benz12445
just joined
Topic Author
Posts: 5
Joined: Fri May 27, 2016 7:02 am

Someone to login my Mikrotik

Fri May 27, 2016 7:24 am

Hi. I'm pretty new to MikroTik devices. I use an RB951Ui-2HnD at my house.
A few days after I finished setting up my MikroTik, I logged in to my device and saw this:
http://postimg.org/image/tzplasuyj/

What should I do? Ignore it or do something?

Thank you
Sorry for my bad English

:o :o :o
 
joegoldman
Forum Veteran
Posts: 775
Joined: Mon May 27, 2013 2:05 am

Re: Someone to login my Mikrotik

Fri May 27, 2016 9:30 am

It's quite normal if you've left the ports open. Actually not heavy at all (I can show you some massive brute force logs)

Best bet is to set up firewalls so people can't access those services from your WAN interface, and if you need to be able to access them, set it up with either a VPN, a whitelist of IPs, or port knocking to allow yourself access remotely.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Someone to login my Mikrotik

Fri May 27, 2016 10:42 am

> What should I do? Ignore it or do something?

Do you have PPPoE for your internet connection?
How did you install it? Following the official manual and the wizard on the start page, or using some guide you found on the internet?

Most guides for setting up PPPoE on MikroTik that you find on the internet are flawed.
They forget to explain how to change the firewall so those external connections are blocked.
You have to go to the IP->Firewall screen and change the DROP rule you find there that has in.interface set to ether1-gateway.
You must change that in.interface to your PPPoE interface.
 
benz12445
just joined
Topic Author
Posts: 5
Joined: Fri May 27, 2016 7:02 am

Re: Someone to login my Mikrotik

Fri May 27, 2016 12:19 pm

> It's quite normal if you've left the ports open. Actually not heavy at all (I can show you some massive brute force logs)
>
> Best bet is to set up firewalls so people can't access those services from your WAN interface, and if you need to be able to access them, set it up with either a VPN, a whitelist of IPs, or port knocking to allow yourself access remotely.

Oh. I don't know anything about firewalls yet, it looks very complicated, but I'll learn it.
Looks like this device has so many features to play with. :D :D

Thank you for your reply.
 
gtblue
just joined
Posts: 8
Joined: Thu May 26, 2016 4:20 am

Re: Someone to login my Mikrotik

Fri May 27, 2016 12:26 pm

Hi benz,

In my opinion, if you don't use the SSH port to log in to your MikroTik, you could just disable the ports you don't need in the MikroTik services: in WinBox go to /ip services and disable the ssh port, so no one can access your router via SSH.
 
benz12445
just joined
Topic Author
Posts: 5
Joined: Fri May 27, 2016 7:02 am

Re: Someone to login my Mikrotik

Fri May 27, 2016 12:35 pm

> What should I do? Ignore it or do something?
> Do you have PPPoE for your internet connection?
> How did you install it? Following the official manual and the wizard on the start page, or using some guide you found on the internet?
>
> Most guides for setting up PPPoE on MikroTik that you find on the internet are flawed.
> They forget to explain how to change the firewall so those external connections are blocked.
> You have to go to the IP->Firewall screen and change the DROP rule you find there that has in.interface set to ether1-gateway.
> You must change that in.interface to your PPPoE interface.

Yeah, I have PPPoE for my internet connection.
I followed many guides on the internet. So I should follow the guides that MikroTik provides on the wiki?
I have basic skills in networking. Should I learn more about it?

Sounds like a lot to learn lol.

btw: I'll try your method; right now there are many people using my internet :) :)

Thank you for your reply.
 
makp
newbie
Posts: 34
Joined: Thu Apr 28, 2016 12:21 pm

Re: Someone to login my Mikrotik

Fri May 27, 2016 1:07 pm

I got the same in my log after setup. I could see from the IPs they were "local" and originated from my ISP, but I stopped services I didn't need and made "stupid" firewall filters that solved the login attempts. I did as you describe, finding a solution for a specific issue, hence making a "stupid" filter :D .

User Zerobyte helped me with a "correct" filter, so my "stupid" but working filter got changed and simplified.

But basically I stopped services I didn't need and have the following firewall filter:
 0    chain=input action=accept connection-state=established,related log=no log-prefix="" 

 1    ;;; Blocked Netflix adresser TV stue
      chain=forward action=drop src-address=192.168.1.201 dst-address-list=Blocked Netflix log=no log-prefix="" 

 2    ;;; Adgang til Router fra Interne IP
      chain=input action=accept src-address-list=Interne_IP log=no log-prefix="" 

 3    ;;; Disable ICMP 
      chain=input action=drop protocol=icmp in-interface=internet icmp-options=8:0-255 log=no log-prefix="" 

 4    ;;; Adgang til swich fra WAN
      chain=forward action=drop dst-address=192.168.1.254 in-interface=internet log=no log-prefix="" 

 5    chain=input action=drop log=yes log-prefix=""
0 and 5 are the basics, 3 disables ICMP/ping from WAN. 1, 2 and 4 are my own madness.

The services:
Flags: X - disabled, I - invalid 
 #   NAME                               PORT ADDRESS                                                              CERTIFICATE                             
 0 XI telnet                               23
 1 XI ftp                                  21
 2 XI www                                  80
 3 XI ssh                                  22
 4 XI www-ssl                             443                                                                          none                                    
 5 XI api                                8728
 6   winbox                             8291 192.168.0.0/24                                                          
                                             192.168.1.0/24                                                          
                                             192.168.2.0/24                                                          
                                             192.168.3.0/24                                                          
 7 XI api-ssl                            8729                                                                          none
And when I look at it, it seems that firewall filter 2 is not needed as I have LAN IPs on the WinBox service; hopefully Zerobyte sees this post and answers :D

And searching for security related to RB I found out that RB routers that have been "hacked" were done in the first 10 minutes of online time if you did not set a password and/or change the std. user.
 
benz12445
just joined
Topic Author
Posts: 5
Joined: Fri May 27, 2016 7:02 am

Re: Someone to login my Mikrotik

Fri May 27, 2016 1:51 pm

> Hi benz,
>
> In my opinion, if you don't use the SSH port to log in to your MikroTik, you could just disable the ports you don't need in the MikroTik services: in WinBox go to /ip services and disable the ssh port, so no one can access your router via SSH.

Ohhh Wowww Huge thanks to you. That's the simplest way for me.
I tried it and it worked. Right now no one is trying to log in to my device, so thanks again.


:D :D :D
 
benz12445
just joined
Topic Author
Posts: 5
Joined: Fri May 27, 2016 7:02 am

Re: Someone to login my Mikrotik

Fri May 27, 2016 2:04 pm

> I got the same in my log after setup. I could see from the IPs they were "local" and originated from my ISP, but I stopped services I didn't need and made "stupid" firewall filters that solved the login attempts. I did as you describe, finding a solution for a specific issue, hence making a "stupid" filter :D .
>
> User Zerobyte helped me with a "correct" filter, so my "stupid" but working filter got changed and simplified.
>
> But basically I stopped services I didn't need and have the following firewall filter:
>  0    chain=input action=accept connection-state=established,related log=no log-prefix=""
>
>  1    ;;; Blocked Netflix adresser TV stue
>       chain=forward action=drop src-address=192.168.1.201 dst-address-list=Blocked Netflix log=no log-prefix=""
>
>  2    ;;; Adgang til Router fra Interne IP
>       chain=input action=accept src-address-list=Interne_IP log=no log-prefix=""
>
>  3    ;;; Disable ICMP
>       chain=input action=drop protocol=icmp in-interface=internet icmp-options=8:0-255 log=no log-prefix=""
>
>  4    ;;; Adgang til swich fra WAN
>       chain=forward action=drop dst-address=192.168.1.254 in-interface=internet log=no log-prefix=""
>
>  5    chain=input action=drop log=yes log-prefix=""
> 0 and 5 are the basics, 3 disables ICMP/ping from WAN. 1, 2 and 4 are my own madness.
>
> The services:
> Flags: X - disabled, I - invalid
>  #   NAME                               PORT ADDRESS                                                              CERTIFICATE
>  0 XI telnet                               23
>  1 XI ftp                                  21
>  2 XI www                                  80
>  3 XI ssh                                  22
>  4 XI www-ssl                             443                                                                          none
>  5 XI api                                8728
>  6   winbox                             8291 192.168.0.0/24
>                                              192.168.1.0/24
>                                              192.168.2.0/24
>                                              192.168.3.0/24
>  7 XI api-ssl                            8729                                                                          none
> And when I look at it, it seems that firewall filter 2 is not needed as I have LAN IPs on the WinBox service; hopefully Zerobyte sees this post and answers :D
>
> And searching for security related to RB I found out that RB routers that have been "hacked" were done in the first 10 minutes of online time if you did not set a password and/or change the std. user.

Those IPs that tried to log in to my device aren't from my country. I assume someone tried to hack my device.
I disabled all unused ports like ssh, telnet, ftp. So there's no problem at this moment.

> And searching for security related to RB I found out that RB routers that have been "hacked" were done in the first 10 minutes of online time if you did not set a password and/or change the std. user.

This part is scary to me, because the company I work for is going to buy MikroTik devices and I'll have to look after them.
lol


Thanks for the info and solution makp.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Someone to login my Mikrotik

Fri May 27, 2016 2:15 pm

The solution shown above is the correct one: allow established/related, allow certain internal IPs, drop everything else.
Unfortunately the default MikroTik setting is to drop only what comes in on the ether1-gateway interface, which is presumed to be the internet interface. However, when you add another internet interface like a PPPoE this has to be changed. There has been discussion that this default has to be changed to be more like what is shown above, but MikroTik won't do it. So you have to look after this yourself.

However, when you don't follow those internet guides and instead use the setup wizard that you see when you connect the router, and set it to PPPoE there, it works OK. Apparently lots of people don't do that, and they end up in the situation you have seen.
(There is another problem as well: your DNS service will be available from the internet and will be abused when the firewall is not changed. Fortunately it is secure now.)
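The input-chain structure described in this thread (accept established/related, accept management from an internal address list, drop everything else arriving on the WAN) written out for a PPPoE WAN, together with the service restriction makp showed. This is an added example, not a config from the thread or MikroTik's default; the interface names pppoe-out1/ether1, the list name mgmt-lan and the LAN subnet 192.168.88.0/24 are assumptions.

```routeros
# Added example, not from the thread. Assumed: the PPPoE interface is
# pppoe-out1 on physical port ether1, and the LAN is 192.168.88.0/24.

# Hosts allowed to manage the router (same idea as makp's Interne_IP list).
/ip firewall address-list
add list=mgmt-lan address=192.168.88.0/24 comment="LAN hosts allowed to manage the router"

/ip firewall filter
# 1. Replies to connections the router opened itself (its own DNS lookups, NTP, updates)
add chain=input action=accept connection-state=established,related comment="accept established/related"
# 2. Packets that belong to no known connection are never useful to the router
add chain=input action=drop connection-state=invalid comment="drop invalid"
# 3. Management (WinBox, SSH, web) only from the internal address list
add chain=input action=accept src-address-list=mgmt-lan comment="management from LAN"
# 4. Everything else arriving from the internet is dropped and logged. The wizard's
#    default rule matches ether1-gateway, which is no longer the WAN once PPPoE is used,
#    so the PPPoE interface must be matched here. Dropping all WAN input also closes the
#    router's own DNS resolver (udp/53) to the internet without a port-specific rule.
add chain=input action=drop in-interface=pppoe-out1 log=yes log-prefix="wan-input-drop" comment="drop the rest from WAN"
add chain=input action=drop in-interface=ether1 log=yes log-prefix="wan-input-drop" comment="and from the physical WAN port"
# LAN input that none of the above matched (e.g. DHCP requests from 0.0.0.0) is still
# accepted by RouterOS's default policy, which is why no unconditional final drop is used.

# Management services: unused ones off, the rest bound to the LAN subnet only.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set www-ssl address=192.168.88.0/24

# Check afterwards: every input rule above the WAN drops must match either
# established/related or an internal source; an "accept" with no source constraint
# placed above the drops would re-open the router to the internet.
/ip firewall filter print where chain=input
/ip service print
```

Watch the log for the wan-input-drop prefix after applying it: the login attempts from the original post should now appear there as drops instead of as failed logins.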
 
makp
newbie
Posts: 34
Joined: Thu Apr 28, 2016 12:21 pm

Re: Someone to login my Mikrotik

Fri May 27, 2016 2:32 pm


> This part is scary to me, because the company I work for is going to buy MikroTik devices and I'll have to look after them.
> lol
>
> Thanks for the info and solution makp.

Just remember to set a password and change/add a user BEFORE connecting to the internet; it's not RouterOS that is the culprit, the culprit is error 40 cm or error 15" from the screen :lol:

> Mikrotik RouterOS
>
> CVE-2016-85005
>
> A long standing problem in the Mikrotik RouterOS is the default username and password. All versions including the 6.34 release have default user of “admin” with no password. While some folks change this, many devices are compromised within the first few hours of it being put on line. During our tests, a device with the username “admin” and no password was compromised within 15 minutes and had 9 unique pieces of malware running within 20 minutes. While not having a password can be helpful for initial setup, it should not be allowed to complete setup nor allow SSH access without a password.
> http://blog.cari.net/carisirt-defaultin ... -security/

Okay, you have 15 minutes, not 10, to secure the RB :lol:

Send your "love" to ZeroByte and users like pe1chl; I am just sucking knowledge from them.
Last edited by makp on Fri May 27, 2016 2:47 pm, edited 2 times in total.
 
makp
newbie
Posts: 34
Joined: Thu Apr 28, 2016 12:21 pm

Re: Someone to login my Mikrotik

Fri May 27, 2016 2:44 pm

> The solution shown above is the correct one: allow established/related, allow certain internal IPs, drop everything else.
> Unfortunately the default MikroTik setting is to drop only what comes in on the ether1-gateway interface, which is presumed to be the internet interface. However, when you add another internet interface like a PPPoE this has to be changed. There has been discussion that this default has to be changed to be more like what is shown above, but MikroTik won't do it. So you have to look after this yourself.
>
> However, when you don't follow those internet guides and instead use the setup wizard that you see when you connect the router, and set it to PPPoE there, it works OK. Apparently lots of people don't do that, and they end up in the situation you have seen.
> (There is another problem as well: your DNS service will be available from the internet and will be abused when the firewall is not changed. Fortunately it is secure now.)

I have heard about "layer 2.5". I don't have a PPPoE connection, but maybe it should be communicated better; I find the wiki a bit confusing, and if I do, others certainly have to also :o, but ZeroByte gave advice on the config.

When I first connected to my RB1100AHx2 there was no wizard. I updated it as the first thing; even here the wiki was a bit useless, as the upgrade went through on the first and second RB, but the second RB was bricked after reboot so I had to do the netclient upgrade, leaving me crying, yelling and almost beating the wife. I followed the guides, but wait, on the RB1100 you have to do it on ether13; I did not find that info on any official MikroTik site, but I think it was YouTube where a Malaysian guy had a guide. I don't speak or read Malaysian but I know how to watch a video :lol:
 
gtblue
just joined
Posts: 8
Joined: Thu May 26, 2016 4:20 am

Re: Someone to login my Mikrotik

Sat May 28, 2016 12:12 pm

> Hi benz,
>
> In my opinion, if you don't use the SSH port to log in to your MikroTik, you could just disable the ports you don't need in the MikroTik services: in WinBox go to /ip services and disable the ssh port, so no one can access your router via SSH.
> Ohhh Wowww Huge thanks to you. That's the simplest way for me.
> I tried it and it worked. Right now no one is trying to log in to my device, so thanks again.
>
>
> :D

Hi Benz,

:D glad it could help you, and one more thing if you haven't done it yet: you should make new firewall filter rules to block outside people from attacking your DNS if you tick "allow remote requests" in the DNS settings.

/ip firewall filter
add action=drop chain=forward in-interface=ether1 port=53 protocol=udp
add action=drop chain=forward in-interface=ether1 port=53 protocol=tcp

*ether1 is your WAN port.

hope it will help you. :)
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Someone to login my Mikrotik

Sat May 28, 2016 12:58 pm

> you should make new firewall filter rules to block outside people from attacking your DNS if you tick "allow remote requests" in the DNS settings.

This is not the best approach. Much better is (as shown above) to block everything, not specific ports.
