
Is somebody hacking my system?

Posted: Sat Oct 08, 2005 4:20 pm
by goddy
Hi, when I logged in today this is what I got. Is someone trying to hack into my system? And what do I do? This is the message I got:

(193 messages not shown)
oct/07/2005 12:08:02 system,error,critical login failure for user amanda from 210.125.133.51 via ssh
oct/07/2005 12:08:08 system,error,critical login failure for user amazing from 210.125.133.51 via ssh
oct/07/2005 12:08:15 system,error,critical login failure for user amber from 210.125.133.51 via ssh
oct/07/2005 12:08:21 system,error,critical login failure for user american from 210.125.133.51 via ssh
oct/07/2005 12:08:28 system,error,critical login failure for user amit from 210.125.133.51 via ssh
oct/07/2005 12:08:35 system,error,critical login failure for user amy from 210.125.133.51 via ssh
oct/07/2005 12:08:41 system,error,critical login failure for user anand from 210.125.133.51 via ssh
oct/07/2005 12:08:48 system,error,critical login failure for user anderson from 210.125.133.51 via ssh

SSH attack

Posted: Sat Oct 08, 2005 7:50 pm
by joshkuo
Looks like you have SSH set up as a publicly accessible service, and someone is trying to get in. This type of attack has become more and more popular recently with SSH.

My recommendation to you is to set up SSH so only the necessary hosts can access it. You would usually do this in /ip firewall rule input, and set up some rules like this:
1  ;;; accept ssh from my first server
   in-interface=External src-address=xx.xx.xx.xx dst-address=:22 protocol=tcp action=accept 

2  ;;; allow HTTPS connection from my other server
   in-interface=External src-address=yy.yy.yy.yy dst-address=:443 protocol=tcp action=accept

... (some other rules)

10  ;;; drop everything else
    in-interface=External protocol=tcp action=drop
Also, you might want to inform the administrator of the attacking host and have him/her stop the attack. A simple 'whois' will tell you who owns that block of IP addresses, complete with contact information.

Hope this helps.
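The following is an added example, not code from this thread or from MikroTik. It does two things the posts above talk about: it triages the "login failure ... via ssh" lines goddy pasted (counting failures per source, how many different usernames were tried and how closely spaced the attempts are, which is what separates a scripted dictionary run from a person mistyping a password), and it emits the kind of RouterOS firewall commands joshkuo describes: drop the flagged sources, accept port 22 only from your management hosts, drop the rest. The log format is taken from the posted lines; the two 192.0.2.7 entries, the 198.51.100.10 management host, the flagging thresholds and the 2.9-style `/ip firewall filter` and `address-list` syntax are assumptions for this example and should be checked against your own router's version.

```python
"""Triage of RouterOS 'login failure ... via ssh' log lines (added example).

The eight 210.125.133.51 lines are the ones posted in the thread; the two
192.0.2.7 lines are constructed to show a benign case that must not be
flagged (two failures for one account, 15 s apart, i.e. a typo).
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
oct/07/2005 12:08:02 system,error,critical login failure for user amanda from 210.125.133.51 via ssh
oct/07/2005 12:08:08 system,error,critical login failure for user amazing from 210.125.133.51 via ssh
oct/07/2005 12:08:15 system,error,critical login failure for user amber from 210.125.133.51 via ssh
oct/07/2005 12:08:21 system,error,critical login failure for user american from 210.125.133.51 via ssh
oct/07/2005 12:08:28 system,error,critical login failure for user amit from 210.125.133.51 via ssh
oct/07/2005 12:08:35 system,error,critical login failure for user amy from 210.125.133.51 via ssh
oct/07/2005 12:08:41 system,error,critical login failure for user anand from 210.125.133.51 via ssh
oct/07/2005 12:08:48 system,error,critical login failure for user anderson from 210.125.133.51 via ssh
oct/07/2005 13:30:10 system,error,critical login failure for user admin from 192.0.2.7 via ssh
oct/07/2005 13:30:25 system,error,critical login failure for user admin from 192.0.2.7 via ssh
"""

# Shape of the posted lines: "mon/dd/yyyy hh:mm:ss system,error,critical login failure for user X from A.B.C.D via ssh"
LINE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2})/(?P<year>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"system,error,critical login failure for user (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\w+)$"
)
MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}


def parse_log(text):
    """Return a list of (timestamp, user, src, service) tuples, one per failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines from other log topics are ignored
        hh, mm, ss = (int(x) for x in m["time"].split(":"))
        ts = datetime(int(m["year"]), MONTHS[m["mon"].lower()], int(m["day"]), hh, mm, ss)
        events.append((ts, m["user"], m["src"], m["svc"]))
    return events


def summarize(events):
    """Per source IP: number of failures, distinct usernames tried, seconds from first to last attempt."""
    by_src = defaultdict(list)
    for ts, user, src, _svc in events:
        by_src[src].append((ts, user))
    summary = {}
    for src, attempts in by_src.items():
        times = sorted(t for t, _ in attempts)
        summary[src] = {
            "failures": len(attempts),
            "distinct_users": len({u for _, u in attempts}),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return summary


def classify(summary, min_failures=5, max_mean_gap=30.0):
    """Return {src: reason} for sources that look automated.

    Thresholds are assumptions for this example: five or more failures with a
    mean spacing of 30 s or less is a script, not a person retyping a password.
    A source that cycles through many usernames is running a user list
    (which is why the username, not just the password, changes each time).
    """
    flagged = {}
    for src, s in summary.items():
        if s["failures"] < min_failures:
            continue
        mean_gap = s["span_seconds"] / max(s["failures"] - 1, 1)
        if mean_gap > max_mean_gap:
            continue
        if s["distinct_users"] > 1:
            flagged[src] = "username dictionary (%d names, %.1f s apart)" % (s["distinct_users"], mean_gap)
        else:
            flagged[src] = "password guessing against one account (%.1f s apart)" % mean_gap
    return flagged


def router_commands(flagged, mgmt_hosts, list_name="ssh_attackers", port=22):
    """RouterOS 2.9-style commands: block flagged sources, allow SSH only from mgmt_hosts, drop the rest.

    The syntax (address lists, /ip firewall filter with chain=input) is assumed
    here; rule order matters on the router, so add these above any broad accept.
    """
    cmds = ["/ip firewall address-list add list=%s address=%s" % (list_name, src) for src in sorted(flagged)]
    cmds.append("/ip firewall filter add chain=input protocol=tcp dst-port=%d src-address-list=%s action=drop"
                % (port, list_name))
    for host in mgmt_hosts:
        cmds.append("/ip firewall filter add chain=input protocol=tcp dst-port=%d src-address=%s action=accept"
                    % (port, host))
    cmds.append("/ip firewall filter add chain=input protocol=tcp dst-port=%d action=drop" % port)
    return cmds


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for src, s in summary.items():
        print(src, s)
    flagged = classify(summary)
    for src, reason in flagged.items():
        print("FLAG", src, reason)
    for cmd in router_commands(flagged, ["198.51.100.10"]):  # 198.51.100.10 is a stand-in management host
        print(cmd)
```

On the posted data the 210.125.133.51 source shows eight failures, eight different usernames and a mean spacing of about 6.6 s, so it is flagged as a username dictionary; the constructed 192.0.2.7 source (two failures, one account) is not. Feeding the generated commands to the router is left to you; read them first, and remember that rules are matched in order, so the accept for your management hosts must sit above the final drop.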

Posted: Sat Oct 08, 2005 8:03 pm
by changeip
The best option is to change the SSH port from 22 to something like 222 or 2222 or 65522.

Posted: Sun Oct 09, 2005 4:40 am
by GJS
Hmm...I also get this on my 2.9 routers but I never had it and still don't get it on 2.8. Is this just because it is not being logged by default on 2.8?

Also, if this is a brute force attack, why does the username change every time, why not just the password? Surely that would have a better chance of success?

Posted: Sun Oct 09, 2005 12:16 pm
by andrewluck
Guy

If you've got port 22 open to the Internet then you'll be getting this even if it's not logged.

The program that does this has a list of common user names and passwords. Most are oriented towards Unix systems e.g. root:root, root:god, mysql:mysql etc...etc...etc. I've even had this from an Italian system that used a list of Italian names so not much chance of success running that against a UK system!

Provided you have suitably complex passwords and are not allowing root to log in using SSH then it's an annoyance rather than a serious threat.

Regards

Andrew

Posted: Sun Oct 09, 2005 12:45 pm
by GJS
Thanks for the advice, Andrew.

I was also able to find out a little more about this type of attack here:

http://www.whitedust.net/article/27/Rec ... 20Attacks/

Cheers.