MikroTik

Community discussions
https://forum.mikrotik.com/

Hacker trying to log in - firewall default

https://forum.mikrotik.com/viewtopic.php?t=148888

Page 1 of 1

Hacker trying to log in - firewall default

Posted: Tue May 28, 2019 1:55 am
by Docop
Hi
During a full flash of the router and finally getting some better result.. i found out in the winbox terminal lot and lot of Internet hacker or bot trying to access to the router.
Code: Select all
17:37:33 echo: system,error,critical login failure for user user from 165.22.122.201 via
 ssh
[admin@RouterOS] /ip firewall filter> 
17:37:34 echo: system,error,critical login failure for user fliruser from 165.22.122.201
 via ssh
[admin@RouterOS] /ip firewall filter> 
17:37:35 echo: system,error,critical login failure for user root from 165.22.122.201 via
 ssh
[admin@RouterOS] /ip firewall filter> 
17:47:01 echo: system,error,critical login failure for user DUP admin from 165.22.5.131 
via ssh
17:47:01 echo: system,error,critical login failure for user DUP admin from 165.22.5.131 
via ssh
[admin@RouterOS] /ip firewall filter> 
17:47:51 echo: system,error,critical login failure for user DUP admin from 165.22.122.20
1 via ssh
[admin@RouterOS] /ip firewall filter> 
17:47:51 echo: system,error,critical login failure for user DUP admin from 165.22.122.20
1 via ssh
[admin@Rout
I found to go in Ip service list and i turn off ssh. I still have winbox and www at on. Should i closed them too and still be able to log in from lan? But is there any rules that supposed to cover that or put a limit to any login attempt ?
Actually i'm running the default when full restart is made.
Code: Select all
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Voip disabled=yes dst-port=5060-5061 protocol=\
    tcp
add action=accept chain=input dst-port=1194 protocol=tcp comment="OpenVPN" 
add action=accept chain=input dst-port=1195-1200 protocol=tcp comment="doing nothing no effect softvPN" 
add action=accept chain=forward comment="allow dst-nat connections from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Thanks to let me know if something exist.. and not like : putting only a list of approved ip. With any public ip changing it's not feasable. I guess with a openvpn to the mikrotik it can work. But how to limit the attemp..
*funny they don't try to log with : admin. as i never set any password.

Re: Hacker trying to log in - firewall default

Posted: Tue May 28, 2019 2:47 am
by Docop
I did find this to force access to router, only from pc within this specific lan. :

add action=drop chain=forward in-interface=bridge1 src-address=!192.168.0.0/24 comment="Drop all that do not match LAN IP"

So with this, can it then make the service port ssh and other less problematic and be leave on ?

Re: Hacker trying to log in - firewall default

Posted: Tue May 28, 2019 2:59 am
by 2frogs
You do not have the default firewall. It should include the following:
Code: Select all
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic."
add action=drop chain=input connection-state=invalid comment="DEFAULT: Drop invalid traffic."
add action=accept chain=input protocol=icmp comment="DEFAULT: Accept ICMP traffic."
add action=drop chain=input in-interface-list=!LAN comment="DEFAULT: Drop all other traffic not coming from LAN."
With this, just make sure your LAN and VPN are included in the interface-list for LAN.

Also the input chain is for traffic going to the router itself (ssh,winbox,webfig,etc.). Output chain is traffic coming from the router itself. The forward chain is for any traffic that is forward from one interface to another such as WAN to LAN.

Re: Hacker trying to log in - firewall default

Posted: Tue May 28, 2019 3:44 am
by Docop
Indeed, it look to have cut many request. Thanks for that. By default, it was just from the factory reset rule. with 3 additionnal.

So as you said : if i put :
add action=accept chain=input dst-port=1194 protocol=tcp comment="OpenVPN"
This mean it's for the mikrotik router running a vpn server on itself. Used to log from the outside to the router.

And putting :
add action=accept chain=foward dst-port=2000 protocol=tcp comment="Open a port for a lan pc"
this will then pass/ open a port from the internet to the local ip. Then have to do a nat to take the port 2000 and transfer to a destination address. dst-nat: local-ip-pc

right ?

Re: Hacker trying to log in - firewall default

Posted: Tue May 28, 2019 4:38 am
by 2frogs
That is correct, although you do not need the forward rule because your default forward drop rule drops all forwarded traffic unless it is in dst-nat:
Code: Select all
/ip firewall filter
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
You only need to add your NAT rule for it to work.

Order of your rules also matters, once traffic matches a rule it is no longer compared by other rules.
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/