MT Router under attack

AfricanTech (Honorary Master, joined Mar 19, 2010, 40,369 messages)
So, fibre got switched on yesterday, and aside from the fact that my 40/10 line appears to be configured as a 20/1 line (not according to the Call Centre, so they're sending someone out to have a look), I've also had occasion to dip into the log.

All of a sardine, I've noticed that there is a long list of critical login failures for non-existent usernames on ftp port 21, ssh port 22 and telnet port 23 - obviously attempts to log in to my router, since the IP addresses are from all over the place (Brazil, S Korea, Netherlands, etc.).

As a quick fix I've disabled ftp, ssh and telnet via Winbox. Is it better to do that or to use firewall rules such as in the examples below? I only ever access the Mikrotik locally, so do I need to go to the trouble of setting up the firewall rules, or is it better to just leave those services disabled?



Allows only 10 FTP "Login incorrect" answers per minute:

Code:
/ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
    comment="drop FTP clients that are already blacklisted"
add chain=output protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m action=accept \
    comment="let up to 10 '530 Login incorrect' replies per minute go out to each client"
add chain=output protocol=tcp content="530 Login incorrect" \
    action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h \
    comment="the 11th failed login in a minute blacklists that client for 3 hours"

and, this bans an SSH brute forcer for 10 days after repeated attempts. Change the timeouts as necessary.

Code:
/ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="drop ssh brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 \
    action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d \
    comment="4th new ssh connection within a minute: blacklist the source for 10 days"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 \
    action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m \
    comment="3rd new ssh connection within a minute"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
    action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
    comment="2nd new ssh connection within a minute"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m \
    comment="every new ssh connection starts in stage1; keep these rules in this order"
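
As an added example (not from the thread, the poster's router or the MikroTik wiki), here is a small Python model of the staged ssh_stage1/2/3 -> ssh_blacklist rules quoted above, replayed over constructed RouterOS-style "login failure" log lines. The addresses, times, usernames and the assumed year 2024 are made up for the example, and StagedBan, replay and SAMPLE_LOG are names chosen here:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Timeouts from the ssh_stage*/ssh_blacklist rules quoted in the post above.
STAGE_TIMEOUT = timedelta(minutes=1)
BLACKLIST_TIMEOUT = timedelta(days=10)

# Constructed sample log for this example, not taken from the poster's router.
# The line shape follows what RouterOS writes for a failed login; the addresses
# are RFC 5737 documentation ranges and the year (assumed 2024) is not logged.
SAMPLE_LOG = """\
jan/02 10:00:01 system,error,critical login failure for user root from 203.0.113.7 via ssh
jan/02 10:00:05 system,error,critical login failure for user admin from 203.0.113.7 via ssh
jan/02 10:00:09 system,error,critical login failure for user oracle from 203.0.113.7 via ssh
jan/02 10:00:14 system,error,critical login failure for user test from 203.0.113.7 via ssh
jan/02 10:00:20 system,error,critical login failure for user admin from 203.0.113.7 via ssh
jan/02 10:00:30 system,error,critical login failure for user admin from 192.0.2.4 via telnet
jan/02 10:01:00 system,error,critical login failure for user admin from 198.51.100.9 via ssh
jan/02 10:03:00 system,error,critical login failure for user admin from 198.51.100.9 via ssh
jan/02 10:05:00 system,error,critical login failure for user admin from 198.51.100.9 via ssh
jan/02 10:07:00 system,error,critical login failure for user admin from 198.51.100.9 via ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) system,error,critical "
    r"login failure for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<svc>\w+)$"
)


def parse_log(text, year=2024):
    """Return [(timestamp, src, service), ...] for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other topics (dhcp, interface, ...) are not login failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b/%d %H:%M:%S")
        events.append((ts, m["src"], m["svc"]))
    return events


class StagedBan:
    """Model of the ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist rules.

    Each stage entry lives STAGE_TIMEOUT, so a source must open four new SSH
    connections within about a minute to be blacklisted.  Assumption in this
    model: re-adding an address that is already on a list refreshes its timeout.
    """

    LISTS = ("ssh_stage1", "ssh_stage2", "ssh_stage3", "ssh_blacklist")

    def __init__(self):
        self.lists = {name: {} for name in self.LISTS}  # name -> {src: expiry}

    def listed(self, name, src, now):
        expiry = self.lists[name].get(src)
        return expiry is not None and expiry > now

    def _add(self, name, src, now):
        ttl = BLACKLIST_TIMEOUT if name == "ssh_blacklist" else STAGE_TIMEOUT
        self.lists[name][src] = now + ttl

    def new_connection(self, src, now):
        """Walk the rules in the order they are listed; return 'drop' or 'accept'."""
        if self.listed("ssh_blacklist", src, now):
            return "drop"
        # add-src-to-address-list is a non-terminating action in RouterOS, so
        # every matching rule below fires and the promoting packet still passes.
        if self.listed("ssh_stage3", src, now):
            self._add("ssh_blacklist", src, now)
        if self.listed("ssh_stage2", src, now):
            self._add("ssh_stage3", src, now)
        if self.listed("ssh_stage1", src, now):
            self._add("ssh_stage2", src, now)
        self._add("ssh_stage1", src, now)
        return "accept"


def replay(text, year=2024):
    """Replay the SSH failures through the model; return ({src: [verdicts]}, model).

    Treats each failed login as one new TCP connection, which is how most mass
    scanners behave; a client that tries several passwords inside one SSH
    session would count as a single connection on the real router.
    """
    model = StagedBan()
    verdicts = defaultdict(list)
    for ts, src, svc in sorted(parse_log(text, year)):
        if svc != "ssh":
            continue  # the rules match dst-port=22 only
        verdicts[src].append(model.new_connection(src, ts))
    return dict(verdicts), model


if __name__ == "__main__":
    result, model = replay(SAMPLE_LOG)
    for src, seen in result.items():
        print(f"{src:14} {' '.join(seen)}")
    print("blacklisted:", sorted(model.lists["ssh_blacklist"]))
```

In the replay, 203.0.113.7 fires four connections inside a minute, lands on ssh_blacklist on the fourth and is dropped from the fifth onwards, while 198.51.100.9 spaces its attempts two minutes apart, so its stage1 entry has always expired and it never gets past stage1. That slow-and-steady pattern is the caveat with timer-based staging: it limits noisy scanners but not a patient one, which is why closing the service, or restricting it to the LAN address range, is the stronger control when remote access is not needed.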
 

gregmcc (Honorary Master, joined Jun 29, 2006, 25,514 messages)
Best would be to disable all services unless needed. Don't use ftp or telnet - they are clear text protocols.

If you don't ssh into the router from the internet then disable it as well.
 

AfricanTech (Honorary Master, joined Mar 19, 2010, 40,369 messages)
Best would be to disable all services unless needed. Don't use ftp or telnet - they are clear text protocols.

If you don't ssh into the router from the internet then disable it as well.

Thanks and appreciated. That's exactly what I've done.

Those three are disabled.

My thinking is that since I don't fiddle much with the Mikrotik, given that it's only used as a home router, I'd rather not have a stack of firewall rules that I'll forget about in a few months, and then if something goes wrong I have to rack my poor old brain around why all that stuff is in there...

:D
 