suporteitanet
just joined
Topic Author
Posts: 19
Joined: Fri Sep 20, 2013 4:01 pm

SSH attack

Fri May 30, 2014 2:41 am

Greetings. For the last few days, every time I open the log, I see a list of critical login failures via SSH and telnet, and the source IP belongs to my network. Is it possible someone has copied this IP, placed it in a device and is trying to invade the routerboard?

Sorry for my bad English, but I am worried about this.
Last edited by suporteitanet on Thu Apr 30, 2015 11:24 pm, edited 2 times in total.
 
plisken
Forum Guru
Posts: 2511
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: SSH attack

Fri May 30, 2014 8:52 am

You can block access to SSH, or disable SSH if you don't need it.

Or you can make it so that only your IP address can connect with SSH:

Go to "IP" > "Services"

Double-click on the SSH line

Then enter the IP address of the PC that is allowed to log in with SSH
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: SSH attack

Fri May 30, 2014 10:12 am

I use this solution... Allow a few attempts, then filter the IP.
/ip firewall filter
add action=drop chain=input src-address-list=blacklist

add action=log chain=input connection-state=new dst-port=22 \
    log-prefix="SSH Brute Force Blocked" protocol=tcp src-address-list=ssh_stage3

add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=4w chain=input comment="Block SSH 4th Attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3

add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input comment="Log SSH 3rd Attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2

add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="Log SSH 2nd Attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1

add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="Log SSH 1st Attempt" \
    connection-state=new dst-port=22 protocol=tcp

 
suporteitanet
just joined
Topic Author
Posts: 19
Joined: Fri Sep 20, 2013 4:01 pm

Re: SSH attack

Fri May 30, 2014 2:35 pm

Ty everyone, for the fast response. I will close the topic.
 
Rudios
Forum Veteran
Posts: 977
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: SSH attack

Fri May 30, 2014 4:54 pm

@intrusdave
Why all the lists?
It looks like you are blocking anyway after multiple tries.
Could it be blocked from the start?

Actually, I get it. Upon a successful connection the first time, the source IP is only listed in the stage 1 list.
It only ends up in the blacklist upon multiple failed tries :)
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: SSH attack

Sat May 31, 2014 8:19 am

Exactly. You get 3 attempts, then blocked.
 
servaris
Frequent Visitor
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: SSH attack

Mon Jun 02, 2014 3:46 am

I am no Mikrotik guru, but I would say it is easier to use a different port for SSH. We use a 5-digit port number (the same one, of course) on every one of our servers. Never got broken into. We used PF on the servers (running FreeBSD). Then you can use the firewall rule the person above said to use for the new SSH port. Just not sure if you can block port scans, but I suspect one can do that too.
 
AlexS
Member Candidate
Posts: 282
Joined: Thu Oct 10, 2013 7:21 am

Re: SSH attack

Thu Apr 30, 2015 11:19 pm

Personally, I would use the firewall to limit access to the SSH port from known good locations.

All you need is 4-5 rsyncs, scps and sshs to put yourself on the blacklist.

If you limit it to known good internal IP addresses, and you're on the internet, use a VPN to get inside and then connect outside.

Security by obscurity is not the best.
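To see how IntrusDave's staged address lists behave, and why AlexS says a few scp/rsync sessions in a row can blacklist your own address, here is a small Python model of those rules (an added example, not RouterOS code and not from any poster). It assumes the rules are evaluated top to bottom and that add-src-to-address-list does not stop rule processing, which is why the highest stage is listed first so that one connection advances a source by only one stage; the IP address is a constructed sample.

```python
# Model of the staged address-list rules from the thread (added example).
# Assumptions: rules are evaluated in order, add-src-to-address-list is
# non-terminating, stage entries live 1m and blacklist entries 4w.
STAGE_TIMEOUT = 60                   # address-list-timeout=1m
BLACKLIST_TIMEOUT = 4 * 7 * 86400    # address-list-timeout=4w

# (list the source must already be on, list it is added to, timeout),
# in the same order as the add-src-to-address-list rules in the post.
RULES = [
    ("ssh_stage3", "blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    (None, "ssh_stage1", STAGE_TIMEOUT),
]


class Firewall:
    def __init__(self):
        self.lists = {}  # list name -> {ip: expiry time in seconds}

    def on_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def lists_for(self, ip, now):
        return {n for n in self.lists if self.on_list(n, ip, now)}

    def new_ssh_connection(self, ip, now):
        """Handle the first packet of a new TCP connection to port 22.
        Returns True if the connection cannot succeed: the source was already
        blacklisted (drop rule), or this attempt blacklisted it, so the rest
        of the handshake is dropped (the drop rule matches every state)."""
        if self.on_list("blacklist", ip, now):
            return True
        for required, target, timeout in RULES:
            if required is None or self.on_list(required, ip, now):
                self.lists.setdefault(target, {})[ip] = now + timeout
        return self.on_list("blacklist", ip, now)


def run(attempt_times, ip="198.51.100.7"):  # constructed sample address
    """Replay new SSH connections from ip at the given times (seconds) and
    return (blocked flag per attempt, lists ip is on after the last one)."""
    fw = Firewall()
    blocked = [fw.new_ssh_connection(ip, t) for t in attempt_times]
    return blocked, fw.lists_for(ip, attempt_times[-1])
```

Calling run([0]) shows a single login only reaching ssh_stage1, run([0, 10, 20, 30]) shows the fourth connection within a minute being blacklisted, and run([0, 10, 20, 100]) shows the stages expiring after a minute's pause.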