Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Do not open port tcp/23 to your device from internet you will be hacked

Wed Aug 08, 2018 9:34 am

If you do not like to get hacked, do not open port tcp/23 from the internet through your firewall.
I have used Splunk to monitor what is blocked on my WAN port on my RB750Gv3.
Using Splunk to monitor: viewtopic.php?f=2&t=137338

My last filter rule logs all that is not allowed and sends it out using syslog to Splunk.
chain=input action=drop in-interface=ether1-Wan log=yes log-prefix="FW_Drop_all_from_WAN"
The result is an average of 100 000 hits each day. Nearly all on port tcp/23.
Port tcp/23 gets hammered more than once every second from different IPs.
From the graphs you can see that each source IP tries many times for some days, then gives up.

So do not use telnet port tcp/23.
Use SSH on a random high port like 53244 if you need console access from outside.
Or use port knocking.

[Attachments: Block_telnet.jpg (graph for port tcp/23), Block_port.jpg (graph for all ports)]
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
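The post above keeps the per-port and per-source counts in Splunk; as an added example (not code from the post or from MikroTik), the same aggregation done offline in Python over RouterOS firewall log lines. It assumes the usual RouterOS "firewall,info" message layout for a rule with log=yes and log-prefix, and the log lines and addresses are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# One syslog message per logged packet, in the usual RouterOS "firewall,info" shape for a
# rule with log=yes log-prefix=... ; the addresses in SAMPLE_LOG are constructed sample data.
LOG_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>\w+): in:(?P<iface>\S+) .*?proto (?P<proto>\w+)"
    r"(?: \([^)]*\))?, (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Return the fields of one firewall log line, or None if it is not a firewall log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(lines, prefix="FW_Drop_all_from_WAN"):
    """Hits per proto/port, their share of the total, distinct sources per port, hits per source."""
    per_port, per_src, sources = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix:   # skip other rules and non-firewall lines
            continue
        key = f"{rec['proto'].lower()}/{rec['dport']}"
        per_port[key] += 1
        per_src[rec["src"]] += 1
        sources[key].add(rec["src"])
    total = sum(per_port.values())
    return {
        "total": total,
        "per_port": dict(per_port),
        "share": {k: round(v / total, 3) for k, v in per_port.items()} if total else {},
        "distinct_sources": {k: len(v) for k, v in sources.items()},
        "per_src": dict(per_src),
    }

SAMPLE_LOG = """\
Aug  8 09:31:02 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.7:41523->203.0.113.10:23, len 40
Aug  8 09:31:05 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.7:41524->203.0.113.10:23, len 40
Aug  8 09:31:11 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.44:5120->203.0.113.10:23, len 40
Aug  8 09:31:12 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.44:5121->203.0.113.10:23, len 40
Aug  8 09:31:14 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.200:60001->203.0.113.10:23, len 40
Aug  8 09:31:20 rb750 firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.44:5122->203.0.113.10:22, len 40
Aug  8 09:31:25 rb750 firewall,info FW_Other_rule input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.44:5123->203.0.113.10:23, len 40
"""
```

Call summarize(SAMPLE_LOG.splitlines()) to see the breakdown; on the sample, five of six drops are on tcp/23, from three distinct sources.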
 
 
whatever
Member Candidate
Posts: 100
Joined: Thu Jun 21, 2018 9:29 pm

Re: Do not open port tcp/23 to your device from internet you will be hacked

Wed Aug 08, 2018 9:53 am

Imho you shouldn't be using telnet at all, not even in LAN. You shouldn't just firewall it but also disable the corresponding service.
 
usdmatt
Frequent Visitor
Posts: 52
Joined: Tue Oct 29, 2013 6:18 pm

Re: Do not open port tcp/23 to your device from internet you will be hacked

Wed Aug 08, 2018 11:12 am

This isn't really a surprise for most people. Every service you run will get hit by attacks. Software like fail2ban has existed for years specifically to allow you to run a service (SMTP/HTTP/SSH/whatever) that is going to get abused, and automatically block repeated hack attempts.

I've seen the random port suggestion a few times. Apparently it works fairly well as most of the automated hacks aren't going to bother scanning every port. It only takes a quick nmap scan to find it though, and you've not really improved security other than moving the door behind some bushes.

Personally I find it crazy that people open these services in the first place. Your router should be locked down entirely from the WAN. If you need remote access, add rules for specific addresses that you connect from. If you can't do that use a VPN.
 
Jotne
Forum Guru
Topic Author
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Do not open port tcp/23 to your device from internet you will be hacked

Wed Aug 08, 2018 3:36 pm

This isn't really a surprise for most people.
I am not surprised by the number of attacks, but that it's >95% on tcp/23.
 
 
 
eXS
newbie
Posts: 42
Joined: Fri Apr 14, 2017 4:01 am

Re: Do not open port tcp/23 to your device from internet you will be hacked

Wed Aug 08, 2018 7:29 pm

Port 23, among many others, is one that I also monitor & ban on. (add to 'ban' address list)

As indicated, I've also found it to be the most frequently hit port, I get hit constantly.

Disable the service & change the corresponding service port to something (anything) else.
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Do not open port tcp/23 to your device from internet you will be hacked

Wed Aug 08, 2018 7:34 pm

Short comment would be: DUH!
OK, now for the longer, more polite answer. Anyone who runs almost any type of server these days will see piles of attack attempts on a variety of ports. Yes, Telnet is one of the most common. I don't log them, but I do have firewall rules that drop and count packets. I just looked at one of my RB750r2 routers that has a DSL connection facing the internet. Since that router was last reset 72 days ago, there have been 3,702 dropped packets on port 21, 22,236 dropped packets on port 22, and 130,890 packets on port 23. There have also been 3,036 dropped packets on port 8291 (the normal WinBox port). My cable internet connection into the other router gets far more attack attempts. None of these ports are in use as they have been moved and there are other security features to prevent access including but not limited to non-standard port, Port Knocks, Restrictive IP access, VPN, port scanning detection and blocking. I have had friends who make a living in IT security attempt to break in and all have given me a clean bill of health, so I think I'm in pretty good shape :)
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
tippenring
Member Candidate
Posts: 179
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Do not open port tcp/23 to your device from internet you will be hacked

Wed Aug 08, 2018 9:35 pm

This isn't really a surprise for most people.
I am not surprised by the number of attacks, but that it's >95% on tcp/23.
I expect the rest of the ports getting pinged are dropped further up in the firewall chain, so not being reported.
