MikroTik

Hi,

Our primary router is under attack by a botnet. I see this sort of messages at the router console:

[admin@my-router] > /
echo: system,error,critical login failure for user ftpuser from 91.135.238.186 via ssh
[admin@my-router] > /
echo: system,error,critical login failure for user admin from 91.135.238.186 via ssh
[admin@my-router] > /
echo: system,error,critical login failure for user D-Link from 91.135.238.186 via ssh

Always in a series of three. Always the same usernames. Always from a new IP address.

My regular SSH brute-force rules don't kick in until four attempts and then only with a temporary ban.

Does anyone know how I could write rules to catch this attack and set a longer (or permanent) ban?

Thanks,

G

It's working correctly. If you would like to stop it immediately set the tarpit rule on the required tcp ports and drop on udp. But then you will not be able to log in as well. So you can implement port knocking. For longer time of blocking the ip just rise the address list timeout. Or regularly change dynamic records of address list to static.

How many records of attack attempts do you see per hour?

Hi,

I don't understand "It's working correctly." But thank you for your response.

I estimate I'm getting about 200 attempts per hour with 3 attempts per (source, attacker) IP adddress and the same three usernames being attempted by all attackers.

Overnight, the usernames have changed to 'root', 'guest' and 'admin' but the attack continues.

I decided to modify my existing SSH brute force rules to trigger after only three attempts and to last for 10 days. I'm sure there will be a price to pay...

Any better ideas, anyone?

Thanks in advance,

G

Skip one aging rule to have only two accepted attempts instead three. Add rules that drop all udp from listed ip addresses and tarpit the all tcp. Few hundreds per hour is nothing. Only thousands per second could mean something.

And correctly means as designed.

Use ssh keys and ignore the login attempts.

Using keys doesn't stop attempts, just stops login error messages.

The ideal thing is not to expose management access to the whole Internet. Block everything with the input chain, then allow it from the netblocks/static IP/vpn IP you want to have such access. All this tarpitting stuff, while it works, is sort of rube goldbergish.

This is what I do.. If it's not in the netblocks address list, it is rejected. The address list has the internal netblock like 192.168.x.x and external netblocks or static IPs which I'd use for management access.

Tarpit is more effective than reject as it doesn't need to track the connection and what's better, consumes attacker resources so he cannot try again if he hits his limits.
Of course whitelisting is better than blacklisting, no doubt.

Hi.
Simply move the SSH service to another port (like 122, 2022, 8022... ). This will stop most of botnet-robots.

Regards: Xen

Thanks all for your input.

In our use case, we use our main Mikrotik router as a sort of 'honeypot' and we also block traffic to all downstream routers as well. So, in this case, we'd rather 'detect and block' rather than 'avoid'.

I'm a little afraid of using 'tarpit' as I've heard that uses local (my) router resources and that scares me a bit. I guess I need to learn more about 'tarpitting'. This is on a powerful CloudCore router.

In general, we do use alternate ports for SSH and, while that is only obfuscation, it gets rid of most of the automated tools/script kiddies.

Where I struggle most is with botnets...and they are getting smarter all the time.

What I did seemed to work pretty well...I just modified my regular SSH brute force rules so that they blocked after three attempts and blocked for a longer time period (10 days).

Thanks again for all input.

G

If your router is the gateway than simply tarpit/drop all incoming from WAN. If your router is in a core network like mine with double NATs and on multiple VLANs and networks than you should set up port knocking and deny access from all non authoritive IPs. For example i deny all access to input from my gateway but i also have a 3s rule for outgoing. I dont do any NAT.

Simply said tarpit makes the attacker to believe the connection is opened but the track at your side is thrown away. Attacker keeps connection and your resources are not consumed further. If you drop he will try again and again.