MT admin requests

Posted: Tue May 10, 2005 8:10 am
by randyloveless
Hey all,

I've got one of my MT routers being accessed a lot by unknown users.

In the log file I am getting

21:05:04 system,error,critical login failure for user anonymous from 67.180.99.136 via telnet
21:05:06 system,error,critical login failure for user anonymous from 67.180.99.136 via ftp

and a lot more with other user names; looks like someone trying to access our systems and guessing at passwords and usernames.

What is the best solution to this issue?

Posted: Tue May 10, 2005 8:56 am
by UniKyrn
Are those IPs from inside or outside your network?

Posted: Tue May 10, 2005 11:48 am
by randyloveless
The ones that are showing from those users are from outside my network.

Posted: Tue May 10, 2005 4:18 pm
by UniKyrn
Have you considered firewall rules in the "input" table to limit access to your own network?

Posted: Tue May 10, 2005 6:37 pm
by randyloveless
Yes, but wasn't sure which rules I should apply.
Any suggestions?


Randy

Posted: Tue May 10, 2005 6:52 pm
by UniKyrn
I think I'd consider putting in rules to allow routing protocols to work with your upstream providers, maybe allowing pings of the router itself, but blocking everything else. As long as you put it in the "input" chain, it should only affect traffic that terminates at the router, and won't touch transit traffic.

Posted: Tue May 10, 2005 7:00 pm
by randyloveless
Will play with that today.

See, got another bozo trying to access our system:

jan/06 17:38:04 system,error,critical login failure for user aron from 62.218.119.62 via ssh
jan/06 17:38:07 system,error,critical login failure for user alex from 62.218.119.62 via ssh
jan/06 17:38:11 system,error,critical login failure for user brett from 62.218.119.62 via ssh
jan/06 17:38:14 system,error,critical login failure for user mike from 62.218.119.62 via ssh
jan/06 17:38:17 system,error,critical login failure for user alan from 62.218.119.62 via ssh
jan/06 17:38:20 system,error,critical login failure for user data from 62.218.119.62 via ssh
jan/06 17:38:23 system,error,critical login failure for user www-data from 62.218.119.62 via ssh
jan/06 17:38:26 system,error,critical login failure for user http from 62.218.119.62 via ssh
jan/06 17:38:29 system,error,critical login failure for user httpd from 62.218.119.62 via ssh
jan/06 17:38:32 system,error,critical login failure for user nobody from 62.218.119.62 via ssh
jan/06 17:38:35 system,error,critical login failure for user root from 62.218.119.62 via ssh
jan/06 17:38:38 system,error,critical login failure for user backup from 62.218.119.62 via ssh
jan/06 17:38:41 system,error,critical login failure for user info from 62.218.119.62 via ssh
jan/06 17:38:45 system,error,critical login failure for user shop from 62.218.119.62 via ssh
jan/06 17:38:48 system,error,critical login failure for user sales from 62.218.119.62 via ssh
jan/06 17:38:51 system,error,critical login failure for user web from 62.218.119.62 via ssh
jan/06 17:38:55 system,error,critical login failure for user www from 62.218.119.62 via ssh
jan/06 17:38:58 system,error,critical login failure for user wwwrun from 62.218.119.62 via ssh
jan/06 17:39:01 system,error,critical login failure for user adam from 62.218.119.62 via ssh
jan/06 17:39:04 system,error,critical login failure for user stephen from 62.218.119.62 via ssh
jan/06 17:39:07 system,error,critical login failure for user richard from 62.218.119.62 via ssh
jan/06 17:39:10 system,error,critical login failure for user george from 62.218.119.62 via ssh
jan/06 17:39:13 system,error,critical login failure for user michael from 62.218.119.62 via ssh
jan/06 17:39:16 system,error,critical login failure for user john from 62.218.119.62 via ssh
jan/06 17:39:19 system,error,critical login failure for user david from 62.218.119.62 via ssh
jan/06 17:39:22 system,error,critical login failure for user paul from 62.218.119.62 via ssh
jan/06 17:39:25 system,error,critical login failure for user news from 62.218.119.62 via ssh
jan/06 17:39:28 system,error,critical login failure for user angel from 62.218.119.62 via ssh
jan/06 17:39:31 system,error,critical login failure for user games from 62.218.119.62 via ssh
jan/06 17:39:35 system,error,critical login failure for user pgsql from 62.218.119.62 via ssh
jan/06 17:39:38 system,error,critical login failure for user pgsql from 62.218.119.62 via ssh
jan/06 17:39:41 system,error,critical login failure for user mail from 62.218.119.62 via ssh
jan/06 17:39:44 system,error,critical login failure for user adm from 62.218.119.62 via ssh
jan/06 17:39:47 system,error,critical login failure for user ident from 62.218.119.62 via ssh
jan/06 17:39:50 system,error,critical login failure for user resin from 62.218.119.62 via ssh
jan/06 17:39:56 system,error,critical login failure for user mikael from 62.218.119.62 via ssh
jan/06 17:39:59 system,error,critical login failure for user mike from 62.218.119.62 via ssh
jan/06 17:40:03 system,error,critical login failure for user suva from 62.218.119.62 via ssh
jan/06 17:40:06 system,error,critical login failure for user webpop from 62.218.119.62 via ssh
jan/06 17:40:09 system,error,critical login failure for user technicom from 62.218.119.62 via ssh
jan/06 17:40:12 system,error,critical login failure for user susan from 62.218.119.62 via ssh
jan/06 17:40:15 system,error,critical login failure for user sunsun from 62.218.119.62 via ssh
jan/06 17:40:18 system,error,critical login failure for user sunny from 62.218.119.62 via ssh
jan/06 17:40:21 system,error,critical login failure for user steven from 62.218.119.62 via ssh
jan/06 17:40:24 system,error,critical login failure for user ssh from 62.218.119.62 via ssh
jan/06 17:40:29 system,error,critical login failure for user search from 62.218.119.62 via ssh
jan/06 17:40:32 system,error,critical login failure for user sara from 62.218.119.62 via ssh
jan/06 17:40:35 system,error,critical login failure for user robert from 62.218.119.62 via ssh
jan/06 17:40:38 system,error,critical login failure for user richard from 62.218.119.62 via ssh
jan/06 17:40:45 system,error,critical login failure for user postmaster from 62.218.119.62 via ssh
jan/06 17:40:48 system,error,critical login failure for user party from 62.218.119.62 via ssh
jan/06 17:40:51 system,error,critical login failure for user michael from 62.218.119.62 via ssh
jan/06 17:40:54 system,error,critical login failure for user amanda from 62.218.119.62 via ssh
jan/06 17:41:01 system,error,critical login failure for user mysql from 62.218.119.62 via ssh
jan/06 17:41:05 system,error,critical login failure for user rpm from 62.218.119.62 via ssh
jan/06 17:41:08 system,error,critical login failure for user operator from 62.218.119.62 via ssh
jan/06 17:41:11 system,error,critical login failure for user sgi from 62.218.119.62 via ssh
jan/06 17:41:14 system,error,critical login failure for user Aaliyah from 62.218.119.62 via ssh
jan/06 17:41:18 system,error,critical login failure for user Aaron from 62.218.119.62 via ssh
jan/06 17:41:21 system,error,critical login failure for user Aba from 62.218.119.62 via ssh
jan/06 17:41:24 system,error,critical login failure for user Abel from 62.218.119.62 via ssh
jan/06 17:41:27 system,error,critical login failure for user Jewel from 62.218.119.62 via ssh
jan/06 17:41:30 system,error,critical login failure for user sshd from 62.218.119.62 via ssh
jan/06 17:41:36 system,error,critical login failure for user users from 62.218.119.62 via ssh
jan/06 17:41:39 system,error,critical login failure for user admins from 62.218.119.62 via ssh
jan/06 17:41:42 system,error,critical login failure for user admins from 62.218.119.62 via ssh
jan/06 20:20:45 system,error,critical login failure for user oracle from 67.169.132.93 via ssh
jan/06 20:20:45 system,error,critical login failure for user oracle from 67.169.132.93 via ssh
jan/06 20:20:50 system,error,critical login failure for user almithnab from 67.169.132.93 via ssh
jan/06 20:20:52 system,error,critical login failure for user almithnab from 67.169.132.93 via ssh
jan/06 20:20:56 system,error,critical login failure for user almithnab from 67.169.132.93 via ssh
jan/06 20:20:57 system,error,critical login failure for user almithnab from 67.169.132.93 via ssh
jan/06 20:20:59 system,error,critical login failure for user almithnab from 67.169.132.93 via ssh
jan/06 20:21:02 system,error,critical login failure for user almithnab from 67.169.132.93 via ssh
jan/06 20:21:03 system,error,critical login failure for user almithnab from 67.169.132.93 via ssh
jan/06 20:21:09 system,error,critical login failure for user root from 67.169.132.93 via ssh
jan/06 20:21:10 system,error,critical login failure for user almithnab from 67.169.132.93 via ssh
jan/06 20:21:11 system,error,critical login failure for user admin from 67.169.132.93 via ssh
jan/06 20:21:12 system,error,critical login failure for user root from 67.169.132.93 via ssh
jan/07 17:05:43 system,error,critical login failure for user anonymous from 217.159.218.70 via ssh
jan/07 17:05:43 system,error,critical login failure for user anonymous from 217.159.218.70 via ssh
jan/07 17:05:51 system,error,critical login failure for user passwd from 217.159.218.70 via ssh
jan/07 17:05:52 system,error,critical login failure for user passwd from 217.159.218.70 via ssh
jan/07 17:05:56 system,error,critical login failure for user chuck from 217.159.218.70 via ssh
jan/07 17:05:57 system,error,critical login failure for user chuck from 217.159.218.70 via ssh
jan/07 17:06:00 system,error,critical login failure for user darkman from 217.159.218.70 via ssh
jan/07 17:06:01 system,error,critical login failure for user darkman from 217.159.218.70 via ssh
jan/07 17:06:04 system,error,critical login failure for user hostmaster from 217.159.218.70 via ssh
jan/07 17:06:08 system,error,critical login failure for user jeffrey from 217.159.218.70 via ssh
jan/07 17:06:19 system,error,critical login failure for user loverd from 217.159.218.70 via ssh
02:42:48 system,error,critical login failure for user admin from 67.180.99.136 via winbox
02:43:02 system,error,critical login failure for user admin from 67.180.99.136 via winbox
02:43:18 system,info,account user admin logged in from 67.180.99.136 via winbox
02:44:08 system,info,account user admin logged in from 67.180.99.136 via telnet
02:44:30 system,info,account user admin logged out from 67.180.99.136 via telnet
02:48:51 system,error,critical login failure for user anonymous from 67.180.99.136 via ftp
02:48:53 system,error,critical login failure for user anonymous from 67.180.99.136 via ftp

Posted: Tue May 10, 2005 9:30 pm
by jarosoup
It's a brute force attack via a script. As long as you have good passwords and alternative names for your admin, you're fine... I see these frequently. It's hard to block the IPs as they are usually always different. Perhaps you can block access altogether except from where you need to login from.

Turn them in

Posted: Tue May 10, 2005 10:06 pm
by wkm001
Copy the logs to your system. Visit http://www.arin.net and see who the IP address belongs to. Then email their Internet provider, normally something like abuse@?????.com.

Posted: Tue May 10, 2005 10:11 pm
by randyloveless
jarosoup

So how would I just allow, let's say, 1.1.1.2 and 3.3.32.2 to access my router and block or drop all others from accessing my MT ftp, winbox, telnet?

Randy

Posted: Tue May 10, 2005 10:17 pm
by UniKyrn
Put an accept rule in the "input" rules with the source address being the ones you want to allow and set the interface to your external interface, then after them, put in a drop rule that covers everything else from the external interface. Make sure you also accept input from your peers if you're doing active routing over that interface.

As long as you also specify the interface, you should always be able to get to the box from your internal network no matter what the IP is, you've only limited what gets to the box from the outside.
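The rule set described above, written out as an added example for the RouterOS terminal (not code from this thread): it assumes the outside interface is named ether1, uses the two addresses from Randy's question, and PEER_IP is a placeholder for an upstream routing peer.

```routeros
# Added example, not from the thread. Assumptions: the outside interface is
# ether1; 1.1.1.2 and 3.3.32.2 are the management hosts from the question;
# PEER_IP is a placeholder for a routing peer. The input chain only sees
# traffic addressed to the router itself, so transit traffic is unaffected.
# Rules are evaluated top to bottom, so the drop rule must come last.
/ip firewall filter
# Replies to connections the router itself opened (DNS, NTP, and so on);
# without this the final drop rule also discards those replies.
add chain=input in-interface=ether1 connection-state=established action=accept comment="replies to router-originated traffic"
# Management (winbox, telnet, ssh, ftp, www) only from the two allowed hosts.
add chain=input in-interface=ether1 src-address=1.1.1.2 action=accept comment="management from allowed host"
add chain=input in-interface=ether1 src-address=3.3.32.2 action=accept comment="management from allowed host"
# Routing peers, if a dynamic routing protocol runs over this interface.
add chain=input in-interface=ether1 src-address=PEER_IP action=accept comment="routing peer"
# Keep ping to the router working from outside.
add chain=input in-interface=ether1 protocol=icmp action=accept comment="ping the router"
# Everything else arriving on the outside interface for the router is dropped.
# Packets from the inside interface never match in-interface=ether1, so
# internal access is untouched whatever the source IP.
add chain=input in-interface=ether1 action=drop comment="drop other outside input"
# Check the order and watch the hit counters; the drop rule must be last.
/ip firewall filter print stats
```

Add the rules from the inside network or from one of the allowed addresses, so the drop rule cannot cut off the session you are typing it in.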

Posted: Tue May 10, 2005 10:21 pm
by randyloveless
Thanks, will try later today.

randy