vmajor
just joined
Topic Author
Posts: 8
Joined: Mon Feb 19, 2018 6:14 am

/ip firewall filter drop not dropping IP

Wed Jun 09, 2021 1:31 pm

Hi,

I have a hopefully simple problem. I have a brute force (likely a script) "hacker" trying to log into my router through ssh.

Logs show this:
08:49:08 system,error,critical login failure for user remote from 45.135.232.165 via ssh
08:49:09 system,error,critical login failure for user root from 45.135.232.165 via ssh
08:49:10 system,error,critical login failure for user admin from 45.135.232.165 via ssh
This has been happening for a while and they seem to use only a few fixed IPs for this attack so I decided to make things simple for me and I did this:
/ip firewall filter add chain=input src-address=45.135.232.165 action=drop
However the inbound attempted connections from 45.135.232.165 are not being dropped since the log keeps showing the failed login attempts from 45.135.232.165. Thus my solution is not working.

What should I do instead to block connections from a specific IP, or an entire range in fact? I have no need for anyone to have access to our router from Russia for example.

V.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: /ip firewall filter drop not dropping IP

Wed Jun 09, 2021 1:38 pm

What you should do is post the complete config, as you don't know the problem.
/export hide-sensitive file=anynameyouwish
 
vmajor
just joined
Topic Author
Posts: 8
Joined: Mon Feb 19, 2018 6:14 am

Re: /ip firewall filter drop not dropping IP

Wed Jun 09, 2021 1:42 pm

Hm, no. I am not doing that. I had a look at the exported file and there is no chance that I would ever post that on the internet. Any other suggestions? Perhaps I just need to move the drop rule higher up in the sequence so it gets executed before anything else?

V.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: /ip firewall filter drop not dropping IP

Wed Jun 09, 2021 1:53 pm

So you really are that special ...
Suit yourself LOL,
I have better things to do than argue with someone that doesn't have a clue about configs... probably refused the vaccine thinking it will change your DNA too...
 
vmajor
just joined
Topic Author
Posts: 8
Joined: Mon Feb 19, 2018 6:14 am

Re: /ip firewall filter drop not dropping IP

Wed Jun 09, 2021 1:56 pm

Sigh.

In any case, for others that may encounter this, I moved the rules to the top and will post an update here. That way you can reduce the risk of running into this basement dweller.
 
johnson73
Member Candidate
Posts: 173
Joined: Wed Feb 05, 2020 10:07 am

Re: /ip firewall filter drop not dropping IP

Wed Jun 09, 2021 2:22 pm

Do you use the default rules? Is there a different configuration? You can use this method in the "Input" section.
https://wiki.mikrotik.com/wiki/Brutefor ... prevention
And it would be advisable to turn off all unused services
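As an added example (not from the thread, and not the linked wiki page's own text, though it follows the staged address-list method that page describes), here is the escalation ladder applied to SSH on the input chain. The list names, the timeouts and the use of the LAN interface list are assumptions; the LAN list exists in the default configuration.

```routeros
# Added example: staged address lists for SSH brute-force prevention.
# List names and timeouts are assumptions; adjust to taste.
/ip firewall filter
# Already blacklisted sources are dropped before anything below can accept them.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers"

# Escalation ladder. add-src-to-address-list does NOT stop rule processing,
# so the stages must be ordered from highest to lowest: each new connection
# promotes the source exactly one stage (1st -> stage1, 2nd -> stage2,
# 3rd -> stage3, 4th -> blacklist, each within 1m of the previous one).
# Ordered the other way round, a single connection would climb every stage
# at once and blacklist the source immediately.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="4th new ssh conn -> blacklist 10 days"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m

# Only then accept SSH, and only from where it is needed (LAN interface list
# is part of the default config).
add chain=input protocol=tcp dst-port=22 in-interface-list=LAN action=accept comment="ssh from LAN"

# Inspect who has been caught and how far they climbed.
/ip firewall address-list print where list~"ssh_"
```

One caveat a practitioner will want: the ladder counts connections, not failed logins, so an admin who reconnects four times inside a minute lands in ssh_blacklist too. If you manage the router over SSH from a fixed address, put an accept rule for that address above the ladder so it never enters the stages.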
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: /ip firewall filter drop not dropping IP

Wed Jun 09, 2021 2:28 pm

...thinking it will change your DNA too...
Yes it can happen.
And it can happen even without getting the vaccine and you are infected with covid ... or any other virus ...

Since the dawn of time, it can happen to some people that viruses alter the DNA of the infected (eggs, sperm),
the proof is the hundreds of fragments of various types of "ancient" viruses that are still present in the DNA of all...
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: /ip firewall filter drop not dropping IP

Wed Jun 09, 2021 2:33 pm

@anav
Do not lose time with the "obscure firewall" user from 2019...
he only wants attention, does not want to solve the problem,
it's too high up for us...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: /ip firewall filter drop not dropping IP

Wed Jun 09, 2021 4:56 pm

...thinking it will change your DNA too...
Yes it can happen.
And it can happen even without getting the vaccine and you are infected with covid ... or any other virus ...

Since the dawn of time, it can happen to some people that viruses alter the DNA of the infected (eggs, sperm),
the proof is the hundreds of fragments of various types of "ancient" viruses that are still present in the DNA of all...
Rextended, certainly we can talk about evolution, but what I said was the VACCINE will not change your DNA, as some people think with mRNA vaccines, as mRNA is like a photocopy, not the original. Think of the book in the library as the DNA and mRNA as going to the photocopier and copying one page; the book does not change. :-)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: /ip firewall filter drop not dropping IP

Wed Jun 09, 2021 4:58 pm

Understand your (our) point of view :))
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: /ip firewall filter drop not dropping IP

Thu Jun 10, 2021 2:31 pm

@anav + @rextended: Not that I would approve your slightly toxic replies, but technically you are right..

To prove my point to everyone, attached is my main router's config. Export + few CTRL+H = it is safe to publish.
asdf.rsc


@vmajor: really, this is standard practice and nothing dangerous. It's just a config with "hide-sensitive" and removed public IPs/domains.... If you believe that someone will hack you due to knowledge of your config (because you are following some incorrect practice), you will be hacked sooner or later anyway, because bad people scan the whole internet all the time.

re. topic - clearly your "drop" rule is after some other rule that allowed the traffic. Rules are evaluated sequentially from the top to the bottom. Once a rule is matched, other rules don't do anything (unless it is a jump/return rule). However, if someone from Russia can access your SSH interface, your router is really badly misconfigured. Personally, I would consider it already breached and do netinstall + start from scratch with the default config and modify what you need (without allowing the whole world in).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: /ip firewall filter drop not dropping IP

Thu Jun 10, 2021 4:31 pm

@vecernik87, as long as you had at least one dose of the vaccine, you will be protected from both mine and rextended's toxic nature! ;-P

As for the 'princess' (op), there are probably tens of thousands of configs on this site by now, and the sky has not fallen.
There is also nothing preventing one from combing through a config prior to posting to replace any uncertain bits with fake numbers, for example, or remove MAC addresses outright.
I am glad to know it's fear and ignorance and not arrogance at play here. But I would not ask you to do anything that would put your equipment or network in jeopardy.
The best advice you have been given was to netinstall with a fresh latest long-term firmware version.
As for firewall rules, make sure you have a drop-all-else rule at the end of both the input chain** and the forward chain, which automatically blocks all traffic that you don't specifically allow in the rules above the drop rule.

** ensure you have an admin access rule in place first on the input chain, otherwise a drop rule at the end will logically lock you out!!
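An added example (not from the thread) of the input chain anav and vecernik87 describe: first match wins, so the admin access rule sits above the final drop, and the static block sits above any accept. It also shows how a drop rule that was appended below an accept, as in the OP's case, is moved to the top and checked. The blocked and mgmt address lists, the placeholder addresses 203.0.113.0/24 and 198.51.100.7, and the LAN interface list are assumptions; 45.135.232.165 is the source from the OP's log.

```routeros
# Added example: an input chain whose ordering does the work.
/ip firewall address-list
add list=blocked address=45.135.232.165 comment="ssh brute force, from the log"
add list=blocked address=203.0.113.0/24 comment="placeholder: a whole range is listed the same way"
add list=mgmt address=198.51.100.7 comment="placeholder: admin's fixed public address"

/ip firewall filter
# 1. Static blocks first, above every accept, so no later rule can let them in.
#    Placed above the established/related accept so existing sessions from a
#    blocked source die too; move it one down if you only want to stop new ones.
add chain=input src-address-list=blocked action=drop comment="blocked sources"
add chain=input connection-state=established,related action=accept comment="existing sessions"
add chain=input connection-state=invalid action=drop comment="invalid"
# 2. Admin access, above the final drop, otherwise you lock yourself out.
add chain=input in-interface-list=LAN action=accept comment="admin access from LAN"
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,8291 action=accept comment="remote admin only from mgmt list"
add chain=input protocol=icmp action=accept comment="icmp"
# 3. Everything not explicitly accepted above is dropped.
add chain=input action=drop comment="drop all else"

# The OP's situation: a drop appended below an existing accept never matches.
# Move it to the top (by comment, since rule numbers shift) and confirm with the
# counters that the drop rule now counts packets and the accept rule no longer does.
/ip firewall filter move [find comment="blocked sources"] destination=0
/ip firewall filter print stats where chain=input
```

Do this from a terminal in Safe Mode (Ctrl+X toggles it) so that a mistake in the ordering is rolled back when the session drops instead of locking you out. The forward chain gets the same shape: accept what you need, then a final drop.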
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: /ip firewall filter drop not dropping IP

Thu Jun 10, 2021 4:39 pm

Lol, being worried about sharing a config and at the same time running SSH publicly.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: /ip firewall filter drop not dropping IP

Thu Jun 10, 2021 4:41 pm

To prove my point to everyone, attached is my main router's config. Export + few CTRL+H = it is safe to publish.
asdf.rsc
@vecernik87
these comments are for you; I put everything in "code" format for usability:
for speed I suggest you set protocol-mode=none on these two:
/interface bridge
add admin-mac=CC:2D:E0:00:1A:12 auto-mac=no name=AAA priority=0x4000 vlan-filtering=yes
add name=loopback

    
is allow-fast-path=no wanted?
/interface gre
add allow-fast-path=no disabled=yes name=gre-tunnel1 remote-address=BBB2.REDACTED-domain.org

better to specify the mtu also on this:
/interface eoip
add mac-address=02:12:01:E5:88:09 name=eoip-AAA-NAME remote-address=home.REDACTED-domain.org tunnel-id=1087

I suggest you remove all IPs that end with 0 or 255; formally they are perfectly valid, but some devices do not work as expected
/ip pool
add name=AAA.guest ranges=172.17.0.10-172.17.255.254
it must be like
/ip pool
add name=AAA.guest ranges=172.17.0.10-172.17.0.254,172.17.1.1-172.17.1.254,172.17.2.1-172.17.2.254
etc. etc. etc.

the dude right is obsolete; remove it from full to stop exporting this line:
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
it must be, for current and future versions:
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,!dude,tikapp"

is disabled hw offload wanted?
/interface bridge port
add bridge=bridge2-nbn hw=no interface=ether5-nbn
add bridge=AAA hw=no interface=ether4-AAA

on 6.47+ the default value is "static"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic

DNS is missing on this, is that wanted?
/ip dhcp-server network
add address=10.1.175.96/27 gateway=10.1.175.97

better change
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
to:
/ip ssh
set allow-none-crypto=no forwarding-enabled=no

why no?    
/ipv6 nd
set [ find default=yes ] advertise-dns=no

something strange here, a removed bridge and an orphaned ppp profile?
/ppp profile
add bridge=*22 change-tcp-mss=yes name=phone use-encryption=yes

better to disable auto-detect, fewer problems
/system clock
set time-zone-name=Australia/Hobart

is it wanted?
/tool bandwidth-server
set authenticate=no
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: /ip firewall filter drop not dropping IP

Thu Jun 10, 2021 4:47 pm

Hi,

I have a hopefully simple problem. I have a brute force (likely a script) "hacker" trying to log into my router through ssh.
There have been many good comments posted here that you should take as good advise...
Under the /ip -> /services menu, I guess "SSH" is enabled without any "filter" ? So basically you allow SSH from anywhere. This is evaluated before your own firewall rule, hence why a potential hacker(bot/script) still gets a "login prompt" and can give it a try

IF you really have no other option than to allow management across the Internet (and things like VPN are not an option), at least limit the scope to some public IPs of your management.
Changing the default SSH TCP/22 to something like TCP/44021 will probably also hugely reduce the attempts; most of these scripts use the default well-known ports for services.
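An added example (not from the thread) of the per-service restriction suggested in the post above, as a second layer under the firewall. In the RouterOS packet flow the input filter chain is applied before a packet is handed to a local service, so a correctly ordered drop rule already stops the login prompt; the address filter on /ip service is a belt-and-braces control that still holds if a firewall rule is later mis-ordered. The addresses are documentation placeholders (assumptions); 44021 is the port from the post.

```routeros
# Added example: restrict management services by source address and disable the rest.
/ip service
# Only the LAN and one fixed admin address may even reach the SSH socket.
set ssh address=192.168.88.0/24,198.51.100.7/32 port=22
set winbox address=192.168.88.0/24
# Moving the port only reduces scanner noise; it is not a security boundary,
# the address filter and the firewall are.
# set ssh port=44021
# Nothing else needs to listen at all.
disable telnet,ftp,www,api,api-ssl
# Keep www-ssl only if the web UI is actually used, and then with a real certificate.
disable www-ssl

# Harden the SSH server itself: no weak algorithms, no unencrypted sessions,
# no port forwarding through the router's SSH daemon.
/ip ssh
set strong-crypto=yes allow-none-crypto=no forwarding-enabled=no

# Review the result: every enabled service should show an address restriction.
/ip service print
```

After applying this, check from an address outside the allowed set that the SSH port no longer answers, and check the firewall log rather than the login-failure log: with both layers in place the attempts should never get far enough to produce a "login failure" line at all.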
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: /ip firewall filter drop not dropping IP

Fri Jun 11, 2021 1:26 am

@anav:
as long as you had at least one dose of the vaccine
All hail Ausgov... I don't expect to be eligible for another several months



@rextended: My point was to prove there is nothing to be afraid of :D But I can't say I don't appreciate your insight. Most spotted issues are remnants of testing (who has time for a lab, right?) or deprecated settings:

for speed I suggest you to set protocol-mode=none
Oh, no no, I am not giving up (R)STP on my LAN bridge. I know why you suggested that - some switch chips (namely the Realtek present in the fancy shiny RB4011) don't support (R)STP with HW offload, but that's not the case for the hAP ac2 and Atheros 8327. Anyway, I don't really care about speed because the router has plenty of power. I even disabled HW offload on some ports because that makes my life easier when packet sniffing has to occur.
and Loopback is ... I don't even know. I reckon it is a remnant of some uber-genius idea which I abandoned ..

allow-fast-path=no is wanted?
/interface gre add allow-fast-path=no disabled=yes name=gre-tunnel1 remote-address=BBB2.REDACTED-domain.org
Just a remnant of some old config from when I experimented with GRE. The whole GRE interface is disabled anyway and I should probably delete it.

i suggest you to remove all IP than end with 0 or 255
/ip pool add name=AAA.guest ranges=172.17.0.10-172.17.255.254
wow, good spot! Thanks for that. I made my life easier after hosting a 5k+ event and running out of the 253 addresses of a normal /24 network :D I completely forgot that some devices may not understand anything other than /24 networks.

dude right is obsolete
uhm.. thanks I guess? I should read more about it.

disabled hw offload is wanted?
Absolutely. It does not slow things down too much and this device is mainly a router. Switching does not need hw speed at all because 99% of the network is behind a single port, so the traffic would go to the CPU (to the WAN) anyway. The other port (NBN - our WAN) is in its own single-port bridge because it makes my life easier if I need to change the physical port. A standard practice I started using years ago.

on this are missing DNS, is wanted?
/ip dhcp-server network add address=10.1.175.96/27 gateway=10.1.175.97
If the DNS field is missing, RouterOS will automatically pass through its own DNS. This is a VoIP network with only ALE 8028 phones operating on L2 - I simply did not bother with setting it up correctly. This device isn't even the router/uplink for the VoIP network. The uplink goes directly to the ISP's router.

better change
/ip ssh set allow-none-crypto=yes forwarding-enabled=remote
cool! Thanks. I didn't even look at that.

why no?
/ipv6 nd set [ find default=yes ] advertise-dns=no
IPv6 isn't active anyway because my ISP's router is misconfigured.

something strange here, removed bridge and orphaned ppp profile?
Correct. During the covid lockdown I had to pull the reception's phone offsite and created a transparent L2 link with L2TP.

better disable auto-detect
/system clock set time-zone-name=Australia/Hobart
excellent point!

it is wanted?
/tool bandwidth-server set authenticate=no
Not sure if wanted, but it is intentional. I remember some time ago, I noticed that authenticated results differ from unauthenticated.



@jvanhambelgium:
Under the /ip -> /services menu, I guess "SSH" is enabled without any "filter" ? So basically you allow SSH from anywhere. This is evaluated before your own firewall rule, hence why a potential hacker(bot/script) still gets a "login prompt" and can give it a try
That is a very bold claim. I admit I did not test it recently, but unless MikroTik completely broke the packet flow, it can't be true. Firewall rules should be applied before it hits the service (winbox/ssh etc.) and it is generally accepted best practice to block "all other" traffic after allowing the required flows (e.g. input from LAN, input from mgmt VLAN etc.). That way, no login attempts should occur.

By my experience, if Russians are trying to log in, all management interfaces are fully exposed to the whole world, and that can't be caused by anything else than a seriously misconfigured firewall. The basic (default/factory) firewall is pretty good nowadays, but for people who want to go further, MikroTik wrote a really nice guide to secure their router.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: /ip firewall filter drop not dropping IP

Fri Jun 11, 2021 1:37 am

...My point was to prove there is nothing to be afraid...
And mine is that everyone can suggest something interesting or not noticed... ;)))

If the DNS field is missing, RouterOS will automatically pass through its own DNS. This is a voip network with only ALE 8028 phones operating on L2 - I simply did not bother with setting it up correctly. This device isn't even router/uplink for the voip network. Uplink goes directly to ISP's router.
pre-6.42 does not have this behaviour and I'm still on my old preferred behaviour; I explain here why:
viewtopic.php?f=13&t=175963#p862108

Not sure if wanted, but it is intentional. I remember some time ago, I noticed that authenticated results differ from unauthenticated.
yes, some old version (I do not remember the number) had this problem; recently it no longer happens
 
vmajor
just joined
Topic Author
Posts: 8
Joined: Mon Feb 19, 2018 6:14 am

Re: /ip firewall filter drop not dropping IP

Fri Jun 11, 2021 1:42 am

Wow.

Thank you most for the constructive replies. Yes, I do not manage firewalls or networks full time (or most of the time) so I am trying to keep things simple for myself.

The answer to my problem was the rule ordering. Drop rules had to be above other rules that are processing traffic to this port. There have been no attempts to brute force access to my router.

Currently VPN is not an option as I am physically far removed from my router and cannot recover in person.

I understand configuration sharing. You do not know me here, so the immediate risk is low. However, there is persistence of information and it adds up. It does not need to be parsed manually, so the volume of information is not a barrier. I thus judged it simpler for me not to have to worry about this by not sharing everything.

Regarding DNA modification, well, not by the current crop of mRNA vaccines. Viruses, bacteria yes, and modification of the commensal gut flora genomes. Also look into the origin of mitochondria in eukaryotic cells for some mindblowing stuff.

EDIT: Wellp, this just came out: https://phys.org/news/2021-06-discovery ... ences.html
Last edited by vmajor on Sat Jun 12, 2021 3:45 am, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: /ip firewall filter drop not dropping IP

Fri Jun 11, 2021 1:57 am

...some mindblowing stuff...
was man born first, or the mitochondrion?

if the mitochondrion is a being in itself, was life born thanks to slavery or to a parasite?

if the mitochondrion is NOT allowed to evolve, does the cell commit infanticide for species selection?

is the mitochondrion the first form of domestication of a living being?

perhaps the human being is a monkey modified by some ancient virus that added parts of its genome to that of the apes, and thanks to this such a particular evolution of man has taken place?

the modification of DNA by humans has always been there: just think of cats or dogs, and also agriculture (the most resistant varieties of wheat were sown, for example) and the domestication of animals (the more docile and submissive ones were always made to mate, the others were killed first), and of the fauna, such as some types of butterflies that are now blacker than in the past because they blend better into the black of the smog than when they were white...
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: /ip firewall filter drop not dropping IP

Fri Jun 11, 2021 8:02 am

@jvanhambelgium:
Under the /ip -> /services menu, I guess "SSH" is enabled without any "filter" ? So basically you allow SSH from anywhere. This is evaluated before your own firewall rule, hence why a potential hacker(bot/script) still gets a "login prompt" and can give it a try
That is very bold claim. I admit I did not test it recently, but unless mikrotik completely broke the packet flow, it can't be true. Firewall rules should be applied before it hits the service (winbox/ssh etc) and it is generally accepted best practice to block "all other" traffic after allowing required flows (e.g. input from lan, input from mgmt vlan etc). That way, no login attempts should occur.
Interesting to know; actually I never tried this specific use-case myself. From day 1 I have had my services "set" to only be allowed from my internal LAN range and never "manage" my home MikroTik across the Internet. Why should I anyway...
It would be nice if these "service rules" would be(come) visible in the GUI, perhaps in some other colour, so one knows at what "level" they are set.
Thanks for pointing this out.
