Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-04 Thread Chris Hudson
I have the whole 59.0.0.0/8 and 61.0.0.0/8 input chain dropped on my core 
router...

Chris
  - Original Message - 
  From: Robert West 
  To: 'WISPA General List' 
  Sent: Friday, October 01, 2010 4:57 PM
  Subject: [WISPA] Brute Force Attack on Mikrotik Gateway


  Just had to deal with a brute force attack on a MT router acting as a
  gateway.

  Came from these two IP addresses..

  59.42.10.38

  61.155.5.247

  Looked them up, they turn out to be pretty common for this sort of thing.
  Added a firewall rule to drop them and they are no longer filling my log.

  Some may want to do the same for these jokers.

  Robert West
  Just Micro Digital Services Inc.
  740-335-7020

WISPA Wants You! Join today!
http://signup.wispa.org/

 
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-03 Thread Butch Evans
On Fri, 2010-10-01 at 22:38 -0400, Josh Luthman wrote:
 Compliments of Butch Evans

This script doesn't look like my work.  Not sure who it is, but I would
ordinarily comment every rule.  If it IS mine (and I have put a lot of
these snippets out there), then I apologize for lack of comments.  :-)

 /ip firewall filter
 add action=drop chain=forward comment="drop ssh brute forcers" \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
 add action=add-src-to-address-list address-list=ssh_blacklist \
     address-list-timeout=1w3d chain=forward comment="" \
     connection-state=new disabled=no dst-port=22 protocol=tcp \
     src-address-list=ssh_stage3
 add action=add-src-to-address-list address-list=ssh_stage3 \
     address-list-timeout=1m chain=forward comment="" \
     connection-state=new disabled=no dst-port=22 protocol=tcp \
     src-address-list=ssh_stage2
 add action=add-src-to-address-list address-list=ssh_stage2 \
     address-list-timeout=1m chain=forward comment="" \
     connection-state=new disabled=no dst-port=22 protocol=tcp \
     src-address-list=ssh_stage1
 add action=add-src-to-address-list address-list=ssh_stage1 \
     address-list-timeout=1m chain=forward comment="" \
     connection-state=new disabled=no dst-port=22 protocol=tcp \
     src-address-list=!heavysshservers


-- 

* Butch Evans   * Professional Network Consultation*
* http://www.butchevans.com/* Network Engineering  *
* http://store.wispgear.net/* Wired or Wireless Networks   *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
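
Why the script quoted above lists its stages from highest to lowest, shown with a small Python model of the rule walk (an added illustration, not part of the original thread and not RouterOS code). It assumes that add-src-to-address-list does not stop rule processing, that re-adding an address restarts its timeout, and that the first rule drops as its comment says; the client address 198.51.100.7 and all class and function names are constructed for the example.

```python
import math
from typing import NamedTuple

STAGE_TTL = 60                      # address-list-timeout=1m
BLACKLIST_TTL = 10 * 24 * 3600      # address-list-timeout=1w3d (10 days)


class Rule(NamedTuple):
    action: str             # "drop" or "add" (add-src-to-address-list)
    src_list: str           # list named in src-address-list=
    negate: bool = False    # True for src-address-list=!name
    new_only: bool = False  # True when the rule has connection-state=new
    target: str = ""        # address-list= the source is added to
    ttl: int = 0            # address-list-timeout in seconds


def promote(src_list, target, ttl=STAGE_TTL):
    return Rule("add", src_list, new_only=True, target=target, ttl=ttl)


# Order used in the quoted script: blacklist check first, then the stages
# from highest to lowest. Rule 1 is modelled as a drop, as its comment says.
PAGE_ORDER = [
    Rule("drop", "ssh_blacklist"),
    promote("ssh_stage3", "ssh_blacklist", BLACKLIST_TTL),
    promote("ssh_stage2", "ssh_stage3"),
    promote("ssh_stage1", "ssh_stage2"),
    Rule("add", "heavysshservers", negate=True, new_only=True,
         target="ssh_stage1", ttl=STAGE_TTL),
]
# Same rules with the stages listed lowest first (hypothetical mis-ordering).
NAIVE_ORDER = [PAGE_ORDER[0], *reversed(PAGE_ORDER[1:])]


class Firewall:
    def __init__(self, rules, exempt=()):
        self.rules = rules
        # Static entries never expire; dynamic ones map address -> expiry.
        self.lists = {"heavysshservers": {ip: math.inf for ip in exempt}}

    def _member(self, name, ip, now):
        return self.lists.get(name, {}).get(ip, -math.inf) > now

    def packet(self, ip, now, new):
        """Run one TCP/22 packet through the rules, top to bottom."""
        for rule in self.rules:
            if rule.new_only and not new:
                continue
            if self._member(rule.src_list, ip, now) == rule.negate:
                continue
            if rule.action == "drop":
                return "drop"
            # Assumption: adding to a list does not end processing, so the
            # rules below see the list as it stands after this update.
            self.lists.setdefault(rule.target, {})[ip] = now + rule.ttl
        return "accept"

    def connect(self, ip, now):
        """A connection works only if its SYN and a later packet both pass."""
        return (self.packet(ip, now, new=True) == "accept"
                and self.packet(ip, now, new=False) == "accept")


def first_blocked(rules, times, ip="198.51.100.7", exempt=()):
    """1-based index of the first failed connection attempt, or None."""
    fw = Firewall(rules, exempt)
    for n, t in enumerate(times, start=1):
        if not fw.connect(ip, t):
            return n
    return None


if __name__ == "__main__":
    print("page order, 5 s apart :", first_blocked(PAGE_ORDER, range(0, 50, 5)))
    print("naive order, 1 attempt:", first_blocked(NAIVE_ORDER, [0]))
    print("page order, 61 s apart:", first_blocked(PAGE_ORDER, range(0, 610, 61)))
    print("exempt source         :",
          first_blocked(PAGE_ORDER, range(0, 50, 5), exempt=("198.51.100.7",)))
```

The model ignores chains: the quoted rules use chain=forward, which RouterOS applies to traffic passing through the router, while connections to the router's own SSH service are filtered in the input chain.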







Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-03 Thread Butch Evans
On Sat, 2010-10-02 at 12:57 -0400, Josh Luthman wrote:
 It doesn't answer anything.  You can't configure anything.  It screws
 up what you have set.  Hate it.  I would like to see an html copy of
 winbox, but that's a dream.

ROS V5 includes webfig, which is winbox in a browser.  With a v5
router, do http://IP.Address/webfig/ and you'll find it.

-- 

* Butch Evans   * Professional Network Consultation*
* http://www.butchevans.com/* Network Engineering  *
* http://store.wispgear.net/* Wired or Wireless Networks   *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *







Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-03 Thread Josh Luthman
Probably was not one for one but I am quite certain the concept was yours.
On Oct 3, 2010 11:01 PM, Butch Evans but...@butchevans.com wrote:
 On Fri, 2010-10-01 at 22:38 -0400, Josh Luthman wrote:
 Compliments of Butch Evans

 This script doesn't look like my work. Not sure who it is, but I would
 ordinarily comment every rule. If it IS mine (and I have put a lot of
 these snippets out there), then I apologize for lack of comments. :-)


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Scott Lambert
On Fri, Oct 01, 2010 at 04:00:05PM -0700, Tom Sharples wrote:
 I've often wondered, is it legal for the recipient of this sort
 of thing, to retaliate with e.g. ping or curl storms?

No.  Flat no.  And most of the time, your retaliation would be
against some poor schmuck who simply hasn't kept up to date on their
software updates.  Does someone's grandmother's computer deserve
to be beaten up?

It may be satisfying to think about, but don't go there.

-- 
Scott Lambert    KC5MLE    Unix SysAdmin
lamb...@lambertfam.org






Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Tom Sharples
Most of the attacks we've seen have been from Chinese and eastern European 
IPs. I suppose it could be a Chinese or Russian grandma tho :-)



Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
Checked the logs this morning and guess who was back at it.  Was trying
to do a brute force attack from yet another IP but that script from Butch
swatted him like a fly.  Worked like a charm!

Thanks to both you and Butch, he be gone.

Bob-

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Josh Luthman
Sent: Friday, October 01, 2010 10:38 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

Compliments of Butch Evans

/ip firewall filter
# Drop SSH traffic from sources already on the blacklist.
add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# A new connection from a stage-3 source blacklists it for 1w3d.
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
# Each further new connection within a minute moves the source up one stage.
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
# First new connection from any source not listed in heavysshservers.
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373



On Fri, Oct 1, 2010 at 10:28 PM, Robert West robert.w...@just-micro.com
wrote:

Then we'll just send the pigeons over to poop on them.

Easy.

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of RickG
Sent: Friday, October 01, 2010 9:29 PM
To: Tom Sharples; WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

I like it but what if the ip is being masqueraded?

On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com wrote:

I've often wondered, is it legal for the recipient of this sort of thing,
to retaliate with e.g. ping or curl storms?

Tom S.

 

 


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Greg Ihnen
That script should be the MT default when one checks the protect router check 
box in the web UI.

Greg

On Oct 2, 2010, at 8:33 AM, Robert West wrote:

 Checked the logs this morning and guess who was back at it.  Was trying to 
 do a brute force attack from yet another IP but that script from Butch 
 swatted him like a fly.  Worked like a charm!
  
 Thanks to both you and Butch, he be gone.
  
 Bob-
  

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
Where is that located in the interface?

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Greg Ihnen
Sent: Saturday, October 02, 2010 9:08 AM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

That script should be the MT default when one checks the protect router
check box in the web UI.

Greg

 


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
It may have been a coincidence but about an hour before they started hitting
us I got a call from a subscriber on that gateway telling me she had just
started getting that damn false virus program taking over her PC.  Most of
them I've seen redirect all internet traffic through their server, always
have seen it go to Russia, and I was guessing the two may be related.
Phoned home and since that network is NAT'd it would have given the IP for
our router.  And of course, they can always just sit and scan for active
IPs all day as well.

Bob-



-Original Message-
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Tom Sharples
Sent: Saturday, October 02, 2010 3:04 AM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

Most of the attacks we've seen have been from Chinese and eastern European 
IPs. I suppose it could be a Chinese or Russian grandma tho :-)



Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Josh Luthman
The MT webbox causes cancer it is so terrible.
On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
 That script should be the MT default when one checks the protect router
check box in the web UI.

 Greg


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
Ah..  I always use Winbox.  Tried Webbox a few times when I had to but
wasn't comfortable with it at all.

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Josh Luthman
Sent: Saturday, October 02, 2010 11:18 AM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

The MT webbox causes cancer it is so terrible.


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Josh Luthman
It doesn't answer anything.  You can't configure anything.  It screws up
what you have set.  Hate it.  I would like to see an html copy of winbox,
but that's a dream.
On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:
 Ah.. I always use Winbox. Tried Webbox a few times when I had to but
 wasn't comfortable with it at all.







 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of Josh Luthman
 Sent: Saturday, October 02, 2010 11:18 AM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway



 The MT webbox causes cancer it is so terrible.

 On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
 That script should be the MT default when one checks the protect router
 check box in the web UI.

 Greg

 On Oct 2, 2010, at 8:33 AM, Robert West wrote:

 Checked the logs this morning and guess who was back at it. Was trying
 to do a brute force attack from yet another IP but that script from Butch
 swatted him like a fly. Worked like a charm!

 Thanks to both you and Butch, he be gone.

 Bob-

 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of Josh Luthman
 Sent: Friday, October 01, 2010 10:38 PM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 Compliments of Butch Evans

 /ip firewall filter
 add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
     dst-port=22 protocol=tcp src-address-list=ssh_blacklist
 add action=add-src-to-address-list address-list=ssh_blacklist \
     address-list-timeout=1w3d chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
 add action=add-src-to-address-list address-list=ssh_stage3 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
 add action=add-src-to-address-list address-list=ssh_stage2 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
 add action=add-src-to-address-list address-list=ssh_stage1 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373


 On Fri, Oct 1, 2010 at 10:28 PM, Robert West robert.w...@just-micro.com

 wrote:
 Then we'll just send the pigeons over to poop on them.

 Easy.



 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of RickG
 Sent: Friday, October 01, 2010 9:29 PM
 To: Tom Sharples; WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 I like it but what if the ip is being masqueraded?

 On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
 wrote:
 I've often wondered, is it legal for the recipient of this sort of
 thing to retaliate with e.g. ping or curl storms?

 Tom S.


 - Original Message -
 From: Robert West
 To: 'WISPA General List'
 Sent: Friday, October 01, 2010 2:57 PM
 Subject: [WISPA] Brute Force Attack on Mikrotik Gateway

 Just had to deal with a brute force attack on a MT router acting as a
 gateway.

 Came from these two IP addresses..

 59.42.10.38

 61.155.5.247

 Looked them up, they turn out to be pretty common for this sort of
thing.
 Added a firewall rule to drop them and they are no longer filling my log.

 Some may want to do the same for these jokers.

 Robert West
 Just Micro Digital Services Inc.
 740-335-7020
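
Added example (not part of any list member's post, and not MikroTik code): a small Python model of the staged address-list script quoted in this thread, showing how many new SSH connections a source gets before it lands on ssh_blacklist and why the stages are listed highest first. It treats the first rule as a drop, as its comment says, and assumes that add-src-to-address-list hands the packet on to the next rule and that re-adding a listed address refreshes its timeout; the sample addresses and the heavysshservers member are constructed.

```python
"""Model of the five staged SSH rules quoted in the thread (added example)."""

STAGE_TIMEOUT = 60                       # address-list-timeout=1m
BLACKLIST_TIMEOUT = (7 + 3) * 86400      # address-list-timeout=1w3d

# Constructed sample addresses (documentation ranges), not taken from the thread.
ATTACKER = "198.51.100.7"
ADMIN = "192.0.2.10"
BACKUP_HOST = "192.0.2.50"               # hypothetical member of heavysshservers


class AddressLists:
    """Dynamic address lists with per-entry expiry, plus static entries."""

    def __init__(self, static=None):
        self.expiry = {}                 # (list name, ip) -> expiry time in seconds
        self.static = static or {}       # list name -> set of ips that never expire

    def contains(self, name, ip, now):
        if ip in self.static.get(name, ()):
            return True
        return self.expiry.get((name, ip), -1) > now

    def add(self, name, ip, now, timeout):
        # Assumption: re-adding an address that is already listed refreshes its timeout.
        self.expiry[(name, ip)] = now + timeout


# (list to match, negate match, action, list to join, timeout), in the order posted.
RULES = [
    ("ssh_blacklist", False, "drop", None, None),
    ("ssh_stage3", False, "add", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", False, "add", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", False, "add", "ssh_stage2", STAGE_TIMEOUT),
    ("heavysshservers", True, "add", "ssh_stage1", STAGE_TIMEOUT),
]

# Same rules with the stages listed lowest first, to show why the order matters.
LOWEST_FIRST = [RULES[0]] + RULES[:0:-1]


def new_ssh_connection(lists, src, now, rules=RULES):
    """Run one new TCP/22 connection through the rules.

    Returns (verdict, lists joined), where verdict is "drop" or "pass"
    ("pass" means the packet falls through to whatever rules come next).
    """
    joined = []
    for match_list, negate, action, target, timeout in rules:
        hit = lists.contains(match_list, src, now) != negate
        if not hit:
            continue
        if action == "drop":
            return "drop", joined
        # Adding to a list does not end processing: the same packet is then
        # tested against the next rule, so a lower stage listed earlier would
        # be visible to the rule that follows it.
        lists.add(target, src, now, timeout)
        joined.append(target)
    return "pass", joined


def replay(events, static=None, rules=RULES):
    """Replay (time in seconds, source ip) events and return the verdict of each."""
    lists = AddressLists(static)
    return [new_ssh_connection(lists, src, t, rules)[0] for t, src in events]


if __name__ == "__main__":
    burst = [(t, ATTACKER) for t in range(0, 30, 5)]
    print("burst, posted order :", replay(burst))
    print("burst, lowest first :", replay(burst, rules=LOWEST_FIRST))
    print("admin, 5 min apart  :", replay([(0, ADMIN), (300, ADMIN), (600, ADMIN)]))
    print("exempt host         :", replay([(t, BACKUP_HOST) for t in range(6)],
                                          static={"heavysshservers": {BACKUP_HOST}}))
```

With the posted order a source gets four new connections, each within a minute of the previous one, and is dropped from the fifth on; with the stages listed lowest first every non-exempt source would be blacklisted by its first connection.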


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Jon Auer
The new web admin in 5.0 looks like a web clone of winbox.

On Oct 2, 2010 11:57 AM, Josh Luthman j...@imaginenetworksllc.com wrote:

It doesn't answer anything.  You can't configure anything.  It screws up
what you have set.  Hate it.  I would like to see an html copy of winbox,
but that's a dream.



On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:
 Ah.. I always use Win...





Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Greg Ihnen
Or Java would be nice. But really anything that is cross platform would be 
good. Then I wouldn't have to run Parallels or Fusion all day.

Greg
On Oct 2, 2010, at 12:27 PM, Josh Luthman wrote:

 It doesn't answer anything.  You can't configure anything.  It screws up what 
 you have set.  Hate it.  I would like to see an html copy of winbox, but 
 that's a dream.
 
 On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:
  Ah.. I always use Winbox. Tried Webbox a few times when I had to but
  wasn't comfortable with it at all.
  
  
  
  
  
  
  
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
  Behalf Of Josh Luthman
  Sent: Saturday, October 02, 2010 11:18 AM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
  
  
  The MT webbox causes cancer it is so terrible.
  
  On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
  That script should be the MT default when one checks the protect router
  check box in the web UI.
  
  Greg
  
  On Oct 2, 2010, at 8:33 AM, Robert West wrote:
  
  Checked the logs this morning and guess who was back at it. Was trying
  to do a brute force attack from yet another IP but that script from Butch
  swatted him like a fly. Worked like a charm!
  
  Thanks to both you and Butch, he be gone.
  
  Bob-
  
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
  Behalf Of Josh Luthman
  Sent: Friday, October 01, 2010 10:38 PM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
  Compliments of Butch Evans
  
  /ip firewall filter
  add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
      dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  add action=add-src-to-address-list address-list=ssh_blacklist \
      address-list-timeout=1w3d chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
  add action=add-src-to-address-list address-list=ssh_stage3 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
  add action=add-src-to-address-list address-list=ssh_stage2 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
  add action=add-src-to-address-list address-list=ssh_stage1 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers
  
  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373
  
  
  On Fri, Oct 1, 2010 at 10:28 PM, Robert West robert.w...@just-micro.com
  wrote:
  Then we'll just send the pigeons over to poop on them.
  
  Easy.
  
  
  
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
  Behalf Of RickG
  Sent: Friday, October 01, 2010 9:29 PM
  To: Tom Sharples; WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
  I like it but what if the ip is being masqueraded?
  
  On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
  wrote:
  I've often wondered, is it legal for the recipient of this sort of
  thing to retaliate with e.g. ping or curl storms?
  
  Tom S.
  
  
  - Original Message -
  From: Robert West
  To: 'WISPA General List'
  Sent: Friday, October 01, 2010 2:57 PM
  Subject: [WISPA] Brute Force Attack on Mikrotik Gateway
  
  Just had to deal with a brute force attack on a MT router acting as a
  gateway. 
  
  Came from these two IP addresses..
  
  59.42.10.38
  
  61.155.5.247
  
  Looked them up, they turn out to be pretty common for this sort of thing.
  Added a firewall rule to drop them and they are no longer filling my log. 
  
  Some may want to do the same for these jokers.
  
  Robert West
  Just Micro Digital Services Inc.
  740-335-7020
  

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Leon D. Zetekoff
 I asked them about a Java client a long time ago and they nixed it.. 
Said there was a Windoze client and it could run under Wine. But I was 
looking at other platforms. The biggest problem with Mikrotik is their 
tunnel vision and unwillingness to look outside of the box IMHO


Leon

On 10/2/2010 3:04 PM, Greg Ihnen wrote:
Or Java would be nice. But really anything that is cross platform 
would be good. Then I wouldn't have to run Parallels or Fusion all day.


Greg
On Oct 2, 2010, at 12:27 PM, Josh Luthman wrote:

It doesn't answer anything.  You can't configure anything.  It screws 
up what you have set.  Hate it.  I would like to see an html copy of 
winbox, but that's a dream.


On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:

 Ah.. I always use Winbox. Tried Webbox a few times when I had to but
 wasn't comfortable with it at all.







 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of Josh Luthman
 Sent: Saturday, October 02, 2010 11:18 AM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway



 The MT webbox causes cancer it is so terrible.

 On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
 That script should be the MT default when one checks the protect router
 check box in the web UI.

 Greg

 On Oct 2, 2010, at 8:33 AM, Robert West wrote:

 Checked the logs this morning and guess who was back at it. Was trying
 to do a brute force attack from yet another IP but that script from Butch
 swatted him like a fly. Worked like a charm!

 Thanks to both you and Butch, he be gone.

 Bob-

 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of Josh Luthman
 Sent: Friday, October 01, 2010 10:38 PM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 Compliments of Butch Evans

 /ip firewall filter
 add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
     dst-port=22 protocol=tcp src-address-list=ssh_blacklist
 add action=add-src-to-address-list address-list=ssh_blacklist \
     address-list-timeout=1w3d chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
 add action=add-src-to-address-list address-list=ssh_stage3 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
 add action=add-src-to-address-list address-list=ssh_stage2 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
 add action=add-src-to-address-list address-list=ssh_stage1 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers


 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373


 On Fri, Oct 1, 2010 at 10:28 PM, Robert West robert.w...@just-micro.com
 wrote:
 Then we'll just send the pigeons over to poop on them.

 Easy.



 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of RickG
 Sent: Friday, October 01, 2010 9:29 PM
 To: Tom Sharples; WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 I like it but what if the ip is being masqueraded?

 On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
 wrote:
 I've often wondered, is it legal for the recipient of this sort of
 thing to retaliate with e.g. ping or curl storms?

 Tom S.


 - Original Message -
 From: Robert West
 To: 'WISPA General List'
 Sent: Friday, October 01, 2010 2:57 PM
 Subject: [WISPA] Brute Force Attack on Mikrotik Gateway

 Just had to deal with a brute force attack on a MT router acting as a
 gateway.

 Came from these two IP addresses..

 59.42.10.38

 61.155.5.247

 Looked them up, they turn out to be pretty common for this sort of thing.
 Added a firewall rule to drop them and they are no longer filling my log.


 Some may want to do the same for these jokers.

 Robert West
 Just Micro Digital Services Inc.
 740-335-7020


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Josh Luthman
Jon was right - just loaded up 5.0rc1 and they added webfig.  Format is
very much that of Winbox and looks very good at a glance!

Webbox is still there and it is still bad.

Java is way too slow and not very portable (in the sense a new laptop won't
use it).  Flash is easier and lighter.  HTML works 99.99% of the time.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Sat, Oct 2, 2010 at 3:57 PM, Leon D. Zetekoff 
wa4...@backwoodswireless.net wrote:

  I asked them about a Java client a long time ago and they nixed it.. Said
 there was a Windoze client and it could run under Wine. But I was looking at
 other platforms. The biggest problem with Mikrotik is their tunnel vision and
 unwillingness to look outside of the box IMHO

 Leon


 On 10/2/2010 3:04 PM, Greg Ihnen wrote:

 Or Java would be nice. But really anything that is cross platform would be
 good. Then I wouldn't have to run Parallels or Fusion all day.

  Greg
  On Oct 2, 2010, at 12:27 PM, Josh Luthman wrote:

  It doesn't answer anything.  You can't configure anything.  It screws up
 what you have set.  Hate it.  I would like to see an html copy of winbox,
 but that's a dream.
 On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:
  Ah.. I always use Winbox. Tried Webbox a few times when I had to but
  wasn't comfortable with it at all.
 
 
 
 
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
  Behalf Of Josh Luthman
  Sent: Saturday, October 02, 2010 11:18 AM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 
 
  The MT webbox causes cancer it is so terrible.
 
  On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
  That script should be the MT default when one checks the protect
 router
  check box in the web UI.
 
  Greg
 
  On Oct 2, 2010, at 8:33 AM, Robert West wrote:
 
  Checked the logs this morning and guess who was back at it. Was trying
  to do a brute force attack from yet another IP but that script from Butch
  swatted him like a fly. Worked like a charm!
 
  Thanks to both you and Butch, he be gone.
 
  Bob-
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
 On
  Behalf Of Josh Luthman
  Sent: Friday, October 01, 2010 10:38 PM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Compliments of Butch Evans
 
  /ip firewall filter
  add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
      dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  add action=add-src-to-address-list address-list=ssh_blacklist \
      address-list-timeout=1w3d chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
  add action=add-src-to-address-list address-list=ssh_stage3 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
  add action=add-src-to-address-list address-list=ssh_stage2 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
  add action=add-src-to-address-list address-list=ssh_stage1 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers
 
  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373
 
 
  On Fri, Oct 1, 2010 at 10:28 PM, Robert West 
 robert.w...@just-micro.com
  wrote:
  Then we'll just send the pigeons over to poop on them.
 
  Easy.
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
 On
  Behalf Of RickG
  Sent: Friday, October 01, 2010 9:29 PM
  To: Tom Sharples; WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  I like it but what if the ip is being masqueraded?
 
  On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
  wrote:
  I've often wondered, is it legal for the recipient of this sort of
  thing to retaliate with e.g. ping or curl storms?
 
  Tom S.
 
 
  - Original Message -
  From: Robert West
  To: 'WISPA General List'
  Sent: Friday, October 01, 2010 2:57 PM
  Subject: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Just had to deal with a brute force attack on a MT router acting as a
  gateway.
 
  Came from these two IP addresses..
 
  59.42.10.38
 
  61.155.5.247
 
  Looked them up, they turn out to be pretty common for this sort of
 thing.
  Added a firewall rule to drop them and they are no longer filling my log.

 
  Some may want to do the same for these jokers.
 
  Robert West
  Just Micro Digital Services Inc.
  740-335-7020
 

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Jeromie Reeves
I have to question: Why would a new laptop not use it? And how do you
figure flash is lighter?

On Sat, Oct 2, 2010 at 2:22 PM, Josh Luthman
j...@imaginenetworksllc.com wrote:
 Jon was right - just loaded up 5.0rc1 and they added webfig.  Format is
 very much that of Winbox and looks very good at a glance!

 Webbox is still there and it is still bad.

 Java is way too slow and not very portable (in the sense a new laptop won't
 use it).  Flash is easier and lighter.  HTML works 99.99% of the time.

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373


 On Sat, Oct 2, 2010 at 3:57 PM, Leon D. Zetekoff
 wa4...@backwoodswireless.net wrote:

 I asked them about a Java client a long time ago and they nixed it.. Said
 there was a Windoze client and it could run under Wine. But I was looking at
 other platforms. The biggest problem with Mikrotik is their tunnel vision and
 unwillingness to look outside of the box IMHO

 Leon

 On 10/2/2010 3:04 PM, Greg Ihnen wrote:

 Or Java would be nice. But really anything that is cross platform would be
 good. Then I wouldn't have to run Parallels or Fusion all day.
 Greg
 On Oct 2, 2010, at 12:27 PM, Josh Luthman wrote:

 It doesn't answer anything.  You can't configure anything.  It screws up
 what you have set.  Hate it.  I would like to see an html copy of winbox,
 but that's a dream.

 On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:
  Ah.. I always use Winbox. Tried Webbox a few times when I had to but
  wasn't comfortable with it at all.
 
 
 
 
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
  Behalf Of Josh Luthman
  Sent: Saturday, October 02, 2010 11:18 AM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 
 
  The MT webbox causes cancer it is so terrible.
 
  On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
  That script should be the MT default when one checks the protect
  router
  check box in the web UI.
 
  Greg
 
  On Oct 2, 2010, at 8:33 AM, Robert West wrote:
 
  Checked the logs this morning and guess who was back at it. Was trying
  to do a brute force attack from yet another IP but that script from Butch
  swatted him like a fly. Worked like a charm!
 
  Thanks to both you and Butch, he be gone.
 
  Bob-
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of Josh Luthman
  Sent: Friday, October 01, 2010 10:38 PM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Compliments of Butch Evans
 
  /ip firewall filter
  add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
      dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  add action=add-src-to-address-list address-list=ssh_blacklist \
      address-list-timeout=1w3d chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
  add action=add-src-to-address-list address-list=ssh_stage3 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
  add action=add-src-to-address-list address-list=ssh_stage2 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
  add action=add-src-to-address-list address-list=ssh_stage1 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers
 
  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373
 
 
  On Fri, Oct 1, 2010 at 10:28 PM, Robert West
  robert.w...@just-micro.com
  wrote:
  Then we'll just send the pigeons over to poop on them.
 
  Easy.
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of RickG
  Sent: Friday, October 01, 2010 9:29 PM
  To: Tom Sharples; WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  I like it but what if the ip is being masqueraded?
 
  On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
  wrote:
  I've often wondered, is it legal for the recipient of this sort of
  thing to retaliate with e.g. ping or curl storms?
 
  Tom S.
 
 
  - Original Message -
  From: Robert West
  To: 'WISPA General List'
  Sent: Friday, October 01, 2010 2:57 PM
  Subject: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Just had to deal with a brute force attack on a MT router acting as a
  gateway.
 
  Came from these two IP addresses..
 
  59.42.10.38
 
  61.155.5.247
 
  Looked them up, they turn out to be pretty common for this sort of
  thing.
  Added a firewall rule to drop them and they are no longer filling my
  log.
 
  Some may want to do the same for these jokers.
 
  Robert West
  Just Micro Digital Services Inc.
  740-335-7020

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Josh Luthman
New laptops don't have java.

Flash is one library and takes seconds to install.

Launch speeds are of no comparison, flash is way faster.  Takes a lot of
time to warm up the virtual engine.
On Oct 2, 2010 5:32 PM, Jeromie Reeves jree...@18-30chat.net wrote:
 I have to question: Why would a new laptop not use it? And how do you
 figure flash is lighter?

 On Sat, Oct 2, 2010 at 2:22 PM, Josh Luthman
 j...@imaginenetworksllc.com wrote:
 Jon was right - just loaded up 5.0rc1 and they added webfig.  Format is
 very much that of Winbox and looks very good at a glance!

 Webbox is still there and it is still bad.

 Java is way too slow and not very portable (in the sense a new laptop
won't
 use it).  Flash is easier and lighter.  HTML works 99.99% of the time.

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373


 On Sat, Oct 2, 2010 at 3:57 PM, Leon D. Zetekoff
 wa4...@backwoodswireless.net wrote:

 I asked them about a Java client a long time ago and they nixed it.. Said
 there was a Windoze client and it could run under Wine. But I was looking at
 other platforms. The biggest problem with Mikrotik is their tunnel vision and
 unwillingness to look outside of the box IMHO

 Leon

 On 10/2/2010 3:04 PM, Greg Ihnen wrote:

 Or Java would be nice. But really anything that is cross platform would
be
 good. Then I wouldn't have to run Parallels or Fusion all day.
 Greg
 On Oct 2, 2010, at 12:27 PM, Josh Luthman wrote:

 It doesn't answer anything.  You can't configure anything.  It screws up
 what you have set.  Hate it.  I would like to see an html copy of
winbox,
 but that's a dream.

 On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com
wrote:
  Ah.. I always use Winbox. Tried Webbox a few times when I had to but
  wasn't comfortable with it at all.
 
 
 
 
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
On
  Behalf Of Josh Luthman
  Sent: Saturday, October 02, 2010 11:18 AM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 
 
  The MT webbox causes cancer it is so terrible.
 
  On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
  That script should be the MT default when one checks the protect
  router
  check box in the web UI.
 
  Greg
 
  On Oct 2, 2010, at 8:33 AM, Robert West wrote:
 
  Checked the logs this morning and guess who was back at it. Was trying
  to do a brute force attack from yet another IP but that script from Butch
  swatted him like a fly. Worked like a charm!
 
  Thanks to both you and Butch, he be gone.
 
  Bob-
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of Josh Luthman
  Sent: Friday, October 01, 2010 10:38 PM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Compliments of Butch Evans
 
  /ip firewall filter
  add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
      dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  add action=add-src-to-address-list address-list=ssh_blacklist \
      address-list-timeout=1w3d chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
  add action=add-src-to-address-list address-list=ssh_stage3 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
  add action=add-src-to-address-list address-list=ssh_stage2 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
  add action=add-src-to-address-list address-list=ssh_stage1 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers
 
  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373
 
 
  On Fri, Oct 1, 2010 at 10:28 PM, Robert West
  robert.w...@just-micro.com
  wrote:
  Then we'll just send the pigeons over to poop on them.
 
  Easy.
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of RickG
  Sent: Friday, October 01, 2010 9:29 PM
  To: Tom Sharples; WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  I like it but what if the ip is being masqueraded?
 
  On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
  wrote:
  I've often wondered, is it legal for the recipient of this sort of
  thing to retaliate with e.g. ping or curl storms?
 
  Tom S.
 
 
  - Original Message -
  From: Robert West
  To: 'WISPA General List'
  Sent: Friday, October 01, 2010 2:57 PM
  Subject: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Just had to deal with a brute force attack on a MT router acting as
a
  gateway.
 
  Came from these two IP addresses..
 
  59.42.10.38
 
  61.155.5.247
 
  Looked

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Leon D. Zetekoff

 On 10/02/2010 05:58 PM, Josh Luthman wrote:


New laptops don't have java.

Flash is one library and takes seconds to install.

Launch speeds are of no comparison, flash is way faster.  Takes a lot 
of time to warm up the virtual engine.



I find Flash a PITA. Java is one download off java.com; not a biggie there.

IMHO

leon
On Oct 2, 2010 5:32 PM, Jeromie Reeves jree...@18-30chat.net wrote:

 I have to question: Why would a new laptop not use it? And how do you
 figure flash is lighter?

 On Sat, Oct 2, 2010 at 2:22 PM, Josh Luthman
 j...@imaginenetworksllc.com wrote:
 Jon was right - just loaded up 5.0rc1 and they added webfig.  Format is
 very much that of Winbox and looks very good at a glance!

 Webbox is still there and it is still bad.

 Java is way too slow and not very portable (in the sense a new laptop won't
 use it).  Flash is easier and lighter.  HTML works 99.99% of the time.




Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Josh Luthman
My experience is the total opposite and I think the world agrees with me.
Youtube videos, games, ads, etc.
On Oct 2, 2010 6:22 PM, Leon D. Zetekoff wa4...@backwoodswireless.net
wrote:




Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Philip Dorr
HTML5 is better than either java or flash.

On Sat, Oct 2, 2010 at 5:32 PM, Josh Luthman
j...@imaginenetworksllc.com wrote:
 My experience is the total opposite and I think the world agrees with me.
 Youtube videos, games, ads, etc.

 On Oct 2, 2010 6:22 PM, Leon D. Zetekoff wa4...@backwoodswireless.net
 wrote:



 


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Josh Luthman
That's what I'm saying!
On Oct 2, 2010 6:57 PM, Philip Dorr wirel...@judgementgaming.com wrote:
 HTML5 is better than either java or flash.

 On Sat, Oct 2, 2010 at 5:32 PM, Josh Luthman
 j...@imaginenetworksllc.com wrote:
 My experience is the total opposite and I think the world agrees with me.
 Youtube videos, games, ads, etc.

 On Oct 2, 2010 6:22 PM, Leon D. Zetekoff wa4...@backwoodswireless.net
 wrote:






Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Jeromie Reeves
Installing flash or java is the same procedure. Flash is a horribly
unstable system. It is a container system with many IDE's that make it
drag drop simple to produce with. This topic can only go the way of
Linux vs Windows. Windows took off because you do not need skill to
use it. Same with flash. The better option is tossed to the wayside.



On Sat, Oct 2, 2010 at 2:58 PM, Josh Luthman
j...@imaginenetworksllc.com wrote:
 New laptops don't have java.

 Flash is one library and takes second to install.

 Launch speeds are of no comparison, flash is way faster.  Takes a lot of
 time to warm up the virtual engine.

 On Oct 2, 2010 5:32 PM, Jeromie Reeves jree...@18-30chat.net wrote:
 I have to question: Why would a new laptop not use it? And how do you
 figure flash is lighter?

 On Sat, Oct 2, 2010 at 2:22 PM, Josh Luthman
 j...@imaginenetworksllc.com wrote:
 Jon was right - just loaded up 5.0rc1 and they added webfig.  Format is
 very much that of Winbox and looks very good at a glance!

 Webbox is still there and it is still bad.

 Java is way too slow and not very portable (in the sense a new laptop
 won't
 use it).  Flash is easier and lighter.  HTML works 99.99% of the time.

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373


 On Sat, Oct 2, 2010 at 3:57 PM, Leon D. Zetekoff
 wa4...@backwoodswireless.net wrote:

 I asked them about a Java client a long time ago and they nixed it..
 Said
 there was a Windoze client and it could run under Wine. But I was
 looking at
 other platforms. The biggest problem with Mikrotik is their tunnelvision
 and
 unwillingness to look outside of the box IMHO

 Leon

 On 10/2/2010 3:04 PM, Greg Ihnen wrote:

 Or Java would be nice. But really anything that is cross platform would
 be
 good. Then I wouldn't have to run Parallels or Fusion all day.
 Greg
 On Oct 2, 2010, at 12:27 PM, Josh Luthman wrote:

 It doesn't answer anything.  You can't configure anything.  It screws up
 what you have set.  Hate it.  I would like to see an html copy of
 winbox,
 but that's a dream.

 On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com
 wrote:
  Ah.. I always use Winbox. Tried Webbox a few times when I had to but
  wasn't comfortable with it at all.
 
 
 
 
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of Josh Luthman
  Sent: Saturday, October 02, 2010 11:18 AM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 
 
  The MT webbox causes cancer it is so terrible.
 
  On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
  That script should be the MT default when one checks the protect
  router
  check box in the web UI.
 
  Greg
 
  On Oct 2, 2010, at 8:33 AM, Robert West wrote:
 
  Checked the logs this morning and guess who was back at it Was
  trying
  to do a brute force attack from yet another IP but that script from
  Butch
  swatted him like a fly. Worked like a charm!
 
  Thanks to both you and Butch, he be gone.
 
  Bob-
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of Josh Luthman
  Sent: Friday, October 01, 2010 10:38 PM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Compliments of Butch Evans
 
  /ip firewall filter
  # Drop SSH connections from sources already on the blacklist.
  add action=drop chain=forward comment="drop ssh brute forcers" \
  disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  # A new connection from a stage3 source goes on the blacklist for 1w3d.
  add action=add-src-to-address-list address-list=ssh_blacklist \
  address-list-timeout=1w3d chain=forward comment="" connection-state=new \
  disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
  # Each further new connection within 1m moves the source up one stage.
  add action=add-src-to-address-list address-list=ssh_stage3 \
  address-list-timeout=1m chain=forward comment="" connection-state=new \
  disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
  add action=add-src-to-address-list address-list=ssh_stage2 \
  address-list-timeout=1m chain=forward comment="" connection-state=new \
  disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
  # First new connection: enter stage1 unless the source is in heavysshservers.
  add action=add-src-to-address-list address-list=ssh_stage1 \
  address-list-timeout=1m chain=forward comment="" connection-state=new \
  disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers
 
  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373
 
 
  On Fri, Oct 1, 2010 at 10:28 PM, Robert West
  robert.w...@just-micro.com
  wrote:
  Then we'll just send the pigeons over to poop on them.
 
  Easy.
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of RickG
  Sent: Friday, October 01, 2010 9:29 PM
  To: Tom Sharples; WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  I like it but what if the ip is being masqueraded?
 
  On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
  wrote:
  I've often wondered, is it legal
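
The staged address-list rules quoted above, modelled as an added Python example (not part of the thread and not RouterOS code). It assumes the first rule drops blacklisted sources as its comment says, that add-src-to-address-list lets the packet continue to the next rule, and that re-adding an address restarts its timeout; the source address 192.0.2.10 and the connection times are constructed.

```python
"""Model of the staged SSH address-list rules quoted in this thread."""

STAGE_TIMEOUT = 60                        # address-list-timeout=1m
BLACKLIST_TIMEOUT = (7 + 3) * 24 * 3600   # address-list-timeout=1w3d

# (list tested, list added to, timeout), in the order the script lists them.
POSTED_ORDER = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    (None, "ssh_stage1", STAGE_TIMEOUT),  # guarded by !heavysshservers
]
# The same rules with the lowest stage first, to show why the order matters.
REVERSED_ORDER = list(reversed(POSTED_ORDER))

# Constructed sample input: one source, three connection schedules (seconds).
SRC = "192.0.2.10"
FAST = [0, 5, 10, 15, 20, 25]             # one attempt every 5 s
SLOW = [0, 90, 180, 270, 360, 450]        # one attempt every 90 s


class Firewall:
    """Evaluates the rules top to bottom for each new TCP/22 connection."""

    def __init__(self, rules, exempt=()):
        self.rules = rules
        self.exempt = set(exempt)         # stands in for heavysshservers
        self.lists = {}                   # list name -> {source: expiry time}

    def _member(self, name, src, now):
        return self.lists.get(name, {}).get(src, 0) > now

    def new_ssh_connection(self, src, now):
        """Return 'drop' or 'pass' for one connection-state=new packet."""
        if self._member("ssh_blacklist", src, now):
            return "drop"                 # the drop rule ends processing
        for tested, target, timeout in self.rules:
            if tested is None:
                matched = src not in self.exempt
            else:
                matched = self._member(tested, src, now)
            if matched:
                # Assumption: the add action is non-terminating, so later
                # rules still see this packet and the entry just written.
                self.lists.setdefault(target, {})[src] = now + timeout
        return "pass"


def first_drop(rules, src, times, exempt=()):
    """Return the 1-based index of the first dropped connection, or None."""
    fw = Firewall(rules, exempt)
    for n, t in enumerate(times, start=1):
        if fw.new_ssh_connection(src, t) == "drop":
            return n
    return None


if __name__ == "__main__":
    print("posted order, fast:  ", first_drop(POSTED_ORDER, SRC, FAST))
    print("reversed order, fast:", first_drop(REVERSED_ORDER, SRC, FAST))
    print("posted order, slow:  ", first_drop(POSTED_ORDER, SRC, SLOW))
    print("exempt source, fast: ",
          first_drop(POSTED_ORDER, SRC, FAST, exempt={SRC}))
```

Under these assumptions the posted order lets four rapid connections through and drops the fifth, while the reversed order cascades a single connection through every list and drops the second, so legitimate users would be blacklisted after one login.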

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
Or..!  A rule that will route them back to themselves!  Now THAT would
be hilarious!!!

 

Bob-

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of RickG
Sent: Saturday, October 02, 2010 12:56 AM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

But thinking back on it, imagine the "Damn it!" looks on their faces if
they DID get in only to find a nothing Mikrotik routerboard!

 

LOL, it would be funny to have something connected that did nothing. Better
yet, just reroute them to fbi.gov!

On Fri, Oct 1, 2010 at 10:22 PM, Robert West robert.w...@just-micro.com
wrote:

I've been migrating everything to a central location.  Not done yet but boy,
have had a mess the past 3 weeks with the reconfiguring and moving of
"stuff".  As well as one major gateway out of the "solar" status to real
grid power.  Finally!

 

Was interesting to watch the log, though.  I blocked every IP as it popped
up then they switched from FTP to SSH.  Once SSH was blocked, they went the
hell away.

 

But thinking back on it, imagine the "Damn it!" looks on their faces if
they DID get in only to find a nothing Mikrotik routerboard!  HA!

 

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Glenn Kelley
Sent: Friday, October 01, 2010 10:00 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

Bob, 

 

If memory serves me correct - you do not have a central network - is that
right?

instead your just using multiple pops via cable modems? 

 

If that is the case - it might be a bit more difficult - on the other hand -
if you have switched to a central network (or have this in some places) 

than I can give you an easy transparent bridge solution @ no cost (just need
one of your old pc's and 2 nics :-)  ) 

 

 

Let me know

 

 

On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:

 

 

why not just block china (and other countries) from access unless it is
something opened first from inside the network ?

 

Would make a big difference 

 

:-)

 

 

 

On Oct 1, 2010, at 9:28 PM, RickG wrote:

 

61.155.5.247

 


_

Glenn Kelley | Principle | HostMedic |www.HostMedic.com 

  Email: gl...@hostmedic.com

Please don't print this e-mail unless you really need to.

 






Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Greg Ihnen
How about the Backtrack toolset.

In the early days of the internet (for me) I would see people trying to attack 
me so I'd use some script kiddie tools to throw attacks back at them. If they 
weren't patched they'd go down. Often they'd go down.

Then again that was a colossal waste of time. It's better to just block them, 
and once in a while look at your address list and see who's gotten put in the 
sand box.

Greg

On Oct 2, 2010, at 7:18 PM, Robert West wrote:

 Or..!  A rule that will route them back to themselves!  Now THAT would be 
 hilarious!!!
  
 Bob-
  
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On 
 Behalf Of RickG
 Sent: Saturday, October 02, 2010 12:56 AM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
 But thinking back on  it, imagine the “Damn it!” looks on their faces if 
 they DID get in only to find a nothing Mikrotik routerboard!
  
 LOL, it would be funny to have something connected that did nothing. Better 
 yet, just reroute them to fbi.gov!
 
 On Fri, Oct 1, 2010 at 10:22 PM, Robert West robert.w...@just-micro.com 
 wrote:
 I’ve been migrating everything to a central location.  Not done yet but boy, 
 have had a mess the past 3 weeks with the reconfiguring and moving of 
 “stuff”.  As well as one major gateway out of the “solar” status to real grid 
 power.  Finally!
  
 Was interesting to watch the log, though.  I blocked every IP as it popped up 
 then they switched from FTP to SSH.  Once SSH was blocked, they went the hell 
 away.
  
 But thinking back on  it, imagine the “Damn it!” looks on their faces if they 
 DID get in only to find a nothing Mikrotik routerboard!  HA!
  
  
  
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On 
 Behalf Of Glenn Kelley
 Sent: Friday, October 01, 2010 10:00 PM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
 Bob, 
  
 If memory serves me correct - you do not have a central network - is that 
 right?
 instead your just using multiple pops via cable modems? 
  
 If that is the case - it might be a bit more difficult - on the other hand - 
 if you have switched to a central network (or have this in some places) 
 than I can give you an easy transparent bridge solution @ no cost (just need 
 one of your old pc's and 2 nics :-)  ) 
  
  
 Let me know
  
  
 On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:
  
 
  
 why not just block china (and other countries) from access unless it is 
 something opened first from inside the network ?
  
 Would make a big difference 
  
 :-)
  
  
  
 On Oct 1, 2010, at 9:28 PM, RickG wrote:
  
 
 61.155.5.247
  

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Glenn Kelley
IP Spoofing can really hit you hard.
Running a datacenter I have received reports from a number of other DC's

then when doing the actual investigation I have to tell an engineer @ the other 
DC that they are wrong.

Retaliation is never a good thing - chances are you are hitting the wrong 
person.

Just my 2 cents 


On Oct 2, 2010, at 7:55 PM, Greg Ihnen wrote:

 How about the Backtrack toolset.
 
 In the early days of the internet (for me) I would see people trying to 
 attack me so I'd use some script kiddie tools to throw attacks back at them. 
 If they weren't patched they'd go down. Often they'd go down.
 
 Then again that was a colossal waste of time. It's better to just block them, 
 and once in a while look at your address list and see who's gotten put in the 
 sand box.
 
 Greg
 
 On Oct 2, 2010, at 7:18 PM, Robert West wrote:
 
 Or..!  A rule that will route them back to themselves!  Now THAT would 
 be hilarious!!!
  
 Bob-
  
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On 
 Behalf Of RickG
 Sent: Saturday, October 02, 2010 12:56 AM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
 But thinking back on  it, imagine the “Damn it!” looks on their faces if 
 they DID get in only to find a nothing Mikrotik routerboard!
  
 LOL, it would be funny to have something connected that did nothing. Better 
 yet, just reroute them to fbi.gov!
 
 On Fri, Oct 1, 2010 at 10:22 PM, Robert West robert.w...@just-micro.com 
 wrote:
 I’ve been migrating everything to a central location.  Not done yet but boy, 
 have had a mess the past 3 weeks with the reconfiguring and moving of 
 “stuff”.  As well as one major gateway out of the “solar” status to real 
 grid power.  Finally!
  
 Was interesting to watch the log, though.  I blocked every IP as it popped 
 up then they switched from FTP to SSH.  Once SSH was blocked, they went the 
 hell away.
  
 But thinking back on  it, imagine the “Damn it!” looks on their faces if 
 they DID get in only to find a nothing Mikrotik routerboard!  HA!
  
  
  
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On 
 Behalf Of Glenn Kelley
 Sent: Friday, October 01, 2010 10:00 PM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
 Bob, 
  
 If memory serves me correct - you do not have a central network - is that 
 right?
 instead your just using multiple pops via cable modems? 
  
 If that is the case - it might be a bit more difficult - on the other hand - 
 if you have switched to a central network (or have this in some places) 
 than I can give you an easy transparent bridge solution @ no cost (just need 
 one of your old pc's and 2 nics :-)  ) 
  
  
 Let me know
  
  
 On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:
  
 
  
 why not just block china (and other countries) from access unless it is 
 something opened first from inside the network ?
  
 Would make a big difference 
  
 :-)
  
  
  
 On Oct 1, 2010, at 9:28 PM, RickG wrote:
  
 
 61.155.5.247
  

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Ryan Goldberg
Bcp 38

Control plane v mgmt plane v data plane

Botnets

Don't shoot poop back at the internetwebz



On Oct 2, 2010, at 7:15 PM, Glenn Kelley gl...@hostmedic.com wrote:

IP Spoofing can really hit you hard.
Running a datacenter I have received reports from a number of other DC's

then when doing the actual investigation I have to tell an engineer @ the other 
DC that they are wrong.

Retaliation is never a good thing - chances are you are hitting the wrong 
person.

Just my 2 cents


On Oct 2, 2010, at 7:55 PM, Greg Ihnen wrote:

How about the Backtrack toolset.

In the early days of the internet (for me) I would see people trying to attack 
me so I'd use some script kiddie tools to throw attacks back at them. If they 
weren't patched they'd go down. Often they'd go down.

Then again that was a colossal waste of time. It's better to just block them, 
and once in a while look at your address list and see who's gotten put in the 
sand box.

Greg

On Oct 2, 2010, at 7:18 PM, Robert West wrote:

Or..!  A rule that will route them back to themselves!  Now THAT would be 
hilarious!!!

Bob-

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of RickG
Sent: Saturday, October 02, 2010 12:56 AM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

But thinking back on  it, imagine the “Damn it!” looks on their faces if they 
DID get in only to find a nothing Mikrotik routerboard!

LOL, it would be funny to have something connected that did nothing. Better 
yet, just reroute them to fbi.gov!
On Fri, Oct 1, 2010 at 10:22 PM, Robert West robert.w...@just-micro.com
wrote:
I’ve been migrating everything to a central location.  Not done yet but boy, 
have had a mess the past 3 weeks with the reconfiguring and moving of “stuff”.  
As well as one major gateway out of the “solar” status to real grid power.  
Finally!

Was interesting to watch the log, though.  I blocked every IP as it popped up 
then they switched from FTP to SSH.  Once SSH was blocked, they went the hell 
away.

But thinking back on  it, imagine the “Damn it!” looks on their faces if they 
DID get in only to find a nothing Mikrotik routerboard!  HA!



From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Glenn Kelley
Sent: Friday, October 01, 2010 10:00 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

Bob,

If memory serves me correct - you do not have a central network - is that right?
instead your just using multiple pops via cable modems?

If that is the case - it might be a bit more difficult - on the other hand - if 
you have switched to a central network (or have this in some places)
than I can give you an easy transparent bridge solution @ no cost (just need 
one of your old pc's and 2 nics :-)  )


Let me know


On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:


why not just block china (and other countries) from access unless it is 
something opened first from inside the network ?

Would make a big difference

:-)



On Oct 1, 2010, at 9:28 PM, RickG wrote:

61.155.5.247


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Greg Ihnen
You're right. That was the folly of youth.

Greg

On Oct 2, 2010, at 7:45 PM, Glenn Kelley wrote:

 IP Spoofing can really hit you hard.
 Running a datacenter I have received reports from a number of other DC's
 
 then when doing the actual investigation I have to tell an engineer @ the 
 other DC that they are wrong.
 
 Retaliation is never a good thing - chances are you are hitting the wrong 
 person.
 
 Just my 2 cents 
 
 
 On Oct 2, 2010, at 7:55 PM, Greg Ihnen wrote:
 
 How about the Backtrack toolset.
 
 In the early days of the internet (for me) I would see people trying to 
 attack me so I'd use some script kiddie tools to throw attacks back at them. 
 If they weren't patched they'd go down. Often they'd go down.
 
 Then again that was a colossal waste of time. It's better to just block 
 them, and once in a while look at your address list and see who's gotten put 
 in the sand box.
 
 Greg
 
 On Oct 2, 2010, at 7:18 PM, Robert West wrote:
 
 Or..!  A rule that will route them back to themselves!  Now THAT would 
 be hilarious!!!
  
 Bob-
  
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On 
 Behalf Of RickG
 Sent: Saturday, October 02, 2010 12:56 AM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
 But thinking back on  it, imagine the “Damn it!” looks on their faces if 
 they DID get in only to find a nothing Mikrotik routerboard!
  
 LOL, it would be funny to have something connected that did nothing. Better 
 yet, just reroute them to fbi.gov!
 
 On Fri, Oct 1, 2010 at 10:22 PM, Robert West robert.w...@just-micro.com 
 wrote:
 I’ve been migrating everything to a central location.  Not done yet but 
 boy, have had a mess the past 3 weeks with the reconfiguring and moving of 
 “stuff”.  As well as one major gateway out of the “solar” status to real 
 grid power.  Finally!
  
 Was interesting to watch the log, though.  I blocked every IP as it popped 
 up then they switched from FTP to SSH.  Once SSH was blocked, they went the 
 hell away.
  
 But thinking back on  it, imagine the “Damn it!” looks on their faces if 
 they DID get in only to find a nothing Mikrotik routerboard!  HA!
  
  
  
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On 
 Behalf Of Glenn Kelley
 Sent: Friday, October 01, 2010 10:00 PM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
 Bob, 
  
 If memory serves me correct - you do not have a central network - is that 
 right?
 instead your just using multiple pops via cable modems? 
  
 If that is the case - it might be a bit more difficult - on the other hand 
 - if you have switched to a central network (or have this in some places) 
 than I can give you an easy transparent bridge solution @ no cost (just 
 need one of your old pc's and 2 nics :-)  ) 
  
  
 Let me know
  
  
 On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:
  
 
  
 why not just block china (and other countries) from access unless it is 
 something opened first from inside the network ?
  
 Would make a big difference 
  
 :-)
  
  
  
 On Oct 1, 2010, at 9:28 PM, RickG wrote:
  
 
 61.155.5.247
  

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
I tried that one but 5.0 beta was randomly dropping connection so I quickly 
went back down to 4.11 and has been working like a champ 24/7

 

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf 
Of Jon Auer
Sent: Saturday, October 02, 2010 1:40 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

The new web admin in 5.0 looks like a web clone of winbox.

On Oct 2, 2010 11:57 AM, Josh Luthman j...@imaginenetworksllc.com wrote:

It doesn't answer anything.  You can't configure anything.  It screws up what 
you have set.  Hate it.  I would like to see an html copy of winbox, but that's 
a dream.



On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:
 Ah.. I always use Win...






Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
Java should be a no brainer.  I think you're right about the tunnel vision.
Happens to many companies.  No one there with the guts to rock the boat.

 

 

 

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Leon D. Zetekoff
Sent: Saturday, October 02, 2010 3:58 PM
To: wireless@wispa.org
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

I asked them about a Java client a long time ago and they nixed it.. Said
there was a Windoze client and it could run under Wine. But I was looking at
other platforms. The biggest problem with Mikrotik is their tunnelvision and
unwillingness to look outside of the box IMHO

Leon

On 10/2/2010 3:04 PM, Greg Ihnen wrote: 

Or Java would be nice. But really anything that is cross platform would be
good. Then I wouldn't have to run Parallels or Fusion all day. 

 

Greg

On Oct 2, 2010, at 12:27 PM, Josh Luthman wrote:





It doesn't answer anything.  You can't configure anything.  It screws up
what you have set.  Hate it.  I would like to see an html copy of winbox,
but that's a dream.

On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:
 Ah.. I always use Winbox. Tried Webbox a few times when I had to but
 wasn't comfortable with it at all.
 
 
 
 
 
 
 
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of Josh Luthman
 Sent: Saturday, October 02, 2010 11:18 AM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 
 
 The MT webbox causes cancer it is so terrible.
 
 On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
 That script should be the MT default when one checks the protect router
 check box in the web UI.
 
 Greg
 
 On Oct 2, 2010, at 8:33 AM, Robert West wrote:
 
 Checked the logs this morning and guess who was back at it Was trying
 to do a brute force attack from yet another IP but that script from Butch
 swatted him like a fly. Worked like a charm!
 
 Thanks to both you and Butch, he be gone.
 
 Bob-
 
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of Josh Luthman
 Sent: Friday, October 01, 2010 10:38 PM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 Compliments of Butch Evans
 
 /ip firewall filter
 # Drop SSH connections from sources already on the blacklist.
 add action=drop chain=forward comment="drop ssh brute forcers" \
 disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
 # A new connection from a stage3 source goes on the blacklist for 1w3d.
 add action=add-src-to-address-list address-list=ssh_blacklist \
 address-list-timeout=1w3d chain=forward comment="" connection-state=new \
 disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
 # Each further new connection within 1m moves the source up one stage.
 add action=add-src-to-address-list address-list=ssh_stage3 \
 address-list-timeout=1m chain=forward comment="" connection-state=new \
 disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
 add action=add-src-to-address-list address-list=ssh_stage2 \
 address-list-timeout=1m chain=forward comment="" connection-state=new \
 disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
 # First new connection: enter stage1 unless the source is in heavysshservers.
 add action=add-src-to-address-list address-list=ssh_stage1 \
 address-list-timeout=1m chain=forward comment="" connection-state=new \
 disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers
 
 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373
 
 
 On Fri, Oct 1, 2010 at 10:28 PM, Robert West robert.w...@just-micro.com wrote:
 Then we'll just send the pigeons over to poop on them.
 
 Easy.
 
 
 
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of RickG
 Sent: Friday, October 01, 2010 9:29 PM
 To: Tom Sharples; WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 I like it but what if the ip is being masqueraded?
 
 On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
 wrote:
 I've often wondered, is it legal for the recipient of this sort of
 thing, to retaliate with e.g. ping or curl storms?
 
 Tom S.
 
 
 - Original Message -
 From: Robert West
 To: 'WISPA General List'
 Sent: Friday, October 01, 2010 2:57 PM
 Subject: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 Just had to deal with a brute force attack on a MT router acting as a
 gateway. 
 
 Came from these two IP addresses..
 
 59.42.10.38
 
 61.155.5.247
 
 Looked them up, they turn out to be pretty common for this sort of thing.
 Added a firewall rule to drop them and they are no longer filling my log. 
 
 Some may want to do the same for these jokers.
 
 Robert West
 Just Micro Digital Services Inc.
 740-335-7020
 
 
 


 

  _  

No virus found in this message.
Checked by AVG - www.avg.com
Version: 10.0.1120 / Virus Database: 422/3172 - Release Date: 10/02/10
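
Added example (not from any list member's post): a small Python model of the staged address-list rules quoted above, replayed over constructed connection events. It models the first rule as a drop, as that rule's comment field describes, and assumes that re-adding a source to a list restarts its timeout; the class and function names and the sample addresses are made up for the illustration.

```python
"""Added example: model of the staged SSH address-list rules quoted in this thread."""

STAGE_TIMEOUT = 60                     # address-list-timeout=1m
BLACKLIST_TIMEOUT = (7 + 3) * 86400    # address-list-timeout=1w3d

# One entry per add-src-to-address-list rule, in the quoted top-to-bottom order:
# (list the source must already be in, list it is added to, timeout in seconds).
# None stands for the last rule's src-address-list=!heavysshservers match.
STAGE_RULES = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    (None, "ssh_stage1", STAGE_TIMEOUT),
]


class StagedSshFilter:
    """Hypothetical model class; each address list is kept as {source: expiry}."""

    def __init__(self, heavy_ssh_servers=()):
        self.heavy = set(heavy_ssh_servers)
        self.lists = {target: {} for _, target, _ in STAGE_RULES}

    def is_member(self, list_name, src, now):
        expiry = self.lists[list_name].get(src)
        return expiry is not None and now < expiry

    def new_connection(self, src, now):
        """Run one new TCP/22 connection through the rules; return the verdict."""
        # First rule, modelled as a drop (what its comment field describes).
        if self.is_member("ssh_blacklist", src, now):
            return "drop"
        # add-src-to-address-list does not stop rule processing, so all four
        # staging rules see the packet. Because the highest stage is checked
        # first, a list written by one rule is never read by a later rule for
        # the same packet: one connection moves a source up exactly one stage.
        for required, target, timeout in STAGE_RULES:
            if required is None:
                matched = src not in self.heavy
            else:
                matched = self.is_member(required, src, now)
            if matched:
                # Assumption: re-adding an existing entry restarts its timeout.
                self.lists[target][src] = now + timeout
        return "pass"


def replay(events, heavy_ssh_servers=()):
    """Replay (time, source) events; return per-event verdicts and the
    sources still blacklisted at the time of the last event."""
    fw = StagedSshFilter(heavy_ssh_servers)
    verdicts = [(t, src, fw.new_connection(src, t)) for t, src in sorted(events)]
    end = max(t for t, _ in events)
    blacklisted = sorted(
        src for src in fw.lists["ssh_blacklist"]
        if fw.is_member("ssh_blacklist", src, end)
    )
    return verdicts, blacklisted


# Constructed sample input (documentation address ranges, seconds since start).
HEAVY_SSH_SERVERS = {"192.0.2.10"}                              # e.g. a monitoring host
SAMPLE_EVENTS = (
    [(t, "203.0.113.50") for t in (0, 10, 20, 30, 40, 50)]      # password guesser
    + [(t, "198.51.100.7") for t in (5, 95, 185, 275)]          # admin, 90 s apart
    + [(t, "192.0.2.10") for t in (1, 2, 3, 4, 5, 6)]           # exempted host
)

if __name__ == "__main__":
    verdicts, blacklisted = replay(SAMPLE_EVENTS, HEAVY_SSH_SERVERS)
    for t, src, verdict in verdicts:
        print(f"t={t:>3}s  {src:<13} {verdict}")
    print("blacklisted at end:", blacklisted)
```

The quoted rules sit in chain=forward, so they watch SSH passing through the router; connections to the router's own SSH service traverse the input chain instead. The model also shows that the fourth connection is still passed, since the blacklist entry is only written while that packet is being processed.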






Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
All my new laptops deal with UBNT air control as smooth as can be.



-Original Message-
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Jeromie Reeves
Sent: Saturday, October 02, 2010 5:32 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

I have to question: Why would a new laptop not use it? And how do you figure
flash is lighter?

On Sat, Oct 2, 2010 at 2:22 PM, Josh Luthman j...@imaginenetworksllc.com
wrote:
 Jon was right - just loaded up 5.0rc1 and they added webfig.  Format 
 is very much that of Winbox and looks very good at a glance!

 Webbox is still there and it is still bad.

 Java is way too slow and not very portable (in the sense a new laptop 
 won't use it).  Flash is easier and lighter.  HTML works 99.99% of the time.

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373


 On Sat, Oct 2, 2010 at 3:57 PM, Leon D. Zetekoff 
 wa4...@backwoodswireless.net wrote:

 I asked them about a Java client a long time ago and they nixed it.. 
 Said there was a Windoze client and it could run under Wine. But I 
 was looking at other platforms. The biggest problem with Mikrotik is 
 their tunnelvision and unwillingness to look outside of the box IMHO

 Leon

 On 10/2/2010 3:04 PM, Greg Ihnen wrote:

 Or Java would be nice. But really anything that is cross platform 
 would be good. Then I wouldn't have to run Parallels or Fusion all day.
 Greg
 On Oct 2, 2010, at 12:27 PM, Josh Luthman wrote:

 It doesn't answer anything.  You can't configure anything.  It screws 
 up what you have set.  Hate it.  I would like to see an html copy of 
 winbox, but that's a dream.

 On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:
  Ah.. I always use Winbox. Tried Webbox a few times when I had to 
  but wasn't comfortable with it at all.
 
 
 
 
 
 
 
  From: wireless-boun...@wispa.org 
  [mailto:wireless-boun...@wispa.org] On Behalf Of Josh Luthman
  Sent: Saturday, October 02, 2010 11:18 AM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 
 
  The MT webbox causes cancer it is so terrible.
 
  On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
  That script should be the MT default when one checks the protect 
  router
  check box in the web UI.
 
  Greg
 
  On Oct 2, 2010, at 8:33 AM, Robert West wrote:
 
  Checked the logs this morning and guess who was back at it Was trying
  to do a brute force attack from yet another IP but that script from 
  Butch swatted him like a fly. Worked like a charm!
 
  Thanks to both you and Butch, he be gone.
 
  Bob-
 
  From: wireless-boun...@wispa.org 
  [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of Josh Luthman
  Sent: Friday, October 01, 2010 10:38 PM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Compliments of Butch Evans
 
  /ip firewall filter
  # Sources already on the blacklist are dropped before the staging rules run.
  add action=drop chain=forward comment="drop ssh brute forcers" \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  # Each new connection made while the source is still in a stage list moves it up one stage.
  add action=add-src-to-address-list address-list=ssh_blacklist \
      address-list-timeout=1w3d chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
  add action=add-src-to-address-list address-list=ssh_stage3 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
  add action=add-src-to-address-list address-list=ssh_stage2 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
  add action=add-src-to-address-list address-list=ssh_stage1 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers
 
  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373
 
 
  On Fri, Oct 1, 2010 at 10:28 PM, Robert West 
  robert.w...@just-micro.com
  wrote:
  Then we'll just send the pigeons over to poop on them.
 
  Easy.
 
 
 
  From: wireless-boun...@wispa.org 
  [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of RickG
  Sent: Friday, October 01, 2010 9:29 PM
  To: Tom Sharples; WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  I like it but what if the ip is being masqueraded?
 
  On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples 
  tsharp...@qorvus.com
  wrote:
  I've often wondered, is it legal for the recipient of this sort of
  thing, to retaliate with e.g. ping or curl storms?
 
  Tom S.
 
 
  - Original Message -
  From: Robert West
  To: 'WISPA General List'
  Sent: Friday, October 01, 2010 2:57 PM
  Subject: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Just had to deal with a brute force attack on a MT router acting

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
Agreed.  Easy download though and yes, it can have issues.  

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Josh Luthman
Sent: Saturday, October 02, 2010 5:59 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

New laptops don't have java.

Flash is one library and takes second to install.

Launch speeds are of no comparison, flash is way faster.  Takes a lot of
time to warm up the virtual engine.

On Oct 2, 2010 5:32 PM, Jeromie Reeves jree...@18-30chat.net wrote:
 I have to question: Why would a new laptop not use it? And how do you
 figure flash is lighter?
 
 On Sat, Oct 2, 2010 at 2:22 PM, Josh Luthman
 j...@imaginenetworksllc.com wrote:
 Jon was right - just loaded up 5.0rc1 and they added webfig.  Format is
 very much that of Winbox and looks very good at a glance!

 Webbox is still there and it is still bad.

 Java is way too slow and not very portable (in the sense a new laptop won't
 use it).  Flash is easier and lighter.  HTML works 99.99% of the time.

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373


 On Sat, Oct 2, 2010 at 3:57 PM, Leon D. Zetekoff
 wa4...@backwoodswireless.net wrote:

 I asked them about a Java client a long time ago and they nixed it.. Said
 there was a Windoze client and it could run under Wine. But I was looking at
 other platforms. The biggest problem with Mikrotik is their tunnelvision and
 unwillingness to look outside of the box IMHO

 Leon

 On 10/2/2010 3:04 PM, Greg Ihnen wrote:

 Or Java would be nice. But really anything that is cross platform would be
 good. Then I wouldn't have to run Parallels or Fusion all day.
 Greg
 On Oct 2, 2010, at 12:27 PM, Josh Luthman wrote:

 It doesn't answer anything.  You can't configure anything.  It screws up
 what you have set.  Hate it.  I would like to see an html copy of winbox,
 but that's a dream.

 On Oct 2, 2010 12:33 PM, Robert West robert.w...@just-micro.com wrote:
  Ah.. I always use Winbox. Tried Webbox a few times when I had to but
  wasn't comfortable with it at all.
 
 
 
 
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
On
  Behalf Of Josh Luthman
  Sent: Saturday, October 02, 2010 11:18 AM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
 
 
  The MT webbox causes cancer it is so terrible.
 
  On Oct 2, 2010 9:08 AM, Greg Ihnen os10ru...@gmail.com wrote:
  That script should be the MT default when one checks the protect
  router
  check box in the web UI.
 
  Greg
 
  On Oct 2, 2010, at 8:33 AM, Robert West wrote:
 
  Checked the logs this morning and guess who was back at it Was trying
  to do a brute force attack from yet another IP but that script from Butch
  swatted him like a fly. Worked like a charm!
 
  Thanks to both you and Butch, he be gone.
 
  Bob-
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of Josh Luthman
  Sent: Friday, October 01, 2010 10:38 PM
  To: WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  Compliments of Butch Evans
 
  /ip firewall filter
  # Sources already on the blacklist are dropped before the staging rules run.
  add action=drop chain=forward comment="drop ssh brute forcers" \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
  # Each new connection made while the source is still in a stage list moves it up one stage.
  add action=add-src-to-address-list address-list=ssh_blacklist \
      address-list-timeout=1w3d chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
  add action=add-src-to-address-list address-list=ssh_stage3 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
  add action=add-src-to-address-list address-list=ssh_stage2 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
  add action=add-src-to-address-list address-list=ssh_stage1 \
      address-list-timeout=1m chain=forward comment="" connection-state=new \
      disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers
 
  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373
 
 
  On Fri, Oct 1, 2010 at 10:28 PM, Robert West
  robert.w...@just-micro.com
  wrote:
  Then we'll just send the pigeons over to poop on them.
 
  Easy.
 
 
 
  From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org]
  On
  Behalf Of RickG
  Sent: Friday, October 01, 2010 9:29 PM
  To: Tom Sharples; WISPA General List
  Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  I like it but what if the ip is being masqueraded?
 
  On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
  wrote:
  I've often wondered, is it legal for the recipient of this sort of
  thing, to retaliate with e.g. ping or curl storms?
 
  Tom S.
 
 
  - Original Message -
  From: Robert West

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
But not on the iPhone

:)

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Josh Luthman
Sent: Saturday, October 02, 2010 6:32 PM
To: WISPA General List; wa4...@arrl.net
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

My experience is the total opposite and I think the world agrees with me.
Youtube videos, games, ads, etc.

On Oct 2, 2010 6:22 PM, Leon D. Zetekoff wa4...@backwoodswireless.net wrote:




WISPA Wants You! Join today!
http://signup.wispa.org/

 
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-02 Thread Robert West
The price is now 6.2 cents by the way.  Inflation.

 

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Glenn Kelley
Sent: Saturday, October 02, 2010 8:16 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

IP Spoofing can really hit you hard.

Running a datacenter I have received reports from a number of other DC's

 

then when doing the actual investigation I have to tell an engineer @ the
other DC that they are wrong.

 

Retaliation is never a good thing - chances are you are hitting the wrong
person.

 

Just my 2 cents 

 

 

On Oct 2, 2010, at 7:55 PM, Greg Ihnen wrote:





How about the Backtrack toolset.

 

In the early days of the internet (for me) I would see people trying to
attack me so I'd use some script kiddie tools to throw attacks back at them.
If they weren't patched they'd go down. Often they'd go down.

 

Then again that was a colossal waste of time. It's better to just block
them, and once in a while look at your address list and see who's gotten put
in the sand box.

 

Greg

 

On Oct 2, 2010, at 7:18 PM, Robert West wrote:





Or..!  A rule that will route them back to themselves!  Now THAT would
be hilarious!!!

 

Bob-

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of RickG
Sent: Saturday, October 02, 2010 12:56 AM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

But thinking back on  it, imagine the Damn it! looks on their faces if
they DID get in only to find a nothing Mikrotik routerboard!

 

LOL, it would be funny to have something connected that did nothing. Better
yet, just reroute them to fbi.gov http://fbi.gov/ !

On Fri, Oct 1, 2010 at 10:22 PM, Robert West robert.w...@just-micro.com
wrote:

I've been migrating everything to a central location.  Not done yet but boy,
have had a mess the past 3 weeks with the reconfiguring and moving of
stuff.  As well as one major gateway out of the solar status to real
grid power.  Finally!

 

Was interesting to watch the log, though.  I blocked every IP as it popped
up then they switched from FTP to SSH.  Once SSH was blocked, they went the
hell away.

 

But thinking back on  it, imagine the Damn it! looks on their faces if
they DID get in only to find a nothing Mikrotik routerboard!  HA!

 

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Glenn Kelley
Sent: Friday, October 01, 2010 10:00 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

Bob, 

 

If memory serves me correct - you do not have a central network - is that
right?

instead you're just using multiple pops via cable modems? 

 

If that is the case - it might be a bit more difficult - on the other hand -
if you have switched to a central network (or have this in some places) 

then I can give you an easy transparent bridge solution @ no cost (just need
one of your old pc's and 2 nics :-)  ) 

 

 

Let me know

 

 

On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:

 

 

why not just block china (and other countries) from access unless it is
something opened first from inside the network ?

 

Would make a big difference 

 

:-)

 

 

 

On Oct 1, 2010, at 9:28 PM, RickG wrote:

 

61.155.5.247

 


_

Glenn Kelley | Principle | HostMedic |www.HostMedic.com
http://www.HostMedic.com/  

  Email: gl...@hostmedic.com

Pplease don't print this e-mail unless you really need to.

 






 


_

Glenn Kelley | Principle | HostMedic |www.HostMedic.com
http://www.HostMedic.com/  

  Email: gl...@hostmedic.com

Pplease don't print this e-mail unless you really need to.

 







 






[WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Robert West
Just had to deal with a brute force attack on a MT router acting as a
gateway.  

 

Came from these two IP addresses..

 

59.42.10.38 

 

61.155.5.247

 

Looked them up, they turn out to be pretty common for this sort of thing.
Added a firewall rule to drop them and they are no longer filling my log.  

 

Some may want to do the same for these jokers.

 

Robert West

Just Micro Digital Services Inc.

740-335-7020

 


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Jon Auer
Two options you may want to consider:
a) automatic blacklist scripts:
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
b) firewalling off external access to your network management services

On Fri, Oct 1, 2010 at 4:57 PM, Robert West robert.w...@just-micro.com wrote:

 Just had to deal with a brute force attack on a MT router acting as a gateway.



 Came from these two IP addresses….



 59.42.10.38



 61.155.5.247



 Looked them up, they turn out to be pretty common for this sort of thing.  
 Added a firewall rule to drop them and they are no longer filling my log.



 Some may want to do the same for these jokers.



 Robert West

 Just Micro Digital Services Inc.

 740-335-7020






 




Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Robert West
Yep, I'll be a lookin' at all that.  Need to rework it all anyhow.  Been 
reading some scripts that Butch has posted as well.

Bob-


-Original Message-
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf 
Of Jon Auer
Sent: Friday, October 01, 2010 6:00 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

Two options you may want to consider:
a) automatic blacklist scripts:
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
b) firewalling off external access to your network management services

On Fri, Oct 1, 2010 at 4:57 PM, Robert West robert.w...@just-micro.com wrote:

 Just had to deal with a brute force attack on a MT router acting as a gateway.



 Came from these two IP addresses….



 59.42.10.38



 61.155.5.247



 Looked them up, they turn out to be pretty common for this sort of thing.  
 Added a firewall rule to drop them and they are no longer filling my log.



 Some may want to do the same for these jokers.



 Robert West

 Just Micro Digital Services Inc.

 740-335-7020






 








Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Greg Ihnen
Are you not using the brute force protection from the wiki? I use it on the 
ports I must keep open. Three strikes they're out.

Greg

On Oct 1, 2010, at 5:27 PM, Robert West wrote:

 Just had to deal with a brute force attack on a MT router acting as a 
 gateway. 
  
 Came from these two IP addresses….
  
 59.42.10.38
  
 61.155.5.247
  
 Looked them up, they turn out to be pretty common for this sort of thing.  
 Added a firewall rule to drop them and they are no longer filling my log. 
  
 Some may want to do the same for these jokers.
  
 Robert West
 Just Micro Digital Services Inc.
 740-335-7020
  





Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Tom Sharples
I've often wondered, is it legal for the recipient of this sort of thing, to 
retaliate with e.g. ping or curl storms?

Tom S.


  - Original Message - 
  From: Robert West 
  To: 'WISPA General List' 
  Sent: Friday, October 01, 2010 2:57 PM
  Subject: [WISPA] Brute Force Attack on Mikrotik Gateway


  Just had to deal with a brute force attack on a MT router acting as a 
gateway.  

   

  Came from these two IP addresses..

   

  59.42.10.38 

   

  61.155.5.247

   

  Looked them up, they turn out to be pretty common for this sort of thing.  
Added a firewall rule to drop them and they are no longer filling my log.  

   

  Some may want to do the same for these jokers.

   

  Robert West

  Just Micro Digital Services Inc.

  740-335-7020

   



   



--




  




Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Faisal Imtiaz
How about an 'interactive script' that detects such attacks and 
automatically black lists them... ?

Now, now now.. what would you do with all that free time ?

-
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
-

Faisal Imtiaz
Snappy Internet  Telecom

On 10/1/2010 5:57 PM, Robert West wrote:
 Just had to deal with a brute force attack on a MT router acting as a
 gateway.

 Came from these two IP addresses….

 59.42.10.38

 61.155.5.247

 Looked them up, they turn out to be pretty common for this sort of
 thing. Added a firewall rule to drop them and they are no longer filling
 my log.

 Some may want to do the same for these jokers.

 Robert West

 Just Micro Digital Services Inc.

 740-335-7020






Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread RickG
I like it but what if the ip is being masqueraded?

On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com wrote:

  I've often wondered, is it legal for the recipient of this sort of
 thing, to retaliate with e.g. ping or curl storms?

 Tom S.



 - Original Message -
 *From:* Robert West robert.w...@just-micro.com
 *To:* 'WISPA General List' wireless@wispa.org
 *Sent:* Friday, October 01, 2010 2:57 PM
 *Subject:* [WISPA] Brute Force Attack on Mikrotik Gateway

  Just had to deal with a brute force attack on a MT router acting as a
 gateway.



 Came from these two IP addresses….



 59.42.10.38



 61.155.5.247



 Looked them up, they turn out to be pretty common for this sort of thing.
 Added a firewall rule to drop them and they are no longer filling my log.



 Some may want to do the same for these jokers.



 Robert West

 Just Micro Digital Services Inc.

 740-335-7020








 


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Glenn Kelley

Why not just block China (and other countries) from access unless it is 
something opened first from inside the network ?

Would make a big difference 

:-)



On Oct 1, 2010, at 9:28 PM, RickG wrote:

 61.155.5.247

_
Glenn Kelley | Principle | HostMedic |www.HostMedic.com 
  Email: gl...@hostmedic.com
Please don't print this e-mail unless you really need to.





Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Glenn Kelley
Bob, 

If memory serves me correct - you do not have a central network - is that right?
instead you're just using multiple pops via cable modems? 

If that is the case - it might be a bit more difficult - on the other hand - if 
you have switched to a central network (or have this in some places) 
then I can give you an easy transparent bridge solution @ no cost (just need 
one of your old pc's and 2 nics :-)  ) 


Let me know


On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:

 
 why not just block china (and other countries) from access unless it is 
 something opened first from inside the network ?
 
 Would make a big difference 
 
 :-)
 
 
 
 On Oct 1, 2010, at 9:28 PM, RickG wrote:
 
 61.155.5.247
 
 _
 Glenn Kelley | Principle | HostMedic |www.HostMedic.com 
   Email: gl...@hostmedic.com
 Pplease don't print this e-mail unless you really need to.
 
 
 
 

_
Glenn Kelley | Principle | HostMedic |www.HostMedic.com 
  Email: gl...@hostmedic.com
Please don't print this e-mail unless you really need to.





Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Robert West
I've been migrating everything to a central location.  Not done yet but boy,
have had a mess the past 3 weeks with the reconfiguring and moving of
stuff.  As well as one major gateway out of the solar status to real
grid power.  Finally!

 

Was interesting to watch the log, though.  I blocked every IP as it popped
up then they switched from FTP to SSH.  Once SSH was blocked, they went the
hell away.

 

But thinking back on  it, imagine the Damn it! looks on their faces if
they DID get in only to find a nothing Mikrotik routerboard!  HA!

 

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Glenn Kelley
Sent: Friday, October 01, 2010 10:00 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

Bob, 

 

If memory serves me correct - you do not have a central network - is that
right?

instead you're just using multiple pops via cable modems? 

 

If that is the case - it might be a bit more difficult - on the other hand -
if you have switched to a central network (or have this in some places) 

then I can give you an easy transparent bridge solution @ no cost (just need
one of your old pc's and 2 nics :-)  ) 

 

 

Let me know

 

 

On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:





 

why not just block china (and other countries) from access unless it is
something opened first from inside the network ?

 

Would make a big difference 

 

:-)

 

 

 

On Oct 1, 2010, at 9:28 PM, RickG wrote:





61.155.5.247

 


_

Glenn Kelley | Principle | HostMedic |www.HostMedic.com 

  Email: gl...@hostmedic.com

Pplease don't print this e-mail unless you really need to.

 






 


_

Glenn Kelley | Principle | HostMedic |www.HostMedic.com 

  Email: gl...@hostmedic.com

Pplease don't print this e-mail unless you really need to.

 





Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Robert West
Oh, we do have fiber but it's not used in all AP's.  Not yet anyhow.  But
the cable modems on top of a box in a field are primo, man!  

 

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Glenn Kelley
Sent: Friday, October 01, 2010 10:00 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

Bob, 

 

If memory serves me correct - you do not have a central network - is that
right?

instead you're just using multiple pops via cable modems? 

 

If that is the case - it might be a bit more difficult - on the other hand -
if you have switched to a central network (or have this in some places) 

then I can give you an easy transparent bridge solution @ no cost (just need
one of your old pc's and 2 nics :-)  ) 

 

 

Let me know

 

 

On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:





 

why not just block china (and other countries) from access unless it is
something opened first from inside the network ?

 

Would make a big difference 

 

:-)

 

 

 

On Oct 1, 2010, at 9:28 PM, RickG wrote:





61.155.5.247

 


_

Glenn Kelley | Principle | HostMedic |www.HostMedic.com 

  Email: gl...@hostmedic.com


 


_

Glenn Kelley | Principle | HostMedic |www.HostMedic.com 

  Email: gl...@hostmedic.com


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Robert West
Yeah?  Send me that link, dude!

 

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Greg Ihnen
Sent: Friday, October 01, 2010 6:06 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

Are you not using the brute force protection from the wiki? I use it on the
ports I must keep open. Three strikes they're out.

 

Greg

 

On Oct 1, 2010, at 5:27 PM, Robert West wrote:





Just had to deal with a brute force attack on a MT router acting as a
gateway. 

 

Came from these two IP addresses..

 

59.42.10.38

 

61.155.5.247

 

Looked them up, they turn out to be pretty common for this sort of thing.
Added a firewall rule to drop them and they are no longer filling my log. 

 

Some may want to do the same for these jokers.

 

Robert West

Just Micro Digital Services Inc.

740-335-7020

 


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Robert West
Why not?!  Who would prevail if it ever came to a court?!

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Tom Sharples
Sent: Friday, October 01, 2010 7:00 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

I've often wondered, is it legal for the recipient of this sort of thing,
to retaliate with e.g. ping or curl storms?

 

Tom S.

 

 

- Original Message - 

From: Robert West mailto:robert.w...@just-micro.com  

To: 'WISPA General List' mailto:wireless@wispa.org  

Sent: Friday, October 01, 2010 2:57 PM

Subject: [WISPA] Brute Force Attack on Mikrotik Gateway

 

Just had to deal with a brute force attack on a MT router acting as a
gateway.  

 

Came from these two IP addresses..

 

59.42.10.38 

 

61.155.5.247

 

Looked them up, they turn out to be pretty common for this sort of thing.
Added a firewall rule to drop them and they are no longer filling my log.  

 

Some may want to do the same for these jokers.

 

Robert West

Just Micro Digital Services Inc.

740-335-7020

 


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Robert West
I'd sleep.

I just need to script it to add to the drop list if an IP fails with the
login x number of times.  Should work.

Bob-



-Original Message-
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Faisal Imtiaz
Sent: Friday, October 01, 2010 7:48 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

How about an 'interactive script' that detects such attacks and
automatically black lists them... ?

Now, now now.. what would you do with all that free time ?

-
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
-

Faisal Imtiaz
Snappy Internet  Telecom

On 10/1/2010 5:57 PM, Robert West wrote:
 Just had to deal with a brute force attack on a MT router acting as a 
 gateway.

 Came from these two IP addresses..

 59.42.10.38

 61.155.5.247

 Looked them up, they turn out to be pretty common for this sort of 
 thing. Added a firewall rule to drop them and they are no longer 
 filling my log.

 Some may want to do the same for these jokers.

 Robert West

 Just Micro Digital Services Inc.

 740-335-7020



Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Robert West
Then we'll just send the pigeons over to poop on them.

 

Easy.

 

 

 

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of RickG
Sent: Friday, October 01, 2010 9:29 PM
To: Tom Sharples; WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 

I like it but what if the ip is being masqueraded?

On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com wrote:

I've often wondered, is it legal for the recipient of this sort of thing,
to retaliate with e.g. ping or curl storms?

 

Tom S.

 

 

- Original Message - 

From: Robert West mailto:robert.w...@just-micro.com  

To: 'WISPA General List' mailto:wireless@wispa.org  

Sent: Friday, October 01, 2010 2:57 PM

Subject: [WISPA] Brute Force Attack on Mikrotik Gateway

 

Just had to deal with a brute force attack on a MT router acting as a
gateway.  

 

Came from these two IP addresses..

 

59.42.10.38 

 

61.155.5.247

 

Looked them up, they turn out to be pretty common for this sort of thing.
Added a firewall rule to drop them and they are no longer filling my log.  

 

Some may want to do the same for these jokers.

 

Robert West

Just Micro Digital Services Inc.

740-335-7020

 


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Josh Luthman
Compliments of Butch Evans

/ip firewall filter
# Drop SSH traffic from sources that are already on the blacklist
add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# New connection from a stage3 source: blacklist it for 1w3d
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
# New connection from a stage2 source: move it to stage3 for 1m
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
# New connection from a stage1 source: move it to stage2 for 1m
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
# First new connection from any source not in heavysshservers: stage1 for 1m
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Fri, Oct 1, 2010 at 10:28 PM, Robert West robert.w...@just-micro.com wrote:

 Then we’ll just send the pigeons over to poop on them.



 Easy.







 *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On
 Behalf Of *RickG
 *Sent:* Friday, October 01, 2010 9:29 PM
 *To:* Tom Sharples; WISPA General List
 *Subject:* Re: [WISPA] Brute Force Attack on Mikrotik Gateway



 I like it but what if the ip is being masqueraded?

 On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com wrote:

 I've often wondered, is it legal for the recipient of this sort of thing,
 to retaliate with e.g. ping or curl storms?



 Tom S.





 - Original Message -

 *From:* Robert West robert.w...@just-micro.com

 *To:* 'WISPA General List' wireless@wispa.org

 *Sent:* Friday, October 01, 2010 2:57 PM

 *Subject:* [WISPA] Brute Force Attack on Mikrotik Gateway



 Just had to deal with a brute force attack on a MT router acting as a
 gateway.



 Came from these two IP addresses….



 59.42.10.38



 61.155.5.247



 Looked them up, they turn out to be pretty common for this sort of thing.
 Added a firewall rule to drop them and they are no longer filling my log.



 Some may want to do the same for these jokers.



 Robert West

 Just Micro Digital Services Inc.

 740-335-7020




Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Greg Ihnen
I change the address-list to just blacklist and duplicate the script for
other ports I want to block as well. That way if they get blacklisted on ssh
they're blacklisted for whatever else you're protecting (telnet, ftp, etc). I
only keep SSH and WinBox ports open, I use SSH to reboot if it really gets
cranky and WinBox for everything else.

Greg

On Oct 1, 2010, at 10:08 PM, Josh Luthman wrote:

 Compliments of Butch Evans
 
 /ip firewall filter
 add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
     dst-port=22 protocol=tcp src-address-list=ssh_blacklist
 add action=add-src-to-address-list address-list=ssh_blacklist \
     address-list-timeout=1w3d chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
 add action=add-src-to-address-list address-list=ssh_stage3 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
 add action=add-src-to-address-list address-list=ssh_stage2 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
 add action=add-src-to-address-list address-list=ssh_stage1 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers
 
 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373
 
 
 On Fri, Oct 1, 2010 at 10:28 PM, Robert West robert.w...@just-micro.com 
 wrote:
 Then we’ll just send the pigeons over to poop on them.
 
  
 Easy.
 
  
  
  
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On 
 Behalf Of RickG
 Sent: Friday, October 01, 2010 9:29 PM
 To: Tom Sharples; WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  
 I like it but what if the ip is being masqueraded?
 
 On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com wrote:
 
 I've often wondered, is it legal for the recipient of this sort of thing, to
 retaliate with e.g. ping or curl storms?
 
  
 Tom S.
 
  
  
 - Original Message -
 
 From: Robert West
 
 To: 'WISPA General List'
 
 Sent: Friday, October 01, 2010 2:57 PM
 
 Subject: [WISPA] Brute Force Attack on Mikrotik Gateway
 
  
 Just had to deal with a brute force attack on a MT router acting as a 
 gateway. 
 
  
 Came from these two IP addresses….
 
  
 59.42.10.38
 
  
 61.155.5.247
 
  
 Looked them up, they turn out to be pretty common for this sort of thing.  
 Added a firewall rule to drop them and they are no longer filling my log. 
 
  
 Some may want to do the same for these jokers.
 
  
 Robert West
 
 Just Micro Digital Services Inc.
 
 740-335-7020
 
  

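The staged rules Josh posted and Greg's shared-blacklist variation, modelled in Python as an added example (not code from the thread or from MikroTik), to show which connection in a burst gets a source listed and why the stage3-first rule order matters. Assumptions: the first rule is modelled as the drop its comment describes, the per-port stage list names (`p22_stage1` and so on) are hypothetical, and the addresses and timings are constructed sample traffic.

```python
MINUTE = 60
BLACKLIST_TTL = (7 + 3) * 24 * 3600  # address-list-timeout=1w3d
SSH, WINBOX = 22, 8291               # 8291 is the WinBox default port


class AddressLists:
    """Address lists as name -> {source ip: expiry time in seconds}."""

    def __init__(self, exempt=()):
        # heavysshservers is a static list in the posted rules: it never expires
        self.lists = {"heavysshservers": {ip: float("inf") for ip in exempt}}

    def contains(self, name, ip, now):
        return self.lists.get(name, {}).get(ip, -1) > now

    def add(self, name, ip, now, ttl):
        # Modelling assumption: re-adding an address restarts its timeout
        self.lists.setdefault(name, {})[ip] = now + ttl


def build_ladder(port, blacklist, descending=True):
    """Rules for one port as (port, src-list, action, target list, timeout).

    A leading "!" negates the src-list match, as in the posted rules.
    descending=True is the order posted in the thread (stage3 rule first).
    Stage list names are hypothetical; the blacklist name may be shared.
    """
    s1, s2, s3 = (f"p{port}_stage{n}" for n in (1, 2, 3))
    steps = [
        (port, s3, "add", blacklist, BLACKLIST_TTL),
        (port, s2, "add", s3, MINUTE),
        (port, s1, "add", s2, MINUTE),
        (port, "!heavysshservers", "add", s1, MINUTE),
    ]
    if not descending:
        steps.reverse()  # misordered variant: the stage1 rule is evaluated first
    return [(port, blacklist, "drop", None, 0)] + steps


def new_connection(rules, lists, ip, port, now):
    """Pass one new TCP connection through the rules in order: 'drop' or 'pass'."""
    for rule_port, src_list, action, target, ttl in rules:
        if rule_port != port:
            continue
        negate = src_list.startswith("!")
        if lists.contains(src_list.lstrip("!"), ip, now) == negate:
            continue  # src-address-list condition not met
        if action == "drop":
            return "drop"
        # add-src-to-address-list is not terminal: the packet goes on to the next rule
        lists.add(target, ip, now, ttl)
    return "pass"


def replay(rules, events, exempt=()):
    """events: iterable of (seconds, source ip, dst port). Returns (verdicts, lists)."""
    lists = AddressLists(exempt)
    verdicts = [new_connection(rules, lists, ip, port, t) for t, ip, port in events]
    return verdicts, lists


# One blacklist shared by both ports, as in Greg's variation
SHARED = build_ladder(SSH, "blacklist") + build_ladder(WINBOX, "blacklist")

# Constructed traffic: five SSH connections in 20 s, then one WinBox connection
BURST = [(t, "203.0.113.7", SSH) for t in (0, 5, 10, 15, 20)]
BURST.append((30, "203.0.113.7", WINBOX))
# Constructed traffic: an admin reconnecting over SSH every two minutes
SLOW = [(t, "198.51.100.9", SSH) for t in range(0, 600, 120)]


def demo():
    burst, _ = replay(SHARED, BURST)
    slow, _ = replay(SHARED, SLOW)
    exempt, _ = replay(SHARED, BURST, exempt=["203.0.113.7"])
    wrong_order = build_ladder(SSH, "blacklist", descending=False)
    misordered, _ = replay(wrong_order, BURST[:2])
    return {"burst": burst, "slow": slow, "exempt": exempt, "misordered": misordered}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:10} {verdicts}")
```

Running it shows the fourth SSH connection inside a minute lists the source, the fifth is dropped, and the same source is then dropped on WinBox as well. With the stage rules in ascending order a single connection walks every stage and is listed at once, so the second connection is already dropped.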
Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Greg Ihnen
I was going to but I see others already did and someone sent Butch's script.

Greg

On Oct 1, 2010, at 9:55 PM, Robert West wrote:

 Yeah?  Send me that link, dude!
  
  
  
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On 
 Behalf Of Greg Ihnen
 Sent: Friday, October 01, 2010 6:06 PM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
 Are you not using the brute force protection from the wiki? I use it on the 
 ports I must keep open. Three strikes they're out.
  
 Greg
  
 On Oct 1, 2010, at 5:27 PM, Robert West wrote:
 
 
 Just had to deal with a brute force attack on a MT router acting as a 
 gateway. 
  
 Came from these two IP addresses….
  
 59.42.10.38
  
 61.155.5.247
  
 Looked them up, they turn out to be pretty common for this sort of thing.  
 Added a firewall rule to drop them and they are no longer filling my log. 
  
 Some may want to do the same for these jokers.
  
 Robert West
 Just Micro Digital Services Inc.
 740-335-7020
  

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Josh Luthman
Ok who uses FTP and telnet?!

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Fri, Oct 1, 2010 at 10:46 PM, Greg Ihnen os10ru...@gmail.com wrote:

 I was going to but I see others already did and someone sent Butch's
 script.

 Greg

 On Oct 1, 2010, at 9:55 PM, Robert West wrote:

 Yeah?  Send me that link, dude!



 *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On
 Behalf Of *Greg Ihnen
 *Sent:* Friday, October 01, 2010 6:06 PM
 *To:* WISPA General List
 *Subject:* Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 Are you not using the brute force protection from the wiki? I use it on the
 ports I must keep open. Three strikes they're out.

 Greg

 On Oct 1, 2010, at 5:27 PM, Robert West wrote:


 Just had to deal with a brute force attack on a MT router acting as a
 gateway.

 Came from these two IP addresses….

 59.42.10.38

 61.155.5.247

 Looked them up, they turn out to be pretty common for this sort of thing.
 Added a firewall rule to drop them and they are no longer filling my log.

 Some may want to do the same for these jokers.

 Robert West
 Just Micro Digital Services Inc.
 740-335-7020


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Greg Ihnen
hackers?

On Oct 1, 2010, at 10:21 PM, Josh Luthman wrote:

 Ok who uses FTP and telnet?!
 
 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373
 
 
 On Fri, Oct 1, 2010 at 10:46 PM, Greg Ihnen os10ru...@gmail.com wrote:
 I was going to but I see others already did and someone sent Butch's script.
 
 Greg
 
 On Oct 1, 2010, at 9:55 PM, Robert West wrote:
 
 Yeah?  Send me that link, dude!
  
  
  
 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On 
 Behalf Of Greg Ihnen
 Sent: Friday, October 01, 2010 6:06 PM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway
  
 Are you not using the brute force protection from the wiki? I use it on the 
 ports I must keep open. Three strikes they're out.
  
 Greg
  
 On Oct 1, 2010, at 5:27 PM, Robert West wrote:
 
 
 Just had to deal with a brute force attack on a MT router acting as a 
 gateway. 
  
 Came from these two IP addresses….
  
 59.42.10.38
  
 61.155.5.247
  
 Looked them up, they turn out to be pretty common for this sort of thing.  
 Added a firewall rule to drop them and they are no longer filling my log. 
  
 Some may want to do the same for these jokers.
  
 Robert West
 Just Micro Digital Services Inc.
 740-335-7020
  

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Josh Luthman
I disable them on any important routers...they're useless.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Fri, Oct 1, 2010 at 11:01 PM, Greg Ihnen os10ru...@gmail.com wrote:

 hackers?

 On Oct 1, 2010, at 10:21 PM, Josh Luthman wrote:

 Ok who uses FTP and telnet?!

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373


 On Fri, Oct 1, 2010 at 10:46 PM, Greg Ihnen os10ru...@gmail.com wrote:

 I was going to but I see others already did and someone sent Butch's
 script.

 Greg

 On Oct 1, 2010, at 9:55 PM, Robert West wrote:

 Yeah?  Send me that link, dude!



 *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On
 Behalf Of *Greg Ihnen
 *Sent:* Friday, October 01, 2010 6:06 PM
 *To:* WISPA General List
 *Subject:* Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 Are you not using the brute force protection from the wiki? I use it on
 the ports I must keep open. Three strikes they're out.

 Greg

 On Oct 1, 2010, at 5:27 PM, Robert West wrote:


 Just had to deal with a brute force attack on a MT router acting as a
 gateway.

 Came from these two IP addresses….

 59.42.10.38

 61.155.5.247

 Looked them up, they turn out to be pretty common for this sort of thing.
 Added a firewall rule to drop them and they are no longer filling my log.

 Some may want to do the same for these jokers.

 Robert West
 Just Micro Digital Services Inc.
 740-335-7020


Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread RickG
That's faster than sending poop via dsl!

On Fri, Oct 1, 2010 at 10:28 PM, Robert West robert.w...@just-micro.com wrote:

 Then we’ll just send the pigeons over to poop on them.



 Easy.







 *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On
 Behalf Of *RickG
 *Sent:* Friday, October 01, 2010 9:29 PM
 *To:* Tom Sharples; WISPA General List

 *Subject:* Re: [WISPA] Brute Force Attack on Mikrotik Gateway



 I like it but what if the ip is being masqueraded?

 On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com wrote:

 I've often wondered, is it legal for the recipient of this sort of thing,
 to retaliate with e.g. ping or curl storms?



 Tom S.





 - Original Message -

 *From:* Robert West robert.w...@just-micro.com

 *To:* 'WISPA General List' wireless@wispa.org

 *Sent:* Friday, October 01, 2010 2:57 PM

 *Subject:* [WISPA] Brute Force Attack on Mikrotik Gateway



 Just had to deal with a brute force attack on a MT router acting as a
 gateway.



 Came from these two IP addresses….



 59.42.10.38



 61.155.5.247



 Looked them up, they turn out to be pretty common for this sort of thing.
 Added a firewall rule to drop them and they are no longer filling my log.



 Some may want to do the same for these jokers.



 Robert West

 Just Micro Digital Services Inc.

 740-335-7020




Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread RickG
And it ain't even Christmas yet!

On Fri, Oct 1, 2010 at 10:38 PM, Josh Luthman
j...@imaginenetworksllc.com wrote:

 Compliments of Butch Evans

 /ip firewall filter
 add action=drop chain=forward comment="drop ssh brute forcers" disabled=no \
     dst-port=22 protocol=tcp src-address-list=ssh_blacklist
 add action=add-src-to-address-list address-list=ssh_blacklist \
     address-list-timeout=1w3d chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
 add action=add-src-to-address-list address-list=ssh_stage3 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
 add action=add-src-to-address-list address-list=ssh_stage2 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
 add action=add-src-to-address-list address-list=ssh_stage1 \
     address-list-timeout=1m chain=forward comment="" connection-state=new \
     disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373



 On Fri, Oct 1, 2010 at 10:28 PM, Robert West
 robert.w...@just-micro.com wrote:

 Then we’ll just send the pigeons over to poop on them.



 Easy.







 *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On
 Behalf Of *RickG
 *Sent:* Friday, October 01, 2010 9:29 PM
 *To:* Tom Sharples; WISPA General List
 *Subject:* Re: [WISPA] Brute Force Attack on Mikrotik Gateway



 I like it but what if the ip is being masqueraded?

 On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com
 wrote:

 I've often wondered, is it legal for the recipient of this sort of thing,
 to retaliate with e.g. ping or curl storms?



 Tom S.





 - Original Message -

 *From:* Robert West robert.w...@just-micro.com

 *To:* 'WISPA General List' wireless@wispa.org

 *Sent:* Friday, October 01, 2010 2:57 PM

 *Subject:* [WISPA] Brute Force Attack on Mikrotik Gateway



 Just had to deal with a brute force attack on a MT router acting as a
 gateway.



 Came from these two IP addresses….



 59.42.10.38



 61.155.5.247



 Looked them up, they turn out to be pretty common for this sort of thing.
 Added a firewall rule to drop them and they are no longer filling my log.



 Some may want to do the same for these jokers.



 Robert West

 Just Micro Digital Services Inc.

 740-335-7020




Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread RickG
But thinking back on  it, imagine the “Damn it!” looks on their faces if
they DID get in only to find a nothing Mikrotik routerboard!

LOL, it would be funny to have something connected that did nothing. Better
yet, just reroute them to fbi.gov!

On Fri, Oct 1, 2010 at 10:22 PM, Robert West robert.w...@just-micro.com wrote:

 I’ve been migrating everything to a central location.  Not done yet but
 boy, have had a mess the past 3 weeks with the reconfiguring and moving of
 “stuff”.  As well as one major gateway out of the “solar” status to real
 grid power.  Finally!

 Was interesting to watch the log, though.  I blocked every IP as it popped
 up then they switched from FTP to SSH.  Once SSH was blocked, they went the
 hell away.

 But thinking back on it, imagine the “Damn it!” looks on their faces if
 they DID get in only to find a nothing Mikrotik routerboard!  HA!

 From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
 Behalf Of Glenn Kelley
 Sent: Friday, October 01, 2010 10:00 PM
 To: WISPA General List
 Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

 Bob,

 If memory serves me correctly - you do not have a central network - is that
 right? Instead you're just using multiple pops via cable modems?

 If that is the case - it might be a bit more difficult - on the other hand
 - if you have switched to a central network (or have this in some places)
 then I can give you an easy transparent bridge solution @ no cost (just
 need one of your old PCs and 2 NICs :-)  )

 Let me know

 On Oct 1, 2010, at 9:48 PM, Glenn Kelley wrote:

 Why not just block China (and other countries) from access unless it is
 something opened first from inside the network?

 Would make a big difference

 :-)

 On Oct 1, 2010, at 9:28 PM, RickG wrote:

 61.155.5.247

 Glenn Kelley | Principle | HostMedic | www.HostMedic.com
 Email: gl...@hostmedic.com
 Please don't print this e-mail unless you really need to.
 

Re: [WISPA] Brute Force Attack on Mikrotik Gateway

2010-10-01 Thread Robert West
Very nice!  Thanks, dude!

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Josh Luthman
Sent: Friday, October 01, 2010 10:38 PM
To: WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

Compliments of Butch Evans

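/ip firewall filter
# Rules are evaluated top-down. Listing the stages from highest to lowest
# means each new SSH connection advances a source by one stage only.
# Drop all SSH traffic from sources already on the blacklist.
add action=drop chain=forward comment="drop ssh brute forcers" \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# New connection from a stage3 source: blacklist it for 1w3d (10 days).
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
# New connection from a stage2 source: promote it to stage3 for 1 minute.
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
# New connection from a stage1 source: promote it to stage2 for 1 minute.
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
# Any new connection from a source not in heavysshservers: stage1 for 1 minute.
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=forward comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=!heavysshservers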

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373



On Fri, Oct 1, 2010 at 10:28 PM, Robert West robert.w...@just-micro.com
wrote:

Then we'll just send the pigeons over to poop on them.

Easy.

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of RickG
Sent: Friday, October 01, 2010 9:29 PM
To: Tom Sharples; WISPA General List
Subject: Re: [WISPA] Brute Force Attack on Mikrotik Gateway

I like it but what if the IP is being masqueraded?

On Fri, Oct 1, 2010 at 7:00 PM, Tom Sharples tsharp...@qorvus.com wrote:

I've often wondered, is it legal for the recipient of this sort of thing,
to retaliate with e.g. ping or curl storms?

Tom S.

- Original Message -
From: Robert West mailto:robert.w...@just-micro.com
To: 'WISPA General List' mailto:wireless@wispa.org
Sent: Friday, October 01, 2010 2:57 PM
Subject: [WISPA] Brute Force Attack on Mikrotik Gateway

Just had to deal with a brute force attack on a MT router acting as a
gateway.

Came from these two IP addresses..

59.42.10.38

61.155.5.247

Looked them up, they turn out to be pretty common for this sort of thing.
Added a firewall rule to drop them and they are no longer filling my log.

Some may want to do the same for these jokers.

Robert West
Just Micro Digital Services Inc.
740-335-7020

WISPA Wants You! Join today!
http://signup.wispa.org/

 
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/
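
The staged address-list rules quoted in the message above, modelled as an added Python example (not code from the thread or from MikroTik): it replays constructed new-connection events to show that a source is blacklisted on its fourth SSH connection inside the 1m windows, and that reversing the rule order would blacklist it on the first. Assumptions: only new TCP/22 connections are modelled, re-adding a listed source refreshes its timeout, and the class and function names are hypothetical.

```python
STAGE_TTL = 60                    # address-list-timeout=1m
BLACKLIST_TTL = 10 * 24 * 3600    # address-list-timeout=1w3d

# (list the rule tests, list it adds the source to, timeout), in rule order.
# None stands for the last rule's src-address-list=!heavysshservers match.
RULES = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TTL),
    ("ssh_stage2", "ssh_stage3", STAGE_TTL),
    ("ssh_stage1", "ssh_stage2", STAGE_TTL),
    (None, "ssh_stage1", STAGE_TTL),
]


class StagedSshFilter:
    def __init__(self, rules=RULES, heavy_ssh_servers=()):
        self.rules = list(rules)
        self.exempt = set(heavy_ssh_servers)
        self.expiry = {}          # (list name, source ip) -> expiry time in s

    def in_list(self, name, ip, now):
        return self.expiry.get((name, ip), 0) > now

    def new_connection(self, ip, now):
        """Verdict for a new TCP/22 connection from ip at time now (seconds)."""
        if self.in_list("ssh_blacklist", ip, now):
            return "drop"         # first rule: blacklisted sources stop here
        # add-src-to-address-list does not end processing, so every later
        # rule still sees the packet and the lists as updated so far.
        for tested, target, ttl in self.rules:
            if tested is None:
                matched = ip not in self.exempt
            else:
                matched = self.in_list(tested, ip, now)
            if matched:
                self.expiry[(target, ip)] = now + ttl  # assumed: re-add refreshes
        return "pass"


def replay(events, **kwargs):
    """Run constructed (time, source ip) events; return verdicts and filter."""
    fw = StagedSshFilter(**kwargs)
    return [fw.new_connection(ip, t) for t, ip in events], fw


if __name__ == "__main__":
    burst = [(t, "203.0.113.5") for t in (0, 10, 20, 30, 40)]  # constructed
    print(replay(burst)[0])
    print(replay(burst[:2], rules=reversed(RULES))[0])
```

The rules as posted sit in chain=forward, so they cover SSH hosts behind the router; connections to the router's own SSH service are filtered in the input chain.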