 
n21roadie
Forum Guru
Topic Author
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Firewall NAT logging!

Sun May 30, 2021 8:09 pm

(I have edited the info below)
I would like to log on device (10.0.0.1) any activity using
/ip firewall nat
add action=dst-nat chain=dstnat comment=Server01 dst-address=(Public IP) dst-port=1111 protocol=tcp to-addresses=10.0.0.2 to-ports=22

On one of my RADIUS servers I noticed a lot of failed login attempts. The failed login attempts cease when I disable the above NAT rule!

May 30 14:02:03 Server01 sshd[10534]: Failed password for invalid user osm from 10.0.0.1 port 63881 ssh2
May 30 14:02:11 Server01 sshd[10546]: Failed password for invalid user css from 10.0.0.1 port 37854 ssh2
May 30 14:02:15 Server01 sshd[10553]: Failed password for invalid user taoj from 10.0.0.1 port 53222 ssh2
May 30 14:02:28 Server01 sshd[10592]: Failed password for invalid user training from 10.0.0.1 port 37326 ssh2
May 30 14:02:35 Server01 sshd[10617]: Failed password for invalid user odoo from 10.0.0.1 port 54818 ssh2
May 30 14:02:36 Server01 sshd[10620]: Failed password for nagios from 10.0.0.1 port 35296 ssh2
May 30 14:02:40 Server01 sshd[10632]: Failed password for invalid user vaishnavi from 10.0.0.1 port 39124 ssh2
May 30 14:02:51 Server01 sshd[10786]: Failed password for invalid user hduser from 10.0.0.1 port 52066 ssh2
May 30 14:02:59 Server01 sshd[10825]: Failed password for invalid user ubuntu from 10.0.0.1 port 44324 ssh2
May 30 14:03:05 Server01 sshd[10838]: Failed password for invalid user laijizheng from 10.0.0.1 port 44216 ssh2
May 30 14:03:11 Server01 sshd[10853]: Failed password for invalid user skrongren from 10.0.0.1 port 46834 ssh2
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall NAT logging!

Sun May 30, 2021 8:19 pm

So somebody from the internet (or LAN?) is trying to get into your not-so-well-hidden SSH service. As all failed logins appear to originate from your NAT router, you probably have one src-nat too many (or some too-greedy src-nat). If you fix that src-nat rule, you'll see the actual src addresses of those login attempts.
 
n21roadie
Forum Guru
Topic Author
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: Firewall NAT logging!

Sun May 30, 2021 8:39 pm

So somebody from the internet (or LAN?) is trying to get into your not-so-well-hidden SSH service. As all failed logins appear to originate from your NAT router, you probably have one src-nat too many (or some too-greedy src-nat). If you fix that src-nat rule, you'll see the actual src addresses of those login attempts.
I had forgotten to close that NAT rule, which was for remote assistance to the RADIUS server!

Now I am trying to log any such failed attempts when this NAT rule is active!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall NAT logging!

Sun May 30, 2021 8:47 pm

/export hide-sensitive file=anynameyouwish

Really recommend that if a small set of folks need access to the router or SSH etc.,
you at least also create a source address list with their IPs.
 
n21roadie
Forum Guru
Topic Author
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: Firewall NAT logging!

Sun May 30, 2021 9:43 pm

/export hide-sensitive file=anynameyouwish

Really recommend that if a small set of folks need access to the router or SSH etc.,
you at least also create a source address list with their IPs.
(1) Accept source address list for tech + software support had been created for me
(2) I had added the remote assistance IP to this list - Disabled
(3) Added the IP to /ip service ssh, winbox - Disabled
(4) Created a temp admin account for them - Disabled

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
;;; Permit Router Access From Address List
chain=input action=accept src-address-list=Permit Router Access

As the failed login attempts appear to come from a NAT router (unless the address is spoofed!):
(1) Can I ask for advice on setting up NAT logging on the NAT router?
(2) Any advice on how to check, if possible, the failed login source for the RADIUS service, which is Linux CentOS 7!
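An added example for question (2), not code from any post in this thread: a small Python script that aggregates sshd "Failed password" lines (the format quoted in the first post, as written by OpenSSH on CentOS 7 to /var/log/secure) per source address, and flags private-address sources that show a brute-force pattern. The sample log is constructed: five lines copied from the first post plus two constructed lines (a failure from a documentation address, 203.0.113.7, and one successful login) so that there is more than one origin to compare. The RFC 1918 check mirrors the RFC1918 address list used in the router export; the thresholds in `private_bruteforce_sources` are assumptions, not values from the page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: five of the sshd lines quoted in the first post, plus two
# constructed lines (a failure from documentation address 203.0.113.7 and one
# successful login) so that the aggregation has more than one origin to compare.
SAMPLE_SECURE_LOG = """\
May 30 14:02:03 Server01 sshd[10534]: Failed password for invalid user osm from 10.0.0.1 port 63881 ssh2
May 30 14:02:11 Server01 sshd[10546]: Failed password for invalid user css from 10.0.0.1 port 37854 ssh2
May 30 14:02:36 Server01 sshd[10620]: Failed password for nagios from 10.0.0.1 port 35296 ssh2
May 30 14:02:59 Server01 sshd[10825]: Failed password for invalid user ubuntu from 10.0.0.1 port 44324 ssh2
May 30 14:03:11 Server01 sshd[10853]: Failed password for invalid user skrongren from 10.0.0.1 port 46834 ssh2
May 30 14:05:02 Server01 sshd[10901]: Failed password for root from 203.0.113.7 port 50122 ssh2
May 30 14:05:09 Server01 sshd[10903]: Accepted publickey for admin from 10.0.0.5 port 40001 ssh2: RSA SHA256:EXAMPLE
"""

# "invalid user " is present when the account does not exist and absent when it does.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2"
)

# Same three prefixes as the RFC1918 address list in the router export.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_failed_logins(text):
    """One dict per 'Failed password' line; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({
                "user": m.group("user"),
                "invalid_user": m.group("invalid") is not None,
                "src": m.group("src"),
                "port": int(m.group("port")),
            })
    return events


def summarize_by_source(events):
    """Per source address: attempt count, distinct user names, invalid-user count, distinct client ports."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid_user": 0, "ports": set()})
    for e in events:
        s = per_src[e["src"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["ports"].add(e["port"])
        if e["invalid_user"]:
            s["invalid_user"] += 1
    return dict(per_src)


def private_bruteforce_sources(summary, min_attempts=5, min_users=3):
    """RFC 1918 sources with a brute-force profile: many attempts spread over many user names.

    When such a source is the LAN router (the situation in this thread), the real
    clients are behind it, so the router's src-nat rules are the next place to look.
    Thresholds are assumed defaults, not values from the thread.
    """
    flagged = [src for src, s in summary.items()
               if is_rfc1918(src) and s["attempts"] >= min_attempts and len(s["users"]) >= min_users]
    return sorted(flagged)


def report(text):
    """Human-readable summary of the kind you would run over /var/log/secure."""
    summary = summarize_by_source(parse_failed_logins(text))
    lines = []
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["attempts"]):
        lines.append(f"{src:16} attempts={s['attempts']:3} invalid_user={s['invalid_user']:3} "
                     f"distinct_users={len(s['users']):3} distinct_ports={len(s['ports']):3}")
    for src in private_bruteforce_sources(summary):
        lines.append(f"{src}: private source with brute-force profile; likely a NAT gateway masking the real origin")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SECURE_LOG))
```

Run it against the real file with `report(open("/var/log/secure").read())`. The distinct client ports per source are worth keeping in the output: a single scanner reusing one host produces many ephemeral ports, but so does a NAT router relaying many clients, which is why the address alone cannot settle where the attempts come from.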
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall NAT logging!

Sun May 30, 2021 9:47 pm

/export hide-sensitive file=anynameyouwish
 
n21roadie
Forum Guru
Topic Author
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: Firewall NAT logging!

Sun May 30, 2021 10:25 pm

/ip firewall layer7-protocol
add name=WB regexp="/\\.\\./\\.\\.\?/"
/ip firewall address-list
add address=192.168.0.0/16 list=RFC1918
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=999.999.999.0/28 comment=" - Management Reserved Prefix" list="Permit Router Access"
add address=1XX.191.159.3 comment="Access RM check" list="Permit Router Access"
add address=666.999.666.0/29 comment=" - ISP link network" list="Permit Router Access"
add address=XX.40.XX.150 comment=DMASoftLab_Access-Temp disabled=yes list="Permit Router Access"
/ip firewall filter
add action=log chain=forward comment=" - TCP logger" connection-state=new protocol=tcp src-address=999.999.999.0-999.999.999.254
add action=log chain=forward comment=" - UDP logger" connection-state=new protocol=udp src-address=999.999.999.0-999.999.999.254
add action=reject chain=output dst-address=139.99.5.202 protocol=tcp
add action=reject chain=output dst-address=181.206.42.252 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=output dst-address=39.42.130.172 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=output dst-address=220.231.69.31 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=output dst-address=14.175.186.183 protocol=tcp reject-with=icmp-network-unreachable
add action=accept chain=forward src-address=10.XXX.20.XX/24
add action=accept chain=forward src-address=10.0.0.0/8
add action=accept chain=forward dst-address=8.8.4.4 src-address=10.0.0.0/8
add action=accept chain=input src-address=10.XXX.20.XX/24
add action=accept chain=input comment=" - Permit established & related" connection-state=established,related
add action=drop chain=input comment=" - Drop all DNS requests to /22 - DDOS Mitigation" dst-port=53 in-interface=VLAN100_Ether1 protocol=udp
add action=accept chain=forward comment=" - Permit established & related" connection-state=established,related
add action=accept chain=forward comment=" - Permit traffic from 999.999.999.0/22" connection-state=new src-address=999.999.999.0/22
add action=drop chain=forward dst-address=999.999.999.0/22 dst-port=53 in-interface=VLAN100_Ether1 protocol=udp
add action=accept chain=forward comment="Permit Dude .22 access to all" dst-port=8291 protocol=tcp src-address=10.XXX.XXX.22
add action=accept chain=forward out-interface=VLAN100_Ether1
add action=accept chain=forward src-address=999.999.999.0
add action=accept chain=input comment=" - Permit Router Access From Address List" src-address-list="Permit Router Access"
add action=accept chain=input comment=" - Permit ICMP" protocol=icmp
add action=drop chain=input in-interface=VLAN100_Ether1
add action=accept chain=forward connection-state=new dst-address-list=RFC1918 protocol=tcp src-address=999.999.999.0/22
add action=accept chain=forward
/ip firewall mangle
add action=add-src-to-address-list address-list=BANIP address-list-timeout=none-dynamic chain=input comment=WB dst-port=8291 layer7-protocol=WB protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment=RadiusManager01 disabled=yes dst-address=1XX.XXX.XXX.122 dst-port=1111 protocol=tcp to-addresses=10.XXX.XXX.10 to-ports=22
add action=dst-nat chain=dstnat comment=RadiusManager02 disabled=yes dst-address=1XX.XXX.XXX.122 dst-port=2222 protocol=tcp to-addresses=10.XXX.XXX.12 to-ports=22
add action=accept chain=srcnat comment=" - No SRC NAT for public IPs in WLW Prefix" src-address=999.999.999.0/22
add action=accept chain=srcnat comment=" - No SRC NAT for routable IPs" src-address=666.999.666.0/29
add action=masquerade chain=srcnat comment=" - SRC NAT Remaining RFC1918 addresses on ISP egress" out-interface=VLAN100_Ether1 src-address-list=RFC1918
add action=src-nat chain=srcnat out-interface=VLAN120_Ether3 to-addresses=10.XXX.XXX.101
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall NAT logging!

Sun May 30, 2021 11:01 pm

As the failed login attempts appear to come from a NAT router (unless the address is spoofed!)

I don't believe the address seen by the SSH daemon (on the radius server) is spoofed. If it was, the connection would not go farther than the second step of the 3-step TCP handshake (server reply with SYN ACK), so you wouldn't see any failed logins (that comes much later, after the SSH daemon and client negotiate the encryption algorithm and key).

With regard to logging, you could try to add (immediately before the original rule) another rule, otherwise identical to that particular dst-nat rule but setting "action=log" instead ... and see if anything comes out.
 
n21roadie
Forum Guru
Topic Author
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: Firewall NAT logging!

Mon May 31, 2021 2:19 am

As the failed login attempts appear to come from a NAT router (unless the address is spoofed!)

I don't believe the address seen by the SSH daemon (on the radius server) is spoofed. If it was, the connection would not go farther than the second step of the 3-step TCP handshake (server reply with SYN ACK), so you wouldn't see any failed logins (that comes much later, after the SSH daemon and client negotiate the encryption algorithm and key).

With regard to logging, you could try to add (immediately before the original rule) another rule, otherwise identical to that particular dst-nat rule but setting "action=log" instead ... and see if anything comes out.
I tried adding a logging rule before the NAT dst-port=1111 rule and activated it, but as failed login attempts appeared on the radius server, nothing appeared in the NAT router logs!
Maybe I have configured the logging rule incorrectly!

/ip firewall nat
add action=log chain=dstnat dst-address=1XX.XXX.XXX.122 log=yes log-prefix=dstnat
add action=dst-nat chain=dstnat comment=RadiusManager01 disabled=no dst-address=1XX.XXX.XXX.122 dst-port=1111 log=yes log-prefix=dstnat protocol=tcp to-addresses=10.XXX.XXX.10 to-ports=22
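An added example, not code from any post in this thread, that covers two points raised above: mkx's remark that a "too greedy src-nat" is why the radius server sees only the router's address, and his suggestion of a logging rule "otherwise identical" to the dst-nat rule. The Python script below parses a RouterOS `/export` in the format posted earlier, reports enabled srcnat rules that rewrite the source without any source selector (no src-address, src-address-list or in-interface), and, for each dst-nat rule, builds the action=log twin with exactly the same matchers. The sample export is constructed from the nat section of the posted export, with the X-masked octets replaced by documentation addresses (198.51.100.x, 10.10.10.x, 203.0.112.0/22); the helper names are the example's own.

```python
import shlex

# Constructed sample modelled on the /ip firewall nat section of the export posted
# in this thread; masked octets replaced with documentation addresses.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=dst-nat chain=dstnat comment=RadiusManager01 disabled=yes dst-address=198.51.100.122 dst-port=1111 protocol=tcp to-addresses=10.10.10.10 to-ports=22
add action=dst-nat chain=dstnat comment=RadiusManager02 disabled=yes dst-address=198.51.100.122 dst-port=2222 protocol=tcp to-addresses=10.10.10.12 to-ports=22
add action=accept chain=srcnat comment=" - No SRC NAT for public IPs in WLW Prefix" src-address=203.0.112.0/22
add action=masquerade chain=srcnat comment=" - SRC NAT Remaining RFC1918 addresses on ISP egress" out-interface=VLAN100_Ether1 src-address-list=RFC1918
add action=src-nat chain=srcnat out-interface=VLAN120_Ether3 to-addresses=10.10.10.101
"""


def parse_export(text):
    """Map each '/path' section to a list of rules; each 'add ...' line becomes a dict of key=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            rule = {}
            for tok in shlex.split(line[4:]):  # shlex keeps a quoted comment as one token
                key, _, value = tok.partition("=")
                rule[key] = value
            sections[current].append(rule)
    return sections


TRANSLATING_ACTIONS = {"src-nat", "masquerade"}
SOURCE_SELECTORS = ("src-address", "src-address-list", "in-interface", "in-interface-list")


def greedy_srcnat_rules(nat_rules):
    """Enabled srcnat rules that rewrite the source but match on no source selector.

    Such a rule translates every flow leaving its out-interface, so hosts behind it
    (the radius server here) see only the router's address instead of the real client.
    """
    return [
        r for r in nat_rules
        if r.get("chain") == "srcnat"
        and r.get("action") in TRANSLATING_ACTIONS
        and r.get("disabled") != "yes"
        and not any(k in r for k in SOURCE_SELECTORS)
    ]


# Matchers copied into the log twin; the translation keys (to-addresses, to-ports) are not.
MATCHER_KEYS = ("chain", "protocol", "src-address", "src-address-list", "in-interface",
                "dst-address", "dst-address-list", "dst-port")


def log_twin(rule, prefix="dstnat"):
    """The logging rule mkx suggests: the dst-nat rule's matchers with action=log, to sit right before it."""
    parts = ["add action=log"]
    parts += [f"{k}={rule[k]}" for k in MATCHER_KEYS if k in rule]
    parts.append(f'log-prefix="{prefix}"')
    if "comment" in rule:
        parts.append(f'comment="log: {rule["comment"]}"')
    return " ".join(parts)


def audit(text):
    """Return (findings about greedy srcnat rules, generated log twins for every dst-nat rule)."""
    nat = parse_export(text).get("/ip firewall nat", [])
    findings = [f"greedy srcnat (no source selector): {r}" for r in greedy_srcnat_rules(nat)]
    twins = [log_twin(r) for r in nat if r.get("action") == "dst-nat"]
    return findings, twins


if __name__ == "__main__":
    findings, twins = audit(SAMPLE_EXPORT)
    print("\n".join(findings))
    print("\n".join(twins))
```

Two notes on using the output. The generated twin has to be inserted before the dst-nat rule it mirrors, which in RouterOS is done with `place-before=` on the `add` command; and because the nat chains only process the first packet of each connection, expect one log line per new connection rather than per packet, which is enough to record the real source address of every attempt once the greedy srcnat rule is narrowed.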
 
n21roadie
Forum Guru
Topic Author
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: Firewall NAT logging!

Mon May 31, 2021 3:54 pm

I did a network scan with Zenmap and one router has port 1723 open!
1723/tcp open pptp
How can I check what is using this port? There is a disabled EoIP tunnel used for remote assistance!
