Community discussions

 
David1234
Forum Guru
Forum Guru
Topic Author
Posts: 1264
Joined: Sun Sep 18, 2011 7:00 pm

is there anyway to know password mistake?

Mon Feb 03, 2014 11:32 am

I can see that someone is try to enter the router using ssh2
but all I can see is with which user he is trying
can I know also in which pass is he trying?
like it the img
u can see that some one is trying to enter using user:root,postmaster,postfix....
can I know also what pass is he trying to enter?
You do not have the required permissions to view the files attached to this post.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: is there anyway to know password mistake?

Mon Feb 03, 2014 11:33 am

no, there is no way to get the actual password, that would be major security issue if it was allowed.
 
David1234
Forum Guru
Forum Guru
Topic Author
Posts: 1264
Joined: Sun Sep 18, 2011 7:00 pm

Re: is there anyway to know password mistake?

Mon Feb 03, 2014 11:36 am

why is that?
It will only show the wrong ones
 
User avatar
dasiu
Trainer
Trainer
Posts: 232
Joined: Fri Jan 30, 2009 11:41 am
Location: Reading, UK
Contact:

Re: is there anyway to know password mistake?

Mon Feb 03, 2014 12:30 pm

You can:
1. Do a port redirection - dst-nat for ssh port to a server on a separate linux machine you have in your network for sniffing passwords (ex. a Raspberry Pi machine) for connections coming from an address list (and you just add the "suspicious" IP to the list - to be redirected to the fake server)
2. Sniff passwords from the linux machine (see http://blog.vpetkov.net/2013/01/29/snif ... rver-side/ )

edit: I've just tested, it works for me! :)
Process 20987 attached - interrupt to quit
write(4, "\0\0\0\23\v", 5)              = 5
write(4, "\0\0\0\16$ecreTP2$$w0rd", 18) = 18
write(3, "*\373\fAPK\365B\243\220\\\"7(\321\24\216J}g^\2411\3555\27n\352\377\23B\22"..., 64) = 64
write(4, "\0\0\0\26\v", 5)              = 5
write(4, "\0\0\0\21An0ther$ecretP@ss", 21) = 21
write(3, "\231\315\3v\306\206\337\213\367\220\245\354\245\36x\317C\262O\37$Q\0218\330\230\364/\363\344\343\232"..., 64) = 64
write(4, "\0\0\0\22\v", 5)              = 5
write(4, "\0\0\0\rM2ybeThi$0ne?", 17)   = 17
write(3, "\214do\325\307\26~\240\372\260\261\346aK\323\237P\373,\322H\243.\17\177X\225\333\25MT\260"..., 64) = 64
write(8, "\0\0\0+\0\0\0\3\0\0\0#Connection closed by"..., 47) = 47
Process 20987 detached
So:
write(4, "\0\0\0\16$ecreTP2$$w0rd", 18) = 18
write(4, "\0\0\0\21An0ther$ecretP@ss", 21) = 21
write(4, "\0\0\0\rM2ybeThi$0ne?", 17) = 17
It works! :)

All you need is:
1. On your MikroTik:
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=22 src-address-list=sniff_ssh dst-address=<MikroTik'sIPAddress> to-addresses=<LinuxSnifferMachineIPAddress>
/ip firewall address-list add list=sniff_ssh address=<Attacker'sIPAddress>
2. On your Linux sniffer:
root@sniffer:~# while [ 1 ]; do newpid=`ps aux | grep ssh | grep net | awk {' print $2'}`; if [ -n "$newpid" ]; then strace -q -e write -p $newpid; fi; done
- And wait.

I'm sure it's worth at least 1 karma :).
 
David1234
Forum Guru
Forum Guru
Topic Author
Posts: 1264
Joined: Sun Sep 18, 2011 7:00 pm

Re: is there anyway to know password mistake?

Tue Feb 04, 2014 1:08 pm

seem great
my only problem is that I don't have separate linux machine.

Thanks anyway
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: is there anyway to know password mistake?

Tue Feb 04, 2014 1:20 pm

Have you tried something like this?
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

Or have you considered blocking that ip?
 
David1234
Forum Guru
Forum Guru
Topic Author
Posts: 1264
Joined: Sun Sep 18, 2011 7:00 pm

Re: is there anyway to know password mistake?

Tue Feb 04, 2014 2:42 pm

I can't block the IP because it's changing .

but i have done this (as you told )
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

but where do I see\change the timeout?

thanks ,
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: is there anyway to know password mistake?

Tue Feb 04, 2014 2:46 pm

If you mean the 10 day timeout, here. Change the address-list-timeout value.
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
 
User avatar
bysard
Member Candidate
Member Candidate
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Re: is there anyway to know password mistake?

Tue Feb 04, 2014 3:09 pm

Have you considered blocking SSH al together if you don't need it?
 
David1234
Forum Guru
Forum Guru
Topic Author
Posts: 1264
Joined: Sun Sep 18, 2011 7:00 pm

Re: is there anyway to know password mistake?

Tue Feb 04, 2014 5:51 pm

Thanks , it's very helpful

I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP )
 
Petzl
Member Candidate
Member Candidate
Posts: 207
Joined: Sun Jun 30, 2013 12:14 pm

Re: is there anyway to know password mistake?

Tue Feb 04, 2014 6:48 pm

Thanks , it's very helpful

I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP )

Then use a other port than de default port
 
User avatar
bysard
Member Candidate
Member Candidate
Posts: 295
Joined: Thu Apr 22, 2010 2:53 pm

Re: is there anyway to know password mistake?

Thu Feb 06, 2014 1:08 pm

...or use "port knocking".
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: is there anyway to know password mistake?

Thu Feb 06, 2014 2:06 pm

Port knocking or a vpn

Sent from my SCH-I545 using Tapatalk
 
User avatar
Caci99
Forum Guru
Forum Guru
Posts: 1064
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane
Contact:

Re: is there anyway to know password mistake?

Thu Feb 06, 2014 2:33 pm

Thanks , it's very helpful

I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP )
Port knocking as some already mentioned or you can use some filter rules which you can find on the wiki, like these for example:
/ip firewall filter
add action=drop chain=input comment="drop ssh brute force login" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blaclist
add action=add-src-to-address-list address-list=ssh_blaclist \
    address-list-timeout=1w3d chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp
The above rules would allow connections from one IP on ssh three times, if all these attempts fail, then that IP will be banned for 10 days.
-Toni-
Don't crash the ambulance, whatever you do
 
David1234
Forum Guru
Forum Guru
Topic Author
Posts: 1264
Joined: Sun Sep 18, 2011 7:00 pm

Re: is there anyway to know password mistake?

Thu Feb 06, 2014 5:45 pm

from what I have seen from the last few days
the first rules you gave me work just fine :
/ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Aviod to enter from the WiFi 
     chain=forward action=drop src-address=10.0.0.0/24 dst-address=159.158.157.0/29 

 1   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 

 2   chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d 
     dst-port=22 

 3   chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 

 4   chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 

 5   chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     address-list=ssh_stage1 address-list-timeout=1m dst-port=22 
[admin@Koren-ADSL] > 
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: is there anyway to know password mistake?

Thu Feb 06, 2014 10:56 pm

Thanks , it's very helpful

I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP )
Port knocking as some already mentioned or you can use some filter rules which you can find on the wiki, like these for example:
/ip firewall filter
add action=drop chain=input comment="drop ssh brute force login" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blaclist
add action=add-src-to-address-list address-list=ssh_blaclist \
    address-list-timeout=1w3d chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp
The above rules would allow connections from one IP on ssh three times, if all these attempts fail, then that IP will be banned for 10 days.

The only issue is that it won't reset when a good connection is established right?.... it would seem that it would be cool to remove the IP from the list when a valid connection is established. The only way I can think of to do that however is to have the SSH server use the API to remove the entry....

Thoughts?
 
User avatar
Caci99
Forum Guru
Forum Guru
Posts: 1064
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane
Contact:

Re: is there anyway to know password mistake?

Fri Feb 07, 2014 11:35 am

The only issue is that it won't reset when a good connection is established right?
What do you mean by reset? A valid connection will connect at first attempt and the source IP will be part of the stage1 list which has a time out of 1m. Obviously, you would not attempt a second connection and after one minute the IP will not be any more on any list. Anyway, you still have three attempts to make a successful connection, and only if you fail those three attempts the IP will be part of the ssh black list. You can add attempts though if you like.
-Toni-
Don't crash the ambulance, whatever you do
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: is there anyway to know password mistake?

Fri Feb 07, 2014 2:50 pm

Unless you open multiple terminals. I'm just saying that those rules so not only pick up invalid attempts. They pick up valid and invalid. So if you opened multiple valid connections you could also get blocked.

Sent from my SCH-I545 using Tapatalk
 
jaykay2342
Member
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: is there anyway to know password mistake?

Sat Feb 08, 2014 9:40 pm

Why do you have ssh on a router open for everyone? I usually manage all devices from my office, via vpn or from a jump box at the datacenter. Therefor only those IP(ranges) are allowed to access the routers via ssh.

If it's possible i would limit the access to as few as possible IPs.
9-5 Job: Securityanalyst at a major MSSP.
Free time volunteer: Networkadmin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: is there anyway to know password mistake?

Sat Feb 08, 2014 11:24 pm

Why do you have ssh on a router open for everyone? I usually manage all devices from my office, via vpn or from a jump box at the datacenter. Therefor only those IP(ranges) are allowed to access the routers via ssh.

If it's possible i would limit the access to as few as possible IPs.
+1

Sent from my SCH-I545 using Tapatalk
 
sanitycheck
newbie
Posts: 47
Joined: Wed Nov 16, 2011 6:03 am
Location: USA

Re: is there anyway to know password mistake?

Sun Feb 09, 2014 9:30 pm

Don't forget certificates. I import a certificate for a new user I add (I don't use a password on the account, but I do on the certificate). I put that new user in a new group I create that has only SSH access. I remove the SSH privilege from admin group. I then put SSH on a random, high-numbered port as someone else suggested.

That setup doesn't eliminate the possibility of continued brute-force attacks, but the non-standard port makes it much less likely, and the certificate reduces the chance of success to just about zero. Even if someone could gain access through the ssh-only user account, there's not much they can do unless they can launch a second session as admin through the ssh connection.

If for some reason a certificate could not be used, I would still make the other changes above, but change the name of the account with ssh privilege to something difficult to guess. That way guessing the username is as difficult as guessing the password.

VPN is a great idea but not possible if you manage multiple routers not owned by the same person or company. Plus, having ssh as a back door is nice if the VPN breaks. That's a real possibility with firmware updates, but ssh is simple enough that it always seems to work.

Who is online

Users browsing this forum: No registered users and 88 guests