There have been constant attempts to log in to my router by the generic user "admin" (which doesn't exist).
My router is nowhere near the edge of the network, but it is accessible from every subnet and currently has no firewall rules. In turn, access to the network is guarded by RADIUS, DHCP is static only, and ARPWATCH notifies through IM, so you actually hear when devices connect. So, the router may be unsecured but it's not exactly not secure, and it's not like you can log in without credentials anyway, which is why when I saw it came from winbox and from that specific user (i.e., the preset user in winbox) I was just going to ignore it.
Then I realized a couple of things: 1. the source of the login attempts is the interfaces of the router itself. I have not set up any tunneling or anything like that, but I haven't set up a lot of stuff so perhaps I'm missing something; and 2. the persistence of it is quite high, 38K attempts in a day or two. Those log entries have to be stored somewhere, don't they? I checked the main disk of my system, it's just .3GB, while the other is a little over 1GB. I don't remember moving the logs' storage, I don't even know if it can be done, so I took it as good news for now.
Any idea where the login attempts come from?