Hi group,
The MikroTik router log shows me a telnet and SSH login attempt every half minute; it lasts for hours.
The strange thing is that the IP it is using was not active in the AMPR DNS until yesterday, and right after I added it to the DNS and connected the router, the login attempts started.
I have traced two of the breakers: one is in Poland and the other is in China.
Is it common that someone tries to break into our network hosts? Do you see such things at your hosts too?
How does someone discover an active host in a whole class A network so quickly?
What is your solution / reaction to such break-in attempts?
Thanks for any clarifications.
Regards
Ronen - 4Z4ZQ
Ronen Pinchooks (4Z4ZQ) WebSite: http://www.ronen.org/
That's quite normal. You will also see a lot of strange ICMP and DNS replies, UDP traffic and others.
The idea is that those IPs were poked even before you added them to the DNS; you just did not see it.
Get used to it and create proper firewall rules to not accept incoming connections on the router from the public and ampr-gw interfaces which you do not need (usually you need none).
Marius, YO2LOJ
-----Original Message-----
From: R P
Sent: Tuesday, April 05, 2016 09:28
To: AMPRNet working group
Subject: [44net] strange login attempts to AMPR Hosts
Probes of IP addresses are VERY common. The purpose is to find active hosts with open ports that can be exploited. If your router logged and rejected the probe then you are all set, there is nothing you need to do. As you said, it's a break-in attempt and only an attempt so there is no need to worry. It's the ones that are not logged that are the ones to worry about. You should check your access logs on your hosts to be sure only those hosts you authorized are accessing the servers and that the accesses are for legitimate purposes.
Good firewall management comes with the territory. Open only the ports you need and only from the hosts you support. Secondary firewalls on the hosts on the LAN side are also a good idea (e.g., Linux iptables, Windows Advanced Firewall); these should be configured and active to block unnecessary ports and to log both successful and unsuccessful attempts, and you should check those logs at least once a week.
This is only a sketch of the general policy of firewall management but I thought it needed to be said here. Log inspection will guide you and your experience will teach you the posture you must take regarding threats but know that the threat is always there and is part of the noise level a public-facing router/firewall must deal with every minute of every day.
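The log inspection recommended above, as an added example that is not code from anyone in this thread: a small Python script that turns RouterOS-style "login failure" lines into a per-source summary and flags sources that fail repeatedly inside a short window. The log lines, addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the RouterOS "login failure" style (not real traffic).
SAMPLE_LOG = """\
apr/05 09:00:02 system,error,critical login failure for user admin from 198.51.100.7 via ssh
apr/05 09:00:31 system,error,critical login failure for user root from 198.51.100.7 via telnet
apr/05 09:01:03 system,error,critical login failure for user admin from 198.51.100.7 via ssh
apr/05 09:01:33 system,error,critical login failure for user pi from 198.51.100.7 via ssh
apr/05 09:02:04 system,error,critical login failure for user admin from 203.0.113.44 via telnet
apr/05 09:05:00 system,info,account user ronen logged in from 44.0.0.5 via ssh
"""

LINE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"login failure for user (?P<user>\S+) from (?P<ip>[\d.]+) via (?P<svc>\w+)$"
)

def parse_failures(text, year=2016):
    """Return (timestamp, source_ip, user, service) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        stamp = f"{year} {m['mon'].capitalize()} {m['day']} {m['time']}"
        events.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
                       m["ip"], m["user"], m["svc"]))
    return events

def summarize(events, threshold=3, window_seconds=300):
    """Group failures by source IP and flag any source with at least
    `threshold` failures inside a sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for ts, ip, user, svc in events:
        by_ip[ip].append((ts, user, svc))
    report = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _, _ in items]
        flagged = any((times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
                      for i in range(len(times) - threshold + 1))
        report[ip] = {"failures": len(items), "flagged": flagged,
                      "users": sorted({u for _, u, _ in items}),
                      "services": sorted({s for _, _, s in items})}
    return report

if __name__ == "__main__":
    for ip, info in summarize(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```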