cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

server acting up.

Fri Feb 01, 2008 5:27 pm

I am noticing this in my log after adding a few rules from the wiki for firewall filter protection:

18:26:05 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 217.145.213.53:1369->82.211.190.34:56392, len 48 
18:26:15 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 77.64.9.67:55709->82.211.190.34:56392, len 48 
18:26:15 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 82.173.78.231:1866->82.211.190.34:135, len 48 
18:26:24 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 82.204.176.30:4123->82.211.190.34:135, len 48 
18:26:33 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:26:35 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:26:38 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:26:42 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:26:44 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:26:46 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:4955->82.211.190.34:56392, len 48 
18:26:50 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 217.145.213.53:1369->82.211.190.34:56392, len 48 
18:26:51 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:26:53 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:27:09 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 82.204.176.30:4123->82.211.190.34:135, len 48 
18:27:12 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:27:14 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:27:51 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:1173->82.211.190.34:56392, len 48 
18:27:54 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:1173->82.211.190.34:56392, len 48 
18:27:57 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:27:59 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:28:00 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:1173->82.211.190.34:56392, len 48 

This MAC address isn't from my LAN or anyone connected to me.

Now my firewall filters:
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   ;;; Allow ICMP
     chain=RouterServices action=accept protocol=icmp 

 2   ;;; Allow DHCP
     chain=RouterServices action=accept dst-port=67-68 protocol=udp 

 3   ;;; Allow DNS
     chain=RouterServices action=accept dst-port=53 protocol=udp 

 4   ;;; Allow MAC-Winbox
     chain=RouterServices action=accept dst-port=20561 protocol=udp 

 5   ;;; Allow Winbox
     chain=RouterServices action=accept dst-port=8291 protocol=tcp 

 6   ;;; Allow NTP
     chain=RouterServices action=accept src-port=123 protocol=udp 

 7   ;;; allow ntp server
     chain=RouterServices action=accept dst-port=123 protocol=udp 

 8 X ;;; Allow OSPF
     chain=RouterServices action=accept protocol=ospf 

 9 X ;;; Allow RIP
     chain=RouterServices action=accept src-port=520-521 protocol=udp 

10 X ;;; Allow RIP
     chain=RouterServices action=accept fragment=no psd=21,3s,3,1 src-address-type="" dst-address-type="" src-port=520-521 protocol=tcp 
     time=0s-23h59m,sun,mon,tue,wed,thu,fri,sat 

11   chain=forward action=accept src-address-list=spammer dst-port=25 protocol=tcp 

12   chain=forward action=add-src-to-address-list address-list="" address-list-timeout=0s dst-port=25 protocol=tcp connection-limit=30,32 limit=50,5 

13   ;;; BLOCK SPAMMERS OR INFECTED USERS
     chain=forward action=drop src-address-list=spammer dst-port=25 protocol=tcp 

14   ;;; DETECT and all-list smtp virus or spammer
     chain=forward action=add-src-to-address-list address-list=spammer address-list-timeout=1d24m dst-port=25 protocol=tcp connection-limit=30,32 limit=50,5 

15   ;;; Accept established connections
     chain=input action=accept connection-state=established 

16   ;;; Accept related connections
     chain=input action=accept connection-state=related 

17   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid 

18   ;;; UDP
     chain=input action=accept protocol=udp 

19   ;;; Allow limited pings
     chain=input action=accept protocol=icmp limit=50/5s,2 

20   ;;; Drop excess pings
     chain=input action=drop protocol=icmp 

21   ;;; SSH for secure shell
     chain=input action=accept dst-port=22 protocol=tcp 

22   ;;; winbox
     chain=input action=accept dst-port=8291 protocol=tcp 

23   ;;; From Mikrotikls network
     chain=input action=accept src-address=172.16.0.0/16 

24   ;;; From our private LAN
     chain=input action=accept src-address=172.16.0.0/16 

25   ;;; Log everything else
     chain=input action=log log-prefix="DROP INPUT" 

26   ;;; Drop everything else
     chain=input action=drop 

27   ;;; From Mikrotikls network
     chain=input action=accept src-address=192.168.0.0/16 

28   ;;; From our private LAN
     chain=input action=accept src-address=192.168.0.0/16 

29   ;;; detect and drop port scan connections
     chain=input action=drop psd=21,3s,3,1 protocol=tcp 

30   ;;; suppress DoS attack
     chain=input action=tarpit src-address-list=black_list protocol=tcp connection-limit=3,32 

31   ;;; detect DoS attack
     chain=input action=add-src-to-address-list address-list=black_list address-list-timeout=1d protocol=tcp connection-limit=10,32 

32   ;;; jump to chain ICMP
     chain=input action=jump jump-target=ICMP protocol=icmp 

33   ;;; jump to chain services
     chain=input action=jump jump-target=services 

34   ;;; 0:0 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=0:0-255 protocol=icmp limit=5,5 

35   ;;; 3:3 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=3:3 protocol=icmp limit=5,5 

36   ;;; 3:4 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=3:4 protocol=icmp limit=5,5 

37   ;;; 8:0 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=8:0-255 protocol=icmp limit=5,5 

38   ;;; 11:0 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=11:0-255 protocol=icmp limit=5,5 

39   ;;; Drop everything else
     chain=ICMP action=drop protocol=icmp 

40   ;;; accept localhost
     chain=services action=accept dst-address=127.0.0.1 src-address-list=127.0.0.1 

41   ;;; allow MACwinbox 
     chain=services action=accept dst-port=20561 protocol=udp 

42   ;;; Bandwidth server
     chain=services action=accept dst-port=2000 protocol=tcp 

43   ;;;  MT Discovery Protocol
     chain=services action=accept dst-port=5678 protocol=udp 

44 X ;;; allow SNMP
     chain=services action=accept dst-port=161 protocol=tcp 

45 X ;;; Allow BGP
     chain=services action=accept dst-port=179 protocol=tcp 

46 X ;;; allow BGP
     chain=services action=accept dst-port=5000-5100 protocol=udp 

47 X ;;; Allow NTP
     chain=services action=accept dst-port=123 protocol=udp 

48 X ;;; Allow PPTP
     chain=services action=accept dst-port=1723 protocol=tcp 

49 X ;;; allow PPTP and EoIP
     chain=services action=accept protocol=gre 

50 X ;;; allow DNS request
     chain=services action=accept dst-port=53 protocol=tcp 

51 X ;;; Allow DNS request
     chain=services action=accept dst-port=53 protocol=udp 

52 X ;;; UPnP
     chain=services action=accept dst-port=1900 protocol=udp 

53 X ;;; UPnP
     chain=services action=accept dst-port=2828 protocol=tcp 

54 X ;;; allow DHCP
     chain=services action=accept dst-port=67-68 protocol=udp 

55 X ;;; allow Web Proxy
     chain=services action=accept dst-port=8080 protocol=tcp 

56 X ;;; allow IPIP
     chain=services action=accept protocol=ipencap 

57 X ;;; allow https for Hotspot
     chain=services action=accept dst-port=443 protocol=tcp 

58 X ;;; allow Socks for Hotspot
     chain=services action=accept dst-port=1080 protocol=tcp 

59 X ;;; allow IPSec connections
     chain=services action=accept dst-port=500 protocol=udp 

60 X ;;; allow IPSec
     chain=services action=accept protocol=ipsec-esp 

61 X ;;; allow IPSec
     chain=services action=accept protocol=ipsec-ah 

62 X ;;; allow RIP
     chain=services action=accept dst-port=520-521 protocol=udp 

63 X ;;; allow OSPF
     chain=services action=accept protocol=ospf 

64   chain=services action=return 

Can someone help me figure out what those log messages are?
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: server acting up.

Fri Feb 01, 2008 9:11 pm

25 ;;; Log everything else
chain=input action=log log-prefix="DROP INPUT"

You are logging traffic going to the router.
This is the router address, 82.211.190.34, isn't it?

00:60:43:81:37:61: most likely this MAC address belongs to your router's gateway.
 
cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: server acting up.

Fri Feb 01, 2008 10:53 pm

Yeah, but what is it actually dropping?

Yeah, that IP is the router.

For example:

00:02:52 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 148.122.184.98:1267->82.211.190.34:2093, len 48

That first IP is a foreign IP. Why is it dropping its input?

Like I said, I am noticing the server being sluggish.
Is this a cause?
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: server acting up.

Mon Feb 04, 2008 8:25 am

This traffic is going to the router (chain=input).

Actually, it is not dropped, it is just logged with the prefix DROP INPUT:
25   ;;; Log everything else
     chain=input action=log log-prefix="DROP INPUT"
Log-prefix adds information to the log entry:
18:28:00 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:1173->82.211.190.34:56392, len 48
It could be dropped by the rule you have added after the log rule:
26   ;;; Drop everything else
     chain=input action=drop 
This traffic is being dropped because it does not match the previous rules, which are responsible for traffic that should be sent directly TO the router.
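The log format and the drop behaviour described above can be checked mechanically. The following is an added example, not code from this thread or from MikroTik: it parses entries in the format quoted above (a constructed subset of the first post's lines is embedded), groups them by destination port, and measures the gap between repeated SYNs from the same source socket. A growing 3 s, 6 s gap is the remote host retransmitting an unanswered SYN, which confirms the packet was dropped by rule 26 and not merely logged by rule 25.

```python
import re
from collections import Counter, defaultdict

# Format of the RouterOS firewall log entries quoted in this thread, e.g.:
#   18:26:35 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61,
#            proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>.+?) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:\((?P<out_if>[^)]*)\), src-mac (?P<src_mac>[0-9a-fA-F:]{17}), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+), len (?P<len>\d+)$"
)

def _entry(time, src, dst):
    # Builds one sample line; the constant parts are those of the posted entries.
    return (f"{time} firewall,info DROP INPUT input: in:IN-NET out:(none), "
            f"src-mac 00:60:43:81:37:61, proto TCP (SYN), {src}->{dst}, len 48")

# Constructed sample: six entries taken from the first post of the thread.
SAMPLE = [
    _entry("18:26:15", "82.173.78.231:1866", "82.211.190.34:135"),
    _entry("18:26:24", "82.204.176.30:4123", "82.211.190.34:135"),
    _entry("18:26:33", "213.178.229.236:63293", "82.211.190.34:2233"),
    _entry("18:26:35", "87.109.107.92:3038", "82.211.190.34:56392"),
    _entry("18:26:38", "87.109.107.92:3038", "82.211.190.34:56392"),
    _entry("18:26:44", "87.109.107.92:3038", "82.211.190.34:56392"),
]

def parse_line(line):
    """Return the fields of one firewall log entry, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def sources_by_dst_port(lines):
    """Which destination ports are being probed, and how often by each source."""
    ports = defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        ports[int(rec["dst_port"])][rec["src_ip"]] += 1
    return ports

def syn_retry_gaps(lines):
    """Seconds between repeated SYNs from the same src ip:port to the same dst port.
    A back-off like [3, 6] is the client's SYN retransmission timer: it never got
    a SYN/ACK or RST, so the router dropped the packet rather than answering it."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "TCP" and rec.get("flags") == "SYN":
            key = (rec["src_ip"], int(rec["src_port"]), int(rec["dst_port"]))
            seen[key].append(_seconds(rec["time"]))
    return {k: [b - a for a, b in zip(t, t[1:])] for k, t in seen.items() if len(t) > 1}
```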
 
cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: server acting up.

Mon Feb 04, 2008 12:15 pm

So in other words, do these filters do damage or good to the router and LAN?
Keep them ON or off?
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: server acting up.

Mon Feb 04, 2008 12:16 pm

This filter should not cause any damage to the router.
It is just filtering packets that are going to the router.
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: server acting up.

Fri Oct 30, 2009 10:03 am

This is the error I am getting from my RouterOS when I want to block some worm ports.

[admin@installer] ip firewall filter> add chain=forward protocol=tcp dst-port=135-139, 445, 1434, 4444 action=drop comment="Drop TCP \
\"... Worms" disabled=no
no such argument (445,)
[admin@installer] ip firewall filter> add chain=forward protocol=udp dst-port=135-139,445,1434,4444 action=drop comment="Drop UDP \
\"... Worms" disabled=no
invalid value 139,445,1434,4444 for max, an integer required

I added the following filter to block those ports for my RouterOS, but I get these error messages. How do I go about it?

Please, your assistance is needed.
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: server acting up.

Sun Nov 01, 2009 1:17 pm

v2.9 doesn't support this, I think. v4.1 works flawlessly.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: server acting up.

Tue Nov 03, 2009 12:45 pm

Are you suggesting that I add them one after the other, since I cannot add all the firewall rules at once?
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: server acting up.

Tue Nov 03, 2009 9:00 pm

Yes, in v2.9 you cannot set a port range; you need to add one rule per port.
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: server acting up.

Thu Nov 12, 2009 6:34 pm

Hello,
Please, I do see the logs when I open a new terminal on my MT box.

How do I stop or block these people from doing this thing, because they are not IPs from my source but rather from an unknown source?

nov/12/2009 16:22:33 system,error,critical login failure for user info from 161.53.67.193 via ssh
nov/12/2009 16:22:41 system,error,critical login failure for user shop from 161.53.67.193 via ssh
nov/12/2009 16:22:48 system,error,critical login failure for user sales from 161.53.67.193 via ssh
nov/12/2009 16:22:54 system,error,critical login failure for user web from 161.53.67.193 via ssh
nov/12/2009 16:23:01 system,error,critical login failure for user www from 161.53.67.193 via ssh
nov/12/2009 16:23:07 system,error,critical login failure for user wwwrun from 161.53.67.193 via ssh
nov/12/2009 16:23:14 system,error,critical login failure for user adam from 161.53.67.193 via ssh
nov/12/2009 16:23:24 system,error,critical login failure for user stephen from 161.53.67.193 via ssh


Your help is appreciated.
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: server acting up.

Thu Nov 12, 2009 10:32 pm

 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: server acting up.

Fri Nov 13, 2009 10:58 am

Chupaka, can you help explain each script to me line by line?

Bruteforce login prevention
From MikroTik Wiki
These are 2 basic scripts I use frequently that are from the forum (written by other users).

Allows only 10 incorrect FTP login answers per minute.

In /ip firewall filter:

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h


This will prevent an SSH brute forcer: it will be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

In /ip firewall filter:

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
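To see what the five staged SSH rules above do over time, here is an added example (not from the wiki, the forum post, or MikroTik) that replays them against a sequence of new SSH connections using the address-list timeouts from the script; the attacker address 203.0.113.7 is a constructed documentation address. It assumes add-src-to-address-list lets the packet continue to the next rule, which only refreshes the lower-stage timeouts; the escalation count is the same either way.

```python
from dataclasses import dataclass, field

MINUTE, DAY = 60, 86400

@dataclass
class AddressLists:
    """Dynamic address lists: (list name, address) -> expiry time in seconds."""
    entries: dict = field(default_factory=dict)

    def add(self, name, addr, timeout, now):
        self.entries[(name, addr)] = now + timeout  # re-adding refreshes the timeout

    def contains(self, name, addr, now):
        return self.entries.get((name, addr), -1) > now

# The five rules from the wiki excerpt, in the order they are evaluated. Each is
# (source list the rule matches, or None for "any new SSH connection"; action;
#  list the source is added to; address-list-timeout in seconds).
SSH_RULES = [
    ("ssh_blacklist", "drop", None, 0),
    ("ssh_stage3", "add-src-to-address-list", "ssh_blacklist", 10 * DAY),
    ("ssh_stage2", "add-src-to-address-list", "ssh_stage3", 1 * MINUTE),
    ("ssh_stage1", "add-src-to-address-list", "ssh_stage2", 1 * MINUTE),
    (None, "add-src-to-address-list", "ssh_stage1", 1 * MINUTE),
]

def new_ssh_connection(lists, src, now, rules=SSH_RULES):
    """Run one new SSH connection from src through the chain; return 'drop' or 'accept'.
    Assumption: add-src-to-address-list does not end rule processing, so the packet
    keeps falling through to the later (lower-stage) rules."""
    for match_list, action, target, timeout in rules:
        if match_list is not None and not lists.contains(match_list, src, now):
            continue
        if action == "drop":
            return "drop"
        lists.add(target, src, timeout, now)
    return "accept"

def simulate(times, src="203.0.113.7"):
    """Feed connection timestamps (seconds) from one constructed source; collect verdicts.
    Four new connections inside the 1-minute windows land the source on ssh_blacklist
    (the 4th connection is still accepted; the 5th and later are dropped for 10 days).
    A source that waits more than a minute between attempts never leaves ssh_stage1."""
    lists = AddressLists()
    return [new_ssh_connection(lists, src, t) for t in times]
```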
