How can I block these strange (fake?) SSH connections outgoing from my router? And what type of connections are they?
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat
> add action=accept chain=input dst-port=22 protocol=tcp

= leave the default firewall rules, and services only on LAN. Really review your access policy.

> add action=accept chain=input dst-port=22 protocol=tcp

You accept VPN, WinBox and SSH (all on default ports!) from all the world: I'm not surprised if someone has taken control of your routerboard and uses it for DDoS/brute-force attacks or port scans.

> You accept VPN, WinBox and SSH (all on default ports!) from all the world

It's OK, I do it on purpose. This is my lab router, CHR (6.48.3) on a VPS. I just want to check how it goes without port change/knocking/cert login/etc. I'm logging all brute force (no one has tried my SSH login name yet), so I don't think this router is compromised (that's why I ask about the SSH outgoing connections), but maybe I'm wrong.

> You accept VPN...

Not just "VPN," but PPTP. I don't know why anyone is still teaching how to set it up.

> You accept VPN...
> ...and SSH (all on default ports!)

Please... I know the differences. The reply is for OP, not for you...

> I don't know why anyone is still teaching how to set it up

Yourself reply: "kiddies are lazy" :P

> It's ok i do it on purpose. This is my lab router, chr(6.48.3) on VPS.

Login and password were changed at the beginning. The password meets MikroTik's recommended security minimum.

> It's ok i do it on purpose. This is my lab router, chr(6.48.3) on VPS.
Even if it weren't immoral to provide an insecure public IP redirecting gateway, being against the public good, it's probably directly against your VPS provider's ToS.
I'll make a couple of observations about your original log:
First, those are mostly China Telecom and China Mobile destination addresses. This strongly supports the idea that your CHR is under active attack. Whether it's compromised, I don't think we can say yet, but you do need to be concerned.
Second, why is the source port 22? Those aren't inbound connections to your CHR, they're coming from your CHR on its SSH port. Why? You haven't got SSH port forwarding enabled, have you?
/ip ssh print
forwarding-enabled: no
always-allow-password-login: no
strong-crypto: no
allow-none-crypto: no
host-key-size: 2048
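For readers who want to act on both points raised in the thread (management services on default ports accepted from the whole Internet, and the question of what the router itself is sending out), here is an added RouterOS configuration example. It is not from any post in this thread; it restricts SSH, WinBox and PPTP to a trusted address list, logs every new connection the router originates so flows like the ones in the question become visible in /log, and turns SSH forwarding off. The address-list name `mgmt-allowed` and the network 198.51.100.0/24 are placeholders to be replaced with the admin network actually in use.

```routeros
# Added example, not the original poster's configuration.
# Placeholder admin network: replace 198.51.100.0/24 with the real one.
/ip firewall address-list
add list=mgmt-allowed address=198.51.100.0/24 comment="assumed admin network (placeholder)"

/ip firewall filter
# same stateful handling as the thread's rule set
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established,related
# management services only from the trusted list; the thread's rules accepted
# these three ports from any source address
add action=accept chain=input dst-port=22,8291 protocol=tcp src-address-list=mgmt-allowed
add action=accept chain=input dst-port=1723 protocol=tcp src-address-list=mgmt-allowed
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward
# log (then still accept) every new connection the router itself opens, so
# unexpected router-originated flows show up in /log with this prefix
add action=log chain=output connection-state=new log-prefix="router-out"
add action=accept chain=output

# bind the services to the same network as a second layer
/ip service
set ssh address=198.51.100.0/24
set winbox address=198.51.100.0/24

# make sure SSH cannot be used as a tunnel through the router
/ip ssh
set forwarding-enabled=no strong-crypto=yes
```

After applying this, `/log print where message~"router-out"` lists the router's own new outbound connections with their source and destination addresses and ports, which is the view needed to answer the question in the thread's last post about where the source-port-22 connections come from. The `log` action does not terminate rule processing, so the following `accept` still applies; once the unexpected flows are understood the log rule can be removed or narrowed to specific ports.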