Floatas
just joined
Topic Author
Posts: 9
Joined: Mon Aug 03, 2020 12:59 am

Am I being port scanned?

Wed Jul 10, 2024 4:29 pm

Hello.

Wanted to ask if my IP address is compromised. I'm getting a lot of calls to port 61473 (can't tell what it is even used for), and some outputs just straight up look like port scans. Do I need to call my ISP and report this, or can I make some firewall rules to block these kinds of things?
[attachment: firewall logs.png]
I'm currently blocking TCP ports 21, 22, 23, 80, 8291 and 61473 if they are not from LAN because I became suspicious.
Also disabled every IP service except ssh and winbox (and they are only accessible from the router's subnet).

Also wanted to know why (in the default MikroTik rules) "drop all not coming from LAN" supersedes "drop from WAN not DST-NATed"? It does not matter what order they are in; "drop not DST-NATed" is just not working. I also have hairpin NAT; might that be a problem?
 
mkx
Forum Guru
Posts: 12568
Joined: Thu Mar 03, 2016 10:23 pm

Re: Am I being port scanned?

Wed Jul 10, 2024 4:40 pm

The default firewall rule set blocks everything not explicitly allowed from the WAN side (i.e. anything not DST-NATed or not allowed to hit the router itself). So it would block the connections you're dropping explicitly. And you'd see it works on the "drop from WAN not DST-NATed" rule statistics (not in the log, though).

I'd say that yes, what you see is "normal" behaviour; there will always be some hosts port scanning, either randomly sweeping address space or targeting hosts which are seen in some (unrelated) activity. For example, if you're running some bittorrent client (even with perfectly legitimate contents), then your WAN IP address will be widely known as "alive". It could be that you're seeing a larger number of (UDP) connection attempts towards a port which was recently used by the bittorrent client (many clients can be configured to use a random port each time they start), and these could be legitimate bittorrent clients (which received your IP address/port from trackers).

So my advice: make your firewall setup as tight as possible, but don't look at the logs of blocked attempts (they are already blocked, so no new information is provided; it only makes you dizzy).
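As an added illustration of the two patterns described above (a random sweep versus a crowd of peers hitting one recently used port), here is a small Python script that is not part of the thread: it parses RouterOS-style firewall log lines and separates one source probing many ports from many sources converging on a single port. The log-line layout, the sample entries and the addresses (documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of RouterOS firewall log entries
# (log-prefix, chain, interfaces, protocol, then src:port->dst:port).
# Addresses are documentation ranges; none of this is from the original thread.
SAMPLE_LOG = """\
jul/10 16:20:01 firewall,info blocked unauthorized input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51234->198.51.100.20:22, len 60
jul/10 16:20:01 firewall,info blocked unauthorized input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51235->198.51.100.20:23, len 60
jul/10 16:20:02 firewall,info Not from LAN input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51236->198.51.100.20:3389, len 60
jul/10 16:20:02 firewall,info Not from LAN input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51237->198.51.100.20:8080, len 60
jul/10 16:20:05 firewall,info Not from LAN input: in:ether1 out:(unknown 0), proto UDP, 192.0.2.7:6881->198.51.100.20:61473, len 130
jul/10 16:20:06 firewall,info Not from LAN input: in:ether1 out:(unknown 0), proto UDP, 192.0.2.88:51413->198.51.100.20:61473, len 130
jul/10 16:20:07 firewall,info Not from LAN input: in:ether1 out:(unknown 0), proto UDP, 192.0.2.150:6881->198.51.100.20:61473, len 130
jul/10 16:20:09 firewall,info Not from LAN input: in:ether1 out:(unknown 0), proto UDP, 192.0.2.201:49001->198.51.100.20:61473, len 130
"""

# Matches the protocol (with an optional flag list such as "(SYN)") and the socket pair.
LINE_RE = re.compile(
    r"proto (?P<proto>[A-Z]+)(?: \([^)]*\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_log(text):
    """Yield (proto, src_ip, dst_port) for every line carrying a socket pair."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], int(m["dport"])


def classify(text, sweep_ports=3, peer_sources=3):
    """Return (sweeps, crowded): sources that touched >= sweep_ports distinct ports,
    and proto/port pairs contacted by >= peer_sources distinct sources."""
    ports_by_src = defaultdict(set)
    srcs_by_port = defaultdict(set)
    for proto, src, dport in parse_log(text):
        ports_by_src[src].add(dport)
        srcs_by_port[(proto, dport)].add(src)
    sweeps = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= sweep_ports}
    crowded = {f"{proto}/{port}": len(s) for (proto, port), s in srcs_by_port.items()
               if len(s) >= peer_sources}
    return sweeps, crowded


if __name__ == "__main__":
    for kind, result in zip(("port sweeps", "crowded ports"), classify(SAMPLE_LOG)):
        print(kind, result)
```

On the sample input the TCP source touching 22, 23, 3389 and 8080 shows up as a sweep, while UDP/61473 shows four unrelated sources, the shape a recently used P2P port leaves behind.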
 
k6ccc
Forum Guru
Posts: 1565
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Am I being port scanned?

Wed Jul 10, 2024 4:49 pm

As a general statement, if you have an Internet-facing port for very long you WILL be port scanned and have attempts on many of the common ports. Your ISP will either laugh in your face, or at least laugh at you after ending the phone call, if you ask them to fix that "problem". You need to stop those with your firewall rules, which it looks like you are doing.

As for your firewall rules question, rules are always processed in order. If an earlier rule is not doing anything, presumably it is not filtering what you think it should be. Beyond that, we would need to see your configuration to be able to answer. Post your configuration and ask your questions. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the Files section, right-click on the filename you created and select Download in order to download the file to your computer. It will be a text file with whatever name you saved it under and an extension of .rsc. I suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
erlinden
Forum Guru
Posts: 2463
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Am I being port scanned?

Wed Jul 10, 2024 5:13 pm

> Also wanted to know why (in the default MikroTik rules) "drop all not coming from LAN" supersedes "drop from WAN not DST-NATed"? It does not matter what order they are in; "drop not DST-NATed" is just not working. I also have hairpin NAT; might that be a problem?
There is a difference between the input chain (access to your router) and the forward chain (access to the devices behind the router).
I decided (which is actually a very good approach) to block everything and allow what I want. A very different approach, in my opinion better from a conceptual perspective.

If you want to have a check on your current firewall (and give us a good laugh from time to time ... might not be the case for you), just share it with us:
/ip/firewall export
Remove any private info and place it in between code tags by using the </> button.
 
Floatas
just joined
Topic Author
Posts: 9
Joined: Mon Aug 03, 2020 12:59 am

Re: Am I being port scanned?

Wed Jul 10, 2024 5:18 pm

> The default firewall rule set blocks everything not explicitly allowed from the WAN side (i.e. anything not DST-NATed or not allowed to hit the router itself). So it would block the connections you're dropping explicitly. And you'd see it works on the "drop from WAN not DST-NATed" rule statistics (not in the log, though).
>
> I'd say that yes, what you see is "normal" behaviour; there will always be some hosts port scanning, either randomly sweeping address space or targeting hosts which are seen in some (unrelated) activity. For example, if you're running some bittorrent client (even with perfectly legitimate contents), then your WAN IP address will be widely known as "alive". It could be that you're seeing a larger number of (UDP) connection attempts towards a port which was recently used by the bittorrent client (many clients can be configured to use a random port each time they start), and these could be legitimate bittorrent clients (which received your IP address/port from trackers).
>
> So my advice: make your firewall setup as tight as possible, but don't look at the logs of blocked attempts (they are already blocked, so no new information is provided; it only makes you dizzy).
Ahh man. For the torrent, you were right. As for "not dstnat": if I shouldn't expect logs, then why doesn't at least the byte counter work, to ensure blocking of every port that is not DST-NATed?
 
Floatas
just joined
Topic Author
Posts: 9
Joined: Mon Aug 03, 2020 12:59 am

Re: Am I being port scanned?

Wed Jul 10, 2024 5:19 pm

> As a general statement, if you have an Internet-facing port for very long you WILL be port scanned and have attempts on many of the common ports. Your ISP will either laugh in your face, or at least laugh at you after ending the phone call, if you ask them to fix that "problem". You need to stop those with your firewall rules, which it looks like you are doing.
>
> As for your firewall rules question, rules are always processed in order. If an earlier rule is not doing anything, presumably it is not filtering what you think it should be. Beyond that, we would need to see your configuration to be able to answer. Post your configuration and ask your questions. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the Files section, right-click on the filename you created and select Download in order to download the file to your computer. It will be a text file with whatever name you saved it under and an extension of .rsc. I suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
I basically use the default config, just set up hairpin NAT for game servers and some servers or services on a Raspberry Pi:
# jul/10/2024 17:09:14 by RouterOS 6.49.15
#
# model = RB750Gr3
/interface bridge
add admin-mac=************ auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=1d \
    name=defconf
/queue type
add kind=sfq name=sfq-default sfq-perturb=10
/system logging action
set 1 disk-file-count=3 disk-file-name=disk1/log
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=LAN-RANGE
/ip firewall filter
add action=drop chain=input dst-port=******,******,******,******,****** in-interface-list=!LAN \
    log=yes log-prefix="blocked unauthorized" protocol=tcp
add action=drop chain=forward disabled=yes out-interface=ether1 src-address=\
    192.168.88.195 src-address-list=""
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    dst-port=!****** in-interface-list=!LAN log=yes log-prefix="Not from LAN" \
    protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 out-interface=\
    bridge src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="For any game server." dst-address=\
    !192.168.88.0/24 dst-address-type=local dst-port=****** protocol=tcp \
    to-addresses=192.168.88.2 to-ports=******
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 \
    dst-address-type=local dst-port=****** protocol=udp to-addresses=\
    192.168.88.195 to-ports=******
add action=dst-nat chain=dstnat comment=OwnCloud dst-address=!192.168.88.0/24 \
    dst-address-type=local dst-port=****** protocol=udp to-addresses=\
    192.168.88.65 to-ports=****
add action=dst-nat chain=dstnat dst-address=!192.168.88.0/24 \
    dst-address-type=local dst-port=****** protocol=tcp to-addresses=\
    192.168.88.65 to-ports=******
add action=dst-nat chain=dstnat comment="Plex Media Server" dst-address=\
    !192.168.88.0/24 dst-address-type=local dst-port=****** protocol=tcp \
    to-addresses=192.168.88.65 to-ports=******
add action=dst-nat chain=dstnat comment=Grafana dst-address=!192.168.88.0/24 \
    dst-address-type=local dst-port=****** protocol=tcp to-addresses=\
    192.168.88.65 to-ports=******
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24 port=******
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=disk topics=firewall
add action=disk topics=system
/system scheduler
add interval=1w name="Run backup" on-event=Backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jul/10/2024 start-time=00:00:00
/system script
add dont-require-permissions=no name=Backup owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/system backup save name=\"/disk1/backup\""
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Am I being port scanned?

Wed Jul 10, 2024 5:27 pm

The WWW is constantly being scanned by bots, so consider that life is normal.

Open ports attract more flies. One thing you can do is:
- ensure you have a source address list for all those externally accessing your server:
  a. users should either have fixed static WAN IPs,
  OR
  b. they should be able to use DynDNS URLs from providers; there are plenty of free ones.
Hence you simply add src-address-list=ExternalUsers to each dstnat rule.

Prior to the change:
- any ports in dstnat rules appear on the internet as visible but closed.

After the change:
- any ports in dstnat rules do not appear on scans (not visible).

+++++++++++++++++++++++++++++++++++++++

Since it's been clear to me from day one that servers were an issue, and there is no decrease in people with servers anytime soon,
I recommended to MikroTik that they provide, as an options package ... for those with long memory ...
a Cloudflare Zero Trust package in ROS.

However, the clowns in management think that stating it can be used in a container is the right approach.
Sorry, way too complex and limiting to those with expertise beyond normal, and in hardware that can even use containers ...

My recommendation was for the ability for novice to medium users to safely set up their servers via their MikroTik products.
Due to the limited space in older devices especially, it would not make sense to make this a core part of RoS unless it was trivial.

It is still a valid capability to provide, but just like the first post process, blinders go on when it's not their idea ...
 
erlinden
Forum Guru
Posts: 2463
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Am I being port scanned?

Wed Jul 10, 2024 5:33 pm

If you are worried about security, you might want to reconsider this:
> /ip upnp
> set enabled=yes
> /ip upnp interfaces
> add interface=ether1 type=external
Ports are scanned; up to you if you want to have it logged ... or not.
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Am I being port scanned?

Wed Jul 10, 2024 5:34 pm

Yup, normally there is no reason to have UPnP enabled ...
 
Floatas
just joined
Topic Author
Posts: 9
Joined: Mon Aug 03, 2020 12:59 am

Re: Am I being port scanned?

Wed Jul 10, 2024 5:40 pm

> If you are worried about security, you might want to reconsider this:
> /ip upnp
> set enabled=yes
> /ip upnp interfaces
> add interface=ether1 type=external
> Ports are scanned; up to you if you want to have it logged ... or not.
Thank you. I disabled it; don't know why I had it in the first place. Probably something with gaming and P2P networking.
