merarischroeder
just joined
Topic Author
Posts: 4
Joined: Tue Feb 12, 2013 4:01 am

Security Issue - FTP port accessible with crafted packets

Tue Feb 12, 2013 8:28 am

RB2011UAS-2HnD
v5.21

I noticed this message in the Log screen (winbox):
"system error critical login failure for user Administrador from 114.207.246.138 via ftp"

Being an IP address in South Korea (geoip) (Hi, yes I'm working on blocking you out), it's not me (being in Australia).

These messages were coming through frequently - close to one every second. Suspecting that they were trying to brute-force guess the password, I:
* Disabled the FTP service through IP > Services
* Added chain=forward action=drop (on their IP address)

Neither of these worked.

I mirrored the traffic from my WAN to my PC and looked at the traffic in Wireshark. I tried to FTP from an external IP, but it didn't work. However, I compared the packets between myself and the attacker, and they appear to have spoofed the windowing parameters at the TCP level, having a high sequence number (although it is possible that this is just a natural number, since they have been trying for a while). Either way, I suspect that differences in their packets have allowed access.

Another possibility is that their TCP session was created before my firewall rule and disabling of ftp, and the router is allowing the pre-established session.

Furthermore, another attack from a Chinese IP began, attacking the SSH port (I don't know why MikroTik enables these ports externally by default). I simply disabled SSH through IP > Services. Instant result - no more attacks.

So it would seem this is FTP specific. Any help, configuration or support would be great (no, South Korean, I don't want your help). I'm happy to provide full packets I have captured via Wireshark etc.
 
merarischroeder
just joined
Topic Author
Posts: 4
Joined: Tue Feb 12, 2013 4:01 am

Re: Security Issue - FTP port accessible with crafted packet

Tue Feb 12, 2013 8:43 am

Following the assumption that it was the pre-established connection which was remaining open, I:
* Restarted the router
* No more attempts were making it through.

Therefore I suggest that you:
* Update the FTP server to close the TCP connection after 3 failed attempts
* Include higher-level security features to automatically block IPs which try to connect to a set of ports (e.g. {21 or SSH})

Thanks.
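
The "act after 3 failed attempts" idea from the post above, applied on the log side: an added example, not part of the original posts and not MikroTik code. It parses the "login failure ... via ftp" message quoted in the first post and flags each source that reaches a threshold inside a time window. The `HH:MM:SS` prefix, the function names and the sample lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Message text as quoted in the first post; the leading HH:MM:SS
# timestamp is an assumed prefix (adjust to your log export).
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+.*?"
    r"login failure for user (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\S+)"
)

def parse(line):
    """Return (seconds_since_midnight, ip, service, user) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return t, m["ip"], m["svc"], m["user"]

def brute_force_sources(lines, threshold=3, window=60):
    """Map (ip, service) -> peak failures within `window` seconds,
    for sources that reach `threshold`. Assumes lines are in time
    order and do not cross midnight."""
    recent = defaultdict(deque)   # sliding window of failure times
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # not a login-failure message
        t, ip, svc, _user = rec
        q = recent[(ip, svc)]
        q.append(t)
        while t - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[(ip, svc)] = max(flagged.get((ip, svc), 0), len(q))
    return flagged

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = [
    "08:20:01 system,error,critical login failure for user Administrador from 203.0.113.7 via ftp",
    "08:20:02 system,error,critical login failure for user admin from 203.0.113.7 via ftp",
    "08:20:03 system,error,critical login failure for user root from 203.0.113.7 via ftp",
    "08:20:04 system,error,critical login failure for user test from 203.0.113.7 via ftp",
    "08:21:10 system,info,account user admin logged in from 192.0.2.10 via winbox",
    "08:25:00 system,error,critical login failure for user admin from 198.51.100.9 via ssh",
    "08:40:00 system,error,critical login failure for user admin from 198.51.100.9 via ssh",
]

if __name__ == "__main__":
    for (ip, svc), count in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip} via {svc}: {count} failures inside the window")
```

Counting per (source, service) pair keeps an occasional mistyped password from being flagged alongside a once-per-second run like the one described in the first post.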
 
Fleury
just joined
Posts: 8
Joined: Sun Mar 31, 2013 2:47 pm

Re: Security Issue - FTP port accessible with crafted packet

Wed Apr 10, 2013 1:57 am

Hi, I also got the same problem. These messages were coming through frequently (see attached picture). It's an IP from China, and after I disabled the SSH port it's now fine; I'm not seeing these errors.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Security Issue - FTP port accessible with crafted packet

Wed Apr 10, 2013 4:18 pm

To avoid this, all you have to do is block connections to your router (chain=input) on the WAN interface. Also, setting the /ip services address field will only allow connections from the addresses set there.
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Security Issue - FTP port accessible with crafted packet

Wed Apr 10, 2013 4:23 pm

The wiki has a good example of how to protect the router from brute force attacks:
http://wiki.mikrotik.com/wiki/Bruteforc ... P_%26_SSH)
 
jp
Long time Member
Posts: 609
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine

Re: Security Issue - FTP port accessible with crafted packet

Wed Apr 10, 2013 6:52 pm

I have firewall rules for blocking by default.

RouterOS would do well to have a more secure default config. A block-everything input rule would cover that. Then people could add their specific remote access allows. A wizard configuration option could make it easy to set up securely.

Juniper routers, for example, won't even forward traffic till you ask them to.
 
spire2z
Long time Member
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Re: Security Issue - FTP port accessible with crafted packet

Thu Apr 11, 2013 12:39 am

I think the default firewall rules do block all input connections?
