a public IP. Check for open ports on your router.

Or do the following:

[ashish@LAN Server] ip service> print
Flags: X - disabled, I - invalid
 #   NAME     PORT ADDRESS       CERTIFICATE
 0   telnet   23   128.0.0.0/24
 1 X ftp      21   0.0.0.0/0
 2 X www      80   0.0.0.0/0
 3 X ssh      22   0.0.0.0/0
 4 X www-ssl  443  0.0.0.0/0     none

Address = your network, so it will allow telnet only from that network.
 
quebeker
just joined
Topic Author
Posts: 12
Joined: Wed Jan 16, 2008 2:34 am

Re: log says: login failure from user abcde from 222.xxx.xxx f

Sat Mar 08, 2008 10:19 am

Hi Ashish;
this is what I have open, I think...
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
 #   NAME     PORT ADDRESS       CERTIFICATE
 0   telnet   23   0.0.0.0/0
 1   ftp      21   0.0.0.0/0
 2   www      80   0.0.0.0/0
 3   ssh      22   0.0.0.0/0
 4 X www-ssl  443  0.0.0.0/0     none
[admin@MikroTik] ip service>

It was coming from a different 222.xxx address every minute. Would that be some kind of scan for open IPs?

thanks
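
Added example, not part of any post in this thread: a Python check that parses "ip service print" rows like the two listings above and reports the services that are enabled and accept connections from any source address (0.0.0.0/0), which is what restricting the Address field prevents. The function names are made up for this example, and the parser assumes the column layout shown in the posts.

```python
import ipaddress
import re

# Row layout: index, optional flags, name, port, allowed address, optional certificate.
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?:(?P<flags>[XI]+)\s+)?(?P<name>[a-z][\w-]*)\s+"
    r"(?P<port>\d+)\s+(?P<addr>\S+)(?:\s+(?P<cert>\S+))?\s*$")

# Service rows from the two listings posted in this thread.
RESTRICTED = """\
# NAME PORT ADDRESS CERTIFICATE
0 telnet 23 128.0.0.0/24
1 X ftp 21 0.0.0.0/0
2 X www 80 0.0.0.0/0
3 X ssh 22 0.0.0.0/0
4 X www-ssl 443 0.0.0.0/0 none
"""
OPEN = """\
# NAME PORT ADDRESS CERTIFICATE
0 telnet 23 0.0.0.0/0
1 ftp 21 0.0.0.0/0
2 www 80 0.0.0.0/0
3 ssh 22 0.0.0.0/0
4 X www-ssl 443 0.0.0.0/0 none
"""

def parse_services(listing):
    """Return one dict per service row; header and prompt lines are skipped."""
    rows = []
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"name": m["name"], "port": int(m["port"]),
                         "addr": m["addr"], "enabled": "X" not in (m["flags"] or "")})
    return rows

def exposed_services(listing):
    """Enabled services whose Address field admits every IPv4 source (/0)."""
    out = []
    for svc in parse_services(listing):
        try:
            any_source = ipaddress.ip_network(svc["addr"], strict=False).prefixlen == 0
        except ValueError:
            any_source = True  # unparseable restriction: report it for manual review
        if svc["enabled"] and any_source:
            out.append((svc["name"], svc["port"]))
    return out

if __name__ == "__main__":
    print("restricted:", exposed_services(RESTRICTED), "open:", exposed_services(OPEN))
```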
 
staffan
just joined
Posts: 3
Joined: Wed Feb 01, 2006 2:12 pm
Location: Sweden

Re: log says: login failure from user abcde from 222.xxx.xxx f

Sat Mar 08, 2008 10:50 am

Another effective solution to solve the problem

http://wiki.mikrotik.com/wiki/Bruteforc ... %26_SSH%29
 
ahmedsaffar76
Member
Posts: 306
Joined: Sun Feb 17, 2008 2:56 pm
Location: Iraq

Re: log says: login failure from user abcde from 222.xxx.xxx f

Sat Mar 08, 2008 12:17 pm

Hi Ashish;
this is what I have open, I think...
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
 #   NAME     PORT ADDRESS       CERTIFICATE
 0   telnet   23   0.0.0.0/0
 1   ftp      21   0.0.0.0/0
 2   www      80   0.0.0.0/0
 3   ssh      22   0.0.0.0/0
 4 X www-ssl  443  0.0.0.0/0     none
[admin@MikroTik] ip service>

It was coming from a different 222.xxx address every minute. Would that be some kind of scan for open IPs?
Hi;
from your WinBox go to the menu IP -> Services,
disable ftp, ssh and www-ssl, then you will block all the attempts coming from ssh to your MT.
Another effective solution to solve the problem

http://wiki.mikrotik.com/wiki/Bruteforc ... %26_SSH%29
Thanks for the link, I will read it later and check whether I already have it in my firewall filter rules or not.
With best regards.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: log says: login failure from user abcde from 222.xxx.xxx f

Sat Mar 08, 2008 2:24 pm

Greetings!

Here is a sure stop:

/ip firewall filter add chain=input src-address=xx.xx.xx.xx/24 action=accept
/ip firewall filter add chain=input action=drop

The second line must be the last entry in your input filter list.

Ensure they are entered in that order.
xx.xx.xx.xx/24 is your WAN net.

And you still get access to everything! But beware! If you don't have a null modem cable handy, this could lock you out if not entered correctly. :D

NOTE: Here is the way I lock myself out of my boxes most often. If you don't like the way the rules are working and want to delete them, REMOVE THAT SECOND LINE FIRST!! Otherwise, the only input rule is the second one, which is "everybody is locked out". When the response from the box suddenly stops, you'll know what I mean.
 
abab_rafiq
Member Candidate
Posts: 118
Joined: Thu Aug 24, 2006 12:47 pm
Location: Dhaka

Re: log says: login failure from user abcde from 222.xxx.xxx f

Sun Mar 09, 2008 1:14 pm

Dear,
Just follow http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php firewall rules and also try to understand it as well.
 
chvdr
Member
Posts: 403
Joined: Thu Sep 22, 2005 8:53 pm

Re: log says: login failure from user abcde from 222.xxx.xxx f

Sun Mar 09, 2008 9:26 pm

or simply follow wiki firewall...
 
quebeker
just joined
Topic Author
Posts: 12
Joined: Wed Jan 16, 2008 2:34 am

Re: log says: login failure from user abcde from 222.xxx.xxx f

Mon Mar 10, 2008 1:39 am

thanks for all the answers: I had firewall that I got in wiki examples....

thanks
 
WiFiTech
Frequent Visitor
Posts: 65
Joined: Mon Jun 12, 2006 2:24 am

Re: log says: login failure from user abcde from 222.xxx.xxx f

Mon Mar 10, 2008 5:05 pm

Just a quick question: is there a way to drop the CLI commands into WinBox (I assume not)? I am very bad at CLI as I am unable to think in text; I am very much object oriented. That makes translating the CLI that everyone is posting into the proper action through WinBox a bit difficult.
Example: I am seeing the firewall info that shows the ftp address blacklist:

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

I am just not sure how to create or do the ftp_blacklist

I would like to do what the Wiki shows in regards to:
allows only 10 FTP login incorrect answers per minute

in /ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

<break> don't want to post the whole thing</break>

I guess I am just not well enough acquainted with the Winbox Menu setup...
