tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Mikrotik Errors

Tue Aug 06, 2013 6:50 pm

Every time I log into my terminal, I have many errors. Here is the current list:

(1405 messages not shown)
aug/06/2013 07:57:06 system,error,critical login failure for user debug from 182.18.18.197 via ssh
aug/06/2013 07:57:09 system,error,critical login failure for user baby from 182.18.18.197 via ssh
aug/06/2013 07:57:13 system,error,critical login failure for user science from 182.18.18.197 via ssh
aug/06/2013 07:57:16 system,error,critical login failure for user technology from 182.18.18.197 via ssh
aug/06/2013 07:57:19 system,error,critical login failure for user biology from 182.18.18.197 via ssh
aug/06/2013 07:57:22 system,error,critical login failure for user chemistry from 182.18.18.197 via ssh
aug/06/2013 07:57:25 system,error,critical login failure for user math from 182.18.18.197 via ssh
aug/06/2013 07:57:28 system,error,critical login failure for user lab from 182.18.18.197 via ssh

What are these? Is someone trying to get in? How do I protect myself against it if they are?

Thanks.
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Mikrotik Errors

Tue Aug 06, 2013 6:58 pm

Looks like your SSH is open to the world. It is common to get those scans for users with "insecure" passwords once your SSH is reachable from the internet. You should limit SSH access a bit, for example with firewall rules.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Mikrotik Errors

Tue Aug 06, 2013 7:09 pm

Ok. I understand. Do I need to have ssh open at all?

What is the best way to secure ssh?
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Mikrotik Errors

Tue Aug 06, 2013 7:33 pm

> Ok. I understand. Do I need to have ssh open at all?
>
> What is the best way to secure ssh?

Drop the connections with the firewall from the WAN interface to the router that you don't need. Personally I have a default drop and only allow certain connections to the router (e.g. VPN).
 
mahnet
Long time Member
Posts: 654
Joined: Tue Jul 07, 2009 9:11 pm

Re: Mikrotik Errors

Tue Aug 06, 2013 7:45 pm

Change the SSH service port from the default.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik Errors

Wed Aug 07, 2013 10:43 am

Follow the advice here, to protect your router from such attacks: http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Mikrotik Errors

Fri Aug 09, 2013 11:57 pm

I added this:

/ip firewall filter
# Drop SSH traffic from any source already on the blacklist
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="drop ssh brute forcers" disabled=no

# New connection from a source on ssh_stage3: blacklist it for 10 days
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=10d comment="" disabled=no

# New connection from a source on ssh_stage2: move it to ssh_stage3 for 1 minute
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m comment="" disabled=no

# New connection from a source on ssh_stage1: move it to ssh_stage2 for 1 minute
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
    action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

# Any new SSH connection: put the source on ssh_stage1 for 1 minute
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
    address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

to my firewall. Right now I have some accept rules and a general deny rule. Where should these new rules be located? Above the deny, above the accept, in the middle? Thanks.
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Mikrotik Errors

Sun Aug 11, 2013 4:00 pm

Does it matter where I place the ssh programming language in my firewall?
 
AlArenal
Member Candidate
Posts: 131
Joined: Thu Aug 01, 2013 5:24 pm
Location: Iserlohn, Germany

Re: Mikrotik Errors

Sun Aug 11, 2013 4:25 pm

> Does it matter where I place the ssh programming language in my firewall?

When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the chain, then it is accepted.
see: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
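
As an added illustration of the first-match behaviour described above (not part of the original thread and not MikroTik code), this Python model replays new SSH connections through the five posted rules, placed above and below an accept rule. `ACCEPT_SSH`, `DENY_ALL`, the source address and the timeout-restart behaviour are assumptions of the model; `add-src-to-address-list` is treated as non-terminating, like passthrough.

```python
DAY = 86400

def stage(src_list, dst_list, timeout):
    # Models action=add-src-to-address-list for a new TCP/22 connection.
    return {"src_list": src_list, "action": "add", "to": dst_list, "timeout": timeout}

# The five posted rules, in the posted order.
BRUTE_RULES = [
    {"src_list": "ssh_blacklist", "action": "drop"},
    stage("ssh_stage3", "ssh_blacklist", 10 * DAY),
    stage("ssh_stage2", "ssh_stage3", 60),
    stage("ssh_stage1", "ssh_stage2", 60),
    stage(None, "ssh_stage1", 60),
]
ACCEPT_SSH = {"src_list": None, "action": "accept"}  # assumed existing accept rule
DENY_ALL = {"src_list": None, "action": "drop"}      # assumed general deny rule

def process(chain, lists, src, now):
    """Return the verdict for one new SSH connection from src at time now."""
    for rule in chain:
        name = rule["src_list"]
        if name is not None and lists.get((name, src), 0) <= now:
            continue  # source is not on that list, or its entry has expired
        if rule["action"] == "add":
            # Non-terminating: record the address, then keep walking the chain.
            # Model assumption: a repeat match restarts the entry's timeout.
            lists[(rule["to"], src)] = now + rule["timeout"]
            continue
        return rule["action"]  # accept/drop ends processing: first match wins
    return "accept"  # nothing matched: the chain's default is accept

def simulate(chain, attempts=6, interval=3, src="192.0.2.10"):
    """Replay evenly spaced attempts (constructed input); return verdicts and lists used."""
    lists = {}
    verdicts = [process(chain, lists, src, i * interval) for i in range(attempts)]
    return verdicts, sorted({name for name, _ in lists})

ORDERINGS = {
    "brute-force rules above accept": BRUTE_RULES + [ACCEPT_SSH, DENY_ALL],
    "brute-force rules below accept": [ACCEPT_SSH] + BRUTE_RULES + [DENY_ALL],
}

if __name__ == "__main__":
    for label, chain in ORDERINGS.items():
        print(label, *simulate(chain))
```

With the rules above the accept rule, the fifth attempt is the first one dropped; below it, the accept rule ends processing first and no address list is ever populated.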
 
tabate47
Long time Member
Topic Author
Posts: 510
Joined: Wed Mar 13, 2013 5:23 am
Location: Los Angeles

Re: Mikrotik Errors

Mon Aug 12, 2013 5:00 am

I understand the text that is written, but I don't understand how the script is processed, so that is why I was asking where the language needs to be placed in the firewall. If anyone knows, I would appreciate it.
