SSH attack

Posted: Fri May 30, 2014 2:41 am
by suporteitanet
Greetings. For the last few days, every time I open the log I see a list of critical login failures via SSH and Telnet, and the source IP belongs to my network. Is it possible that someone has copied this IP, put it on a device and is trying to invade the RouterBOARD?

Sorry for my bad English, but I am worried about this.

Re: SSH attack

Posted: Fri May 30, 2014 8:52 am
by plisken
You can block access to SSH, or disable SSH if you don't need SSH.

Or you can set it so that your IP address can connect with SSH:

Go to "IP" > "Services"

Double-click on the SSH line

Then enter the IP address of the PC that is allowed to log in with SSH

Re: SSH attack

Posted: Fri May 30, 2014 10:12 am
by IntrusDave
I use this solution... Allow a few attempts, then filter the IP.
/ip firewall filter
add action=drop chain=input src-address-list=blacklist

add action=log chain=input connection-state=new dst-port=22 \
    log-prefix="SSH Brute Force Blocked" protocol=tcp src-address-list=ssh_stage3

add action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=4w chain=input comment="Block SSH 4th Attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3

add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input comment="Log SSH 3rd Attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2

add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="Log SSH 2nd Attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1

add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="Log SSH 1st Attempt" \
    connection-state=new dst-port=22 protocol=tcp


Re: SSH attack

Posted: Fri May 30, 2014 2:35 pm
by suporteitanet
Thank you everyone for the fast response. I will close the topic.

Re: SSH attack

Posted: Fri May 30, 2014 4:54 pm
by Rudios
@intrusdave
Why all the lists?
It looks like you are blocking anyway after multiple tries.
Could it be blocked from the start?

Actually, I get it. Upon a successful connection the first time, the source IP is only listed in the stage 1 list.
It only ends up in the blacklist upon multiple failed tries :)

Re: SSH attack

Posted: Sat May 31, 2014 8:19 am
by IntrusDave
Exactly. You get 3 attempts, then blocked.
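The staged-list behaviour of the rules posted above, and the walk-through in the two replies, as an added Python simulation (not RouterOS code and not written by any poster). List names, timeouts and rule order come from the posted rules; the IP addresses are constructed, and the model assumes that re-adding an address to a list refreshes its timeout.

```python
from dataclasses import dataclass, field

MIN, WEEK = 60, 7 * 24 * 3600  # the posted address-list-timeout values: 1m and 4w


@dataclass
class Firewall:
    lists: dict = field(default_factory=dict)  # list name -> {ip: expiry in seconds}
    log: list = field(default_factory=list)

    def in_list(self, name, ip, now):
        return self.lists.get(name, {}).get(ip, -1) > now

    def add(self, name, ip, now, timeout):
        # Assumption: re-adding an address that is already listed refreshes its timeout.
        self.lists.setdefault(name, {})[ip] = now + timeout

    def new_connection(self, ip, dst_port, now):
        """Walk the six rules in the posted order; True = accepted, False = dropped."""
        if self.in_list("blacklist", ip, now):  # rule 1: drop, regardless of port
            return False
        if dst_port != 22:  # rules 2-6 only match connection-state=new dst-port=22
            return True
        if self.in_list("ssh_stage3", ip, now):  # rules 2-3: log, then blacklist for 4w
            self.log.append(f"SSH Brute Force Blocked {ip}")
            self.add("blacklist", ip, now, 4 * WEEK)
        if self.in_list("ssh_stage2", ip, now):  # rule 4: stage2 -> stage3 (1m)
            self.add("ssh_stage3", ip, now, MIN)
        if self.in_list("ssh_stage1", ip, now):  # rule 5: stage1 -> stage2 (1m)
            self.add("ssh_stage2", ip, now, MIN)
        self.add("ssh_stage1", ip, now, MIN)  # rule 6: every new SSH connection
        return True  # log and add-src-to-address-list pass the packet on


def burst(fw, ip, times):
    """New SSH connections from ip at the given timestamps; accept/drop per attempt."""
    return [fw.new_connection(ip, 22, t) for t in times]


def demo():
    fw = Firewall()
    attacker, admin = "203.0.113.10", "198.51.100.7"  # constructed sample addresses
    fast = burst(fw, attacker, [0, 5, 10, 15, 20])  # five tries inside one minute
    slow = burst(fw, admin, [100, 200, 300, 400, 500])  # one login every 100 s
    return {
        "fast": fast, "slow": slow, "log": fw.log,
        "attacker_blacklisted": fw.in_list("blacklist", attacker, 25),
        "admin_blacklisted": fw.in_list("blacklist", admin, 505),
        "admin_stage1_expired": not fw.in_list("ssh_stage1", admin, 561),
    }
```

Because the drop rule sits first and the stage rules only add addresses, the fourth new connection inside a minute is the one that lands the source in the blacklist and is itself still passed; dropping starts with the fifth, while connections spaced more than a minute apart never get past ssh_stage1.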

Re: SSH attack

Posted: Mon Jun 02, 2014 3:46 am
by servaris
I am no MikroTik guru, but I would say it is easier to use a different port for SSH. We use a 5-digit port number (the same one, of course) on every one of our servers. Never got broken into. We used PF on the servers (running FreeBSD). Then you can use the firewall rule the person above said to use for the new SSH port. Just not sure if you can block port scans, but I suspect one can do that too.

Re: SSH attack

Posted: Thu Apr 30, 2015 11:19 pm
by AlexS
Personally, I would use the firewall to limit access to the SSH port to known good locations.

All you need is 4-5 rsyncs, scps and sshs to put yourself on the blacklist.

If you limit it to known good internal IP addresses and you're on the internet, use a VPN to get inside and then connect outside.

Security by obscurity is not the best.