This has happened twice in the last week, so obviously we're open to someone messing with our APs.
How did they do this (presume it wasn't via WinBox or ssh, but rather from the wlan)?
How do we prevent it?
THANKS for your help - it is truly appreciated.
Happy New Year!
Kind regards/ldv
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
Re: IDIOT's guide to how did they do this?
How did they do what?
Re: IDIOT's guide to how did they do this?
My edit appears to have hit /dev/nullHow did they do what?
The original post should have mentioned that the following references to 192.168 appeared unexpectedly in a MikroTik AP (2.9.46) mid afternoon:
Code: Select all
[operator@dd-ap4] > /ip route print
1 AD 0.0.0.0/0 r 192.168.1.1 0 bridge1
[operator@dd-ap4] /ip address print
2 D 192.168.1.102/24 192.168.1.0 192.168.1.255 wlan1
Code: Select all
Jan 3 15:40:52 ap4 dhcp,critical,error,warning,info,debug dhcp alert on wlan1: discovered unknown dhcp server, mac 00:05:9E:82:86:17,
ip 192.168.1.1
Jan 3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:bridge1, src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan 3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:(none), src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan 3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:bridge1, src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan 3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:(none), src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan 3 15:40:52 ap4 dhcp,info,debug dhcp-client on wlan1 got IP address 192.168.1.102
Jan 3 15:40:52 ap4 system,info dns changed
Thanks for the help.
rgds/ldv
Re: IDIOT's guide to how did they do this?
Please critique this code, invoked from the input and forward chains in an AP:
THANKS/regards/ldv
Code: Select all
add chain=log-and-drop-rogue-dhcp action=log in-interface=wlan1 src-port=67 \
dst-port=68 protocol=udp log-prefix="DROP_ROGUE_DHCP" comment="Log and \
drop rogue DHCPOFFERS" disabled=no
add chain=log-and-drop-rogue-dhcp action=drop in-interface=wlan1 src-port=67 \
dst-port=68 protocol=udp comment="Log and drop rogue DHCPOFFERS" \
disabled=no
Re: IDIOT's guide to how did they do this?
As closure of this thread, whether it was an inside or an outside job, the problem turned out to be that this particular AP had a dhcp-client listening on wlan1My edit appears to have hit /dev/nullHow did they do what?
The original post should have mentioned that the following references to 192.168 appeared unexpectedly in a MikroTik AP (2.9.46) mid afternoon:
Code: Select all[operator@dd-ap4] > /ip route print 1 AD 0.0.0.0/0 r 192.168.1.1 0 bridge1 [operator@dd-ap4] /ip address print 2 D 192.168.1.102/24 192.168.1.0 192.168.1.255 wlan1
rgds/ldv
Who is online
Users browsing this forum: alibloke and 14 guests