Brans
just joined
Topic Author
Posts: 5
Joined: Tue Jul 13, 2021 12:16 pm

Block strange outgoing ssh connections

Tue Jul 13, 2021 1:41 pm

How can I block these strange (fake?) SSH connections outgoing from my router? And what type of connections are they?

[attached screenshot of the connection list, not available]
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 1:50 pm

If it is true, either your router is compromised or you have made a mess with the NAT rules.
 
Brans
just joined
Topic Author
Posts: 5
Joined: Tue Jul 13, 2021 12:16 pm

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 2:03 pm

I use one NAT rule just for masquerade and a simple FW:
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat
All connections have no traffic flow: Orig./Repl. Rates 0/0 and bytes 500/0, and they stay for 24 h.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 2:18 pm

You accept VPN, WinBox and SSH (all on default ports!) from all the world:
add action=accept chain=input dst-port=22 protocol=tcp
I'm not surprised if someone has taken control of your routerboard and uses it for DDoS/brute-force attacks or port scans.
 
jvanhambelgium
Forum Veteran
Posts: 989
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 2:25 pm

Depending on the RouterOS you run, your device might indeed be compromised. Especially since you have "Winbox" worldwide open...a bad, really bad idea....
RouterOS had some severe security issues in the past where one could gain access without even knowing your login/passwords...

I would perform a complete net-install and start over again. Update to the latest RouterOS before you connect it to the Internet and really review your access-policy.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 2:28 pm

really review your access-policy.
= leave the default firewall rules, and services only on LAN
 
Brans
just joined
Topic Author
Posts: 5
Joined: Tue Jul 13, 2021 12:16 pm

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 2:31 pm

You accept VPN, WinBox and SSH (all on default ports!) from all the world:
add action=accept chain=input dst-port=22 protocol=tcp
I'm not surprised if someone has taken control of your routerboard and uses it for DDoS/brute-force attacks or port scans.
It's OK, I do it on purpose. This is my lab router, CHR (6.48.3) on a VPS. I just want to check how it goes without port change/knocking/cert login/etc. I'm logging all brute force (no one is trying my SSH login name yet), so I don't think this router is compromised (that's why I ask about the SSH outgoing connections), but maybe I'm wrong.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 2:33 pm

Obviously I can't write some things on this forum...
But if you leave the WinBox port open...........
Use your imagination..........
 
tangent
Forum Guru
Posts: 1386
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 2:45 pm

You accept VPN...

Not just "VPN," but PPTP, perhaps the least secure VPN protocol still in use. I don't know why anyone is still teaching how to set it up, nor why it's installed in the default build of RouterOS. It offers several better choices.

...and SSH (all on default ports!)

Yeah, that's bad, especially the default port choice. Although it may be "security through obscurity," moving SSH to a non-default port will cut the amount of attempts on that port by a huge amount, simply because script kiddies are lazy.

@Brans, I won't ask you your SSH password, but at least answer me this: does it meet MikroTik's recommended security minimums? If they seem overly stringent, they're based on having no connection limiting, which greatly increases the amount of password guesses your attackers get. 8 random characters is enough if you have good limiting. 8 non-random characters is probably insecure even with connection rate limiting.
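The points made so far (Brans's rule set accepting PPTP, WinBox and SSH from the whole Internet, rextended's "services only on LAN", and tangent's non-default port plus connection limiting) can be put together into one RouterOS configuration. The following is an added example, written for this thread; it is not code from the OP, from any poster, or from MikroTik's documentation. Everything concrete in it is an assumption: ether2 as the LAN interface, 192.168.88.0/24 as the LAN, 203.0.113.0/24 as a management network, 2222 as the new SSH port, and the ssh_stage1/2/3 and ssh_blacklist list names. Apply it from Safe Mode so a mistake cannot lock you out, and adapt the addresses before pasting.

```routeros
# Added example for this thread (not the OP's or MikroTik's code). All addresses,
# interface names, list names and the SSH port below are assumptions.

/interface list
add name=LAN comment="assumed: trusted side of the router"
/interface list member
add list=LAN interface=ether2 comment="assumed LAN interface; CHR has no default"

/ip firewall address-list
add list=management address=203.0.113.0/24 comment="assumed admin network"

# Services: WinBox only from LAN/management, SSH moved off port 22, PPTP off,
# everything else that is not needed disabled.
/ip service
set winbox address=192.168.88.0/24,203.0.113.0/24
set ssh port=2222
set api disabled=yes
set api-ssl disabled=yes
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
/ip ssh set strong-crypto=yes forwarding-enabled=no always-allow-password-login=no
/interface pptp-server server set enabled=no

/ip firewall filter
# Input chain. Order matters: the final rule drops whatever was not allowed above.
add chain=input connection-state=established,related action=accept comment="established/related"
add chain=input connection-state=invalid action=drop comment="invalid"
add chain=input in-interface-list=LAN action=accept comment="trust the LAN side"
add chain=input protocol=icmp action=accept comment="ICMP (optional)"
# SSH connection limiting: a source that opens a 4th new SSH connection
# within about a minute lands on ssh_blacklist for 10 days. The management
# network is exempted before the staging starts. add-src-to-address-list does
# not terminate rule processing, so the packet still reaches the accept below.
add chain=input protocol=tcp dst-port=2222 src-address-list=management action=accept comment="SSH from admin net"
add chain=input protocol=tcp dst-port=2222 src-address-list=ssh_blacklist action=drop comment="SSH: blacklisted"
add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="SSH: 4th attempt -> blacklist"
add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=2222 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
add chain=input protocol=tcp dst-port=2222 action=accept comment="SSH after staging (drop this rule to allow SSH from LAN/management only)"
add chain=input action=drop comment="drop everything else"

# Output chain. The symptom in this thread is the router itself opening new
# TCP connections FROM its SSH port to Internet hosts. A legitimate SSH server
# never originates connections from its listening port, so log and drop them.
# This only hides the symptom; a box doing this is presumed compromised.
add chain=output protocol=tcp src-port=22,2222 connection-state=new action=log log-prefix="SSH-SRC-OUT" comment="router-originated connections from the SSH port"
add chain=output protocol=tcp src-port=22,2222 connection-state=new action=drop
```

The forward chain from the OP's post is left as it is (established/related accept, invalid drop, drop the rest) since the thread's problem is in the input and output chains. Check `/log print where message~"SSH-SRC-OUT"` afterwards: if the router keeps trying to originate such connections after the change, that confirms the process is local to the box and the netinstall advice above applies.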
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 2:52 pm

You accept VPN...
Not just "VPN," but PPTP
Please... I know the differences. The reply is for the OP, not for you...


I don't know why anyone is still teaching how to set it up
Your own reply: "kiddies are lazy" :P
 
tangent
Forum Guru
Posts: 1386
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 2:56 pm

It's ok i do it on purpose. This is my lab router, chr(6.48.3) on VPS.

Even if it weren't immoral to provide an insecure public IP redirecting gateway, being against the public good, it's probably directly against your VPS provider's ToS.

I'll make a couple of observations about your original log:

First, those are mostly China Telecom and China Mobile destination addresses. This strongly supports the idea that your CHR is under active attack. Whether it's compromised yet, I don't think we can say yet, but you do need to be concerned.

Second, why is the source port 22? Those aren't inbound connections to your CHR, they're coming from your CHR on its SSH port. Why? You haven't got SSH port forwarding enabled, have you?
 
Brans
just joined
Topic Author
Posts: 5
Joined: Tue Jul 13, 2021 12:16 pm

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 3:47 pm

It's ok i do it on purpose. This is my lab router, chr(6.48.3) on VPS.

Even if it weren't immoral to provide an insecure public IP redirecting gateway, being against the public good, it's probably directly against your VPS provider's ToS.

I'll make a couple of observations about your original log:

First, those are mostly China Telecom and China Mobile destination addresses. This strongly supports the idea that your CHR is under active attack. Whether it's compromised yet, I don't think we can say yet, but you do need to be concerned.

Second, why is the source port 22? Those aren't inbound connections to your CHR, they're coming from your CHR on its SSH port. Why? You haven't got SSH port forwarding enabled, have you?
Login and password were changed at the beginning. The password meets MikroTik's recommended security minimum.
SSH port forwarding is disabled:
/ip ssh print
           forwarding-enabled: no
  always-allow-password-login: no
                strong-crypto: no
            allow-none-crypto: no
                host-key-size: 2048
                
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Block strange outgoing ssh connections

Tue Jul 13, 2021 3:52 pm

OK, all this is a big novel, but the end is simple:

(With great probability) your router is compromised.

Is it virtual?
If you can:
Stop the VM, export it to disk, compress it with 7zip and share the VM on the forum for further analysis of the files and folders inside the image.
