I can see that someone is try to enter the router using ssh2
but all I can see is with which user he is trying
can I know also in which pass is he trying?
like it the img
u can see that some one is trying to enter using user:root,postmaster,postfix....
can I know also what pass is he trying to enter?
is there anyway to know password mistake?
You do not have the required permissions to view the files attached to this post.
Re: is there anyway to know password mistake?
no, there is no way to get the actual password, that would be major security issue if it was allowed.
Re: is there anyway to know password mistake?
why is that?
It will only show the wrong ones
It will only show the wrong ones
Re: is there anyway to know password mistake?
You can:
1. Do a port redirection - dst-nat for ssh port to a server on a separate linux machine you have in your network for sniffing passwords (ex. a Raspberry Pi machine) for connections coming from an address list (and you just add the "suspicious" IP to the list - to be redirected to the fake server)
2. Sniff passwords from the linux machine (see http://blog.vpetkov.net/2013/01/29/snif ... rver-side/ )
edit: I've just tested, it works for me!
So:
write(4, "\0\0\0\16$ecreTP2$$w0rd", 18) = 18
write(4, "\0\0\0\21An0ther$ecretP@ss", 21) = 21
write(4, "\0\0\0\rM2ybeThi$0ne?", 17) = 17
It works!
All you need is:
1. On your MikroTik:
2. On your Linux sniffer:
- And wait.
I'm sure it's worth at least 1 karma.
1. Do a port redirection - dst-nat for ssh port to a server on a separate linux machine you have in your network for sniffing passwords (ex. a Raspberry Pi machine) for connections coming from an address list (and you just add the "suspicious" IP to the list - to be redirected to the fake server)
2. Sniff passwords from the linux machine (see http://blog.vpetkov.net/2013/01/29/snif ... rver-side/ )
edit: I've just tested, it works for me!
Code: Select all
Process 20987 attached - interrupt to quit
write(4, "\0\0\0\23\v", 5) = 5
write(4, "\0\0\0\16$ecreTP2$$w0rd", 18) = 18
write(3, "*\373\fAPK\365B\243\220\\\"7(\321\24\216J}g^\2411\3555\27n\352\377\23B\22"..., 64) = 64
write(4, "\0\0\0\26\v", 5) = 5
write(4, "\0\0\0\21An0ther$ecretP@ss", 21) = 21
write(3, "\231\315\3v\306\206\337\213\367\220\245\354\245\36x\317C\262O\37$Q\0218\330\230\364/\363\344\343\232"..., 64) = 64
write(4, "\0\0\0\22\v", 5) = 5
write(4, "\0\0\0\rM2ybeThi$0ne?", 17) = 17
write(3, "\214do\325\307\26~\240\372\260\261\346aK\323\237P\373,\322H\243.\17\177X\225\333\25MT\260"..., 64) = 64
write(8, "\0\0\0+\0\0\0\3\0\0\0#Connection closed by"..., 47) = 47
Process 20987 detachedwrite(4, "\0\0\0\16$ecreTP2$$w0rd", 18) = 18
write(4, "\0\0\0\21An0ther$ecretP@ss", 21) = 21
write(4, "\0\0\0\rM2ybeThi$0ne?", 17) = 17
It works!
All you need is:
1. On your MikroTik:
Code: Select all
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=22 src-address-list=sniff_ssh dst-address=<MikroTik'sIPAddress> to-addresses=<LinuxSnifferMachineIPAddress>
/ip firewall address-list add list=sniff_ssh address=<Attacker'sIPAddress>Code: Select all
root@sniffer:~# while [ 1 ]; do newpid=`ps aux | grep ssh | grep net | awk {' print $2'}`; if [ -n "$newpid" ]; then strace -q -e write -p $newpid; fi; done
I'm sure it's worth at least 1 karma
.Re: is there anyway to know password mistake?
seem great
my only problem is that I don't have separate linux machine.
Thanks anyway
my only problem is that I don't have separate linux machine.
Thanks anyway
Re: is there anyway to know password mistake?
Have you tried something like this?
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
Or have you considered blocking that ip?
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention
Or have you considered blocking that ip?
Re: is there anyway to know password mistake?
I can't block the IP because it's changing .
but i have done this (as you told )
but where do I see\change the timeout?
thanks ,
but i have done this (as you told )
Code: Select all
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
but where do I see\change the timeout?
thanks ,
Re: is there anyway to know password mistake?
If you mean the 10 day timeout, here. Change the address-list-timeout value.
Code: Select all
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
Re: is there anyway to know password mistake?
Have you considered blocking SSH al together if you don't need it?
Re: is there anyway to know password mistake?
Thanks , it's very helpful
I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP )
I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP )
Re: is there anyway to know password mistake?
Thanks , it's very helpful
I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP )
Then use a other port than de default port
Re: is there anyway to know password mistake?
...or use "port knocking".
Re: is there anyway to know password mistake?
Port knocking or a vpn
Sent from my SCH-I545 using Tapatalk
Sent from my SCH-I545 using Tapatalk
Re: is there anyway to know password mistake?
Port knocking as some already mentioned or you can use some filter rules which you can find on the wiki, like these for example:Thanks , it's very helpful
I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP )
Code: Select all
/ip firewall filter
add action=drop chain=input comment="drop ssh brute force login" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blaclist
add action=add-src-to-address-list address-list=ssh_blaclist \
address-list-timeout=1w3d chain=input comment="" connection-state=new \
disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=5m chain=input comment="" connection-state=new \
disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment="" connection-state=new \
disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment="" connection-state=new \
disabled=no dst-port=22 protocol=tcpRe: is there anyway to know password mistake?
from what I have seen from the last few days
the first rules you gave me work just fine :
the first rules you gave me work just fine :
Code: Select all
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Aviod to enter from the WiFi
chain=forward action=drop src-address=10.0.0.0/24 dst-address=159.158.157.0/29
1 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
2 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d
dst-port=22
3 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22
4 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
5 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
address-list=ssh_stage1 address-list-timeout=1m dst-port=22
[admin@Koren-ADSL] >
Re: is there anyway to know password mistake?
Port knocking as some already mentioned or you can use some filter rules which you can find on the wiki, like these for example:Thanks , it's very helpful
I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP )The above rules would allow connections from one IP on ssh three times, if all these attempts fail, then that IP will be banned for 10 days.Code: Select all/ip firewall filter add action=drop chain=input comment="drop ssh brute force login" disabled=no \ dst-port=22 protocol=tcp src-address-list=ssh_blaclist add action=add-src-to-address-list address-list=ssh_blaclist \ address-list-timeout=1w3d chain=input comment="" connection-state=new \ disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3 add action=add-src-to-address-list address-list=ssh_stage3 \ address-list-timeout=5m chain=input comment="" connection-state=new \ disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2 add action=add-src-to-address-list address-list=ssh_stage2 \ address-list-timeout=1m chain=input comment="" connection-state=new \ disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1 add action=add-src-to-address-list address-list=ssh_stage1 \ address-list-timeout=1m chain=input comment="" connection-state=new \ disabled=no dst-port=22 protocol=tcp
The only issue is that it won't reset when a good connection is established right?.... it would seem that it would be cool to remove the IP from the list when a valid connection is established. The only way I can think of to do that however is to have the SSH server use the API to remove the entry....
Thoughts?
Re: is there anyway to know password mistake?
What do you mean by reset? A valid connection will connect at first attempt and the source IP will be part of the stage1 list which has a time out of 1m. Obviously, you would not attempt a second connection and after one minute the IP will not be any more on any list. Anyway, you still have three attempts to make a successful connection, and only if you fail those three attempts the IP will be part of the ssh black list. You can add attempts though if you like.The only issue is that it won't reset when a good connection is established right?
Re: is there anyway to know password mistake?
Unless you open multiple terminals. I'm just saying that those rules so not only pick up invalid attempts. They pick up valid and invalid. So if you opened multiple valid connections you could also get blocked.
Sent from my SCH-I545 using Tapatalk
Sent from my SCH-I545 using Tapatalk
-
-
jaykay2342
Member
- Posts: 336
- Joined:
- Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany
Re: is there anyway to know password mistake?
Why do you have ssh on a router open for everyone? I usually manage all devices from my office, via vpn or from a jump box at the datacenter. Therefor only those IP(ranges) are allowed to access the routers via ssh.
If it's possible i would limit the access to as few as possible IPs.
If it's possible i would limit the access to as few as possible IPs.
Re: is there anyway to know password mistake?
+1Why do you have ssh on a router open for everyone? I usually manage all devices from my office, via vpn or from a jump box at the datacenter. Therefor only those IP(ranges) are allowed to access the routers via ssh.
If it's possible i would limit the access to as few as possible IPs.
Sent from my SCH-I545 using Tapatalk
-
-
sanitycheck
newbie
- Posts: 48
- Joined:
- Location: USA
Re: is there anyway to know password mistake?
Don't forget certificates. I import a certificate for a new user I add (I don't use a password on the account, but I do on the certificate). I put that new user in a new group I create that has only SSH access. I remove the SSH privilege from admin group. I then put SSH on a random, high-numbered port as someone else suggested.
That setup doesn't eliminate the possibility of continued brute-force attacks, but the non-standard port makes it much less likely, and the certificate reduces the chance of success to just about zero. Even if someone could gain access through the ssh-only user account, there's not much they can do unless they can launch a second session as admin through the ssh connection.
If for some reason a certificate could not be used, I would still make the other changes above, but change the name of the account with ssh privilege to something difficult to guess. That way guessing the username is as difficult as guessing the password.
VPN is a great idea but not possible if you manage multiple routers not owned by the same person or company. Plus, having ssh as a back door is nice if the VPN breaks. That's a real possibility with firmware updates, but ssh is simple enough that it always seems to work.
That setup doesn't eliminate the possibility of continued brute-force attacks, but the non-standard port makes it much less likely, and the certificate reduces the chance of success to just about zero. Even if someone could gain access through the ssh-only user account, there's not much they can do unless they can launch a second session as admin through the ssh connection.
If for some reason a certificate could not be used, I would still make the other changes above, but change the name of the account with ssh privilege to something difficult to guess. That way guessing the username is as difficult as guessing the password.
VPN is a great idea but not possible if you manage multiple routers not owned by the same person or company. Plus, having ssh as a back door is nice if the VPN breaks. That's a real possibility with firmware updates, but ssh is simple enough that it always seems to work.