Maximize
just joined
Topic Author
Posts: 4
Joined: Tue Apr 23, 2013 7:35 pm

security help as well as why router deassign and assign ip

Tue Apr 23, 2013 8:00 pm

ok New member but have barely gotten by as a mikrotik user for some time.

I have recently had a customer with a vonage phone start having no incoming or outgoing voice on her phone.

I had made no changes to the mikrotik, but vonage was insisting it was a firewall problem.

I checked the firewall and I noticed the default drop rule that is on the tik by default kept shifting position (not staying at the bottom)

Could this be dropping the connection to her vonage?

I also around this time checked the log and noticed at varying intervals the router would deassign her ip then seconds later reassign it back. This would happen over and over again seconds apart for some time. At other times it would deassign and reassign every 40 minutes (nearly exactly 40 minutes, differing only by seconds).

During the time I was trying to discover the cause, one time I checked the log I had dozens or hundreds of entries in the log of critical errors due to failed log in over ssh. It looked like a brute force attack. I took a snip (win7 screen snip) of the logs.

At this time I get a call from the vonage customer saying everything is working now (but it wasn't anything I changed).

While logged in remotely... ...later that day or next day I found hundreds again, this time over www not ssh, and the user name was all admin. 8 minutes later I look again and the attack seemed to stop, with the last entry saying user admin at the same ip has logged in!


I immediately change the password and reboot the router. After a couple minutes I log back in remotely, again change user name and pass, and close all ports but 8291.

I haven't since seen an attack.

But what started as her vonage phone deassign and reassign is no longer affecting her ip but has moved to 2 other ip's. These two people have yet to complain.

Please note that one of the 2 newer affected devices changed ip from 192.168.xxx.xx to 192.168.15.2. The 15.2 seems to be the first ip assigned by a vonage phone to a downstream device. Yet this is a different customer in a different apartment, yet connected to the same wireless ap.

I really don't know what to think of this or what to do, but I was wondering if there is someone who can share their default secure router settings that I could assign to my own as I do not have nearly enough knowledge to handle this alone.

And I know nothing of scripting. If I haven't been able to do it through the gui I haven't been able to do it at all.

I also plan to do the add arp to leases and add arp reply only to the interface, to make sure there aren't any unknown connected devices on my network.

Btw all client devices connect through ubiquiti unifi ap's. I keep a computer onsite wired to router for managing the unifi's and other admin tasks.


please advise!!! And thanks!!!
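
An added example, not part of the original post: the pattern described above (many failed logins, then "user admin logged in" from the same address) can be picked out of an exported log with a short Python script. The log lines are constructed, the message wording is assumed to match the router's "login failure" / "logged in" entries, and the function name and threshold are hypothetical.

```python
import re
from collections import defaultdict

# Assumed message wording; adjust the patterns to the lines in your own log.
FAIL = re.compile(r"login failure for user (\S+) from (\S+) via (\S+)")
OK = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")

# Constructed sample log (documentation-range addresses, not from the thread).
SAMPLE_LOG = "\n".join(
    [f"08:00:{s:02d} system,error,critical login failure for user root "
     "from 192.0.2.44 via ssh" for s in range(8)]
    + [f"09:10:{s:02d} system,error,critical login failure for user admin "
       "from 203.0.113.7 via web" for s in range(6)]
    + ["09:18:05 system,info,account user admin logged in from 203.0.113.7 via web",
       "09:30:00 system,error,critical login failure for user admin "
       "from 198.51.100.20 via winbox",
       "09:30:09 system,info,account user admin logged in from 198.51.100.20 via winbox"]
)

def logins_after_failures(log_text, threshold=5):
    """Return (ip, user, service, failures) for each successful login that
    follows at least `threshold` failed logins from the same source IP."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = OK.search(line)
        if m:
            user, ip, service = m.groups()
            if failures[ip] >= threshold:
                hits.append((ip, user, service, failures[ip]))
            failures[ip] = 0  # a success starts a fresh count for that source
    return hits

if __name__ == "__main__":
    for ip, user, service, n in logins_after_failures(SAMPLE_LOG):
        print(f"REVIEW: {user} from {ip} via {service} logged in after {n} failures")
```

A hit means the account should be treated as exposed: change its credentials and review what that session did. Sources that only ever fail (the ssh run in the sample) are not reported.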
 
gotsprings
Forum Veteran
Posts: 845
Joined: Mon May 14, 2012 9:30 pm

Re: security help as well as why router deassign and assign

Fri Apr 26, 2013 8:29 pm

Sounds like your drop rule is on the wrong interface.

Like out of the box it's on ether-1.
If you are using PPPoE you need to move it to that interface.

Ports SSH and WWW log ins should be dumped by default using the basic drop rule.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: security help as well as why router deassign and assign

Sat Apr 27, 2013 2:37 pm

Drop all rules (there is usually more than one) usually show at the end of the relevant sections - input, forward etc. if the rules are being displayed in rule number order. If however you reorder them by clicking on the header of another column then they may seem to have moved.

The deassigns/assigns can occur for various reasons but do not necessarily imply that the router initiated the process. It is probably responding to an external condition - e.g. link goes down, comes back up and client makes a new DHCP request during validity period of existing lease.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
Maximize
just joined
Topic Author
Posts: 4
Joined: Tue Apr 23, 2013 7:35 pm

Re: security help as well as why router deassign and assign

Sat Apr 27, 2013 3:11 pm

thanks for you two's replies

I was beginning to think no one would

the deassign /assign has happened to 2 ap's and to clients on 3 or 4 of the ap's on the network

I am hoping for more input on long term security as well as better accounting.

I was also hoping for someone's default setup for their routers, hoping it might ease my lack of knowledge on these routers.

My current plan for near future is to reset the router, add arp to make sure all users are showing up in the dhcp leases list,
that way I can continue to use simple queues to make sure they aren't abusing their use.

I would like to find out how to group users so that they share a bandwidth amount, if anyone can help with that?

After resetting the router I plan to disable all service ports and change from the default winbox port.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: security help as well as why router deassign and assign

Sat Apr 27, 2013 9:19 pm

What is the lease time for your dhcp server? Is it 40 minutes?
/ip dhcp-server print

I will presume it is, since I have seen this before on my dhcp server. Here is what I used to determine the problem, which I have yet to solve, but your input may help. What I found is when the client renews the lease, sometimes the dhcp server is not resetting expires-after in the lease. This seems to be client device dependent. If it renews ok the first time, it will always renew ok. If it fails to reset expires-after the first time, it will always fail.

Do the system logging first, then go to the log and watch the dhcp server transactions with the "print follow" command below.

When you see your device renew the lease, go to "/ip dhcp-server lease". See if it reset the expires-after to 40 minutes, or did it leave it at a little less than 20 minutes? The last-seen time and the expires-after time should total the lease time (40 minutes?). My faulty router (on a renew) will not set the expires-after on certain devices only. The last-seen and expires-after totaled a few seconds less than 20 minutes after the renew, not 40 minutes as I expected. The bad part is the dhcp server tells the client it is good for another 40 minutes, so renew a little after 20 minutes. You will see this in the ack packet: Address-Time=2400

/system logging
add topics=dhcp,debug action=memory

/log
print follow where topics~"dhcp"

/ip dhcp-server lease
print detail

Your input would be most helpful.
 
Maximize
just joined
Topic Author
Posts: 4
Joined: Tue Apr 23, 2013 7:35 pm

Re: security help as well as why router deassign and assign

Sun Apr 28, 2013 3:36 pm

I'll have to try that when I can. But lease time is definitely supposed to be default at 3 days.
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: security help as well as why router deassign and assign

Sun Apr 28, 2013 3:48 pm

I know what the default is. I also know the default name for that dhcp server is dhcp1, not default, like your pic shows. Check to ensure it is 3 days. I had mine set initially to 1 hour when I was testing this, and now I'm using 10 minutes to speed up the testing.

I just started the test again. Give me an hour or so to get a new log from my test and I'll post it here. It looks just like yours, but only 10 minutes between deassigned/assigned message sets.

edit: Here it is. Look familiar?

[admin@test] /log> print follow where topics~"dhcp,info"
07:40:33 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
07:50:33 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
07:50:37 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
08:00:37 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
08:00:38 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
08:10:38 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
08:10:39 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
08:20:39 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
08:20:39 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
08:30:39 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
08:30:40 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
-- Ctrl-C to quit. Space prints separator. New entries will appear at bottom.

Add: I filed a bug report today with MikroTik. I'll keep you posted.
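
An added example, not part of the post above or of MikroTik's tooling: this Python script measures how long each lease was held between "assigned" and "deassigned" and checks whether every hold equals the configured lease time, which is the signature described in this post. The function names, the 5-second tolerance and the second (constructed) log are assumptions for illustration.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (lease time under test: 10 minutes).
POST_LOG = """\
07:40:33 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
07:50:33 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
07:50:37 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
08:00:37 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
08:00:38 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
08:10:38 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
08:10:39 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
08:20:39 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
08:20:39 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
08:30:39 dhcp,info dhcp3 deassigned 192.168.2.238 from 00:AA:BB:CC:DE:02
08:30:40 dhcp,info dhcp3 assigned 192.168.2.238 to 00:AA:BB:CC:DE:02
"""
# Constructed contrast case: short, uneven holds (not from the thread).
FLAPPY_LOG = """\
10:00:00 dhcp,info dhcp1 assigned 192.168.2.50 to 00:AA:BB:CC:DE:99
10:00:12 dhcp,info dhcp1 deassigned 192.168.2.50 from 00:AA:BB:CC:DE:99
10:00:15 dhcp,info dhcp1 assigned 192.168.2.50 to 00:AA:BB:CC:DE:99
10:01:02 dhcp,info dhcp1 deassigned 192.168.2.50 from 00:AA:BB:CC:DE:99
"""
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d) dhcp,info \S+ (assigned|deassigned) \S+ (?:to|from) (\S+)")

def hold_times(log_text):
    """Map each MAC to the seconds each lease was held (assigned -> deassigned)."""
    started, holds = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # prompt lines, separators, other topics
        h, mi, s, event, mac = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        if event == "assigned":
            started[mac] = t
        elif mac in started:
            holds[mac].append((t - started.pop(mac)) % 86400)  # midnight wrap
    return dict(holds)

def classify(holds, lease_seconds, tolerance=5):
    """'lease-expiry' if every hold matches the lease time, else 'irregular'."""
    if not holds:
        return "no-data"
    near = all(abs(h - lease_seconds) <= tolerance for h in holds)
    return "lease-expiry" if near else "irregular"
```

Holds that all equal the lease time mean the lease ran out without a successful renew; irregular holds point to something outside the DHCP server, such as the link events mentioned earlier in the thread.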
 
Maximize
just joined
Topic Author
Posts: 4
Joined: Tue Apr 23, 2013 7:35 pm

Re: security help as well as why router deassign and assign

Mon Apr 29, 2013 8:02 pm

two pics
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: security help as well as why router deassign and assign

Mon Apr 29, 2013 8:51 pm

Then your case is probably not related to mine. The frequency of my deassign/assign happens at exactly the lease time. If I change it to 1 hour, it happens at 1 hour, but only this client device. Other client devices on the same network do fine, and always do. This device fails the renew only at one half the lease time. Once the lease expires, it renews ok a few seconds later.

edit: I would still check "/ip dhcp-server lease" and see what is set in "last-seen" and "expires-after" for that lease.
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: security help as well as why router deassign and assign

Sun Jun 30, 2013 11:16 am

I had the same problem with a client assigning and deassigning ip, but it was due to a faulty rj45 connector. The device on the other end was a d-link router.
After changing the rj45 the problem was gone.
