Arpanet
Member Candidate
Topic Author
Posts: 281
Joined: Sat Aug 24, 2013 8:26 pm

Torch results to variable

Fri Sep 10, 2021 12:07 am

Hello,
We have a customer who periodically tries to access other network devices (I think he/she has some good hacking skills, since he/she is able to find other customers' IP addresses) using SSH or port 8291.

I want to prove that it is his/her fault by writing a script that listens for outgoing SSH/8291 connections.

Basically I want the result of the torch command in a variable, like:
# pseudocode: capture the torch output in a variable
:local test [/tool torch interface=ether1 port=ssh]
:if ($test != 0) do={
    /log info "Outgoing ssh connection attempt"
}
Is it possible? Or is there another way to achieve the same result?

Thanks
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Torch results to variable

Fri Sep 10, 2021 12:18 am

Use a firewall rule that logs the attempt...

Or better, use firewall rules to prevent his attempts.
 
Arpanet
Member Candidate
Topic Author
Posts: 281
Joined: Sat Aug 24, 2013 8:26 pm

Re: Torch results to variable

Fri Sep 10, 2021 1:39 am

Thanks, can I have a hint?
Such as chain forward and dst-port, for example 22?
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Torch results to variable

Fri Sep 10, 2021 1:51 am

Yes, for log or for DROP it is the same:

a firewall filter rule on forward, src interface = ether1, protocol tcp, dst-port 22,8291
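The rule described above written out as RouterOS configuration, added here as an example and not posted by anyone in the thread. It assumes the customer-facing interface is called ether1 and uses an address list named outgoing_mgmt_attempts (both names chosen for this example). The second part is a small script that gives the "result in a variable" the original question asked for, by counting the recorded sources instead of parsing torch output.

```routeros
# Added example, not code from the thread. Matches new TCP connections from the
# customer-facing interface to ports 22 and 8291 in the forward chain, logs them
# and records the source address. Assumptions: interface "ether1", list name
# "outgoing_mgmt_attempts".
/ip firewall filter
add chain=forward in-interface=ether1 protocol=tcp dst-port=22,8291 \
    connection-state=new action=add-src-to-address-list \
    address-list=outgoing_mgmt_attempts address-list-timeout=1d \
    log=yes log-prefix="OUT-MGMT-ATTEMPT" \
    comment="log outbound ssh/winbox attempts and record the source"
# add-src-to-address-list is a pass-through action: the packet continues to the
# following rules and is still accepted for now. Once the behaviour is confirmed,
# a drop rule placed directly after it blocks the traffic:
# add chain=forward in-interface=ether1 protocol=tcp dst-port=22,8291 \
#     src-address-list=outgoing_mgmt_attempts action=drop

# Script part (assumed name "check-outgoing-mgmt"). Save it under /system script
# and run it periodically, for example:
# /system scheduler add name=check-outgoing-mgmt interval=5m \
#     on-event=check-outgoing-mgmt
:local ids [/ip firewall address-list find list=outgoing_mgmt_attempts]
:local hits [:len $ids]
:if ($hits > 0) do={
    /log warning ("Outgoing ssh/winbox attempts recorded from " . $hits . " source(s)")
    :foreach i in=$ids do={
        :local src [/ip firewall address-list get $i address]
        /log info ("outgoing ssh/winbox attempt from " . $src)
    }
}
```

Rule order matters: the logging rule must sit before any generic accept for established/related or forward traffic, otherwise the attempt is never seen. The address-list timeout (1d here) decides how long a source stays visible to the script after its last attempt.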
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Torch results to variable

Fri Sep 10, 2021 1:15 pm

It seems that you are not addressing the real problem.

Do not allow any access to your router using SSH or Winbox. Always use VPN, and if VPN cannot be used, follow these rules.

1. Use another port than the default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use an access list to prevent any random internet host from accessing your router.
5. Log everything. (See my signature for an example.)
6. Upgrade firmware to the latest stable release.
7. ++++
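Steps 1, 2, 4 and 5 of the list above as one RouterOS configuration, added here as an example and not posted by anyone in the thread. The SSH port 2222, the knock ports 1000 and 2000, the LAN interface name bridge-lan and the address-list names are placeholders chosen for this example.

```routeros
# Added example, not code from the thread. Placeholders: ssh port 2222,
# knock ports 1000/2000, LAN interface "bridge-lan", lists "knock_stage1"
# and "mgmt_allowed".

# 1) non-default port for SSH; unused plaintext services switched off
/ip service
set ssh port=2222
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

/ip firewall filter
# 2) two-stage port knocking: a source that hits 1000 and then 2000 within
#    10 seconds is allowed to reach management ports for 30 minutes
add chain=input protocol=tcp dst-port=1000 action=add-src-to-address-list \
    address-list=knock_stage1 address-list-timeout=10s comment="knock stage 1"
add chain=input protocol=tcp dst-port=2000 src-address-list=knock_stage1 \
    action=add-src-to-address-list address-list=mgmt_allowed \
    address-list-timeout=30m comment="knock stage 2 -> management allowed"
# 4) access list: management only from the LAN or from knocked sources
add chain=input in-interface=bridge-lan protocol=tcp dst-port=2222,8291 \
    action=accept comment="management from LAN"
add chain=input src-address-list=mgmt_allowed protocol=tcp dst-port=2222,8291 \
    action=accept comment="management from knocked sources"
# 5) everything else that reaches the management ports is logged and dropped
add chain=input protocol=tcp dst-port=2222,8291 action=drop log=yes \
    log-prefix="MGMT-DENIED" comment="log and drop other management attempts"
```

These rules need to be placed above any generic input drop rule, and the knocking rules above the accept rules, since the filter chain is evaluated top down. Step 3 (password) and step 6 (upgrade) are operational tasks rather than configuration lines and are not shown.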
 
Arpanet
Member Candidate
Topic Author
Posts: 281
Joined: Sat Aug 24, 2013 8:26 pm

Re: Torch results to variable

Fri Sep 10, 2021 1:20 pm

Yes, thanks. I already know those security suggestions.

The question is about how to log that, not how to secure.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Torch results to variable

Fri Sep 10, 2021 5:22 pm

Just seeing that someone reaches your system at port 8291 or port 22 raises all red flags.

As others write, add a filter rule for those ports and add logging.

If you would like to use a good logging system, see my signature on how to use MikroTik with Splunk to show all logging.
 
Arpanet
Member Candidate
Topic Author
Posts: 281
Joined: Sat Aug 24, 2013 8:26 pm

Re: Torch results to variable

Fri Sep 10, 2021 7:35 pm

> Just seeing that someone reaches your system at port 8291 or port 22 raises all red flags.
>
> As others write, add a filter rule for those ports and add logging.
>
> If you would like to use a good logging system, see my signature on how to use MikroTik with Splunk to show all logging.

In my opinion, allowing SSH only from inside the LAN or "seeing" others' IPs is not a security issue. I use port knocking when I need to access from outside the network.
I personally suggest using a very strong password first.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Torch results to variable

Fri Sep 10, 2021 11:03 pm

You only need to add a firewall filter rule (in input or forward, depending on what you are after) that will log the traffic; then you can still accept it for now and later see if you would want to change it to block.
It is likely that your customer does not have such good hacking skills, but rather he has bad security skills and his router has been hacked and is now trying to find new victims.
Of course it depends on your service relation with customers whether you need to do anything about that. When you manage their routers, you are in trouble.
 
Arpanet
Member Candidate
Topic Author
Posts: 281
Joined: Sat Aug 24, 2013 8:26 pm

Re: Torch results to variable

Sat Sep 11, 2021 3:29 pm

What about this?
/ip firewall filter
add action=add-src-to-address-list address-list=outgoing_ssh_attempts address-list-timeout=\
    4w2d chain=forward dst-port=22 in-interface=LAN protocol=tcp
