David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

under attack in port 32231? - help

Sun Dec 23, 2018 6:20 pm

Hello,
I have a router with a public IP, and started to notice that it is rebooting every 3 min.
When I got to it I saw the CPU is at 100%.
After using Torch I saw a lot of connections on port 32231 TCP,
so first I blocked the port in the firewall.
Is there anything else I can do?
In less than 10 min there were almost 10M in the firewall rule's counter.

Thanks ,
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: under attack in port 32231? - help

Sun Dec 23, 2018 6:53 pm

Not sure the best approach but perhaps

/ip firewall filter
add action=add-src-to-address-list address-list=port_scan_tcp \
address-list-timeout=2d chain=input comment="Port_Scan_TCP Make List" \
dst-port=32231 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=port_scan_udp \
address-list-timeout=2d chain=input comment="Port_Scan_UDP Make List" \
dst-port=32231 in-interface-list=WAN protocol=udp

/ip firewall raw
add action=drop chain=prerouting comment="Drop Scanner List - TCP" \
src-address-list=port_scan_tcp
add action=drop chain=prerouting comment="Drop Scanner List - UDP" \
src-address-list=port_scan_udp
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: under attack in port 32231? - help

Sun Dec 23, 2018 7:28 pm

Hey

Your default policy on public interfaces should be to block ALL and only allow what you need.

To maximally protect the open ports (=> "what you need" from above), one could limit access based on source. Another option is to implement "port knocking": only allow a connection after a specific sequence of events.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: under attack in port 32231? - help

Mon Dec 24, 2018 1:37 pm

Ok I will give it a try

Thanks!
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: under attack in port 32231? - help

Fri Dec 28, 2018 12:41 pm

Is there any way to know which port someone is trying to connect to on my router?

Because this is what I did:
I block all ports that are not in use in my network:
/ip firewall filter
add action=add-src-to-address-list address-list=Port_TCP_Scan address-list-timeout=2d chain=input dst-port=100-8599 in-interface=pppoe-out1 \
    protocol=tcp
add action=add-src-to-address-list address-list=Port_TCP_Scan address-list-timeout=2d chain=input dst-port=100-8599 in-interface=pppoe-out1 \
    protocol=udp
add action=add-src-to-address-list address-list=Port_TCP_Scan address-list-timeout=2d chain=input dst-port=8601-8999 in-interface=pppoe-out1 \
    protocol=tcp
add action=add-src-to-address-list address-list=Port_TCP_Scan address-list-timeout=2d chain=input dst-port=8601-8999 in-interface=pppoe-out1 \
    protocol=udp
add action=add-src-to-address-list address-list=Port_TCP_Scan address-list-timeout=2d chain=input dst-port=9002-9998 in-interface=pppoe-out1 \
    protocol=tcp
add action=add-src-to-address-list address-list=Port_TCP_Scan address-list-timeout=2d chain=input dst-port=9002-9998 in-interface=pppoe-out1 \
    protocol=udp
add action=add-src-to-address-list address-list=Port_TCP_Scan address-list-timeout=2d chain=input dst-port=10000-65433 in-interface=pppoe-out1 \
    protocol=tcp
add action=add-src-to-address-list address-list=Port_TCP_Scan address-list-timeout=2d chain=input dst-port=10000-65433 in-interface=pppoe-out1 \
    protocol=udp
add action=reject chain=input in-interface=pppoe-out1 reject-with=icmp-network-unreachable src-address-list=Port_TCP_Scan
/ip firewall raw
add action=drop chain=prerouting comment="Drop Scanner List - TCP" src-address-list=Port_TCP_Scan
and I can see that addresses are being blocked.

So I do have 2 questions:
1. Is there a smarter and easier way to do this? Because now if I need to open more ports, I need to create and change 2 firewall rules.
Maybe something like "if input is not on the known ports (and give a list here) then block"; that way I will only have 1 rule.
2. Is there a way to know which port they are trying to enter? Because now it's a big range, 10000-65433, and maybe there is a way to see that it's on port 60000 (for example)?

Thanks,
 
mkx
Forum Guru
Posts: 11434
Joined: Thu Mar 03, 2016 10:23 pm

Re: under attack in port 32231? - help

Fri Dec 28, 2018 1:11 pm

Is there any way to know which port someone is trying to connect to on my router?

Unless you create some 140k rules (one for each port and for the TCP/UDP protocols) and log everything, you won't know which particular port is being tried.

But then, what's the point in knowing it? If all ports are closed except for a good reason, then it doesn't matter who's knocking where. Just follow the advice by @sebastia above ... and don't bother logging; you'll get drowned in meaningless log entries and you'll miss the important ones (such as your favourite iPhone X being knocked off WiFi or something).

To your question #1: firewall rules are evaluated from first to last. If you add a rule that allows a particular connection and you move it above your more general reject/drop rule(s), that connection will be allowed.
And, BTW, why bother to reject ... drop is good enough (and you're not using up UL for rejecting connections). Plus the knocker needs to wait for some timeout before knowing it can't enter there, while if you reject it, it can try another port sooner.
 
Pea
Member Candidate
Posts: 230
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: under attack in port 32231? - help

Fri Dec 28, 2018 1:28 pm

There is a better way than selectively dropping unused ports:
1) accept only what you need
2) reject/drop everything else
That's it.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: under attack in port 32231? - help

Sun Dec 30, 2018 5:10 pm

Isn't that what I did?
All the ports I don't use, I drop them.

This was the question:
is it good?

Thanks ,
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: under attack in port 32231? - help

Sun Dec 30, 2018 5:15 pm

All you need is a rule at the end of the input chain with action=drop, with your allow rules before it. Stop trying to be fancy with specific ports, TCP scanners, address lists, etc. These offer no additional benefit over a simple drop rule and actually increase resource usage and open you up to DoS.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: under attack in port 32231? - help

Mon Dec 31, 2018 9:56 am

I'm trying to learn, this is all :-)
not trying to build something new...

So what you are saying is:
the first rules will be what I allow to enter the router \ network,
that way I know what is going in,
and at the end put "input, tcp, drop".
So when I need to add a new port, I will just add it at the start, right?

Another thing:
if I have a NAT rule from port 9999 to 10.0.0.10,
do I need to allow this port in the filter also?
Or can the NAT rule stand by itself (and I don't need to add "enable port 9999, tcp, forward" in the filter)?


Thanks,
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: under attack in port 32231? - help

Mon Dec 31, 2018 1:37 pm

Yes.

If you want to protect your castle then you build THE WALL which stops all at the gate and then allow to go inside only allowed persons/goods/packets. It is far, far easier than allowing all to enter and spying on them for "bad guys". :D :D :D
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: under attack in port 32231? - help

Mon Dec 31, 2018 2:17 pm

So something like this will be OK and work?
/ip firewall filter
add chain=input comment="Allow ssh , winbox " dst-port=8291,22 protocol=tcp
add chain=input comment="Allow Ping " protocol=icmp
add chain=forward comment="Allow NAT to camera" dst-port=9999 protocol=tcp
add action=drop chain=input comment="Block all other" dst-port=!8291,22 \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=9999 protocol=tcp to-addresses=\
    10.0.0.100 to-ports=9999
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: under attack in port 32231? - help

Mon Dec 31, 2018 3:42 pm

Yes.
You don't need
...dst-port=!8291,22 ...
You accept it earlier, so packets to 8291 and 22 do not even reach this drop rule.
I suggest changing port 8291 to another port in your configuration for winbox access.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: under attack in port 32231? - help

Mon Dec 31, 2018 4:28 pm

Here is what I do.

If someone tries one of the 65535 ports that are not open (NAT/Firewall), then block that IP for 24 hours.

One of the last rules:
/ip firewall filter
add action=add-src-to-address-list address-list=FW_Block_user_try_unkown_port address-list-timeout=1d chain=input \
    comment="This is used to collect users who try non-open ports." in-interface=ether1-Wan
The top rules (below default established etc):
/ip firewall filter
add action=accept chain=forward comment="Accept WhiteList to access all" protocol=tcp src-address-list=Whitelist_IP
add action=drop chain=input comment="Drop user that has tried blocked ports" in-interface=ether1-Wan log-prefix=\
    FW_Drop_all_from_WAN src-address-list=FW_Block_user_try_unkown_port
The Whitelist is used to prevent myself from being locked out. I do add my work IP (static), so I can get in that way.

Strict rules, but it works for me.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: under attack in port 32231? - help

Mon Dec 31, 2018 4:39 pm

Such rules open you up to resource exhaustion DoS and offer very little protection over a default drop. I would not recommend them.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: under attack in port 32231? - help

Mon Dec 31, 2018 5:01 pm

Thanks ,


By the way,
what is the difference between "drop" and "reject"?
Don't they do the same job,
preventing anyone from knowing there is something at that IP?

I do have 2 more questions:
1.
I have an L2TP client in my router.
Why do I need to add this rule to make this work?
add action=accept chain=input comment="To router " dst-port=1701 protocol=udp
Isn't the UDP connection from the router to the external server?
Or does L2TP work both ways?

2.
It seems that NTP is not syncing now, and also the DNS .....
I added ports 123,53 - accept
but in NTP I get
"server-not-synchronized"
Why?

This is what I have:
add action=accept chain=input comment="To router " dst-port=9000,2222 protocol=tcp
add action=accept chain=input comment="L2TP To Office" dst-port=1701 protocol=udp
add action=accept chain=input comment=NTP dst-port=123,53 protocol=udp
add action=accept chain=input comment=NTP dst-port=123,53 protocol=tcp
add action=accept chain=forward comment=Camera1 dst-port=99,8600 protocol=tcp
add action=accept chain=forward comment=Camera2 dst-port=9999 protocol=tcp
add action=accept chain=forward comment=Camera3 dst-port=9001 protocol=tcp
/system ntp client print 
             enabled: yes
         primary-ntp: 202.162.32.12
       secondary-ntp: 0.0.0.0
    server-dns-names: 
                mode: unicast
       poll-interval: 4m16s
       active-server: 202.162.32.12
    last-update-from: 202.162.32.12
  last-update-before: 38s980ms
     last-adjustment: 751us


Thanks ,
Last edited by David1234 on Mon Dec 31, 2018 6:07 pm, edited 2 times in total.
 
Pea
Member Candidate
Posts: 230
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: under attack in port 32231? - help

Mon Dec 31, 2018 5:32 pm

This simplification should explain the difference:
Reject: someone comes to your address and tries to open the door of your house, but you tell him that it is well locked.
Drop: someone comes to your address but there is no house or door to open, and he gives up after a while (timeout).

It is up to you what you use.
I personally prefer for a home setup the reject (with tcp reset) for protocol TCP and a final drop for everything else:
add action=reject chain=input comment="Reject TCP" protocol=tcp reject-with=tcp-reset
add action=drop chain=input comment="Drop everything else"
Last edited by Pea on Tue Jan 01, 2019 5:48 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11434
Joined: Thu Mar 03, 2016 10:23 pm

Re: under attack in port 32231? - help

Mon Dec 31, 2018 6:50 pm

My analogy is as follows:
  • reject: when somebody knocks on my door, I shout "go away!"
  • drop: when somebody knocks on my door, I silently wait for them to go away
In both cases the door is locked.

For connections originating from the router (i.e. if the router is a DNS or SNTP client), you don't need any allow rules in chain=input ... only a general rule:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
The outgoing connections should be limited in chain=output ... allowed connections in output will be "related" in chain=input.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: under attack in port 32231? - help

Mon Dec 31, 2018 8:22 pm

  • reject: when somebody knocks on my door, I shout "go away!"
  • drop: when somebody knocks on my door, I silently wait for them to go away
I would say
  • reject: when somebody knocks on my door, I shout "go away!" Hacker thinks: "AHH, there is someone in there, try more ports, maybe some other is open."
  • drop: when somebody knocks on my door, I silently wait for them to go away. Hacker thinks: "Hmm, no response at all, there may not be anything there, try to break in to the next host."
So I would say DROP is better to use than REJECT.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: under attack in port 32231? - help

Mon Dec 31, 2018 8:27 pm

Such rules open you up to resource exhaustion DoS and offer very little protection over a default drop. I would not recommend them.
It's in any case hard to stop any large DoS attempt, at least for a home user.

For me this works like this:
A user tries to access a random port (one that is not open).
The user enters the block list (due to the rule).
When the user later comes to a port that is normally open (like 80), he/she cannot even access this.
So the user/hacker cannot try any script or hack on my open ports that he/she would normally be able to if he/she was not blocked.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: under attack in port 32231? - help

Mon Dec 31, 2018 8:34 pm

Imagine an attacker is sending a small flood of 10 Mbps; they are TCP packets with spoofed IPs, so your address list is filling up at a rate of 10k+ unique addresses per second, which increases memory and CPU usage. Without the rule, the packets would be dropped with no additional overhead.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: under attack in port 32231? - help

Mon Dec 31, 2018 9:11 pm

Could have been done, but in 6 months this has never happened. My access list has around 1500 IPs on average, some days up to 2500, but it goes down.
Here is the last week, stable at 1500 IPs. (using Splunk to measure it)
access-list.jpg
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: under attack in port 32231? - help

Mon Dec 31, 2018 9:23 pm

My blocked access list have around 1500 IPs on average, some days up to 2500.

Yeah, I have 2,700 collected over about three days, so about 900 attempts per day.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: under attack in port 32231? - help

Tue Jan 01, 2019 10:43 am

Great.
I have another question now:
I put the rule you told me as number 0
/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
Can you explain to me what it does in simple terms (like the great example of the door? :-)

Also I have "Drop" rules at the end:
add action=add-src-to-address-list address-list=Port_Scan address-list-timeout=2d chain=input comment="Block all other connections" in-interface=pppoe-out1
add action=drop chain=input comment="Block all other connections" in-interface=pppoe-out1
add action=add-src-to-address-list address-list=Port_Scan address-list-timeout=2d chain=forward comment="Block all other connections" in-interface=pppoe-out1
add action=drop chain=forward comment="Block all other connections" in-interface=pppoe-out1
which someone in the post said is a good idea to put in.

But when I look at the address list
I see that
Google (8.8.8.8) is blocked?
My DNS server is blocked,
and the NTP client is not in sync.
Why is that?

Thanks ,
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: under attack in port 32231? - help

Tue Jan 01, 2019 10:50 am

Better to post this new question as a new thread.
 
mkx
Forum Guru
Posts: 11434
Joined: Thu Mar 03, 2016 10:23 pm

Re: under attack in port 32231? - help

Tue Jan 01, 2019 12:08 pm

Better to post this new question as a new thread.

And with an export of the complete /ip configuration. It's really hard to comment on particular FW rules without knowing the whole picture.

Regarding the accept established,related,untracked rule: when a packet arrives at an input interface and the router determines the proper chain to deal with it, it needs to check the FW rules to determine the action for that packet. If the general rule is to drop everything (not allowed by previous rules), the FW rules have to be carefully crafted.

Example: a DNS request, sent by the router to the Google DNS server ... when the DNS client on the RB sends out a packet, the firewall checks the rules for chain=output. Normally there are none, so the initial packet is free to leave the router. The connection tracking engine makes a note of the new connection. Then a reply packet arrives at the input interface; the router determines (with help from the connection tracking engine) that it's a reply packet and it should enter chain=input. If there was no rule allowing the Google DNS server to talk to your RB (possibly limited to a set of src-ports), then the FW would drop this packet when executing the last rule (drop all). The rule we're discussing, however, allows this packet as it is part of a (now) established connection. As the vast majority of packets belong to established connections, it's good to place this rule at the very top of the FW rule list. It is virtually impossible to construct a decent FW rule list on an edge firewall/router that allows outgoing connections but limits incoming connections without using this kind of rule.
And the same rule for chain=forward (for traffic that only flows through the RB).

The story with "related" is similar, but for a few particular L7 protocols, FTP being the prime example: it uses two distinct ports on the server, one for control and one for data, where the data connection is initiated by the FTP server, and without the app helper run by the firewall (inspecting the control flow) the firewall would not allow the data connection (actually NAT alone, even without a firewall, wouldn't pass it) ... and the data connection is related to the already established control connection.

The same story goes with "untracked". I don't remember any protocol that can't be tracked (perhaps some of the forum gurus can provide an example), but the connection tracking engine can be configured not to track certain traffic.
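A small simulation, added here as an example (not code from the thread or from MikroTik), of the first-match evaluation mkx describes: the router's own DNS query to 8.8.8.8 and its reply are run through David's chain=input rules with and without the established/related rule at the top, an unsolicited probe to port 32231 is run through the same rules, and R1CH's spoofed-source point is measured by how many address-list entries a flood creates. The router address 203.0.113.5, the scanner address 198.51.100.7, the source ports and the Firewall/Rule/Packet names are all constructed for the example and are not part of the thread's configuration.

```python
from collections import namedtuple
# in_if is "pppoe-out1" for packets arriving from the WAN and "" for router-originated ones
Packet = namedtuple("Packet", "proto src sport dst dport in_if")
# action: "accept", "drop" or "add-src-to-address-list"; match maps RouterOS matcher names
# to a single value or a set of allowed values
Rule = namedtuple("Rule", "action match address_list", defaults=({}, ""))

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()       # 5-tuples of flows the router itself opened
        self.address_lists = {}      # list name -> set of collected source addresses
    def send(self, pkt):
        # chain=output carries no rules in the thread's config, so only record the flow.
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def conn_state(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "established" if reverse in self.conntrack else "new"

    def input_chain(self, pkt):
        # Evaluate chain=input top to bottom; the first terminating action wins.
        ctx = {"in-interface": pkt.in_if, "protocol": pkt.proto,
               "dst-port": pkt.dport, "connection-state": self.conn_state(pkt)}
        for rule in self.rules:
            if not all(ctx[k] in v if isinstance(v, set) else ctx[k] == v
                       for k, v in rule.match.items()):
                continue
            if rule.action == "add-src-to-address-list":    # non-terminating action
                self.address_lists.setdefault(rule.address_list, set()).add(pkt.src)
                continue
            return rule.action
        return "accept"              # no rule matched: RouterOS passes the packet

    def listed(self, name="Port_Scan"):
        return sorted(self.address_lists.get(name, set()))

# David's rules from the thread, reduced to the matchers this evaluator understands.
ESTABLISHED = Rule("accept", {"connection-state": {"established", "related", "untracked"}})
ALLOW_MGMT = Rule("accept", {"in-interface": "pppoe-out1", "protocol": "tcp", "dst-port": {9000, 2222}})
COLLECT = Rule("add-src-to-address-list", {"in-interface": "pppoe-out1"}, address_list="Port_Scan")
DROP_ALL = Rule("drop", {"in-interface": "pppoe-out1"})
ROUTER = "203.0.113.5"               # constructed public address for the router

def dns_reply_verdict(rules):
    """Router queries 8.8.8.8; return (verdict for the reply, Port_Scan contents)."""
    fw = Firewall(rules)
    fw.send(Packet("udp", ROUTER, 40000, "8.8.8.8", 53, ""))
    return fw.input_chain(Packet("udp", "8.8.8.8", 53, ROUTER, 40000, "pppoe-out1")), fw.listed()

def probe_verdict(rules, dport=32231, src="198.51.100.7"):
    """Unsolicited TCP packet from the WAN (default: port 32231, as in the original report)."""
    fw = Firewall(rules)
    return fw.input_chain(Packet("tcp", src, 51515, ROUTER, dport, "pppoe-out1")), fw.listed()

def spoofed_flood_list_size(rules, n=10000):
    """R1CH's point: n packets with distinct spoofed sources each cost one address-list entry."""
    fw = Firewall(rules)
    for i in range(n):               # constructed, unique source address per packet
        fw.input_chain(Packet("tcp", f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}", 4444, ROUTER, 32231, "pppoe-out1"))
    return len(fw.listed())
```

With the established rule first, the DNS reply is accepted and 8.8.8.8 never reaches the collector; without it the same reply is listed and dropped, which is exactly the symptom David reports.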
