
Hacking problem?

Posted: Mon Jun 20, 2016 10:15 pm
by tvecis
Hi.

At the beginning I realised that someone was brute-forcing my SSH and Telnet passwords.
Then I did this >>> http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

After that

[image]
But when I block this MAC, this starts:
[image]
[image]
and the Internet is going down.

Is this hacking problem? If yes, What can I do against this hacker?

Re: Hacking problem?

Posted: Mon Jun 20, 2016 10:58 pm
by ZeroByte
Don't use the MAC address because the MAC address on the WAN side will always be the ISP's router, no matter what IP address the packet contains.
Basically, you're blocking communications that go through the ISP's router, which obviously will disconnect you from the Internet.

I recommend that you just block ssh and telnet from the WAN interface entirely, and that will solve your problem.

Re: Hacking problem?

Posted: Mon Jun 20, 2016 11:04 pm
by BartoszP
Forget MAC :-)

Make a rule to add the source addresses of offending traffic to the ssh port to a "blacksshlist" list, and a second rule to block these addresses.

Re: Hacking problem?

Posted: Mon Jun 20, 2016 11:07 pm
by tvecis
Yes, you are right. I realised that this is the ISP's Cisco router MAC :)

Re: Hacking problem?

Posted: Tue Jun 21, 2016 10:02 am
by tvecis
Hmm...

[image]

Now I just turned off the SSH & Telnet services :(
P.S.
Is this going from my ISP internet to my AP, or from the hacker's computer directly to my AP?

Re: Hacking problem?

Posted: Tue Jun 21, 2016 10:27 am
by BartoszP
For SSH, TELNET and FTP try this ... a 4 h blocking window for the attacker.
/ip firewall filter
add action=add-src-to-address-list address-list=ATTACK_SSH address-list-timeout=4h chain=input comment=ATTACK_SSH dst-port=21,22,23 in-interface=ETH1-WAN protocol=tcp src-address-list=!MYPRECIOUSIPS
add action=drop chain=input comment="DROP ATTACK_SSH" in-interface=ETH1-WAN src-address-list=ATTACK_SSH
Same for a DNS DDoS - block all WAN-side traffic to the DNS server:
/ip firewall filter
add action=add-src-to-address-list address-list=DDOS_DNS address-list-timeout=4h chain=input comment=DDOS_DNS dst-port=53 in-interface=ETH1-WAN protocol=udp
add action=drop chain=input comment="DROP DNS DDOS" in-interface=ETH1-WAN src-address-list=DDOS_DNS
Do not forget to accept traffic from your own address if you want to connect via 21,22,23 ports from WAN side ... just put them into MYPRECIOUSIPS address list.
/ip firewall address-list
add address=x.x.x.x comment=HomeSweetHome list=MYPRECIOUSIPS
add address=y.y.y.y comment=OfficeSweetOffice list=MYPRECIOUSIPS
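
The rules above put a source on the block list after its very first packet to ports 21-23, so any non-whitelisted login attempt, including a legitimate one from a new location, costs four hours. The MikroTik wiki page linked in the first post uses a gentler, staged variant: a source climbs through short-lived address lists and is blacklisted only after repeated new connections within a minute. The block below is an added example written for this thread, not code from any of the posters or from MikroTik. It reuses the ETH1-WAN interface name and the MYPRECIOUSIPS list from the post above; the mgmt_* list names, the 1m/10d timeouts and the "four new connections in a minute" threshold are assumptions to tune.

```routeros
# Added example (not from the original thread): staged lockout for TCP 21,22,23
# arriving on the WAN interface, in the escalating address-list style of the
# MikroTik wiki "Bruteforce login prevention" page. ETH1-WAN and MYPRECIOUSIPS
# come from BartoszP's post; mgmt_* names, timeouts and threshold are assumptions.

/ip firewall address-list
add address=x.x.x.x comment=HomeSweetHome list=MYPRECIOUSIPS

/ip firewall filter
# 1. Trusted management sources are never tracked or blocked. accept terminates
#    processing, so none of the rules below see this traffic.
add chain=input action=accept in-interface=ETH1-WAN protocol=tcp dst-port=21,22,23 src-address-list=MYPRECIOUSIPS comment="mgmt: trusted sources"

# 2. Drop anything already blacklisted. Must sit above the stage rules, because
#    the firewall is first-match and drop terminates processing.
add chain=input action=drop in-interface=ETH1-WAN protocol=tcp dst-port=21,22,23 src-address-list=mgmt_blacklist comment="mgmt: drop blacklisted"

# 3. Escalation ladder. add-src-to-address-list is a passthrough action: the
#    packet continues down the chain after being listed. Ordering the stages
#    from highest to lowest is what stops a single connection from being added
#    to stage1, then stage2, then stage3 and the blacklist in one pass.
add chain=input action=add-src-to-address-list address-list=mgmt_blacklist address-list-timeout=10d in-interface=ETH1-WAN protocol=tcp dst-port=21,22,23 connection-state=new src-address-list=mgmt_stage3 comment="mgmt: stage3 -> blacklist (4th new conn within 1m)"
add chain=input action=add-src-to-address-list address-list=mgmt_stage3 address-list-timeout=1m in-interface=ETH1-WAN protocol=tcp dst-port=21,22,23 connection-state=new src-address-list=mgmt_stage2 comment="mgmt: stage2 -> stage3 (3rd new conn)"
add chain=input action=add-src-to-address-list address-list=mgmt_stage2 address-list-timeout=1m in-interface=ETH1-WAN protocol=tcp dst-port=21,22,23 connection-state=new src-address-list=mgmt_stage1 comment="mgmt: stage1 -> stage2 (2nd new conn)"
add chain=input action=add-src-to-address-list address-list=mgmt_stage1 address-list-timeout=1m in-interface=ETH1-WAN protocol=tcp dst-port=21,22,23 connection-state=new comment="mgmt: any new conn -> stage1"
```

Walking one attacker through it: the first new connection matches only the last rule and lands the source in mgmt_stage1; the second connection (within a minute) is in stage1, so it is promoted to stage2 and, via passthrough, re-stamped in stage1; the third promotes it to stage3; the fourth adds it to mgmt_blacklist, and from the fifth on rule 2 drops it for ten days. Two caveats: connection-state=new needs connection tracking enabled, and a slow attacker who spaces attempts more than a minute apart never climbs the ladder, so the 1m timeouts are a trade-off between catching him and not locking yourself out over a mistyped password. If you never need SSH, Telnet or FTP from an address outside MYPRECIOUSIPS, ZeroByte's advice of simply dropping those ports from the WAN interface is both simpler and stronger than any lockout scheme.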

Re: Hacking problem?

Posted: Tue Jun 21, 2016 11:54 am
by tvecis
Thanks! Added these rules. Hope this helps :)