ilxans
just joined
Topic Author
Posts: 3
Joined: Tue Feb 23, 2021 7:18 am

help please

Tue Feb 23, 2021 7:21 am

Please help. What is it? And what should I do?
 
erlinden
Long time Member
Posts: 698
Joined: Wed Jun 12, 2013 1:59 pm

Re: help please

Tue Feb 23, 2021 9:22 am

I read port 25 and 587, looks like someone/something is trying to connect to it. Do you have a mail server behind the router? Unfortunately your screenshot isn't showing the source IP address clearly, therefore I can't say who is doing this.

If you are not running a mail server, you might want to block this IP. But looking at the dstnat it looks like a port forward (that is logging). Turning off logging is the easiest way to solve it.
First the problem, then the solution
 
erkexzcx
Member Candidate
Posts: 177
Joined: Mon Oct 07, 2019 11:42 pm

Re: help please

Tue Feb 23, 2021 10:12 am

There is something you can do:)
  • Whitelist access for your specific IPs. That's what firewalls are for, not just logging.
  • Auto add such attempts to "address-list" and drop such connections from recorded address-list in "/ip raw"
  • Disable logging and forget.
 
erlinden
Long time Member
Posts: 698
Joined: Wed Jun 12, 2013 1:59 pm

Re: help please

Tue Feb 23, 2021 12:00 pm

Though I fully agree, erkexzcx, first we have to know if this is unwanted.
 
mkx
Forum Guru
Posts: 5434
Joined: Thu Mar 03, 2016 10:23 pm

Re: help please

Tue Feb 23, 2021 1:16 pm

It seems to be a whole /24 subnet of source addresses: 45.142.120.0/24 ... and occasionally some other src-address ... if this is the gateway to a typical home network, then the dst-ports are suspicious: plain server-to-server SMTP (TCP port 25) and SMTP submission (TCP 587). If OP is not running some kind of public email service then he should block these ports (without logging, so as not to clobber the log).
BR,
Metod
 
ilxans
just joined
Topic Author
Posts: 3
Joined: Tue Feb 23, 2021 7:18 am

Re: help please

Tue Feb 23, 2021 3:33 pm

> I read port 25 and 587, looks like someone/something is trying to connect to it. Do you have a mail server behind the router? Unfortunately your screenshot isn't showing the source IP address clearly, therefore I can't say who is doing this.
>
> If you are not running a mail server, you might want to block this IP. But looking at the dstnat it looks like a port forward (that is logging). Turning off logging is the easiest way to solve it.

Yes, I am using a Kerio Connect mail server behind the router. Thanks for the answer. But why are there different ports in the source IP address? Like 50178, 14120, 58546, 10858, 64548 and so on, every time different ports. Please look after source IP 45.142.120.xx
 
mkx
Forum Guru
Posts: 5434
Joined: Thu Mar 03, 2016 10:23 pm

Re: help please

Tue Feb 23, 2021 3:40 pm

Port numbers are always the same on the server's side (and are standard/well known). Port numbers on the clients' side (source port in your case) are random and different each time, this is completely normal. What makes things suspicious is the number of clients connecting from the same IP subnet, sometimes it indicates some DoS attack or attempts to abuse the service. However if you're running a service intended for clients in that IP subnet, then even this part is just fine.
Last edited by mkx on Tue Feb 23, 2021 3:41 pm, edited 1 time in total.
BR,
Metod
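
Added example, not part of any post in this thread: a short Python script that groups logged connections by source /24 and shows the pattern discussed above, many clients from one subnet with changing source ports against the fixed destination ports 25 and 587. The log lines are constructed and their layout is an assumption; only the `src:port->dst:port` part is parsed, and `summarize` and `busy_subnets` are hypothetical helper names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines. The layout imitates a firewall log entry from a
# logging dstnat rule and is an assumption; only "src:port->dst:port" is parsed.
# Source ports are the ones quoted in the thread; 203.0.113.10 and
# 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """\
dstnat: in:ether1 out:(unknown 0), proto TCP (SYN), 45.142.120.11:50178->203.0.113.10:25, len 60
dstnat: in:ether1 out:(unknown 0), proto TCP (SYN), 45.142.120.37:14120->203.0.113.10:587, len 60
dstnat: in:ether1 out:(unknown 0), proto TCP (SYN), 45.142.120.62:58546->203.0.113.10:25, len 60
dstnat: in:ether1 out:(unknown 0), proto TCP (SYN), 45.142.120.93:10858->203.0.113.10:587, len 60
dstnat: in:ether1 out:(unknown 0), proto TCP (SYN), 45.142.120.11:64548->203.0.113.10:25, len 60
dstnat: in:ether1 out:(unknown 0), proto TCP (SYN), 198.51.100.7:41000->203.0.113.10:25, len 60
"""

FLOW = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def summarize(log_text, prefix_len=24):
    """Group logged connections by source subnet."""
    stats = defaultdict(lambda: {"hits": 0, "hosts": set(),
                                 "src_ports": set(), "dst_ports": set()})
    for line in log_text.splitlines():
        m = FLOW.search(line)
        if not m:
            continue  # not a connection line
        src, sport, _dst, dport = m.groups()
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        entry = stats[str(net)]
        entry["hits"] += 1
        entry["hosts"].add(src)
        entry["src_ports"].add(int(sport))
        entry["dst_ports"].add(int(dport))
    return dict(stats)

def busy_subnets(stats, min_hosts=3):
    """Subnets where at least min_hosts distinct addresses hit the service."""
    return sorted(net for net, e in stats.items() if len(e["hosts"]) >= min_hosts)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for net in busy_subnets(result):
        e = result[net]
        print(net, e["hits"], "hits from", len(e["hosts"]), "hosts;",
              len(e["src_ports"]), "source ports; dst ports", sorted(e["dst_ports"]))
```

A subnet that shows up here with many distinct hosts is the candidate for an address-list entry; a single host with varying source ports is ordinary client behaviour.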
 
anav
Forum Guru
Posts: 6183
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help please

Tue Feb 23, 2021 3:41 pm

/export hide-sensitive file=anynameyouwish

A view of the config may provide some clues.......
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
ilxans
just joined
Topic Author
Posts: 3
Joined: Tue Feb 23, 2021 7:18 am

Re: help please

Tue Feb 23, 2021 3:49 pm

> It seems to be a whole /24 subnet of source addresses: 45.142.120.0/24 ... and occasionally some other src-address ... if this is the gateway to a typical home network, then the dst-ports are suspicious: plain server-to-server SMTP (TCP port 25) and SMTP submission (TCP 587). If OP is not running some kind of public email service then he should block these ports (without logging, so as not to clobber the log).

Thanks. I misunderstood something. Why are the source ports all different but the destination is the same, 25 or 587? And how can I block the whole subnet?
I just created an address list with 45.142.120.0/24, then blocked it with a firewall filter forward rule, but the same log appears.
 
mkx
Forum Guru
Forum Guru
Posts: 5434
Joined: Thu Mar 03, 2016 10:23 pm

Re: help please

Tue Feb 23, 2021 3:54 pm

Filter rules are matched from top to bottom. You want to push your blocking rule high on the list.

I've already explained the ports in my previous post.
BR,
Metod
 
anav
Forum Guru
Posts: 6183
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help please

Tue Feb 23, 2021 5:23 pm

Less frigging with your config please, so that you can take the 10 seconds to post your config.
Trying to pinpoint a grain of sand on a beach is no fun.