TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 2:37 pm

Hi everyone,

So I think I have (or had) malware on my network on some device.

I can see on my FreePBX phone server a pile of failed logins at 11:09 April 19.

Now when I logged into Winbox today and opened the terminal (I was going to do some VLAN stuff) I see it pops up and showed several failed login attempts for mikrotik router.

apr/19/2023 11:08:28 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:29 system,error,critical login failure for user guest from 192.168.88.34 via ftp
apr/19/2023 11:08:30 system,error,critical login failure for user root from 192.168.88.34 via ftp
apr/19/2023 11:08:31 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:33 system,error,critical login failure for user root from 192.168.88.34 via ftp
apr/19/2023 11:08:34 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:35 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/20/2023 10:16:47 system,error,critical login failure for user admin from 192.168.88.250 via winbox

On my FreePBX server you can type a command and see all previous login attempts. Is there a command you can type which lets you see this on Mikrotik? It seems to have the logs, given that it printed them on the terminal when I started up Winbox.

Thank you.

EDIT: The last entry (IP address 192.168.88.250) was me I think, but all the 192.168.88.34 ftp attempts were not. And yes I have changed the admin account to a new named one, 'admin' is disabled now
Last edited by TheLorc on Wed Apr 26, 2023 2:39 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 2:38 pm

/log print
Last edited by rextended on Fri Jun 30, 2023 4:57 pm, edited 3 times in total.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 2:40 pm

> /log print

Thank you rex, do you know is there any way for it to go back even further? I typed that but the terminal seems to run out of space and so it only shows as far back as yesterday. Or maybe that's all that is stored in its memory?

Seems like it has run out of space I think. The last log was April 25. I will have to set up a method of saving the logs automatically in the future.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 2:48 pm

Paste this on router:

Add /flash before "/seclog" if your device has flash, or you lose the logs on reboot.

/system logging action
add disk-file-count=10 name=SaveToDisk target=disk disk-file-name=/seclog
/system logging
add action=SaveToDisk prefix=SEC topics=system,error,critical

You can't go back because the log is limited to 1000 lines, but with this "addon" your last 10.000 lines are saved on disk, and in future you can see further back.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 2:51 pm

You can increase the line limit per log file, I use 4096 without any problem.

Ideally these log files are written to disk, even better external disk.
You could also use an external syslog server where all log lines are being sent to (and then you can do what you want).
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 2:55 pm

Hi Rex,

This seems to be what I am getting.
I don't think I have ever entered a command like this before for it to return 'such file name already exists' but it appears I have possibly?

[XXXX@MikroTik] /system/logging> /system logging action
[XXXX@MikroTik] /system/logging/action> add disk-file-count=10 name=SaveToDisk target=disk
failure: disk action with such file name already exists
[XXXX@MikroTik] /system/logging/action> /system logging
[XXXX@MikroTik] /system/logging> add action=SaveToDisk prefix=SEC topics=system,error,critical
input does not match any value of action

Do you know should I change 'SaveToDisk' to a different name in both commands?
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 2:58 pm

> Paste this on router:
>
> Add /flash before "/seclog" if your device has flash, or you lose the logs on reboot.
> /system logging action
> add disk-file-count=10 name=SaveToDisk target=disk disk-file-name=/seclog
> /system logging
> add action=SaveToDisk prefix=SEC topics=system,error,critical
> You can't go back because the log is limited to 1000 lines, but with this "addon" your last 10.000 lines are saved on disk, and in future you can see further back.

How do I know if my router has 'flash'?
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 3:00 pm

> You can increase the line limit per log file, I use 4096 without any problem.
>
> Ideally these log files are written to disk, even better external disk.
> You could also use an external syslog server where all log lines are being sent to (and then you can do what you want).

Thanks. I will definitely set this up so it saves the logs to a separate hard drive with large storage space (few hundred GB or something) so that I can see all the logs going back. I didn't really know how useful the logs were until now
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 3:07 pm

> How do I know if my router has 'flash'?

Check twice what you paste, something was lost in the meantime...
after target=disk there is disk-file-name=/seclog

Paste this on terminal: if you obtain 1, it is Flash; if 0, it is NAND.

:put [:len [/file find where name="flash" and type="disk"]]

After you connect the external disk, just change from (/flash)/seclog to /disk_name_here/seclog on winbox/webfig and you can increase the file number from 10 to what you want.
Do not exceed lines per log, it consumes router memory, better have more files.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 3:41 pm

> Do not exceed lines per log, it consumes router memory, better have more files.

I don't care with 1Gb on RB5009 :lol:

But yes, valid comment on device with more restricted memory.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 3:49 pm

> > How do I know if my router has 'flash'?
>
> Check twice what you paste, something was lost in the meantime...
> after target=disk there is disk-file-name=/seclog
>
> Paste this on terminal: if you obtain 1, it is Flash; if 0, it is NAND.
> :put [:len [/file find where name="flash" and type="disk"]]
> After you connect the external disk, just change from (/flash)/seclog to /disk_name_here/seclog on winbox/webfig and you can increase the file number from 10 to what you want.
> Do not exceed lines per log, it consumes router memory, better have more files.

Thank you.

I obtained a 0 so therefore it must be NAND.

I also properly entered the commands with disk-file-name=/seclog included.

So now my log file will have 10,000 lines instead of 1000? Does this include when you go to Log via the Winbox menu as opposed to typing it in /log print?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 3:56 pm

It is the same, 1000 per log file, but if you have 10 logs, that is 10.000 lines in total.
To see old logs, open old files.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 3:58 pm

Only thing you need to take into account when using winbox, is setting buffer to disk (Log - right upper field), otherwise you will see double entries (for those entries also being kept in memory).
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 4:05 pm

So now that I have this 'save to disk' command entered, it will save logs to disk. Instead of memory. I assume that means the Mikrotik has a disk / hard drive storage space on it as well as RAM and we are saving to the hard drive now instead of the RAM?

Rex I am not sure what you mean by 'to see old logs check old files'

All I can currently see is /log print or go to Winbox -> Log -> only logs shown are Memory logs. When I select 'save to disk' in the top right it is empty.

edit: Nevermind, it is working. It is just only saving certain logs.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 4:18 pm

What does it mean that they are trying to log in via FTP?

All the failed logins were via FTP.

I only know two ways to access Mikrotik router, with winbox, or with web access. What does it mean they are accessing it with FTP? How do you access mikrotik with FTP?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 4:24 pm

paste the result of this command on forum:
/ip service export verbose

remove serial number and public IP, if any, but do not remove any other line
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 4:29 pm

> paste the result of this command on forum:
> /ip service export verbose
>
> remove serial number and public IP, if any, but do not remove any other line

# apr/26/2023 14:26:20 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = XXXXXXXXXXXXX
/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any vrf=main

 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 4:30 pm

Most likely some bot or service on your network trying to scan or even get in.
Some reported this behavior from a virus scanner doing this scanning on the network.

Your FTP service is enabled so a possible entry point.
If not needed, disable.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 4:32 pm

Ahhhhhhh........ all service open......

If you use only winbox and webfig, paste this to close all the open services (to the world?)
(www-ssl on https is useless if you do not have any cert)

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
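
An added example (not from rextended or MikroTik): a Python audit over the `/ip service export verbose` output posted above, listing enabled cleartext services and services with an empty `address` allow-list, before and after the `disabled=yes` commands. The function names and finding labels are this example's own.

```python
import shlex

# Export as posted in the thread (comment header omitted).
EXPORT = '''/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any vrf=main
'''

# The commands suggested in the reply above.
HARDENING = '''/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
'''

# Services whose logins cross the network unencrypted.
CLEARTEXT = {"telnet", "ftp", "www", "api"}


def parse_services(text, base=None):
    """Parse 'set <service> key=value ...' lines under /ip service.

    `base` is an earlier parse result to update (it is copied, not mutated),
    so a second script can be applied on top of an export.
    """
    services = {name: dict(props) for name, props in (base or {}).items()}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            in_section = line == "/ip service"
            continue
        if not in_section or not line.startswith("set "):
            continue
        tokens = shlex.split(line)  # address="" becomes the token "address="
        props = dict(t.split("=", 1) for t in tokens[2:])
        services.setdefault(tokens[1], {}).update(props)
    return services


def audit(services):
    """Return (service, finding) pairs for services exported as disabled=no."""
    findings = []
    for name, props in services.items():
        if props.get("disabled") != "no":
            continue
        if name in CLEARTEXT:
            findings.append((name, "enabled cleartext service"))
        if not props.get("address"):
            findings.append((name, "no address restriction"))
    return findings


if __name__ == "__main__":
    before = parse_services(EXPORT)
    after = parse_services(HARDENING, base=before)
    for label, state in (("before", before), ("after", after)):
        print(label)
        for name, finding in audit(state):
            print(f"  {name}: {finding}")
```

After the suggested commands the remaining findings are `www` (plain HTTP) and `winbox`, both still with an empty `address` list in the service settings.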
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 5:23 pm

I have a script that parses the log looking for logins, and failed logins since the last time the script ran. If it finds any, it sends me an E-Mail. The script is scheduled to run every minute. I did not write the original script - just tweaked it for my purposes. If you want that script, just ask and I will post it.
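
An added example, not k6ccc's script and not part of any post: a Python pass over saved log text that extracts `login failure` lines in the format shown in the first post and groups them into bursts per source address and service. The burst thresholds (`max_gap_s`, `min_events`) and the last sample line are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# First eight lines: from the opening post. Last line: constructed.
SAMPLE_LOG = """\
apr/19/2023 11:08:28 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:29 system,error,critical login failure for user guest from 192.168.88.34 via ftp
apr/19/2023 11:08:30 system,error,critical login failure for user root from 192.168.88.34 via ftp
apr/19/2023 11:08:31 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:33 system,error,critical login failure for user root from 192.168.88.34 via ftp
apr/19/2023 11:08:34 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:35 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/20/2023 10:16:47 system,error,critical login failure for user admin from 192.168.88.250 via winbox
apr/20/2023 10:17:02 system,info,account user example logged in from 192.168.88.250 via winbox
"""

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}
# The lazy ".*?" skips anything between topics and message, e.g. a logging prefix.
LINE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2})/(?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<topics>\S+) .*?"
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)\s*$"
)


def parse_failures(text):
    """Return one dict per 'login failure' line; all other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["mon"] not in MONTHS:
            continue
        h, mi, s = map(int, m["time"].split(":"))
        ts = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]), h, mi, s)
        events.append({"ts": ts, "user": m["user"],
                       "src": m["src"], "service": m["svc"]})
    return events


def find_bursts(events, max_gap_s=5, min_events=5):
    """Group failures per (source, service) into runs whose consecutive events
    are at most max_gap_s apart; report runs with at least min_events."""
    streams = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        streams[(e["src"], e["service"])].append(e)
    bursts = []
    for (src, service), evs in streams.items():
        run = [evs[0]]
        for e in evs[1:] + [None]:  # trailing None flushes the last run
            if e and (e["ts"] - run[-1]["ts"]).total_seconds() <= max_gap_s:
                run.append(e)
                continue
            if len(run) >= min_events:
                bursts.append({"src": src, "service": service, "count": len(run),
                               "users": sorted({x["user"] for x in run}),
                               "start": run[0]["ts"], "end": run[-1]["ts"]})
            run = [e]
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_failures(SAMPLE_LOG)):
        print(f'{b["src"]} via {b["service"]}: {b["count"]} failures, '
              f'users {b["users"]}, {b["start"]} to {b["end"]}')
```

On the sample, the seven FTP failures from 192.168.88.34 form one burst cycling through admin, guest and root, while the single winbox failure from 192.168.88.250 is not reported.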
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Wed Apr 26, 2023 5:29 pm

> Most likely some bot or service on your network trying to scan or even get in.
> Some reported this behavior from a virus scanner doing this scanning on the network.
>
> Your FTP service is enabled so a possible entry point.
> If not needed, disable.

It also tried to log into my phone server via SSH. This is the only two things I can find it's tried to log into, however other devices on my network don't have logs of failed logins, it's probably tried to log into everything.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 2:06 pm

> Most likely some bot or service on your network trying to scan or even get in.
> Some reported this behavior from a virus scanner doing this scanning on the network.
>
> Your FTP service is enabled so a possible entry point.
> If not needed, disable.

Wait, so this behaviour could be an anti virus scanning the network?

I am trying to figure out how this went on. If you know, how does one attempt to access mikrotik router via ftp? I know how to access with web, and I know winbox. One you use chrome and one you download winbox. But how do you access it with ftp? Is it like an ftp client?
 
karlisi
Member
Posts: 433
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 3:08 pm

> Wait, so this behaviour could be an anti virus scanning the network?

Yes. The same experience from other Mikrotik user viewtopic.php?p=988766&#p988766
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 4:34 pm

> You can increase the line limit per log file, I use 4096 without any problem.

This can be large if you wish .....
Sending all important logs to the hEX with DUDE. DUDE has the syslog function built in.
Filtered DUDElog is written to disk via the log system of the hEX

Here external disk, because of volume and many rewrites.
Rolling set of 900 files with 32000 lines each.
32000 limit, as practical limit, because consultation is via files download over 4G connection.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 7:11 pm

> > Wait, so this behaviour could be an anti virus scanning the network?
>
> Yes. The same experience from other Mikrotik user viewtopic.php?p=988766&#p988766

Thanks. After I saw what holvoe said I thought I would investigate a bit more. I ran two AVG scans on a certain computer which was showing up as trying to log into the server. At that exact time my FreePBX server had a large number of bruteforce attempts on it.

Mikrotik did not seem to, however I think this is because I followed rextended's advice of blocking all protocols except for Winbox and web.

So it seems AVG was the problem. It caused me a lot of problems because I also actually got hacked this week on my own PC lol, so I thought it was related but I don't think it was.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 7:43 pm

> > You can increase the line limit per log file, I use 4096 without any problem.
>
> This can be large if you wish .....
> Sending all important logs to the hEX with DUDE. DUDE has the syslog function built in.
> Filtered DUDElog is written to disk via the log system of the hEX
>
> Here external disk, because of volume and many rewrites.
> Rolling set of 900 files with 32000 lines each.
> 32000 limit, as practical limit, because consultation is via files download over 4G connection.

I am sort of clueless as to how you log files on a separate HDD. I assume this is what you're doing? So like the storage space on the Mikrotik is very small, so you connect a hard drive to it, and store the logs on that hard drive? Is that what you're doing? How do you connect the hard drive to the MT Router?
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 7:49 pm

Syslog can be network service on whatever ( virtual machine, raspberry pi, Linux computer, ...).

I use USB drive on RB5009 as external disk, also did this on Hex.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 7:57 pm

> Syslog can be network service on whatever ( virtual machine, raspberry pi, Linux computer, ...).
>
> I use USB drive on RB5009 as external disk, also did this on Hex.

So you plugged a USB drive into your router?

Do all routers come with a USB port on them? I don't think my router (RB2011iL) has one, but it might
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 7:59 pm

No, not all do.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 8:00 pm

> No, not all do.

I don't think my router RB2011iL has one. No mention of it in the data sheet or manual and I can't ever remember seeing one on it. So I will have to find a different way
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Is there a way to see all previous failed logins on Winbox?

Fri Apr 28, 2023 9:51 pm

No USB, or microSD slot as in the hEX ... was a problem for extra disk... but now there is the new ROSE

https://help.mikrotik.com/docs/display/ROS/ROSE-storage

NFS mount, SMB client, iSCSI (SAN) disk ... network connected storage, both as initiator (client) and host !

NVMe over TCP is new to me.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Is there a way to see all previous failed logins on Winbox?

Sat Apr 29, 2023 12:06 pm

If used correctly, NVMe/TCP (poor man's RDMA) is normally very efficient in terms of latency and throughput compared to eg SCSI.
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: Is there a way to see all previous failed logins on Winbox?

Sat May 20, 2023 9:36 pm

Hi everyone.

Would it be possible to view the log entries that were in the log prior to a power outage?
Unfortunately some RBs are not under UPS and there won't be a chance to get them.

On these, when the power fails, all the registry entries prior to the power failure disappear....

Is it possible to retrieve and view them somehow?

Thanx
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Is there a way to see all previous failed logins on Winbox?

Sat May 20, 2023 9:55 pm

Logging to actions "echo" and "memory" ... are gone after power failure or reset/restart.
Logging to actions "disk" and "remote" are still available. ( "disk" is to the flash or other added storage, like USB stick.) ("remote" requires a syslog server, like the one in DUDE)
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: Is there a way to see all previous failed logins on Winbox?

Sat May 20, 2023 10:21 pm

So in a nutshell (since I'm no expert) you are telling me that they are irretrievably lost.

So if, for the next time, I want to save this data, should I use DUDE or an external USB stick?

Could you kindly post me some links describing the detailed procedure to use these tools?
Unfortunately I'm not very fond of the command line and I don't know where to start.

Thank you
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Is there a way to see all previous failed logins on Winbox?

Sat May 20, 2023 10:45 pm

That's the second (stronger) option, to send it with "remote" to a SYSLOG like Dude.
Changing logging from action "echo" or "memory" to "disk" would put those logs in the flash file specified, which survives reboots and resets.
You may want to only send some "topics" to flash. All is done in winbox or webfig, no command line needed.

The example for DUDE is above viewtopic.php?t=195694#p999017 , where "dudelog" action is just some "disk" action in logging for the topic 'dude'.

("dudelog" is just using the local logging system to store the received logs (which have topic "dude") in permanent storage.)
There is no need for syslog function like in dude or the "remote" action to send it, if you just want to store it locally, in flash or USB drive. Just use "disk" as action.

Just a warning: 'flash' has a limited number of writes before it wears out and fails. Even if that limit is a few million times, if you have 100 lines per second, it will be at the limit rather fast.
(That's the reason for the USB-stick (similar limits apply!) or USB disk drive) viewtopic.php?t=52789#p272493
