danriis
just joined
Topic Author
Posts: 21
Joined: Wed May 29, 2019 1:52 am

Compromised clients / Firewall question

Sat Mar 20, 2021 2:50 am

Hi all,
So my firewall started spewing thousands of log messages recently, they vary but look mostly like this:
Mar/19/2021 15:52:33 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45570->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45571->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:40 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:41 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:48669->172.253.124.188:5228, len 60
Mar/19/2021 15:52:42 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:48669->172.253.124.188:5228, len 60
Mar/19/2021 15:52:44 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:48669->172.253.124.188:5228, len 60
Mar/19/2021 15:52:44 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:39846->108.177.122.154:443, len 60
Mar/19/2021 15:52:45 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:39847->108.177.122.154:443, len 60
As you can see this is coming from one specific client, 10.0.0.91; I also have it happening for another client at 10.0.0.92. I'm not very experienced with firewall stuff, but it would appear that these events are being logged because of some firewall rules being activated. My guess was that these clients have some kind of 'spam virus' trying to take advantage of their devices; one is an Android phone, the other a Windows PC.
Is there anything I can do but tell the users to clean up their devices? Other ways to strengthen the firewall in regards to this? Is this actually getting out to the WAN or (hopefully) being blocked?
Here's a copy of my config, please feel free to ask clarifying questions, and thanks for the help, I'm trying to avoid spending hundreds on consulting and would like to learn more as well.
Thx,
Dan
----------config export / compact / hide sensitive----------------------
# mar/19/2021 17:35:02 by RouterOS 6.44.3
# software id = CKED-AUWZ
#
# model = RB1100x4
# serial number = 91D80AE30458
/interface bridge
add fast-forward=no name=bridge1 priority=0x2000
/interface ethernet
set [ find default-name=ether1 ] name="ether1_Spectrum WAN" speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] name=ether3_SolplexSE speed=100Mbps
set [ find default-name=ether4 ] name=ether4_PossiblyBadPort speed=100Mbps
set [ find default-name=ether5 ] name=ether5_SolPlexNW speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] name=ether10_Community speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] name=ether12_Lukas speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/queue simple
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=UnifiController target=\
    10.0.0.250/32
add dst="ether1_Spectrum WAN" max-limit=20M/100M name=AttilaDesktop target=\
    10.0.0.251/32
add dst="ether1_Spectrum WAN" max-limit=10M/100M name=Lukas target=\
    10.0.0.252/32
add disabled=yes dst="ether1_Spectrum WAN" max-limit=24M/500M name=Master \
    target=10.0.0.0/24
/queue type
add kind=pcq name=pcq-download-fastest pcq-classifier=dst-address pcq-rate=\
    100M pcq-total-limit=5000KiB
set 6 pcq-rate=18M pcq-total-limit=5000KiB
set 7 pcq-rate=35M pcq-total-limit=5000KiB
/queue simple
add dst="ether1_Spectrum WAN" max-limit=24M/500M name=EveryoneElse queue=\
    pcq-upload-default/pcq-download-default target=bridge1
add disabled=yes max-limit=12M/100M name="Unifi Controller PC" queue=\
    pcq-upload-default/pcq-download-fastest target=10.0.0.250/32
add disabled=yes max-limit=15M/100M name="Attila Office" queue=\
    pcq-upload-default/pcq-download-fastest target=10.0.0.251/32
add disabled=yes max-limit=15M/100M name="Lukas Desktop" queue=\
    pcq-upload-default/pcq-download-fastest target=10.0.0.252/32
/system logging action
set 0 memory-lines=2000
set 1 disk-file-count=10
/interface bridge filter
add action=drop chain=input disabled=yes in-bridge=bridge1 log=yes \
    src-mac-address=80:7B:3E:37:9C:E5/FF:FF:FF:FF:FF:FF
add action=drop chain=input disabled=yes dst-mac-address=\
    00:0F:66:DC:76:37/FF:FF:FF:FF:FF:FF log=yes src-mac-address=\
    00:0F:66:DC:76:37/FF:FF:FF:FF:FF:FF
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3_SolplexSE
add bridge=bridge1 interface=ether4_PossiblyBadPort
add bridge=bridge1 interface=ether5_SolPlexNW
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10_Community
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12_Lukas
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=\
    "ether1_Spectrum WAN"
/ip dhcp-server alert
add disabled=no interface=bridge1 valid-server=74:4D:28:01:2F:35
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1,71.10.216.1 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=71.10.216.1,8.8.8.8
/ip firewall filter
add action=drop chain=forward comment="Drop everything from 192.168.1.1" \
    disabled=yes log=yes src-address=192.168.1.1
add action=drop chain=input comment="DROP SSH from WAN requests" dst-port=22 \
    in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP webconfig from WAN requests" \
    dst-port=8081 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=drop chain=input comment="DROP Winbox from WAN requests" dst-port=\
    8291 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=jump chain=forward comment="Prevent UDP flooding attack" \
    connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos comment="Prevent UDP flooding attack" \
    dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    10m chain=detect-ddos comment="Prevent UDP flooding attack"
add action=drop chain=forward comment="Prevent UDP flooding attack" \
    connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=\
    53 in-interface="ether1_Spectrum WAN" protocol=udp
add action=drop chain=input comment="Prevent outside DHCP requests" dst-port=\
    53 in-interface="ether1_Spectrum WAN" protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" \
    disabled=yes dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" \
    disabled=yes dst-port=53 protocol=udp
add action=add-src-to-address-list address-list="SMTP spammer" \
    address-list-timeout=none-dynamic chain=forward comment=\
    "SMTP spammer gets added to SMTP spammer address list." connection-limit=\
    30,32 dst-port=25 limit=50,5:packet log=yes protocol=tcp
add action=drop chain=forward comment=\
    "Drop packets from SMTP spammer address list." log=yes src-address-list=\
    "SMTP spammer"
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=yes distance=1 gateway=208.85.239.109
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24 port=8081
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=MikroTikLV
/system logging
set 0 action=disk topics=info,!dhcp
set 1 action=disk
set 2 action=disk
set 3 action=disk
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool netwatch
add down-script=":log info \"Internet Down\"" host=71.94.234.1 interval=5s \
    up-script=":log info \"Internet Up\""
add down-script=":log info \"Gentech Down\"" host=10.0.0.204 interval=10s \
    up-script=":log info \"Gentech Up\""
add down-script=":log info \"small dorm down\"" host=10.0.0.209 interval=10s \
    up-script=":log info \"small dorm Up\""
add down-script=":log info \"Lodge Down\"" host=10.0.0.216 interval=10s \
    up-script=":log info \"Lodge Up\""
add down-script=":log info \"Office Down\"" host=10.0.0.201 interval=10s \
    up-script=":log info \"Office Up\""
add down-script=":log info \"Solplex NW Down\"" host=10.0.0.202 interval=10s \
    up-script=":log info \"Solplex-NW Up\""
add down-script=":log info \"Solplex-SE Down\"" host=10.0.0.203 interval=10s \
    up-script=":log info \"Solplex-SE Up\""
add down-script=":log info \"ping not reaching 8.8.8.8\"" host=8.8.8.8 \
    interval=5s up-script=":log info \"ping reaching 8.8.8.8\""
add down-script=":log info \"ODK Down\"" host=10.0.0.210 interval=10s \
    up-script=":log info \"ODK Up\""
add down-script=":log info \"cabin 11 Down\"" host=10.0.0.211 interval=10s \
    up-script=":log info \"cabin 11 Up\""
add down-script=":log info \"Upper Large Dorm DOWN\"" host=10.0.0.206 \
    interval=10s up-script=":log info \"Upper Large Dorm UP\""
add down-script=":log info \"Nursery Down\"" host=10.0.0.215 interval=30s \
    up-script=":log info \"Nursery Up\""
add down-script=":log info \"Lower Large Dorm DOWN\"" host=10.0.0.207 \
    interval=10s up-script=":log info \"Lower Large Dorm UP\""
add down-script=":log info \"Maintenance Shop Down\"" host=10.0.0.212 \
    interval=10s up-script=":log info \"Maintenance Shop Up\""
add down-script=":log info \"Chris DOWN\"" host=10.0.0.205 interval=10s \
    up-script=":log info \"Chris UP\""
add down-script=":log info \"NANOBEAM AT LODGE DOWN!!!\"" host=10.0.0.246 \
    interval=5s up-script=":log info \"NANOBEAM AT LODGE UP\""
add down-script=":log info \"NANOBEAM AT SOLPLEX DOWN\"" host=10.0.0.247 \
    interval=5s up-script=":log info \"NANOBEAM AT SOLPLEX UP\""
add down-script=":log info \"CORE SWITCH DOWN\"" host=10.0.0.239 interval=10s \
    up-script=":log info \"CORE SWITCH UP\""
add down-script=":log info \"MikroTik NURSERY SWITCH DOWN\"" host=10.0.0.238 \
    interval=10s up-script=":log info \"MikroTik NURSERY SWITCH UP\""
add down-script=":log info \"cabin 13 Down\"" host=10.0.0.217 interval=10s \
    up-script=":log info \"cabin 13 Up\""
 
jvanhambelgium
Forum Veteran
Posts: 993
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Compromised clients / Firewall question

Sat Mar 20, 2021 9:08 am

Looking at the repetitive sequences of "SYN" (the very first packet in the 3-way handshake process of TCP transmission) it seems the internal device cannot really establish a dialogue with the outside 64.233.185.101 and keeps trying. (That IP belongs to Google, for example.)
Same behavior for the internal host trying to reach 172.254.x.x and 108.177.x.x

Mar/19/2021 15:52:33 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45570->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45571->64.233.185.101:443, len 60
Mar/19/2021 15:52:34 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
Mar/19/2021 15:52:40 firewall,info forward: in:bridge1 out:ether1_Spectrum WAN, src-mac 2c:0e:3d:39:2b:23, proto TCP (SYN), 10.0.0.91:45572->64.233.185.101:443, len 60
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Compromised clients / Firewall question

Sat Mar 20, 2021 1:54 pm

(1) Not a fan of bridge firewall filter rules.
What is the purpose of this.............???????
/interface bridge filter
add action=drop chain=input disabled=yes in-bridge=bridge1 log=yes \
src-mac-address=80:7B:3E:37:9C:E5/FF:FF:FF:FF:FF:FF
add action=drop chain=input disabled=yes dst-mac-address=\
00:0F:66:DC:76:37/FF:FF:FF:FF:FF:FF log=yes src-mac-address=\
00:0F:66:DC:76:37/FF:FF:FF:FF:FF:FF


(2) This rule is incomplete, it needs an interface......
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
(Note, however, that there are no interface lists or interface list members showing in your config; it is very annoying when people remove stuff that is important. If they are truly missing you need to add them!)
You could use this for now:
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1_Spectrum WAN"



(3) Firewall rules need work or, more bluntly, they are crap. This is what it should look like, which is based on the safe and effective default firewall rules.

/ip firewall filter
{input chain}
add action=accept chain=input comment="default configuration" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="allow Admin access" in-interface=bridge1 src-address-list=adminIPs
[add two RULES FOR ALL USERS TO ACCESS DNS services on the router tcp&udp see below!]
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All else"

One should add the admin access rule first, and the last rule you should configure is the DROP rule at the end; otherwise you will lock yourself out of the router.
Example of the firewall address list you would make before configuring the admin allow rule!!!
/ip firewall address-list
add address=IPof_adminDesktop list=adminIPs
add address=IPof_adminLaptop list=adminIPs
add address=IPof_Ipad list=adminIPs
add address=IPof_smartphone list=adminIPs
(assumed these have been made static entries in your dhcp server lease list).

The above last Drop rule will stop all other traffic from occurring to or from the router, clean and simple.

{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="default configuration" \
connection-state=established,related,untracked
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
ADD RULES FOR USERS TO ACCESS INTERNET (all users LAN to WAN etc.)
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
[add any other rules for allowing traffic needed]
add action=drop chain=forward comment="Drop everything else"
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Compromised clients / Firewall question

Sat Mar 20, 2021 2:51 pm

You are seeing all of those log messages because of this firewall rule:
add action=drop chain=forward comment=\
    "Drop packets from SMTP spammer address list." log=yes src-address-list=\
    "SMTP spammer"
The devices you see in the logs have been caught by the SMTP spammer rules and all of their traffic is now being dropped. Without direct control of all devices in your network, or without the means to deal with support issues, I believe it best not to try and filter any connections. If you have a mix of guest and official devices, it is best to separate the two using VLANs. There is no reason why the latest default firewall rules should be sufficient for your needs.
/interface list
add name=WAN comment="defconf"
add name=LAN comment="defconf"

/interface list member
add list=LAN interface=bridge1 comment="defconf"
add list=WAN interface="ether1_Spectrum WAN" comment="defconf"
           
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
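Added here as a worked check, not part of 2frogs' post or the original configuration: the RouterOS commands to confirm that diagnosis on the router itself, using the list name and rule comments exactly as they appear in the posted config. Two details of those rules are worth keeping in mind while reading the output. The add-src-to-address-list rule only matches TCP/25 together with connection-limit=30,32, so a host that ended up on the list did at some point have more than 30 concurrent SMTP connections open, which is unusual for a phone or a desktop. And address-list-timeout=none-dynamic keeps the entry until reboot or manual removal, after which the second rule logs and drops every forwarded packet from that host, regardless of port; that is what produces the flood of 443 and 5228 lines.

```routeros
# Which hosts are currently on the list the drop rule keys on?
/ip firewall address-list print where list="SMTP spammer"

# Packet/byte counters for the two SMTP rules: the drop rule's counter is
# the one climbing with every logged line.
/ip firewall filter print stats where comment~"SMTP spammer"

# Recent firewall log lines for one of the two hosts.
/log print where topics~"firewall" and message~"10.0.0.91"

# Clear the dynamic entries so the hosts get their traffic back. The add rule
# will re-list a host if it again exceeds 30 concurrent TCP/25 connections.
/ip firewall address-list remove [find list="SMTP spammer"]

# Or take both SMTP rules out of the picture entirely, as suggested above.
/ip firewall filter disable [find comment~"SMTP spammer"]
```

If the list turns out to hold 10.0.0.91 and 10.0.0.92, the remaining question is why those two devices were opening that many SMTP connections, which is something to check on the devices rather than on the router.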
