Hello,

I just started using mikrotik recently, when i login to my router, i keep getting this

"apr/18/2019 06:04:07 system,error,critical login failure for user applmgr from 192.169.217.183 via ssh
apr/18/2019 06:04:16 system,error,critical login failure for user support from 103.99.3.201 via ssh
apr/18/2019 06:04:18 system,error,critical login failure for user support from 103.99.3.201 via ssh
apr/18/2019 06:07:14 system,error,critical login failure for user openstack from 165.227.53.51 via ssh
apr/18/2019 06:07:36 system,error,critical login failure for user pi from 217.241.30.150 via ssh
apr/18/2019 06:07:36 system,error,critical login failure for user pi from 217.241.30.150 via ssh


What could be happening...whats the course and how can i stop it.

It seems that you have SSH open to access the router from the outside.
So anyone who tries port tcp/22 will be logged if they have wrong password.

BUT this is some you should not do. Do not open your router Winbox/SSH/Telnet/Web for admin access on outside.

If you need to use SSH from the outside you do not have many option.

1. VPN (best option)

2. Open SSH but:
a. change to other port than 22
b. set an access list to reduce who can access it
c. use port knocking (google it)
d. setup some monitoring. example getting email every time some logs inn
e. create a new user and remove admin user
f. use a very strong password
g. +++

You may use firewall rules to prevent login brute-force: https://wiki.mikrotik.com/wiki/Brutefor ... prevention

With the wiki.. on the : address-list=ssh_blacklist : do we need to create somewhere the ssh_blacklist ? or it will be creating a log or something like that.. ?

And do we just add those action in the firewall filter just before the : :
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

and is just this one can do the same :
add action=drop chain=forward in-interface=bridge1 src-address=!192.168.0.0/24 comment="Drop all that do not match LAN IP"

So with this, can it then make the service port ssh and other less problematic and be leave on .. as only being possible to log via lan ip.?

Thanks

It seems that you have SSH open to access the router from the outside.
So anyone who tries port tcp/22 will be logged if they have wrong password.

BUT this is some you should not do. Do not open your router Winbox/SSH/Telnet/Web for admin access on outside.

If you need to use SSH from the outside you do not have many option.

1. VPN (best option)

2. Open SSH but:
a. change to other port than 22
b. set an access list to reduce who can access it
c. use port knocking (google it)
d. setup some monitoring. example getting email every time some logs inn
e. create a new user and remove admin user
f. use a very strong password
g. +++

i have recent problem..
someone/thing tried to login via winbox but from the router IP itself (172.26.0.1) pics attached..
please, need help..
thank you..

Hopefully, you have already disabled the admin password and only use a trusted one you created. As noted, you should set up access so that only IP addresses from within your LAN can use winbox or HTTP to the router.

i have recent problem..
someone/thing tried to login via winbox but from the router IP itself (172.26.0.1) pics attached..
please, need help..
thank you..

this looks more like TheDude ... Probably added the device and now its trying to log in (enabled by default). find the device and uncheck "router OS" option in the details page.

I had the same symptoms of trying to access hapac2 from local on my windows 10 computer.

I assume that these accesses are from antivirus software to check for vulnerabilities.
Which antivirus software do you use?
I am using the free version of Avast.