Hacked DVR's
Posted: Fri Oct 21, 2016 8:33 pm
by jmay
Maybe this is old news but I found it fascinating. One of my firewall rules grabs hack attempts on my routers and throws them into an address list for a week. At that point all traffic from that IP is dropped. Over the years the number of IPs in this list has grown and grown to the point that I currently have over 117,000 entries listed from the last week alone. I decided to investigate a few random IPs to see where they were coming from and what they were. Out of the handful I looked at, several of them had port 80 open and turned out to be DVRs called PCBOX, which I found alarming. So it made me wonder, are the vast majority of these attempts coming from the same model device or does every compromised computer just happen to have one of these things? Obviously I am not going to look at 100k IPs, but if the first few came from the same type of device it must be pretty widespread.
Best I can tell, these are the guys attacking me.
http://www.pcboxargentina.com.ar/productos/?id=82
Just thought I'd share. If you're using a DVR secure that thing!
Re: Hacked DVR's
Posted: Fri Oct 21, 2016 8:45 pm
by rcourtney
Interesting. These devices are usually running a low-end Linux OS. It is not hard to insert code into RAM and then execute it.
Being a part of a security system that allows strangers to get access to cameras is also disturbing.
Re: Hacked DVR's
Posted: Sat Oct 22, 2016 5:40 am
by acruhl
Define "hack attempt" please. This is interesting.
Re: Hacked DVR's
Posted: Sat Oct 22, 2016 6:00 pm
by jmay
It's a pretty simple rule that says if connections are made on the input chain of the router to common ports like SSH, telnet, HTTP, etc., then put the incoming IP into an address list for a period of time and drop all traffic from those IPs.
I just read on CBS that the big DDoS attack on the US yesterday included DVR systems. As I said earlier, lately my list of hacker IPs has grown a lot.
Re: Hacked DVR's
Posted: Sat Oct 22, 2016 7:26 pm
by andlil
It's a pretty simple rule that says if connections are made on the input chain of the router to common ports like SSH, telnet, HTTP, etc., then put the incoming IP into an address list for a period of time and drop all traffic from those IPs.
As a beginner I would really like to see that rule, kind of like fail2ban, I guess?
//A
Re: Hacked DVR's
Posted: Mon Oct 24, 2016 6:18 pm
by jmay
The best way to secure your router is to create accept rules for things you want and drop everything else, but I like to have a bit of visibility to see what people are trying to do before dropping them. So the idea is to identify IPs that are making malicious attempts and then drop everything they try to do. Once they are in the list I drop them from the input chain and the forward chain to get rid of them everywhere. I figure if they are trying to poke around with my main router I don't want them poking around at anything beyond the router either. Prior to these rules I have other rules that accept traffic on my input chain from specific IPs that I control. Don't add these rules without that first or you might lock yourself out of your router. One of my rules works like this:
Rule 1
;;; Drop all Traffic from Hackers on Input Chain for 7 Days
chain=input action=drop src-address-list=Hackers log=no log-prefix=""
Rule 2
;;; Drop all Traffic from Hackers on Forward Chain
chain=forward action=drop src-address-list=Hackers log=no log-prefix=""
Rule 3
;;; Add Router Hack attempts to Address List for 7 Days (RouterOS requires protocol= when dst-port= is used)
chain=input action=add-src-to-address-list address-list=Hackers address-list-timeout=1w protocol=tcp dst-port=21,22,23,80,443,8291 log=no log-prefix=""
Re: Hacked DVR's
Posted: Mon Oct 24, 2016 7:55 pm
by mag2020
These guys may not be the ones attacking your system. They, too, may just be victims like you. Their hardware has been hijacked by the bad boys.
Re: Hacked DVR's
Posted: Mon Oct 24, 2016 10:23 pm
by blajah
Confirming. Currently I have 1096 IPs on the ACL, but my timeout is 1d. I have checked 15 random addresses and 13 were DVRs.
Re: Hacked DVR's
Posted: Mon Oct 24, 2016 11:48 pm
by R1CH
This is the Mirai botnet (and variants) scanning for new devices to infect. Welcome to the Internet of Terrible Things.
Re: Hacked DVR's
Posted: Tue Oct 25, 2016 7:46 am
by chechito
Confirming. Currently I have 1096 IPs on the ACL, but my timeout is 1d. I have checked 15 random addresses and 13 were DVRs.
In my case I filter everything except my country's IPs.
Daily my MikroTik blacklists 50-100 IP addresses, all from my country (I'm in a small country).
Re: Hacked DVR's
Posted: Tue Oct 25, 2016 7:59 am
by andlil
Thanks jmay, I added "your" rules with just ports 21,22,23,1194 and I got 8 IPs poking around in just 8 minutes...
Scary indeed!
Re: Hacked DVR's
Posted: Tue Oct 25, 2016 11:41 am
by nikc
Rule 1
;;; Drop all Traffic from Hackers on Input Chain for 7 Days
chain=input action=drop src-address-list=Hackers log=no log-prefix=""
Rule 2
;;; Drop all Traffic from Hackers on Forward Chain
chain=forward action=drop src-address-list=Hackers log=no log-prefix=""
Rule 3
;;; Add Router Hack attempts to Address List for 7 Days (RouterOS requires protocol= when dst-port= is used)
chain=input action=add-src-to-address-list address-list=Hackers address-list-timeout=1w protocol=tcp dst-port=21,22,23,80,443,8291 log=no log-prefix=""
Do these need to be right at the top of the rules list?
Re: Hacked DVR's
Posted: Tue Oct 25, 2016 5:23 pm
by jmay
I should add that you should have some accept rules at the top. Accept traffic to ports from IPs that you control. For example, if you only use Winbox to talk to your router and you always do it from the same IP address, then accept that port from that IP. Then you can post rules like mine with a drop-everything rule at the bottom. This way you are dropping all traffic to the router, but still seeing a bit of what's happening.
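Putting jmay's two posts together (the three Hackers-list rules above, and the advice that accept rules for your own management IPs must come first and a catch-all drop last), here is a complete RouterOS filter set in that order. This is an added example, not jmay's exported configuration: the Admins address list, the placeholder address 203.0.113.10 and the comments are assumptions, and the accept rules are limited to Winbox (8291) and SSH (22) from that one address.

```routeros
# Added example (not jmay's exact rule set). Order matters: RouterOS evaluates
# filter rules top to bottom, so management access is accepted before any drop.
# 203.0.113.10 is a constructed placeholder for the admin's own IP; replace it.
/ip firewall address-list
add list=Admins address=203.0.113.10 comment="Management source (placeholder, assumed)"

/ip firewall filter
# 1. Keep already-established sessions working so a rule reload never cuts them off.
add chain=input action=accept connection-state=established,related comment="Accept established/related"
# 2. Accept Winbox/SSH from trusted IPs BEFORE any drop rule, or you can lock yourself out.
add chain=input action=accept src-address-list=Admins protocol=tcp dst-port=22,8291 comment="Management from Admins only"
# 3. Drop everything from addresses already on the Hackers list, on both chains.
add chain=input action=drop src-address-list=Hackers comment="Drop Hackers on input"
add chain=forward action=drop src-address-list=Hackers comment="Drop Hackers on forward"
# 4. Any other new connection to these ports puts the source on the list for one week.
#    add-src-to-address-list does not terminate processing; the packet falls through to rule 5.
add chain=input action=add-src-to-address-list address-list=Hackers address-list-timeout=1w protocol=tcp dst-port=21,22,23,80,443,8291 connection-state=new comment="Blacklist probes for 7 days"
# 5. Drop everything else aimed at the router itself.
add chain=input action=drop comment="Drop all other input"
```

With this ordering the first probe packet is dropped by the catch-all (rule 5) and every later packet from that source, on input or forward, is dropped by rule 3 until the 1w timeout expires. Check the result with `/ip firewall address-list print where list=Hackers`, and test management access from the Admins address before walking away from the console.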