server acting up.

cylent · Fri Feb 01, 2008 5:27 pm

i am noticing this in my log after adding a few rules from the wiki for firewall filter protection

18:26:05 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 217.145.213.53:1369->82.211.190.34:56392, len 48 
18:26:15 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 77.64.9.67:55709->82.211.190.34:56392, len 48 
18:26:15 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 82.173.78.231:1866->82.211.190.34:135, len 48 
18:26:24 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 82.204.176.30:4123->82.211.190.34:135, len 48 
18:26:33 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:26:35 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:26:38 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:26:42 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:26:44 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:26:46 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:4955->82.211.190.34:56392, len 48 
18:26:50 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 217.145.213.53:1369->82.211.190.34:56392, len 48 
18:26:51 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:26:53 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:27:09 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 82.204.176.30:4123->82.211.190.34:135, len 48 
18:27:12 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:27:14 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:27:51 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:1173->82.211.190.34:56392, len 48 
18:27:54 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:1173->82.211.190.34:56392, len 48 
18:27:57 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 213.178.229.236:63293->82.211.190.34:2233, len 48 
18:27:59 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 87.109.107.92:3038->82.211.190.34:56392, len 48 
18:28:00 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:1173->82.211.190.34:56392, len 48

[/size]

this mac address isnt from my lan or anyone connected to me

now my firewall filters:

Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   ;;; Allow ICMP
     chain=RouterServices action=accept protocol=icmp 

 2   ;;; Allow DHCP
     chain=RouterServices action=accept dst-port=67-68 protocol=udp 

 3   ;;; Allow DNS
     chain=RouterServices action=accept dst-port=53 protocol=udp 

 4   ;;; Allow MAC-Winbox
     chain=RouterServices action=accept dst-port=20561 protocol=udp 

 5   ;;; Allow Winbox
     chain=RouterServices action=accept dst-port=8291 protocol=tcp 

 6   ;;; Allow NTP
     chain=RouterServices action=accept src-port=123 protocol=udp 

 7   ;;; allow ntp server
     chain=RouterServices action=accept dst-port=123 protocol=udp 

 8 X ;;; Allow OSPF
     chain=RouterServices action=accept protocol=ospf 

 9 X ;;; Allow RIP
     chain=RouterServices action=accept src-port=520-521 protocol=udp 

10 X ;;; Allow RIP
     chain=RouterServices action=accept fragment=no psd=21,3s,3,1 src-address-type="" dst-address-type="" src-port=520-521 protocol=tcp 
     time=0s-23h59m,sun,mon,tue,wed,thu,fri,sat 

11   chain=forward action=accept src-address-list=spammer dst-port=25 protocol=tcp 

12   chain=forward action=add-src-to-address-list address-list="" address-list-timeout=0s dst-port=25 protocol=tcp connection-limit=30,32 limit=50,5 

13   ;;; BLOCK SPAMMERS OR INFECTED USERS
     chain=forward action=drop src-address-list=spammer dst-port=25 protocol=tcp 

14   ;;; DETECT and all-list smtp virus or spammer
     chain=forward action=add-src-to-address-list address-list=spammer address-list-timeout=1d24m dst-port=25 protocol=tcp connection-limit=30,32 limit=50,5 

15   ;;; Accept established connections
     chain=input action=accept connection-state=established 

16   ;;; Accept related connections
     chain=input action=accept connection-state=related 

17   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid 

18   ;;; UDP
     chain=input action=accept protocol=udp 

19   ;;; Allow limited pings
     chain=input action=accept protocol=icmp limit=50/5s,2 

20   ;;; Drop excess pings
     chain=input action=drop protocol=icmp 

21   ;;; SSH for secure shell
     chain=input action=accept dst-port=22 protocol=tcp 

22   ;;; winbox
     chain=input action=accept dst-port=8291 protocol=tcp 

23   ;;; From Mikrotikls network
     chain=input action=accept src-address=172.16.0.0/16 

24   ;;; From our private LAN
     chain=input action=accept src-address=172.16.0.0/16 

25   ;;; Log everything else
     chain=input action=log log-prefix="DROP INPUT" 

26   ;;; Drop everything else
     chain=input action=drop 

27   ;;; From Mikrotikls network
     chain=input action=accept src-address=192.168.0.0/16 

28   ;;; From our private LAN
     chain=input action=accept src-address=192.168.0.0/16 

29   ;;; detect and drop port scan connections
     chain=input action=drop psd=21,3s,3,1 protocol=tcp 

30   ;;; suppress DoS attack
     chain=input action=tarpit src-address-list=black_list protocol=tcp connection-limit=3,32 

31   ;;; detect DoS attack
     chain=input action=add-src-to-address-list address-list=black_list address-list-timeout=1d protocol=tcp connection-limit=10,32 

32   ;;; jump to chain ICMP
     chain=input action=jump jump-target=ICMP protocol=icmp 

33   ;;; jump to chain services
     chain=input action=jump jump-target=services 

34   ;;; 0:0 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=0:0-255 protocol=icmp limit=5,5 

35   ;;; 3:3 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=3:3 protocol=icmp limit=5,5 

36   ;;; 3:4 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=3:4 protocol=icmp limit=5,5 

37   ;;; 8:0 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=8:0-255 protocol=icmp limit=5,5 

38   ;;; 11:0 and limit for 5pac/s
     chain=ICMP action=accept icmp-options=11:0-255 protocol=icmp limit=5,5 

39   ;;; Drop everything else
     chain=ICMP action=drop protocol=icmp 

40   ;;; accept localhost
     chain=services action=accept dst-address=127.0.0.1 src-address-list=127.0.0.1 

41   ;;; allow MACwinbox 
     chain=services action=accept dst-port=20561 protocol=udp 

42   ;;; Bandwidth server
     chain=services action=accept dst-port=2000 protocol=tcp 

43   ;;;  MT Discovery Protocol
     chain=services action=accept dst-port=5678 protocol=udp 

44 X ;;; allow SNMP
     chain=services action=accept dst-port=161 protocol=tcp 

45 X ;;; Allow BGP
     chain=services action=accept dst-port=179 protocol=tcp 

46 X ;;; allow BGP
     chain=services action=accept dst-port=5000-5100 protocol=udp 

47 X ;;; Allow NTP
     chain=services action=accept dst-port=123 protocol=udp 

48 X ;;; Allow PPTP
     chain=services action=accept dst-port=1723 protocol=tcp 

49 X ;;; allow PPTP and EoIP
     chain=services action=accept protocol=gre 

50 X ;;; allow DNS request
     chain=services action=accept dst-port=53 protocol=tcp 

51 X ;;; Allow DNS request
     chain=services action=accept dst-port=53 protocol=udp 

52 X ;;; UPnP
     chain=services action=accept dst-port=1900 protocol=udp 

53 X ;;; UPnP
     chain=services action=accept dst-port=2828 protocol=tcp 

54 X ;;; allow DHCP
     chain=services action=accept dst-port=67-68 protocol=udp 

55 X ;;; allow Web Proxy
     chain=services action=accept dst-port=8080 protocol=tcp 

56 X ;;; allow IPIP
     chain=services action=accept protocol=ipencap 

57 X ;;; allow https for Hotspot
     chain=services action=accept dst-port=443 protocol=tcp 

58 X ;;; allow Socks for Hotspot
     chain=services action=accept dst-port=1080 protocol=tcp 

59 X ;;; allow IPSec connections
     chain=services action=accept dst-port=500 protocol=udp 

60 X ;;; allow IPSec
     chain=services action=accept protocol=ipsec-esp 

61 X ;;; allow IPSec
     chain=services action=accept protocol=ipsec-ah 

62 X ;;; allow RIP
     chain=services action=accept dst-port=520-521 protocol=udp 
63 X ;;; allow OSPF
     chain=services action=accept protocol=ospf 

64   chain=services action=return

can someone help me figure out what those log messages are?

Fri Feb 01, 2008 9:11 pm

25 ;;; Log everything else
chain=input action=log log-prefix="DROP INPUT"

As you are logging traffic going to router.
This is router address,
82.211.190.34
Isn't it ?

00:60:43:81:37:61 most likely this MAC-address belongs to your router's gateway.

cylent · Fri Feb 01, 2008 10:53 pm

ya but what is it actually dropping?

ya. that ip is the router.

for example

00:02:52 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 148.122.184.98:1267->82.211.190.34:2093, len 48

that first ip is a foreign ip. why is it dropping its input?

like i said i am noticing the server being sluggish.
is this a cause?

Mon Feb 04, 2008 8:25 am

This traffic is going to router (chain=input).

Actually, it is not dropped, it is just logged with prefix DROP INPUT

25   ;;; Log everything else
     chain=input action=log log-prefix="DROP INPUT"

Log-prefix adds information to log entry,

18:28:00 firewall,info DROP INPUT input: in:IN-NET out:(none), src-mac 00:60:43:81:37:61, proto TCP (SYN), 89.250.245.8:1173->82.211.190.34:56392, len 48

It could be dropped by the rule you have added after log rule,

26   ;;; Drop everything else
     chain=input action=drop

This traffic is being dropped, because it does not match previous rules, that are responsible for traffic that should be send directly TO router.

cylent · Mon Feb 04, 2008 12:15 pm

so in other words, do these filters cause damage or good to the router and LAN?
Keep them ON or off?

Mon Feb 04, 2008 12:16 pm

This filter should not cause any damage to router.
It is just filtering packets, that are going to the router.

dunga · Fri Oct 30, 2009 10:03 am

This is the error i am getting from my router OS when i want to block some worm ports.

[admin@installer] ip firewall filter> add chain=forward protocol=tcp dst-p
ort=135-139, 445, 1434, 4444 action=drop comment="Drop TCP \
\"... Worms" disabled=no
no such argument (445,)
[admin@installer] ip firewall filter> add chain=forward protocol=udp dst-p
ort=135-139,445,1434,4444 action=drop comment="Drop UDP \
\"... Worms" disabled=no
invalid value 139,445,1434,4444 for max, an integer required

I added the following filter to block those ports, for my router os but i get these error messages. how do i go about it.

Plz your assitance is needed.

Chupaka · Sun Nov 01, 2009 1:17 pm

v2.9 doesn't support this, I think. v4.1 - works flawlessly

dunga · Tue Nov 03, 2009 12:45 pm

Are u suggesting for me to add then one after the other, since i cannot add all the firewall at once.

Chupaka · Tue Nov 03, 2009 9:00 pm

yes, in v2.9 you cannot set port range, you need to add one rule per port

dunga · Thu Nov 12, 2009 6:34 pm

(91 messages not shown)
Hello,
Please, i do see the logs when i open a new terminal on my MT box.

How do i stop or block this people from doing this thing cus they are not ip from my source rather from unknown source.

nov/12/2009 16:22:33 system,error,critical login failure for user info from 161.
53.67.193 via ssh
nov/12/2009 16:22:41 system,error,critical login failure for user shop from 161.
53.67.193 via ssh
nov/12/2009 16:22:48 system,error,critical login failure for user sales from 161
.53.67.193 via ssh
nov/12/2009 16:22:54 system,error,critical login failure for user web from 161.5
3.67.193 via ssh
nov/12/2009 16:23:01 system,error,critical login failure for user www from 161.5
3.67.193 via ssh
nov/12/2009 16:23:07 system,error,critical login failure for user wwwrun from 16
1.53.67.193 via ssh
nov/12/2009 16:23:14 system,error,critical login failure for user adam from 161.
53.67.193 via ssh
nov/12/2009 16:23:24 system,error,critical login failure for user stephen from 1
61.53.67.193 via ssh

your help is appreciated

Chupaka · Thu Nov 12, 2009 10:32 pm

http://wiki.mikrotik.com/wiki/Bruteforc ... P_%26_SSH)

dunga · Fri Nov 13, 2009 10:58 am

Chupka, can u help explain to me each script line by line.

Bruteforce login prevention
From MikroTik Wiki
(Redirected from Bruteforce login prevention (FTP & SSH)
Jump to: navigation, search
These are 2 basic scripts I use frequently that are from the forum (written by other users)

allows only 10 FTP login incorrect answers per minute

in /ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

This will prevent a SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

in /ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

server acting up.

server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Re: server acting up.

Who is online