Security Issue

Posted: Thu Mar 09, 2006 9:22 am
by teemx
I have a few iGates running with Version 2.9.14.

I always find in the log "system error critical" "login failure for user root from xxx.xxx.xxx.xxx via ssh".

What is this and how can I prevent it?

Posted: Thu Mar 09, 2006 9:44 am
by cabana
I don't think you can say it's a security issue. As soon as you put something on the Internet it will be scrutinised. To prevent what you are seeing in your log, ensure that your passwords are difficult, close port 22 (and 23) or change port 22 to something else... or of course limit port 22 to specific IPs that you use.

Posted: Thu Mar 09, 2006 10:45 pm
by vklimovs
It is a virus, which tries to connect to port 22 of random IPs and uses some predefined login/password combinations to login. Even if it does, it expects Linux to be there, it knows nothing about MT and MT console commands. But if you are disturbed by this, you may change ssh port on your box:
/ip service set ssh port=50022
Or you may limit access to ssh, by allowing only internal network:
/ip service set ssh address=192.168.0.0/24
You may do it by firewall also. Good luck!

Posted: Wed Mar 15, 2006 9:55 am
by mag
just an idea:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 limit=1/10s,2 action=accept comment="Accept limited SSH" disabled=no 
add chain=input protocol=tcp dst-port=22 action=drop comment="Drop excess SSH" disabled=no 

Posted: Wed Mar 15, 2006 12:28 pm
by lastguru
well... I do not like that idea, since you will not always be the first of that one per 10 seconds... in other words, you may block yourself that way.

Posted: Wed Mar 15, 2006 1:14 pm
by mag
ok, I see.
a little improvement might be:
/ip firewall filter
add chain=input in-interface=<internet> protocol=tcp dst-port=22 limit=1/10s,2 action=accept comment="Accept limited SSH" disabled=no
add chain=input in-interface=<internet> protocol=tcp dst-port=22 action=add-src-to-address-list address-list="attackers" address-list-timeout=1d comment="Excess SSH to list"
add chain=input src-address-list="attackers" action=drop comment="Drop attackers" disabled=no
it would be much better if the limit rule could match a particular src-address, but I found only dst-limit in the manual.

BTW, I'm actually using a VPN to connect to the router.

Posted: Wed Mar 15, 2006 1:24 pm
by lastguru
I hope it will not put you in that list... (it actually might, as you cannot predict timing)

Posted: Wed Mar 15, 2006 1:33 pm
by mag
it did, of course, while testing it ;-)

I don't think that problem can be solved if you are trying to use SSH from the internet AND trying to avoid SSH attacks at the same time. But I see these attacks mostly at night time and tend more and more to use VPN tunnels for management.

Posted: Wed Mar 15, 2006 4:53 pm
by cmit
You could do tricky things. Like "door-knocking":

If you open a connection to (all examples) port 1234 on your MikroTik, put the source address in an address-list "list_a" (by a firewall rule) with a short timeout of say 15 seconds.

Then if you open a connection to port 2345 on your MikroTik AND your source address already is in address list "list_a", add the source address to address-list "list_b", with a longer timeout (maybe 2 hours).

Then create a firewall rule to only accept SSH sessions from source addresses in address-list "list_b".

To put this as console commands:
/ip firewall filter add chain=input protocol=tcp dst-port=1234 action=add-src-to-address-list address-list=list_a address-list-timeout=15s
/ip firewall filter add chain=input protocol=tcp dst-port=2345 src-address-list=list_a action=add-src-to-address-list address-list=list_b address-list-timeout=2h
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=list_b action=accept

So you would have to telnet to port 1234 from "somewhere on the internet", then to port 2345 during the next 15 seconds and would THEN be granted access to SSH from this source address for the next two hours.

Just an idea. You can come up with really weird usages for address-lists ;)

Best regards,
Christian Meis

Posted: Thu Mar 16, 2006 4:05 am
by Freman
Auto block after 3 new connection attempts in a 5 minute window (give or take)

I use the top one at work when I SSH from home; it very rarely causes me a problem.

The first sample will allow you to protect a gateway machine and all the routable clients behind it.
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage3 action=reject reject-with=tcp-reset comment="Autofirewall SSH - Block/Log" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage2 action=add-src-to-address-list address-list=AutoFirewall-Stage3 address-list-timeout=5m comment="Autofirewall SSH - Stage3" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage1 action=add-src-to-address-list address-list=AutoFirewall-Stage2 address-list-timeout=1m comment="Autofirewall SSH - Stage2" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new action=add-src-to-address-list address-list=AutoFirewall-Stage1 address-list-timeout=1m comment="Autofirewall SSH - Stage1" disabled=no 
/ip firewall filter add chain=input protocol=tcp dst-port=22-23 connection-state=new action=jump jump-target=AutoFirewall comment="" disabled=no 
/ip firewall filter add chain=forward protocol=tcp dst-port=22-23 connection-state=new dst-address-list=ProtectedAddressSpace action=jump jump-target=AutoFirewall comment="" disabled=no 
/ ip firewall address-list add list=ProtectedAddressSpace address=aa.bb.cc.dd/zz comment="" disabled=no 
/ ip firewall address-list add list=ProtectedAddressSpace address=aa.bb.cc.ee/zz comment="" disabled=no 
The second sample will only protect the gateway machine.
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage3 action=reject reject-with=tcp-reset comment="Autofirewall SSH - Block/Log" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage2 action=add-src-to-address-list address-list=AutoFirewall-Stage3 address-list-timeout=5m comment="Autofirewall SSH - Stage3" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage1 action=add-src-to-address-list address-list=AutoFirewall-Stage2 address-list-timeout=1m comment="Autofirewall SSH - Stage2" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new action=add-src-to-address-list address-list=AutoFirewall-Stage1 address-list-timeout=1m comment="Autofirewall SSH - Stage1" disabled=no 
/ip firewall filter add chain=input protocol=tcp dst-port=22-23 connection-state=new action=jump jump-target=AutoFirewall comment="" disabled=no
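As an added example (not code from the thread or from MikroTik), here is a small Python model of RouterOS address lists with timeouts that replays cmit's door-knocking rules and Freman's three-stage AutoFirewall chain on constructed connection attempts. It assumes that add-src-to-address-list is non-terminating, so the remaining rules in the chain still run after it matches.

```python
class AddressLists:
    """Model of RouterOS address lists: name -> {address: expiry}; an entry
    stops matching once its address-list-timeout has elapsed."""

    def __init__(self):
        self.lists = {}

    def add(self, name, addr, now, timeout):
        # add-src-to-address-list re-adds an existing entry with a fresh timeout
        self.lists.setdefault(name, {})[addr] = now + timeout

    def contains(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now


def autofirewall(al, src, now):
    """Freman's AutoFirewall chain for one new TCP connection to port 22/23.
    Assumption: add-src-to-address-list is non-terminating, so a packet keeps
    falling through to the later add rules after matching one of them."""
    if al.contains("AutoFirewall-Stage3", src, now):
        return "reject"                                  # reject-with=tcp-reset
    if al.contains("AutoFirewall-Stage2", src, now):
        al.add("AutoFirewall-Stage3", src, now, 5 * 60)  # Stage3, 5m
    if al.contains("AutoFirewall-Stage1", src, now):
        al.add("AutoFirewall-Stage2", src, now, 60)      # Stage2, 1m
    al.add("AutoFirewall-Stage1", src, now, 60)          # Stage1, 1m
    return "accept"  # 4th new connection inside the window is rejected


def knock_gate(al, src, dst_port, now):
    """cmit's door-knocking rules: a hit on 1234 lists the source in list_a for
    15s, a hit on 2345 while in list_a lists it in list_b for 2h, and port 22
    is accepted only from list_b."""
    if dst_port == 1234:
        al.add("list_a", src, now, 15)
        return "knock"
    if dst_port == 2345 and al.contains("list_a", src, now):
        al.add("list_b", src, now, 2 * 60 * 60)
        return "knock"
    if dst_port == 22:
        return "accept" if al.contains("list_b", src, now) else "drop"
    return "drop"


if __name__ == "__main__":
    al = AddressLists()  # constructed timeline: RFC 5737 addresses, seconds
    print([autofirewall(al, "203.0.113.5", t) for t in (0, 10, 20, 30, 400)])
    print([knock_gate(al, "192.0.2.7", p, t) for p, t in ((1234, 0), (2345, 5), (22, 6))])
```

Replaying an admin's own reconnects through autofirewall shows the self-lockout lastguru raised: the fourth new connection inside the window is rejected regardless of who sent it, and only expiry of the Stage3 entry clears it.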