Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 5:36 pm
by zipvault
Please help me, I'm being attacked.
How can I prevent this?
Help me find them?
This was just now..
log print
dec/24 00:33:46 system,error,critical login failure for user administrator from 190.82.77.203 via telnet
dec/24 00:33:47 system,error,critical login failure for user root from 85.11.22.132 via telnet
dec/24 00:33:48 system,error,critical login failure for user root from 190.82.77.203 via telnet
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 5:43 pm
by pe1chl
Why do you allow login from internet?
Did you configure a PPPoE interface using some shady YouTube video instead of the official method?
What is your firewall right now? Does it drop all new incoming traffic from your internet interface?
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 5:55 pm
by greek
Go to the IP - Services menu, click telnet and click the Disable button (with the red cross).
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 6:04 pm
by zipvault
I had turned off the remote login option...
Yes, I turned off the telnet service now.
Are you only meant to enable telnet when you want to use it, or
can I block telnet so only my MAC address can access??
How do I set my local address book to only access??
Yes, I have about 80 firewall rules at the moment.
Should I reset and start building again??
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 6:13 pm
by zipvault
I thought I had set up the brute force rule from the MikroTik wiki also???
The one where if an IP gets three wrong entries then they
get put on a list,
and if they stay on the list for 1 minute
then they get put on a block list.
Can anyone shine some light on a script that does this?
Because obviously the one I did is not working..
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 6:55 pm
by todayheads
I am gonna advise you with something:
allow accessing WebFig online from your network only, not global.
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 6:57 pm
by todayheads
And please, next time you don't have to paste the whole log.
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 7:25 pm
by dhapollo
Go to IP > Firewall > Filter Rules > add a new one. Chain input, port 23, action drop.
See if this works?
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 7:43 pm
by zipvault
I am gonna advise you with something:
allow accessing WebFig online from your network only, not global.
What is the best way you would advise to do this?
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 8:04 pm
by mpreissner
Add a firewall rule on the INPUT chain that only allows WinBox, SSH, and HTTPS from one of your internal networks. Then add a firewall rule right below that to drop all traffic to your device. These two rules ensure that ONLY traffic from you is allowed to go directly to your device.
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 8:53 pm
by zipvault
Okay,
I had over 85 firewall rules earlier,
I have cut it back to 30 now.
How do I specify a specific IP?
For instance, earlier I had a management address book
and I allowed only one IP address to access the webconf,
but I deleted it. Now I'm unsure how to reinstate this local-only method
or single IP management access rule?
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 8:57 pm
by zipvault
Add a firewall rule on the INPUT chain that only allows WinBox, SSH, and HTTPS from one of your internal networks. Then add a firewall rule right below that to drop all traffic to your device. These two rules ensure that ONLY traffic from you is allowed to go directly to your device.
I can use something like this, does this look good??? ->
/ip firewall address-list
add list=management-servers address=192.168.00.000
/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop
I'm only new to MikroTik, only been using it a few days????
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 9:22 pm
by mpreissner
If you write firewall rules like that, you'll end up missing things.
Best practice is to create a rule that allows your management access, and then create a DROP ALL rule at the bottom of the chain. As you find you need to allow additional traffic, you simply add a rule above the DROP ALL rule. You need to make sure you also order the rules correctly to minimize processing overhead, so put the most frequently matched rules at the top, since rules are processed from the top down. Here's my INPUT chain, which is pretty well locked down.
/ip firewall filter
add action=accept chain=input comment="Accept related/established from internal networks" connection-state=\
established,related in-interface=!ether1-gateway log=yes log-prefix=gateway-accept-est-rel-internal
add action=accept chain=input comment=\
"default configuration - Accept inbound related/established" connection-state=\
established,related in-interface=ether1-gateway log=yes log-prefix=accept-inbound-rel-est
add action=accept chain=input comment="Accept inbound for SSTP VPN" dst-port=443 in-interface=ether1-gateway log=yes \
log-prefix=accept-inbound-SSTP-VPN protocol=tcp
add action=accept chain=input comment="Accept inbound L2TP/IPsec VPN" dst-port=1701,500,4500 in-interface=\
ether1-gateway log=yes log-prefix=accept-inbound-l2tp-ipsec-vpn protocol=udp
add action=drop chain=input comment="default configuration - drop unsolicited inbound WAN traffic" in-interface=\
ether1-gateway log=yes log-prefix=drop-inbound-unsolicited
add action=accept chain=input comment="Accept broadcast traffic from internal networks" dst-address-type=\
broadcast,multicast in-interface=!ether1-gateway log-prefix=accept-input-bcast/mcast
add action=accept chain=input comment="default configuration - accept icmp on all interfaces" protocol=icmp
add action=accept chain=input comment="Allow MGMT access from internal networks" dst-address=172.16.0.30 dst-port=\
22,8291 in-interface=!ether1-gateway log-prefix=mgmt-accept-internal protocol=tcp
add action=accept chain=input comment="Accept DHCP on all interfaces" dst-port=67 log-prefix=log-dhcp protocol=udp
add action=drop chain=input comment="drop and log all inbound traffic not matching previous rules" log=yes \
log-prefix=drop-and-log-input
Re: Please Help me im being attacked RIGHT NOW
Posted: Fri Dec 23, 2016 9:36 pm
by blajah
Well, if you are allowing mgmt from a specific pool of IP addresses there is no need to create an access list, you can do it directly via a firewall rule. It is easier to read if you have an access list, but at the end it's up to you.
/ip firewall address-list
add list=management-servers address=192.168.0.0/24
(the /24 was missing)
Also, in the rule itself, you do not need to overcomplicate with ports/services definitions.
It will work this way as well:
/ip firewall filter
add chain=input src-address-list=management-servers action=accept
to allow mgmt from your pool,
and to deny the rest:
/ip firewall filter
add chain=input in-interface=YourWAN action=drop
Regarding IP > Services itself, you have the option to define "Available From", where you can specify which addresses the service is available from.
I do not have any issues with the things you followed to secure your router, but in 70% of tutorials the rules are overcomplicated without real reason.
One elegant way to drop all these "service-hunters" is like this:
add action=add-src-to-address-list address-list=@Services_Phase1 address-list-timeout=30m chain=input comment=IN-Services1 dst-port=21,22,23,69,80,443,8080 \
in-interface=YourWAN protocol=tcp
add action=add-src-to-address-list address-list=@Services_Phase2 address-list-timeout=30m chain=input comment=IN-Services2 dst-port=21,22,23,69,80,443,8080 protocol=tcp \
src-address-list=@Services_Phase1
add action=add-src-to-address-list address-list=@Services_Phase3 address-list-timeout=1w chain=input comment=IN-Services3 dst-port=21,22,23,69,80,443,8080 protocol=tcp \
src-address-list=@Services_Phase2
Then in RAW firewall drop @Services_Phase3:
add action=drop chain=prerouting src-address-list=@Services_Phase3
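As an added example (not code from the thread), this small Python model of the staged address lists in this post and of the three-strikes rule zipvault asks about above shows why rule order matters: listed Phase1, Phase2, Phase3, a single probe climbs all three lists at once and lands on the one-week list, while the reverse order (the one the MikroTik wiki brute-force example uses) lets three probes through first. It assumes RouterOS evaluates rules top-down, that add-src-to-address-list is non-terminating so evaluation continues with the next rule, and that the RAW drop runs before the filter stages; addresses, timestamps and timeouts (in seconds) are constructed.

```python
# Added toy model (not code from the thread) of a RouterOS-style chain with staged
# address lists: top-down evaluation, a terminating drop, the non-terminating
# add-src-to-address-list action, and list timeouts in seconds (30m=1800, 1w=604800).
from collections import namedtuple

SERVICE_PORTS = {21, 22, 23, 69, 80, 443, 8080}  # dst-port list from the thread's rules
Packet = namedtuple("Packet", "t src dport")    # t = arrival time in seconds (constructed)

class AddressLists:
    """(list name, address) -> expiry time, mimicking address-list-timeout."""
    def __init__(self):
        self.entries = {}
    def contains(self, name, addr, now):
        exp = self.entries.get((name, addr))
        return exp is not None and exp > now
    def add(self, name, addr, now, timeout):
        self.entries[(name, addr)] = now + timeout

def stage_rule(src_list, dst_list, timeout):
    """add-src-to-address-list rule (src_list=None: no src-address-list match).
    Returns None: the action is non-terminating, so evaluation continues."""
    def rule(pkt, lists):
        if pkt.dport in SERVICE_PORTS and (src_list is None or lists.contains(src_list, pkt.src, pkt.t)):
            lists.add(dst_list, pkt.src, pkt.t, timeout)
    return rule

def drop_if_listed(name):
    """The RAW prerouting drop: terminating once the source is on the final list."""
    return lambda pkt, lists: "drop" if lists.contains(name, pkt.src, pkt.t) else None

def staged_rules(order):
    """RAW drop first, then the stage rules as posted ('thread': Phase1, 2, 3) or
    reversed ('reverse': 3, 2, 1), the order the MikroTik wiki brute-force example uses."""
    stages = [stage_rule(None, "Phase1", 1800),
              stage_rule("Phase1", "Phase2", 1800),
              stage_rule("Phase2", "Phase3", 604800)]
    if order == "reverse":
        stages.reverse()
    return [drop_if_listed("Phase3")] + stages

def run_chain(rules, packets):
    """Evaluate each packet top-down; the first terminating action wins, else 'accept'."""
    lists, verdicts = AddressLists(), []
    for pkt in packets:
        verdict = None
        for rule in rules:
            verdict = rule(pkt, lists)
            if verdict:
                break
        verdicts.append(verdict or "accept")
    return verdicts

# Constructed traffic: a scanner probing telnet five times, another address touching 443 twice
SCANNER = [Packet(t, "203.0.113.7", 23) for t in range(5)]
ONE_SHOT = [Packet(2.5, "198.51.100.9", 443), Packet(3.5, "198.51.100.9", 443)]
```

`run_chain(staged_rules("thread"), SCANNER)` drops from the second probe on, `run_chain(staged_rules("reverse"), SCANNER)` only from the fourth.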
Re: Please Help me im being attacked RIGHT NOW
Posted: Sat Dec 24, 2016 4:45 am
by zipvault
Thank you, I really appreciate your input, it makes sense.
If I do not specify ports in the rule, does it just apply to all ports?
One question I have:
what is phase 1, 2 and 3 services?
Re: Please Help me im being attacked RIGHT NOW
Posted: Sun Dec 25, 2016 2:27 pm
by blajah
If i do not specify ports in the rule does it just apply to all ports?
Yes
What is phase 1, 2 and 3 services?
Just names of access lists that are created by the firewall rules. You can change the names to whatever you like.
One more note, as you see there are no DNS rules involved in this rule-set. You need to take care of that also.
Re: Please Help me im being attacked RIGHT NOW
Posted: Sun Dec 25, 2016 3:10 pm
by zipvault
One more note, as you see there are no DNS rules involved in this rule-set. You need to take care of that also.
My DNS always changes; is there a way for me to still make better DNS rules that auto update??
Re: Please Help me im being attacked RIGHT NOW
Posted: Mon Dec 26, 2016 2:22 pm
by blajah
Well, I'm not sure what you mean by "my DNS changes"? Is your ISP changing the IPs of the DNS servers, or is there something else?
Securing your DNS (disabling DNS amplification attacks from your router) can be done by various methods, but maybe the easiest to maintain is to create an access list with the IPs of your DNS servers, and create a firewall rule (even better, a RAW firewall rule) which will drop port 53 from all IP addresses except the IPs residing on the access list. Something like this:
chain=input action=drop protocol=udp src-address-list=!DNS in-interface=WAN dst-port=53 log=no log-prefix=""
This means: drop UDP traffic on the WAN interface targeted at the router itself on port 53 where the source address is not from the DNS list. Because your DNS changes, it's easier for you to maintain the access list than to change the rule all over again (with every change of your DNS).
Advice:
If you have some 100% correct rules, try to move them from IP firewall to RAW firewall, just to decrease load on CPU, because all statements in RAW firewall are considered on routing level, or to be more precise, before packets enter inside of your router.
Re: Please Help me im being attacked RIGHT NOW
Posted: Mon Dec 26, 2016 7:22 pm
by zipvault
You're a legend blajah, raw FIRE
I made it TCP also.
Does DNS only resolve on 53? Learn something new every day.
Re: Please Help me im being attacked RIGHT NOW
Posted: Tue Dec 27, 2016 1:34 pm
by blajah
Yeah, only on port 53, mainly UDP, but if the data is bigger than 512 bytes, then it switches to TCP.
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 3:16 pm
by zipvault
dec/24 00:33:46 system,error,critical login failure for user administrator from 190.82.77.203 via telnet
dec/24 00:33:47 system,error,critical login failure for user root from 85.11.22.132 via telnet
dec/24 00:33:48 system,error,critical login failure for user root from 190.82.77.203 via telnet
Hi @normis, I intentionally posted the whole log to give people the chance to block those IPs if they needed.
Do we have a global running block list?
Someone should make one..
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 3:30 pm
by normis
This is useless. The addresses will never repeat. Read up on how DDoS works. These are disposable victims of trojans and other bugs, cameras, infected PCs etc.
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 3:47 pm
by zipvault
WAN interface targeted to router itself on port 53.
You're probably going to laugh at me but I have a dumb question: which one is my WAN interface in the picture attached..
Screen Shot 2016-12-28 at 11.43.24 PM.png
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 3:48 pm
by normis
We can't know that. WAN is the one where your ISP is plugged in
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 3:55 pm
by BartoszP
Probably the PPPoE one, as the ISP wants authentication.
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 4:23 pm
by zipvault
This is useless. The addresses will never repeat. Read up on how DDoS works. These are disposable victims of trojans and other bugs, cameras, infected PCs etc.
Currently with my ARP and NAT I'm hoping no random address can even access.
But reading about things like Shodan,
I'm wondering if it is worthwhile to create a global attack list updated from Shodan as a resource, for example if it updated in real time.
The one that attacked me, for instance, I noticed the traceroute was coming from the same 4 or 5 IPs.
One was traced to Chile, another Sweden.
My theory is:
if someone is attacking through a series of static set IPs and it doesn't work on one router, the router can update a global list to prevent any other MikroTik being attacked from those addresses or MACs within a timeframe.
Does this make sense? Tell me I'm crazy if you will.
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 4:25 pm
by normis
You will never be able to firewall each "bad" IP individually. The reverse approach is much easier - drop everything and allow only yourself and only on non-standard ports. Implement multiple layers of security if needed, but again - drop everything first.
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 4:33 pm
by zipvault
You will never be able to firewall each "bad" IP individually. The reverse approach is much easier - drop everything and allow only yourself and only on non-standard ports. Implement multiple layers of security if needed, but again - drop everything first.
Yes, makes perfect sense.
Maybe ten years from now routers will have this system in place.
I have been dropping everything last, not first.
My understanding was firewall rules run from the top being first and the bottom last?
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 4:37 pm
by normis
MikroTik routers already have such firewall.
First add a rule for your own IP addresses with action accept. Add as many known IP addresses as you need (your home, office, etc). Then change your telnet and ssh ports to something other than standard, you can do this in the "system -> services" menu. Disable telnet if you don't use it.
Then add a rule to drop everything (chain input, action drop). The first rules will allow your access, the next rule will drop everything that is not allowed in the previous rules.
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 4:49 pm
by zipvault
Got it thanks for clarification
Drop last
Re: Please Help me im being attacked RIGHT NOW
Posted: Wed Dec 28, 2016 6:55 pm
by pe1chl
We can't know that. WAN is the one where your ISP is plugged in
When even you say that, small wonder that so many users get confused about that!
The dangerous truth is that when you have a PPPoE interface, as he has, and it is the link to the ISP, the firewall has to be configured with the pppoe-out1 interface as the input interface that is blocked by default, not the ether1 interface which has this rule by default.
We have discussed it before. I think this is another example of a user who was attacked and would probably later become victim of a DNS reflection DDoS abuse, just because of this default-accept policy in the MikroTik firewall. It should really be reversed, drop everything except from the interfaces that are known to be trusted (LAN, WiFi, bridge-local, that kind of thing).
Re: Please Help me im being attacked RIGHT NOW
Posted: Thu Dec 29, 2016 2:47 am
by zipvault
PPPoE is coming through ether1.
My rules are set to ether1.
So you're saying I should have set them to the PPPoE interface?
Or I can try to set them for both?
Does the RAW firewall or prerouting happen before the PPPoE virtual interface???
Re: Please Help me im being attacked RIGHT NOW
Posted: Thu Dec 29, 2016 3:23 am
by bennn
So you're saying I should have set them to PPPoE
Potentially, yes. I agree that this is normal operation for me too. I found this when dst-nat rules were not working when I set them to ether1 but did work when set to the pppoe interface.
Or i can try to set for both?
You can, but this shouldn't be necessary if configured correctly.
The best thing to do is for you to try to connect to your Mikrotik from an external internet source (mobile data maybe?) and test access.
Re: Please Help me im being attacked RIGHT NOW
Posted: Thu Dec 29, 2016 4:20 am
by zipvault
The best thing to do is for you to try to connect to your Mikrotik from an external internet source (mobile data maybe?) and test access.
Hi ben, I have firewall and ARP and NAT and local management only set up.
Remote access is off and telnet is off, so I'm pretty sure I have covered all bases regarding remote access management, thanks for your help.
In the interest of this forum post not getting too long,
Can we continue the similar conversation but regarding fast track here:
http://forum.mikrotik.com/viewtopic.php?f=13&t=116258
Re: Please Help me im being attacked RIGHT NOW
Posted: Thu Dec 29, 2016 8:07 am
by normis
when you have a PPPoE interface, as he has, and it is the link to the ISP.
Is it? I can't tell just from the name. It could be a local test network. Also, I can't be sure that if his connection drops, that his router becomes open to whatever other connections that can reach his router at that moment. You should probably have some basic rules on the interface itself as well.
Yes, if PPPoE interface in that photo is actually connected to your ISP and the connection goes through it, all the rules should be configured on the PPPoE interface.