Topic 'Log from RouterOS' in forum 'Wireless Service Providers' - dslreports.com

Re: Log from RouterOS

Mon, 09 Nov 2009 16:51:11 EDT

gunther_01 posted : you could just deny FTP from everyone but your camera.

Re: Log from RouterOS

Mon, 09 Nov 2009 16:41:58 EDT

livewireless posted : So In my case the solution would be to change ports.
I have a camera on motion detection sending images via ftp to the RouterOS H-drive. I'm trying to pack as much as I can on that box. The location is Tiny. Small knik-nack tourist shop probably 15 ft x 20 ft. So as one can imagine, one needs to conserve space.

Re: Log from RouterOS

Mon, 09 Nov 2009 14:40:01 EDT

slipstream1 posted : On my RouterOS installs, I turn off ssh and ftp, because I don't generally need those services.

Re: Log from RouterOS

Mon, 09 Nov 2009 13:08:38 EDT

Inssomniak posted :

said by viperm:

in winbox go into IP/services and turn off FTP. SSH etc and that wont happen. Now if you need FTP or SSH access to you mikrotik just use NON standard ports..

We see this all the time we dont turn on FTP or SSH at all and if we do we do it only for as long as we need it open..

Ya this a good option, I only turn on FTP when I need it.

Re: Log from RouterOS

Mon, 09 Nov 2009 12:51:28 EDT

viperm posted : in winbox go into IP/services and turn off FTP. SSH etc and that wont happen. Now if you need FTP or SSH access to you mikrotik just use NON standard ports..

We see this all the time we dont turn on FTP or SSH at all and if we do we do it only for as long as we need it open..
--
ComTrain Certified Tower Climber. American Tower Certified approved contractor. Wireless consultants.

Re: Log from RouterOS

Mon, 09 Nov 2009 12:36:33 EDT

livewireless posted : Interesting. Yeah, I hadn't yet pulled the Shotgun out of the closet. Didn't really think it was harmfull. I'd just like to get a hold of these goons for exercise.

Re: Log from RouterOS

Mon, 09 Nov 2009 12:08:59 EDT

tx_tower posted : we usually see these start within 12-24 hours of the device being connected.

once you set up the blacklist script you should be fine, like gunther mentioned its not a specific concentrated attack just a script running on some box.

Re: Log from RouterOS

Mon, 09 Nov 2009 10:43:26 EDT

livewireless posted : Thanks gunther-01, Inssomniak :D

Re: Log from RouterOS

Mon, 09 Nov 2009 09:29:03 EDT

Inssomniak posted : you can add ssh/ftp rules into your firewall that automatically blacklist 3 unsuccessful attempts to login.

/ip firewall filter add chain=input src-address-list=sshblacklist action=drop \comment="drop all traffic brute force attack sources" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new \src-address-list=sshdarkgreylist action=add-src-to-address-list \address-list=sshblacklist address-list-timeout=1h \comment="add new failed sshdarkgreylist to sshblacklist" \disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new \src-address-list=sshgreylist action=add-src-to-address-list \address-list=sshdarkgreylist address-list-timeout=1m \comment="add new failed sshgreylist to sshdarkgreylist" \disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new \src-address-list=sshlightgreylist action=add-src-to-address-list \address-list=sshgreylist address-list-timeout=1m \comment="add new failed sshlightgreylist to sshgreylist" \disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new \action=add-src-to-address-list \address-list=sshlightgreylist address-list-timeout=1m \comment="new connections to sshlightgreylist" \disabled=no

ftp is the same, just change the port and address list name

Re: Log from RouterOS

Sun, 08 Nov 2009 23:46:01 EDT

gunther_01 posted : You will be fighting logs like that for a while until you lock those ports down or place something automatic in there to block the attempts.

It's un-avoidable... Prob just some scanner program/hack/virus etc.. going about it's daily grind ;)

Log from RouterOS

Sun, 08 Nov 2009 22:46:59 EDT

livewireless posted : Anbody get hack attempts like these?
I've got some filters and can probably get one going for this.
Just thought I'd post this to get this IP known.

Hackers IP