bino
newbie
Topic Author
Posts: 42
Joined: Thu Jun 17, 2004 4:44 pm

blocking access to ROS box

Thu Apr 08, 2010 4:26 am

Dear All

I have these rules in my filter:
[admin@mybox] > /ip fir fil print det
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Block All tcp to local
     chain=input action=drop protocol=tcp dst-address-type=local src-address-list=!sshok 

 1   ;;; Block All udp to local
     chain=input action=drop protocol=udp dst-address-type=local src-address-list=!sshok 
but when I ssh login from my station, I got this msg:
apr/07/2010 22:52:32 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:34 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:34 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:37 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:37 system,error,critical login failure for user oracle from 89.46.37.118 via ssh
apr/07/2010 22:52:39 system,error,critical login failure for user oracle from 89.46.37.118 via ssh
apr/07/2010 22:52:39 system,error,critical login failure for user test from 89.46.37.118 via ssh
apr/07/2010 22:52:41 system,error,critical login failure for user test from 89.46.37.118 via ssh
I'm sure that 89.46.37.118 is not in my allowed address list (sshok)

Is it normal?

Sincerely
-bino-
CERTIFIED CI$CO HATER
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: blocking access to ROS box

Thu Apr 08, 2010 4:37 am

Those rules should work, but something else in the rule set might interfere with them. Can you post the entire ruleset along with the address list?

Also, usually it's easier to just accept traffic that you want and then drop everything else rather than deny specific traffic. Additionally, dst-address-type=local is unnecessary in the 'input' chain since only traffic destined for the router goes into that chain, so a local destination address type is implied.
/ip firewall filter
add chain=input action=accept protocol=tcp src-address-list=sshok 
add chain=input action=accept protocol=udp src-address-list=sshok
add chain=input action=drop
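To make the difference between the two rule sets concrete, here is an added Python model of first-match evaluation in the RouterOS input chain (example code written for this thread, not MikroTik's own logic or anything either poster ran). It parses the "login failure" log lines from the first post, lists failures from sources outside the allowed list, and then runs SSH packets from those sources, plus a non-TCP/UDP packet, through both the original drop-!sshok rules and the accept-then-drop set suggested above. The contents of the sshok address list are constructed, only protocol and src-address-list are modelled, and the input chain is taken to accept anything no rule matches (RouterOS's default for a built-in chain).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed contents for the "sshok" address list (example management hosts,
# not the poster's real list).
ADDRESS_LISTS = {
    "sshok": [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")],
}

# Log lines copied from the first post (one per user name tried).
LOG_LINES = """\
apr/07/2010 22:52:32 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:34 system,error,critical login failure for user root from 89.46.37.118 via ssh
apr/07/2010 22:52:37 system,error,critical login failure for user oracle from 89.46.37.118 via ssh
apr/07/2010 22:52:39 system,error,critical login failure for user test from 89.46.37.118 via ssh
""".splitlines()

LOGIN_FAILURE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) via (?P<svc>\w+)"
)

def failed_logins(lines):
    """Return (src, user, service) tuples for every RouterOS 'login failure' log line."""
    out = []
    for line in lines:
        m = LOGIN_FAILURE.search(line)
        if m:
            out.append((m["src"], m["user"], m["svc"]))
    return out

def address_list_match(addr, spec):
    """Evaluate src-address-list=<spec>; a leading '!' negates the match as in RouterOS."""
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    hit = any(ip_address(addr) in net for net in ADDRESS_LISTS.get(name, []))
    return hit != negate

def rule_matches(rule, pkt):
    # Only protocol and src-address-list are modelled. dst-address-type=local is
    # implied for the input chain (as noted in the reply above), so it is not checked.
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "src_address_list" in rule and not address_list_match(pkt["src"], rule["src_address_list"]):
        return False
    return True

def evaluate(chain, pkt):
    """First matching rule decides; a packet that matches nothing is accepted by the chain default."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"

# The poster's two rules: drop what is NOT in sshok; everything else falls through.
BLOCKLIST_INPUT = [
    {"protocol": "tcp", "src_address_list": "!sshok", "action": "drop"},
    {"protocol": "udp", "src_address_list": "!sshok", "action": "drop"},
]

# The suggested set: accept what IS in sshok, then drop everything else.
WHITELIST_INPUT = [
    {"protocol": "tcp", "src_address_list": "sshok", "action": "accept"},
    {"protocol": "udp", "src_address_list": "sshok", "action": "accept"},
    {"action": "drop"},
]

def verdicts_for_log(chain, lines):
    """Map each source seen in the failure log to the verdict the chain gives its SSH (TCP) packets."""
    result = {}
    for src, _user, _svc in failed_logins(lines):
        result[src] = evaluate(chain, {"protocol": "tcp", "src": src})
    return result

def untrusted_failure_counts(lines, list_name="sshok"):
    """Count failures per source that is not in the allowed list (the check bino did by eye)."""
    counts = Counter()
    for src, _user, _svc in failed_logins(lines):
        if not address_list_match(src, list_name):
            counts[src] += 1
    return dict(counts)

if __name__ == "__main__":
    print("failures from sources outside sshok:", untrusted_failure_counts(LOG_LINES))
    for name, chain in (("blocklist", BLOCKLIST_INPUT), ("whitelist", WHITELIST_INPUT)):
        print(name, "ssh from logged sources ->", verdicts_for_log(chain, LOG_LINES))
        print(name, "icmp from 89.46.37.118 ->", evaluate(chain, {"protocol": "icmp", "src": "89.46.37.118"}))
```

Both chains drop TCP from the logged source, which is why the reply above points at something outside these two filter rules rather than at the rules themselves. The model also shows what the accept-then-drop layout buys: with the original two rules, anything that is neither TCP nor UDP (ICMP in the run above) reaches the router because no rule matches it, whereas the final unconditional drop catches it.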
 
bino
newbie
Topic Author
Posts: 42
Joined: Thu Jun 17, 2004 4:44 pm

Re: blocking access to ROS box

Thu Apr 08, 2010 5:24 am

Those rules should work, but something else in the rule set might interfere with them. Can you post the entire ruleset along with the address list?
Do you mean including the mangle rules?
For the filter, those 2 rules are the only ones I have.
Also, usually it's easier to just accept traffic that you want and then drop everything else rather than deny specific traffic.
Well, actually I only followed the suggestions on securing my MT box from http://wiki.mikrotik.com/wiki/Securing_your_router
Additionally, dst-address-type=local is unnecessary in the 'input' chain since only traffic destined for the router goes into that chain, so a local destination address type is implied.
OK, I'll try it.

Sincerely
-bino-
CERTIFIED CI$CO HATER
