trx314
just joined
Topic Author
Posts: 9
Joined: Mon Oct 26, 2020 8:36 pm

Mysterious "denied winbox/dude connect from 117.202.126.x" log

Thu Nov 05, 2020 6:31 pm

Hello Tik community.
I'm new to MikroTik and learning slowly. A few days ago I got 3 mysterious warning logs: "denied winbox/dude connect from 117.202.126.x". The question is, how has the person behind this address managed to get inside, past my input rules? Suggestions will be appreciated!
# nov/04/2020 10:59:45 by RouterOS 6.47.6
# software id = FIED-KZ7Z
# model = RB760iGS
# serial number = A3..........
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.200.0/24
set api disabled=yes
set winbox address=192.168.200.0/24
set api-ssl disabled=yes

/ip firewall address-list
add address=1.1.1.1 comment=shem list=myExtIps
add address=2.2.2.2 comment=ks_pr_hm list=myExtIps

/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291 protocol=tcp src-address-list=myExtIps
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=myExtIps
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=WWW dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.10 to-ports=80
add action=dst-nat chain=dstnat comment=WWWS dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.10 to-ports=443
 
karlisi
Member
Posts: 473
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Mysterious "denied winbox/dude connect from 117.202.126.x" log

Fri Nov 06, 2020 10:47 am

Is interface list LAN empty? Just a guess; you posted only a partial configuration.
 
WeWiNet
Long time Member
Posts: 618
Joined: Thu Sep 27, 2018 4:11 pm

Re: Mysterious "denied winbox/dude connect from 117.202.126.x" log

Fri Nov 06, 2020 1:20 pm

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
This is one of your first rules!!!
Man your firewall is wide open...
 
magistryoda
just joined
Posts: 4
Joined: Sat Oct 26, 2019 4:35 pm

Re: Mysterious "denied winbox/dude connect from 117.202.126.x" log

Fri Nov 06, 2020 4:47 pm

Man your firewall is wide open...
Your assumption is wrongly based. That is a pretty standard set of fw rules and there are no errors unless the LAN interface list is empty or includes the WAN interface as well.
The topic starter should post the full config here or this conversation will stay at the guess level.
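The rule-order question argued above can be checked mechanically by walking the posted input chain first-match-wins for a sample packet. This is an added example, not code from any poster or from RouterOS; the evaluator, the packet fields and the 203.0.113.5 WAN address are assumptions, and it models only the matchers that appear in this export.

```python
import shlex

# Input-chain rules copied verbatim from the export in the first post.
EXPORT = r'''
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291 protocol=tcp src-address-list=myExtIps
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=myExtIps
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
'''
ADDRESS_LISTS = {"myExtIps": {"1.1.1.1", "2.2.2.2"}}         # from the first post
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}     # from the later post

def parse(export):
    """Turn each 'add key=value ...' line into a dict of rule properties."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in export.strip().splitlines()]

def _match(key, want, pkt, iface_lists):
    """Evaluate one matcher; a leading '!' inverts the result."""
    negate, want = want.startswith("!"), want.lstrip("!")
    tests = {
        "connection-state": lambda: pkt["state"] in want.split(","),
        "src-address-list": lambda: pkt["src"] in ADDRESS_LISTS.get(want, set()),
        "in-interface-list": lambda: pkt["in"] in iface_lists.get(want, set()),
        "dst-port": lambda: str(pkt.get("dport")) == want,
        "protocol": lambda: pkt["proto"] == want,
        "dst-address": lambda: pkt["dst"] == want,
    }
    return tests[key]() != negate  # KeyError for a matcher this sketch does not model

def verdict(pkt, rules, iface_lists=INTERFACE_LISTS):
    """Return (action, comment) of the first rule whose matchers all hit."""
    for rule in rules:
        conds = {k: v for k, v in rule.items() if k not in ("action", "chain", "comment")}
        if all(_match(k, v, pkt, iface_lists) for k, v in conds.items()):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched (chain default)"  # RouterOS accepts unmatched packets

RULES = parse(EXPORT)
# Constructed packet: new TCP connection to WinBox from an unlisted WAN source.
STRANGER = {"src": "117.202.126.7", "dst": "203.0.113.5", "in": "ether1",
            "proto": "tcp", "dport": 8291, "state": "new"}
print(verdict(STRANGER, RULES))                                  # lists as posted
print(verdict(STRANGER, RULES, {"LAN": {"bridge", "ether1"}}))   # WAN port also in LAN
```

With the lists as posted, the packet ends at the final drop rule; if ether1 were also a member of LAN, no rule would match and only the `/ip service` `address=` restriction would stand between the packet and WinBox.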
 
trx314
just joined
Topic Author
Posts: 9
Joined: Mon Oct 26, 2020 8:36 pm

Re: Mysterious "denied winbox/dude connect from 117.202.126.x" log

Sun Nov 08, 2020 12:05 am

Thanks, but LAN is not empty.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
I doubt the CAPsMAN rule... possible?
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Mysterious "denied winbox/dude connect from 117.202.126.x" log

Sun Nov 08, 2020 10:16 am

I doubt the CAPsMAN rule... possible?
Try adding src-address=127.0.0.1 to this rule as well.
 
trx314
just joined
Topic Author
Posts: 9
Joined: Mon Oct 26, 2020 8:36 pm

Re: Mysterious "denied winbox/dude connect from 117.202.126.x" log

Mon Nov 09, 2020 11:40 pm

I don't use CAPsMAN, so I have disabled it.
My big concern is that this is "almost" the default config, with just a few changes, and the rules seem correct and safe. There is no rule that will allow a remote WinBox 8291 WAN connection, and all of a sudden, in the middle of the night, I get "denied winbox/dude connect" from a foreign public address....

So the big question is: how safe is MikroTik, how safe is the default config regarding remote connections, are there any bugs or vulnerabilities...
Thanks
 
magistryoda
just joined
Posts: 4
Joined: Sat Oct 26, 2019 4:35 pm

Re: Mysterious "denied winbox/dude connect from 117.202.126.x" log

Tue Nov 10, 2020 10:26 am

So, if you are not willing to put the full config here, I will suggest you add something like this to the top of your FW rules:
add action=log chain=input dst-port=8291 log=yes log-prefix=WINBOX protocol=tcp
At least you will see some details (like the incoming interface).