Community discussions

MUM Europe 2020
 
kvan64
Member Candidate
Member Candidate
Topic Author
Posts: 186
Joined: Tue Apr 10, 2007 1:54 pm
Location: Brisbane Australia
Contact:

MT router under attack?

Sun Oct 07, 2007 12:38 am

Hi, for the last few days, every time I open a new terminal, I see a list of critical login failures of non-existed user-names. Sometimes it appears that there are thousands of those messages (not shown). Am I under some kind of attack? What should I do?
Look below:

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 3.0rc6 (c) 1999-2007 http://www.mikrotik.com/

(3124 messages not shown)
oct/07/2007 06:23:51 system,error,critical login failure for user httpd from 213
.21.208.164 via ssh
oct/07/2007 06:23:55 system,error,critical login failure for user pop from 213.2
1.208.164 via ssh
oct/07/2007 06:24:00 system,error,critical login failure for user nobody from 21
3.21.208.164 via ssh
oct/07/2007 06:24:03 system,error,critical login failure for user root from 213.
21.208.164 via ssh
oct/07/2007 06:24:12 system,error,critical login failure for user backup from 21
3.21.208.164 via ssh
oct/07/2007 06:24:17 system,error,critical login failure for user info from 213.
21.208.164 via ssh
oct/07/2007 06:24:20 system,error,critical login failure for user shop from 213.
21.208.164 via ssh
oct/07/2007 06:24:24 system,error,critical login failure for user sales from 213
.21.208.164 via ssh
Terminal vt102 detected, using multiline input mode
[admin@MikroTik] >
 
User avatar
Viroslash
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Wed Jun 20, 2007 5:39 am
Location: La Plata, Buenos Aires, Argentina
Contact:

Re: MT router under attack?

Sun Oct 07, 2007 1:49 am

Bruteforce login prevention (FTP and SSH)
From MikroTik Wiki

allows only 10 FTP login incorrect answers per minute
/ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

This will prevent a SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

/ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
Foro MikroTik en Español
http://www.foromikrotik.com.ar
 
steveloomis
newbie
Posts: 49
Joined: Sat Oct 09, 2004 1:56 am
Location: Oklahoma, USA

Re: MT router under attack?

Sun Oct 07, 2007 2:24 am

Simple to fix. In winbox, got to IP tab, then services. Disable all unnecessary services, like HTTP, FTP, Telnet etc, maybe change the port number to non-standard ports. I have done this repeatedly on many of our MT routers and stopped the attempts to log in...
Steve Loomis
 
kvan64
Member Candidate
Member Candidate
Topic Author
Posts: 186
Joined: Tue Apr 10, 2007 1:54 pm
Location: Brisbane Australia
Contact:

Re: MT router under attack?

Sun Oct 07, 2007 7:31 am

Thanks guys, I have added these firewall rules. Hope that It works.
 
kvan64
Member Candidate
Member Candidate
Topic Author
Posts: 186
Joined: Tue Apr 10, 2007 1:54 pm
Location: Brisbane Australia
Contact:

Re: MT router under attack?

Sun Oct 07, 2007 3:04 pm

Viroslash,
I am so glad to see that the bad guy got banned just after three attempts this arvo. I also see his ip address in the blacklist. I was just wondering if I could display a message if black-listed ip addresses attempt to login again? That would be cool.
 
User avatar
Viroslash
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Wed Jun 20, 2007 5:39 am
Location: La Plata, Buenos Aires, Argentina
Contact:

Re: MT router under attack?

Sun Oct 07, 2007 8:05 pm

With this rule you can know who is this trying to login. Put it in previous to the others.
/ip firewall filter
add chain=input protocol=tcp dst-port=20-23 action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d comment="remote_logins" disabled=no
Foro MikroTik en Español
http://www.foromikrotik.com.ar
 
Repla
just joined
Posts: 7
Joined: Sun Aug 03, 2008 2:24 pm

Re: MT router under attack?

Wed Aug 06, 2008 1:45 am

How they come to know that I just installed a new copy of RouterOS?

Do they search all internet? or my server sends some packets or they learn it from forums???
 
0ldman
Forum Guru
Forum Guru
Posts: 1446
Joined: Thu Jul 27, 2006 5:01 am

Re: MT router under attack?

Wed Aug 06, 2008 5:26 am

Usually just a random port scan. The local cable company was being hammered, and my subnet is just a few digits different, mine was hammered shortly after.
 
User avatar
kameelperdza
Member
Member
Posts: 469
Joined: Thu Nov 27, 2008 11:45 am
Location: Oudtshoorn, South Africa

Re: MT router under attack?

Thu Sep 13, 2012 11:13 am

What i have done is to change critical under logging from echo to disk.
It helps me to keep track on how many times one ip address tries.
Give me some karma
 
User avatar
Hotz1
Member
Member
Posts: 391
Joined: Tue Oct 09, 2007 6:55 am

Re: MT router under attack?

Thu Sep 13, 2012 4:35 pm

If you want to log every subsequent login attempt from a blacklisted address, put this above the "action=drop" rule:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=log log-prefix=SSH-blacklisted comment="log blacklisted ssh brute forcers" disabled=no
Principal, Engineering
Cape Ann Communications, Inc.
Gloucester, MA, USA
 
User avatar
kameelperdza
Member
Member
Posts: 469
Joined: Thu Nov 27, 2008 11:45 am
Location: Oudtshoorn, South Africa

Re: MT router under attack?

Thu Sep 13, 2012 5:16 pm

If you want to log every subsequent login attempt from a blacklisted address, put this above the "action=drop" rule:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=log log-prefix=SSH-blacklisted comment="log blacklisted ssh brute forcers" disabled=no
i have also tried similar rule, but it gives me too much information that i dont need. I just want to see the ip address and how many attemps there was.

This is what i wil usually see with the rule you mentioned
Sep/13/2012 16:08:37 route,ospf,debug ssh_blacklist (input): RECV: Hello <- 172.16.0.1 on ether2 (172.16.0.200)
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input): PACKET:
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     45 C0 00 54 20 97 00 00 01 59 0B E4 AC 10 00 01
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     E0 00 00 05 02 01 00 30 0A 00 00 01 AC 10 00 00
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     00 00 00 02 00 00 01 10 00 00 0B 77 FF FF FF 00
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     00 0A 02 01 00 00 00 28 00 00 00 00 00 00 00 00
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     AC 10 00 C8 B0 6E EF 95 5C 8B 55 2B EE CD 0F 49
Sep/13/2012 16:08:37 route,ospf,debug,raw ssh_blacklist (input):     70 B1 8B 29
Sep/13/2012 16:08:37 route,ospf,debug ssh_blacklist (input):   received options: E
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input): rcvd Echo-Request from 10.0.0.2
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     identifier=15
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input): sent Echo-Reply to 10.0.0.2
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     identifier=15
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     result-code=1
Sep/13/2012 16:08:38 pptp,debug,packet ssh_blacklist (input):     error-code=0
Give me some karma
 
francisuk24
newbie
Posts: 28
Joined: Tue Mar 18, 2014 12:10 am
Location: United Kingdom
Contact:

Re: MT router under attack?

Tue Mar 18, 2014 12:15 am

Im new to RouterOS and i have a question.

If i wont to input "http://www.spamhaus.org/drop/drop.txt" this list, How do i go about doing it?
RouterBoard RB750R2, RouterOS Level 4
ISP: Zen Internet via VDSL 2 > 74.68Mb Down / 17.84Mb Up
 
User avatar
amt
Long time Member
Long time Member
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: MT router under attack?

Fri Jul 01, 2016 1:15 pm

Im new to RouterOS and i have a question.

If i wont to input "http://www.spamhaus.org/drop/drop.txt" this list, How do i go about doing it?
Hi,

Check this
http://joshaven.com/resources/tricks/mi ... ress-list/

Who is online

Users browsing this forum: bpwl, yreks and 29 guests