I actually turn off all IP services except Winbox. If I need SSH, I first enable it from Winbox. No doubt there is some reason why this is stupid, but it does solve the SSH problem. Did I mention I really like Winbox?
I only think I got burned once because of this, probably something like no default router, and was able to recover by setting up a PPTP tunnel to the next hop router so I could Winbox in from the same subnet. There’s probably a way to run a Winbox proxy on the next hop router but if there is I’m unaware of it. From: Bill Prince via Af Sent: Saturday, November 15, 2014 1:41 PM To: [email protected] Subject: Re: [AFMUG] [OT] Weird MT situation Ours MTs are almost all 5.26. I am still risk averse to anything 6.x, but I may change my mind when 7.x passes RC37. I have not seen this issue, but I do disallow SSH from anywhere other than approved IP ranges. bp <part-15@SkylineBroadbandService> On 11/15/2014 11:05 AM, George Skorup (Cyber Broadcasting) via Af wrote: No DNS. I suspected it was SSH causing it. I would see an error in the log after several brute force attempts, something like expected 50 got 5. The only thing I can find on that is something to do with keys. I do have keys installed for SCP'ing backup files. Anyway, it would take a couple hours after that error showed up for things to get really bad. If I let it go for 10-12 hours, it would eventually say all locally generated ICMP was 80% packet loss. This is one of the few routers I have with 5.26. It was deployed shortly after it was available last year and v6 wasn't all that stable yet. I have since set the SSH service to allow only my NOC management subnet and it has been running fine for days now. So whatever/whoever was attacking the SSH server is now completely blocked. I have no doubt whatever malformed request they were sending was causing it. I really think the SSH "fix" in 5.26 has a memory leak. Like I said, I could ping it remotely just fine with no loss or out of order packets so I don't think it got as far as the kernel, like it was only local user-space processes. Again, memory leak. Good job, MikroTik! I'm guessing they have no more interest in v5 either. On 11/15/2014 8:19 AM, Nicholas Eastman via Af wrote: We use 5.25 and 5.26 on most of our routers. The main issues we've seen are SSH brute force and DNS relay. We have a central DNS server that we send everyone to located in our NOC, so we disabled "Allow remote requests." This could easily be done with a firewall rule if you do use the routers for DNS at the site, so they are not being hit from outside. As far as the rest. We use an address list and firewall to block access to the router's configuration interfaces except from our office or local management IPs. As far as the ICMP packets being mis-ordered, you might try something like Greg Sowell's implementation of a ping brute force block. We don't employ it on site routers right now, but I have seen it catch some IPs on some customer set ups we have done. They are part of his "Border Router Firewall Script" example that can be found here: http://gregsowell.com/?p=4013 On Nov 10, 2014 7:05 PM, "George Skorup (Cyber Broadcasting) via Af" <[email protected]> wrote: I've got a RB1100AH running 5.26. Something has been happening every day for about the past week and it gets all screwy. I've confirmed there are no site temperature or power issues. Here's what happens in the screwy state. I can ping it and it responds fine. I can log into Winbox or the CLI and try to ping anything, even local same-subnet stuff and I get a bunch of packet loss. SNMP responses are hit or miss as well. I did a packet capture and it shows the ICMP packets all out of order. Reboot it and everything works fine again, until next time. The only thing I haven't tried yet is pinging 127.0.0.1 and see if the same packet loss happens. I see a bunch of SSH brute force attempts, but I'm using the brute force protection firewall scripts to add sequential attempts to an address list to stop them. And that works fine. But I'm wondering, since 5.26 is the "ssh - fixed denial of service;" version, did this "fix" break something else. I don't see this on any other routers running 5.25, RB1100's and 493's. This is a remote router so I do not want to try downgrading to 5.25 or upgrading to v6 without someone there. And if I'm going to send someone there, probably better off replacing it, but then I'll never know WTF is causing this.
