I don't get it why would anybody want to allow connections to some random port (3389 is as nice random number as any other between 0 and 65536) from internet at large?

Your firewall rule is not complete ... attacker can easily change source port to some other and your rule won't catch anything. I guess the tool used by attackers is really a "script kiddie" class ... if I'd create one, first thing to do would be to randomize source port number.

I don't get it why would anybody want to allow connections to some random port (3389 is as nice random number as any other between 0 and 65536) from internet at large?

Your firewall rule is not complete ... attacker can easily change source port to some other and your rule won't catch anything. I guess the tool used by attackers is really a "script kiddie" class ... if I'd create one, first thing to do would be to randomize source port number.

Iv put rule to to mark any attempts to dst port 3389 regardless of source port, and only ones that come in one month are from 60000 port(and the other one im using), also its probing other ports other than 3389, and all comes from weird IP adresses from russia as i said..

And when they where hacked there was open connection from 60000>3389(We just got into this company previous tech guys didint change default port)

So tell me what im supposed to do?Just ignore it?I already changed default RDP port and added single white list adress which can acces RDC, but this attempts are still comming in from same adresses/country that hacked them before.

I don't get it why would anybody want to allow connections to some random port (3389 is as nice random number as any other between 0 and 65536) from internet at large?

Your firewall rule is not complete ... attacker can easily change source port to some other and your rule won't catch anything. I guess the tool used by attackers is really a "script kiddie" class ... if I'd create one, first thing to do would be to randomize source port number.

Iv put rule to to mark any attempts to dst port 3389 regardless of source port, and only ones that come in one month are from 60000 port(and the other one im using), also its probing other ports other than 3389, and all comes from weird IP adresses from russia as i said..

And when they where hacked there was open connection from 60000>3389(We just got into this company previous tech guys didint change default port)

So tell me what im supposed to do?Just ignore it?I already changed default RDP port and added single white list adress which can acces RDC, but this attempts are still comming in from same adresses/country that hacked them before.

Even if you properly drop connections from Russia, they will keep trying. And if you have "log=yes" you will have all those tries in your log even though all those tries are not successful (as you have action=drop, the log message is benign ... if someone would successfully connect through, it wouldn't be logged under this firewall filter rule).
I'd just set log=no and (more or less) forget about it. Or, if you have a general rule at the end of list to drop anything not explicitly accepted by previous rules, you can safely remove these FW rules completely and let ultimate rule drop them.

... i was just wondering if anyone else is getting probed via this port as it seams im catching this on several locations and not 100% sure what to do about it.

... i was just wondering if anyone else is getting probed via this port as it seams im catching this on several locations and not 100% sure what to do about it.

Could be, but I don't notice as I have a general drop rule at the end of firewall rules list. It does show increasing number of connections/packets involved, but I don't log details so I don't know why they were dropped. Well, I do know they were dropped because it wasn't something I explicitly allowed, but that's all.

... i was just wondering if anyone else is getting probed via this port as it seams im catching this on several locations and not 100% sure what to do about it.

Could be, but I don't notice as I have a general drop rule at the end of firewall rules list. It does show increasing number of connections/packets involved, but I don't log details so I don't know why they were dropped. Well, I do know they were dropped because it wasn't something I explicitly allowed, but that's all.

Problem is not blocked ports, problem is that we do have 10+ open ports for VPN, RDC etc, and if they already managed penetrate RDC, im afraid they may do it again, so i rather honey-pot them tho it doesnt mean its any 100% protection..

... i was just wondering if anyone else is getting probed via this port as it seams im catching this on several locations and not 100% sure what to do about it.

Could be, but I don't notice as I have a general drop rule at the end of firewall rules list. It does show increasing number of connections/packets involved, but I don't log details so I don't know why they were dropped. Well, I do know they were dropped because it wasn't something I explicitly allowed, but that's all.

Problem is not blocked ports, problem is that we do have 10+ open ports for VPN, RDC etc, and if they already managed penetrate RDC, im afraid they may do it again, so i rather honey-pot them tho it doesnt mean its any 100% protection..

Probably best practice is to limit access to open ports from select public IP addresses/subnets ... if that's feasible to do. E.g. if you only expect to receive RDP or VPN connections from a few remote places, you can explicitly allow connections only from those IP addresses. This greatly narrows probability of attacker bypassing firewall.
If that's not feasible, you could try to implement some port-knocking mechanism (so that in order to "open", say, RDP port, you need to try to open a few other ports in predefined sequence with tight timing in place). This technique is generally not acceptable for "plain" users, but might be fine with some advanced users.
Whatever you pass through firewall you have to secure at the application server (if possible at all).

In short: if it's feasible, deny everything that is not explicitly allowed (default with it's implicit allow all rule is just the opposite).

I'm seeing them too. From two different routers:

Code: Select all

[admin@MikroTik] > /log print count-only  where message~":60000->"
6

and

Code: Select all

[admin@MikroTik] > /log print count-only  where message~":60000->"
14

They are stealth in the sense that they avoid typical blacklisting attempts; just a few contacts per hour coming from different ips. I think basically looking for open ports.

They tried 3389,143,389,3390,9999,3389 in one machine and 3399,8022,3389,33890,1500,222,8083,13389,3395,2222,3391,110. It looks like variants of default service ports of known vulnerable services. Changing the port of a service is usually not the solution to the problem...

One solution to the problem is to close everything except a few service ports (like web server or VPN ports) and a whitelist and then add to it static addresses or even DDNS names, and hack a port knocking script that will add any one "knocking" the right sequence of ports into the whitelist for a while... I'm half way there: I have blacklist/whitelist and ddns, one of this days I'll hack the port knocking stuff and close anything not intended for general consumption.