teemx
newbie
Topic Author
Posts: 26
Joined: Mon Jun 20, 2005 9:58 am

Security Issue

Thu Mar 09, 2006 9:22 am

I have a few iGates running Version 2.9.14.

I always find "system error critical" "login failure for user root from xxx.xxx.xxx.xxx via ssh" in the log.

What is this and how can I prevent it?
 
cabana
Frequent Visitor
Posts: 71
Joined: Fri Feb 18, 2005 9:18 pm

Thu Mar 09, 2006 9:44 am

I don't think you can say it's a security issue. As soon as you put something on the Internet it will be scrutinised. To prevent what you are seeing in your log, ensure that your passwords are difficult, close port 22 (and 23) or change port 22 to something else... or of course limit port 22 to specific IPs that you use.
 
vklimovs
Frequent Visitor
Posts: 57
Joined: Fri Dec 16, 2005 5:37 pm

Thu Mar 09, 2006 10:45 pm

It is a virus which tries to connect to port 22 of random IPs and uses some predefined login/password combinations to log in. Even if it does, it expects Linux to be there; it knows nothing about MT and MT console commands. But if you are disturbed by this, you may change the ssh port on your box:
/ip service set ssh port=50022
Or you may limit access to ssh, by allowing only internal network:
/ip service set ssh address=192.168.0.0/24
You may do it by firewall also. Good luck!
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Wed Mar 15, 2006 9:55 am

Just an idea:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 limit=1/10s,2 action=accept comment="Accept limited SSH" disabled=no 
add chain=input protocol=tcp dst-port=22 action=drop comment="Drop excess SSH" disabled=no 
 
lastguru
Trainer
Posts: 435
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

Wed Mar 15, 2006 12:28 pm

Well... I do not like that idea, since you will not always be the first one of that one-per-10-seconds... in other words, you may block yourself that way.
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Wed Mar 15, 2006 1:14 pm

OK, I see.
A little improvement might be:
/ip firewall filter 
add chain=input in-interface=<internet> protocol=tcp dst-port=22 limit=1/10s,2 action=accept comment="Accept limited SSH" disabled=no 

add chain=input in-interface=<internet> protocol=tcp dst-port=22 action=add-src-to-address-list address-list="attackers" address-list-timeout=1d comment="Excess SSH to list" 

add chain=input src-address-list="attackers" action=drop comment="Drop attackers" disabled=no
It would be much better if the limit rule could match a particular src-address, but I found only dst-limit in the manual.

BTW, I'm actually using a VPN to connect to the router.
Last edited by mag on Wed Mar 15, 2006 1:25 pm, edited 1 time in total.
 
lastguru
Trainer
Posts: 435
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

Wed Mar 15, 2006 1:24 pm

I hope it will not put you in that list... (it actually might, as you cannot predict timing)
International MikroTik Certified Trainer and Consultant from Latvia.
I do RouterOS Training and Certification worldwide!

skype: lastguru
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Wed Mar 15, 2006 1:33 pm

It did, of course, while testing it ;-)

I don't think that problem can be solved if you try to use ssh from the internet AND avoid ssh attacks at the same time. But I see these attacks mostly at night and tend more and more to use VPN tunnels for management.
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Wed Mar 15, 2006 4:53 pm

You could do tricky things. Like "door-knocking":

If you open a connection to (all examples) port 1234 on your MikroTik, put the source address in an address-list "list_a" (by a firewall rule) with a short timeout of say 15 seconds.

Then if you open a connection to port 2345 on your MikroTik AND your source address already is in address list "list_a", add the source address to address-list "list_b", with a longer timeout (maybe 2 hours).

Then create a firewall rule to only accept SSH sessions from source addresses in address-list "list_b".

To put this as console commands:
/ip firewall filter add chain=input protocol=tcp dst-port=1234 action=add-src-to-address-list address-list=list_a address-list-timeout=15s
/ip firewall filter add chain=input protocol=tcp dst-port=2345 src-address-list=list_a action=add-src-to-address-list address-list=list_b address-list-timeout=2h
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=list_b action=accept

So you would have to telnet to port 1234 from "somewhere on the internet", then to port 2345 during the next 15 seconds and would THEN be granted access to SSH from this source address for the next two hours.

Just an idea. You can come up with really weird usages for address-lists ;)

Best regards,
Christian Meis
 
Freman
Frequent Visitor
Posts: 76
Joined: Thu Jul 01, 2004 8:49 am

Thu Mar 16, 2006 4:05 am

Auto block after 3 new connection attempts in a 5 minute window (give or take).

I use the top one at work when I ssh from home; it very rarely causes me a problem.

The first sample will allow you to protect a gateway machine and all the routable clients behind it.
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage3 action=reject reject-with=tcp-reset comment="Autofirewall SSH - Block/Log" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage2 action=add-src-to-address-list address-list=AutoFirewall-Stage3 address-list-timeout=5m comment="Autofirewall SSH - Stage3" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage1 action=add-src-to-address-list address-list=AutoFirewall-Stage2 address-list-timeout=1m comment="Autofirewall SSH - Stage2" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new action=add-src-to-address-list address-list=AutoFirewall-Stage1 address-list-timeout=1m comment="Autofirewall SSH - Stage1" disabled=no 
/ip firewall filter add chain=input protocol=tcp dst-port=22-23 connection-state=new action=jump jump-target=AutoFirewall comment="" disabled=no 
/ip firewall filter add chain=forward protocol=tcp dst-port=22-23 connection-state=new dst-address-list=ProtectedAddressSpace action=jump jump-target=AutoFirewall comment="" disabled=no 
/ ip firewall address-list add list=ProtectedAddressSpace address=aa.bb.cc.dd/zz comment="" disabled=no 
/ ip firewall address-list add list=ProtectedAddressSpace address=aa.bb.cc.ee/zz comment="" disabled=no 
The second sample will only protect the gateway machine.
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage3 action=reject reject-with=tcp-reset comment="Autofirewall SSH - Block/Log" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage2 action=add-src-to-address-list address-list=AutoFirewall-Stage3 address-list-timeout=5m comment="Autofirewall SSH - Stage3" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new src-address-list=AutoFirewall-Stage1 action=add-src-to-address-list address-list=AutoFirewall-Stage2 address-list-timeout=1m comment="Autofirewall SSH - Stage2" disabled=no 
/ip firewall filter add chain=AutoFirewall protocol=tcp dst-port=22-23 connection-state=new action=add-src-to-address-list address-list=AutoFirewall-Stage1 address-list-timeout=1m comment="Autofirewall SSH - Stage1" disabled=no 
/ip firewall filter add chain=input protocol=tcp dst-port=22-23 connection-state=new action=jump jump-target=AutoFirewall comment="" disabled=no 
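Both address-list mechanisms in this thread, Freman's staged auto-block above and cmit's door-knocking further up, modelled in Python as an added example (this is not RouterOS code and not from any poster). It assumes rules are matched top-down, that add-src-to-address-list does not terminate matching, and that list entries expire exactly at their timeout; the IPs and timings are constructed.

```python
# Constructed model of the address-list firewall logic posted in this thread.
# Lists are keyed by (list name, source IP) and hold an expiry time in seconds.

def in_list(lists, name, src, now):
    exp = lists.get((name, src))
    return exp is not None and now < exp

def evaluate(rules, lists, src, port, now):
    """Verdict for one new TCP connection attempt, walking the rules top-down."""
    for r in rules:
        if port not in r["ports"]:
            continue
        if "src_list" in r and not in_list(lists, r["src_list"], src, now):
            continue
        if r["action"] == "add":                      # assumed non-terminating
            lists[(r["list"], src)] = now + r["timeout"]
        else:
            return r["action"]                        # accept/drop/reject
    return "accept"                                   # fell off the end of the chain

SSH = {22, 23}
# Freman's AutoFirewall: Stage1 (1m) -> Stage2 (1m) -> Stage3 (5m) -> reject.
AUTOFIREWALL = [
    {"ports": SSH, "src_list": "Stage3", "action": "reject"},
    {"ports": SSH, "src_list": "Stage2", "action": "add", "list": "Stage3", "timeout": 300},
    {"ports": SSH, "src_list": "Stage1", "action": "add", "list": "Stage2", "timeout": 60},
    {"ports": SSH, "action": "add", "list": "Stage1", "timeout": 60},
]
# cmit's door-knocking: 1234 then 2345 within 15 s opens SSH for 2 h, else drop.
KNOCK = [
    {"ports": {1234}, "action": "add", "list": "list_a", "timeout": 15},
    {"ports": {2345}, "src_list": "list_a", "action": "add", "list": "list_b", "timeout": 7200},
    {"ports": {22}, "src_list": "list_b", "action": "accept"},
    {"ports": {22}, "action": "drop"},
]

def simulate(rules, attempts):
    """attempts: list of (time_s, src_ip, dst_port); returns one verdict per attempt."""
    lists = {}
    return [evaluate(rules, lists, src, port, t) for t, src, port in attempts]

if __name__ == "__main__":
    burst = [(t, "203.0.113.7", 22) for t in (0, 5, 10, 15)]
    print(simulate(AUTOFIREWALL, burst))           # 3 accepts, then reject
    knock = [(0, "198.51.100.9", 22), (1, "198.51.100.9", 1234),
             (5, "198.51.100.9", 2345), (6, "198.51.100.9", 22)]
    print(simulate(KNOCK, knock))                   # drop, then the knocks open SSH
```

Spacing attempts more than a minute apart never reaches Stage3, which is why a slow manual login rarely trips Freman's rules while a scanner's rapid retries do.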
