Community discussions

MikroTik App
 
User avatar
deadManN
newbie
Topic Author
Posts: 32
Joined: Thu Jan 21, 2016 9:18 am

look like someone trying to access my router,...

Sat Apr 14, 2018 11:49 pm

[admin@MikroTik] > 
22:45:34 echo: system,error,critical login failure for user service from 177.45.14
9.205 via telnet
[admin@MikroTik] > 
22:45:36 echo: system,error,critical login failure for user ubnt from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:45:41 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
22:45:41 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:45:43 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:45:43 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:45:44 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:45:49 echo: system,error,critical login failure for user ubnt from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:45:49 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:45:50 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:45:51 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:45:52 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:45:53 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:45:57 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:45:58 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:45:59 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:46:01 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:46:01 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:02 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:06 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:08 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:10 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:46:15 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:17 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:46:17 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:18 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:19 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:46:20 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:46:22 echo: system,error,critical login failure for user admin from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:46:24 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:46:24 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:46:26 echo: system,error,critical login failure for user guest from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:46:26 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
22:46:26 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:28 echo: system,error,critical login failure for user Administrator from 177
.45.149.205 via telnet
[admin@MikroTik] > 
22:46:28 echo: system,error,critical login failure for user supervisor from 177.45
.149.205 via telnet
[admin@MikroTik] > 
22:46:30 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:33 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:46:33 echo: system,error,critical login failure for user mother from 181.171.12
8.65 via telnet
[admin@MikroTik] > 
22:46:35 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:46:35 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:46:35 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:36 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:37 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:38 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:46:39 echo: system,error,critical login failure for user guest from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:46:42 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:46:43 echo: system,error,critical login failure for user 888888 from 181.171.12
8.65 via telnet
22:46:43 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:46:44 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:45 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
22:46:45 echo: system,error,critical login failure for user 666666 from 181.171.12
8.65 via telnet
[admin@MikroTik] > 
22:46:46 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:48 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:46:48 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:46:50 echo: system,error,critical login failure for user 666666 from 177.45.149
.205 via telnet
[admin@MikroTik] > 
22:46:52 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:53 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:54 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:55 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
22:46:55 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:46:57 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:46:57 echo: system,error,critical login failure for user guest from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:46:59 echo: system,error,critical login failure for user admin from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:46:59 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:01 echo: system,error,critical login failure for user service from 177.45.14
9.205 via telnet
[admin@MikroTik] > 
22:47:02 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:47:03 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:47:04 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:05 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:06 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:47:08 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:47:09 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:10 echo: system,error,critical login failure for user supervisor from 181.17
1.128.65 via telnet
22:47:11 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:47:11 echo: system,error,critical login failure for user guest from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:47:12 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:47:14 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:15 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:18 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:47:20 echo: system,error,critical login failure for user administrator from 181
.171.128.65 via telnet
[admin@MikroTik] > 
22:47:20 echo: system,error,critical login failure for user 888888 from 177.45.149
.205 via telnet
[admin@MikroTik] > 
22:47:22 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
22:47:22 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:47:22 echo: system,error,critical login failure for user tech from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:24 echo: system,error,critical login failure for user mother from 177.45.149
.205 via telnet
22:47:24 echo: system,error,critical login failure for user administrator from 177
.45.149.205 via telnet
[admin@MikroTik] > 
22:47:26 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:28 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:47:30 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
22:47:30 echo: system,error,critical login failure for user admin from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:47:31 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:47:32 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:32 echo: system,error,critical login failure for user admin from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:47:33 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:34 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:35 echo: system,error,critical login failure for user 666666 from 177.45.149
.205 via telnet
[admin@MikroTik] > 
22:47:38 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:39 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:47:40 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:47:41 echo: system,error,critical login failure for user mother from 177.45.149
.205 via telnet
22:47:41 echo: system,error,critical login failure for user admin1 from 181.171.12
8.65 via telnet
[admin@MikroTik] > 
22:47:42 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:47:43 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
22:47:43 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:45 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:47:47 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:49 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:47:49 echo: system,error,critical login failure for user admin from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:47:51 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
22:47:51 echo: system,error,critical login failure for user ubnt from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:47:53 echo: system,error,critical login failure for user user from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:54 echo: system,error,critical login failure for user admin from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:47:54 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:56 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:57 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:47:59 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:48:00 echo: system,error,critical login failure for user guest from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:48:02 echo: system,error,critical login failure for user admin1 from 177.45.149
.205 via telnet
[admin@MikroTik] > 
22:48:02 echo: system,error,critical login failure for user admin from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:48:04 echo: system,error,critical login failure for user admin from 181.171.128
.65 via telnet
[admin@MikroTik] > 
22:48:08 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:48:09 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:48:10 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:48:11 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:48:11 echo: system,error,critical login failure for user supervisor from 177.45
.149.205 via telnet
[admin@MikroTik] > 
22:48:12 echo: system,error,critical login failure for user Administrator from 177
.45.149.205 via telnet
[admin@MikroTik] > 
22:48:13 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:48:15 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:48:17 echo: system,error,critical login failure for user root from 181.171.128.
65 via telnet
[admin@MikroTik] > 
22:48:18 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
22:48:18 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:48:20 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:48:20 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:48:22 echo: system,error,critical login failure for user admin from 177.45.149.
205 via telnet
[admin@MikroTik] > 
22:48:23 echo: system,error,critical login failure for user root from 177.45.149.2
05 via telnet
[admin@MikroTik] > 
22:48:23 echo: system,error,critical login failure for user Administrator from 181
.171.128.65 via telnet
[admin@MikroTik] > 

AND SO ON....
i wish to block this such user before it find the access code...
 
JB172
Member
Member
Posts: 306
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: look like someone trying to access my router,...  [SOLVED]

Sun Apr 15, 2018 12:16 am

/ip firewall filter
add action=drop chain=input src-address=177.45.149.205
add action=drop chain=input src-address=181.171.128.65
or you can disable Telnet if you don't use it from IP->Services
Last edited by JB172 on Sun Apr 15, 2018 12:33 am, edited 1 time in total.
 
User avatar
jspool
Member
Member
Posts: 422
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: look like someone trying to access my router,...

Sun Apr 15, 2018 12:24 am

Disable unneeded services & properly setup your firewall.

There are many articles that explain the steps. All you have to do is use the search function on this forum or Google it.
Basic setup from https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router



Below example enables only Winbox service.

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
 
User avatar
deadManN
newbie
Topic Author
Posts: 32
Joined: Thu Jan 21, 2016 9:18 am

Re: look like someone trying to access my router,...

Sun Apr 15, 2018 12:43 am

thanks folks, although since i need to access my router from outside, as i'm beginner and there are things that i do not understand i need helps for, i go with filtering unwanted address, till allowing specifics...

BTW both ways are the answers

Disable unneeded services & properly setup your firewall.

There are many articles that explain the steps. All you have to do is use the search function on this forum or Google it.
Basic setup from https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router



Below example enables only Winbox service.

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
if i disable services, can i still access win box from outside? so these services i always were wonder what are, are access service for configuration...
 
User avatar
NyanSparkle
just joined
Posts: 1
Joined: Mon Feb 13, 2017 5:46 am
Location: México
Contact:

Re: look like someone trying to access my router,...

Sun Apr 15, 2018 1:14 am

thanks folks, although since i need to access my router from outside, as i'm beginner and there are things that i do not understand i need helps for, i go with filtering unwanted address, till allowing specifics...

BTW both ways are the answers
if i disable services, can i still access win box from outside? so these services i always were wonder what are, are access service for configuration...
Nope, you can't if you disable all services, otherwise if you only enable Winbox service you can access, i have no problems with Winbox service enabled, the common ports that can be attacked is telnet, ssh, http and ftp.
If you want more security you can enable "Available from" and define the ip can access.


Image


Also, SSH service is for command line config, FTP is similar to SSH but it's insecure, FTP is for accessing routerboard files, HTTP is the webfig like winbox but you can use in your browser, and HTTP is the same that HTTP but is more secure.
 
User avatar
jspool
Member
Member
Posts: 422
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: look like someone trying to access my router,...

Sun Apr 15, 2018 2:08 am

The service is something that is either running or not. If a service is disabled then nothing can connect to the router using that service.

Also the info from JB172 would drop the traffic from the bot or person that is currently attacking your router. However those rules do not protect you router from any other IP's.

Input rules are for traffic to the router. So the idea would be to allow established and related connections and maybe allow pings (ICMP) and drop all other traffic coming in on your WAN interface.

You may choose to allow trusted IP addresses access to Winbox or Webfig etc and you would place those rules above the drop all else rule.
 
Paternot
Forum Veteran
Forum Veteran
Posts: 774
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: look like someone trying to access my router,...

Sun Apr 15, 2018 2:37 am

Don't use telnet through internet. If you want to get to a terminal, use (at least) ssh. Remember to generate the asymmetric keys.

https://wiki.mikrotik.com/wiki/Manual:IP/SSH
 
jaytcsd
Member Candidate
Member Candidate
Posts: 295
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Re: look like someone trying to access my router,...

Sun Apr 15, 2018 6:20 am

Another trick is to change the default port from 8291 to a random one.
Look at port knocking.
https://mum.mikrotik.com/presentations/US10/discher.pdf

https://wiki.mikrotik.com/wiki/Port_Knocking
 
User avatar
deadManN
newbie
Topic Author
Posts: 32
Joined: Thu Jan 21, 2016 9:18 am

Re: look like someone trying to access my router,...

Sun Apr 15, 2018 4:10 pm

thank you every body your tough came handy and useful... i wished i could mark more post as answer
 
User avatar
deadManN
newbie
Topic Author
Posts: 32
Joined: Thu Jan 21, 2016 9:18 am

Re: look like someone trying to access my router,...

Sun Apr 15, 2018 4:50 pm

thanks folks, although since i need to access my router from outside, as i'm beginner and there are things that i do not understand i need helps for, i go with filtering unwanted address, till allowing specifics...

BTW both ways are the answers

Disable unneeded services & properly setup your firewall.

There are many articles that explain the steps. All you have to do is use the search function on this forum or Google it.
Basic setup from https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router



Below example enables only Winbox service.

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
if i disable services, can i still access win box from outside? so these services i always were wonder what are, are access service for configuration...
i tried to modify your solution, so when it want to drop, check for tcp+service ports, but no luck... all those hacker tries came back online...
 
User avatar
jspool
Member
Member
Posts: 422
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: look like someone trying to access my router,...

Sun Apr 15, 2018 7:48 pm

Can you paste your firewall rules? Its hard to help without seeing your rules.
/ip firewall filter export
 
User avatar
deadManN
newbie
Topic Author
Posts: 32
Joined: Thu Jan 21, 2016 9:18 am

Re: look like someone trying to access my router,...

Mon Apr 16, 2018 10:33 pm

Can you paste your firewall rules? Its hard to help without seeing your rules.
/ip firewall filter export
just as she said, the first three were the very begin attacker, but more IP added up...
[admin@MikroTik] > ip firewall filter export
# apr/16/2018 21:03:05 by RouterOS 6.41.3
# software id = X1C0-TFIQ
#
# model = 951G-2HnD
# serial number = 642E05D4D916
/ip firewall filter
add action=drop chain=input src-address=177.45.149.205
add action=drop chain=input src-address=181.171.128.65
add action=drop chain=input src-address=45.120.103.235
add action=accept chain=input comment="default configuratoin" connection-state=\
    established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="Ping Protocol" protocol=icmp
add action=drop chain=input
[admin@MikroTik] > 
 
User avatar
Steveocee
Forum Guru
Forum Guru
Posts: 1127
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: look like someone trying to access my router,...

Tue Apr 17, 2018 4:54 pm

Maybe try something like this for some basic protection? Ensure you edit the $WAN for your WAN interface name though.
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface="$WAN"
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface="$WAN"
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface="$WAN"
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface="$WAN"
add action=accept chain=input comment="Allow expected input sources" src-address-list=allowed_to_router
add action=accept chain=forward comment="ACCEPT dst-nat connections" connection-nat-state=dst-nat in-interface="$WAN"
add action=accept chain=input comment="ACCEPT ICMP" in-interface="$WAN" protocol=icmp
add action=drop chain=forward comment="DROP ALL FROM WAN" in-interface="$WAN"
add action=drop chain=input comment="DROP ALL" in-interface="$WAN"
It is interesting that your drop input rule is not catching the suspicious login attempts.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
User avatar
deadManN
newbie
Topic Author
Posts: 32
Joined: Thu Jan 21, 2016 9:18 am

Re: look like someone trying to access my router,...

Tue Apr 17, 2018 6:09 pm

Maybe try something like this for some basic protection? Ensure you edit the $WAN for your WAN interface name though.
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface="$WAN"
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface="$WAN"
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface="$WAN"
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface="$WAN"
add action=accept chain=input comment="Allow expected input sources" src-address-list=allowed_to_router
add action=accept chain=forward comment="ACCEPT dst-nat connections" connection-nat-state=dst-nat in-interface="$WAN"
add action=accept chain=input comment="ACCEPT ICMP" in-interface="$WAN" protocol=icmp
add action=drop chain=forward comment="DROP ALL FROM WAN" in-interface="$WAN"
add action=drop chain=input comment="DROP ALL" in-interface="$WAN"
It is interesting that your drop input rule is not catching the suspicious login attempts.
does $wan make it hide such as sharining windows? or what?
 
User avatar
Steveocee
Forum Guru
Forum Guru
Posts: 1127
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: look like someone trying to access my router,...

Tue Apr 17, 2018 9:32 pm

$WAN is a placeholder for you to put your own WAN interface name in. It will only apply to traffic coming up your WAN interface.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
User avatar
deadManN
newbie
Topic Author
Posts: 32
Joined: Thu Jan 21, 2016 9:18 am

Re: look like someone trying to access my router,...

Tue Apr 17, 2018 10:54 pm

$WAN is a placeholder for you to put your own WAN interface name in. It will only apply to traffic coming up your WAN interface.
and for exceptions, like WinBox Service, or Port Forwarding ...
add action=accept chain=input comment="ACCEPT ICMP" in-interface="$WAN" protocol=icmp
i should replace this, put service name instead of ICMP? and tcp/port for others? add it up at the same order around this action...?

Who is online

Users browsing this forum: DarkNate, fremaint, Zdravac and 46 guests