We use 5.25 and 5.26 on most of our routers. The main issues we've seen are
SSH brute force and DNS relay. We have a central DNS server that we send
everyone to located in our NOC, so we disabled "Allow remote requests."
This could easily be done with a firewall rule if you do use the routers
for DNS at the site, so they are not being hit from outside. As for the
rest, we use an address list and firewall to block access to the router's
configuration interfaces except from our office or local management IPs.

As far as the ICMP packets being mis-ordered, you might try something like
Greg Sowell's implementation of a ping brute force block. We don't employ
it on site routers right now, but I have seen it catch some IPs on some
customer setups we have done. They are part of his "Border Router Firewall
Script" example that can be found here: http://gregsowell.com/?p=4013
On Nov 10, 2014 7:05 PM, "George Skorup (Cyber Broadcasting) via Af" <[email protected]> wrote:

> I've got a RB1100AH running 5.26. Something has been happening every day
> for about the past week and it gets all screwy. I've confirmed there are no
> site temperature or power issues. Here's what happens in the screwy state.
> I can ping it and it responds fine. I can log into Winbox or the CLI and
> try to ping anything, even local same-subnet stuff and I get a bunch of
> packet loss. SNMP responses are hit or miss as well. I did a packet capture
> and it shows the ICMP packets all out of order. Reboot it and everything
> works fine again, until next time. The only thing I haven't tried yet is
> pinging 127.0.0.1 and seeing if the same packet loss happens.
>
> I see a bunch of SSH brute force attempts, but I'm using the brute force
> protection firewall scripts to add sequential attempts to an address list
> to stop them. And that works fine. But I'm wondering, since 5.26 is the
> "ssh - fixed denial of service;" version, did this "fix" break something
> else? I don't see this on any other routers running 5.25, RB1100s and
> 493s. This is a remote router so I do not want to try downgrading to 5.25
> or upgrading to v6 without someone there. And if I'm going to send someone
> there, probably better off replacing it, but then I'll never know WTF is
> causing this.
>
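The controls described in the reply above (a management address list guarding the configuration interfaces, "Allow remote requests" disabled, a drop for DNS arriving from outside, and the address-list based SSH brute-force throttle) as an added RouterOS v5 configuration example. It is not either poster's configuration; `ether1-wan`, `192.0.2.0/24` and the list name `mgmt` are constructed placeholders.

```routeros
# Added example in RouterOS v5 syntax. Constructed values: ether1-wan (uplink
# interface) and 192.0.2.0/24 (NOC/office management range). Adjust before use.

# 1. Sources allowed to reach the router's configuration interfaces.
/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="NOC and office management range"

# 2. Router answers only its own lookups; site clients use the NOC resolver.
/ip dns set allow-remote-requests=no

/ip firewall filter
# Rules are evaluated top-down. Keep existing sessions working first.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop

# 3. SSH, HTTP/HTTPS and Winbox only from the management list. This sits
#    above the brute-force rules so admins are never staged or blacklisted.
add chain=input protocol=tcp dst-port=22,80,443,8291 src-address-list=mgmt \
    action=accept comment="management access"

# 4. SSH brute-force throttle: each new connection moves the source up one
#    stage; once it reaches ssh_stage3 the next attempt is blacklisted for
#    10 days and every later SYN to port 22 is dropped by the first rule.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop SSH brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m

# 5. If the router must still serve DNS to the LAN, refuse DNS that arrives
#    on the uplink so it cannot be used as an open relay.
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop

# 6. Configuration interfaces from anywhere not on the management list.
add chain=input protocol=tcp dst-port=22,80,443,8291 action=drop \
    comment="block config interfaces from everywhere else"
```

The `add-src-to-address-list` action does not terminate rule processing, so a source that is already in a later stage is refreshed in the earlier lists as well; check `/ip firewall address-list print` to see the stages fill during a scan.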
